Kiwirecorder client session wrongly assigned to RX0

At KFS I have five Kiwis configured in 8 channel mode, limited to 6 KWR sessions, and running v1.460.

On four of the Kiwis all six of the KWR sessions are assigned to RX2...RX7. But on the primary Kiwi at kfs.wsprdaemon.org:8073 the KWR recorder sessions are assigned to RX0 and RX3...RX7. When there are no other clients, even after killing the RX0 session the restored KWR session is assigned to RX0 while RX1 and RX2 are also free. I can find no daemon.log messages about these events and upping the 'max non-Kiwi apps' value to 8 sessions does not affect this behavior.

Since there are only five KFS Kiwis on four antennas, those waterfall sessions are highly prized and I would like to make all of them publicly available. It seems like a configuration problem but I don't know where else to look.

Comments

  • jksjks
    edited May 26

    Fixed. For now.

    What's happening is that particular Kiwi is under continuous connection attack from an Alibaba ip address. When I use the "kick" button on the admin status tab for the KWD on rx0 there's about a 5 second delay before it tries connecting again.

    But during that time the Alibaba ip gets in there and allocates the rx2 channel. You don't see it immediately on the admin status display because there is a delay. You have to look on the "log" tab. But rx2 being allocated to Alibaba forces KWD to rx0.

    The fix was to append the Alibaba ip to your already long list of blacklisted ip addresses on the network tab. I did that. Waited a bit for the firewall to get updated. Kicked KWD rx0 again. And it ended up on rx2 where it belongs.

    Not a long term solution though..

  • jksjks
    edited May 26

    Update: They're back again today using different Alibaba ip addresses (47.242.241.144 & 47.242.111.83). The pattern (looking at the log) is that they connect every 30 seconds for about 20 seconds and listen to 8870 kHz usb, an MWARA/ARINC frequency (aircraft HF comm).

    I increased the size of the blacklist entry to the entire Alibaba CIDR of 47.240.0.0/14 (they have 5 CIDRs if you do a whois on the ips). Pretty drastic, but screw 'em.

  • edited May 27

    Thanks John.

    I have added that Alaibaba range to the other 4 KFS Kiwis and suppressed multiple logins from the same IP.

    That blacklist is long enough that I wonder if we could maintain a blacklist database on a web server from which a button on the Admin table would get refreshed.

    Now that you have alerted me to this issue, I notice a Baltimore IP which has been parked on 11175/usb (military aviation) for almost 90 minutes, and I think that frequency is very commonly monitored by that user. It would be nice if as admin I could put up a chat window on his screen and ask "What are you doing here for so long?" ;=)

    BTW - The forum server did not email me a notification of your response even though my account is configured to do so. So I found your response only when I looked for it.

  • That blacklist is long enough that I wonder if we could maintain a blacklist database on a web server from which a button on the Admin table would get refreshed.

    Excellent idea.

    Now that you have alerted me to this issue, I notice a Baltimore IP which has been parked on 11175/usb (military aviation) for almost 90 minutes, and I think that frequency is very commonly monitored by that user.

    You could mask that frequency: http://kiwisdr.com/quickstart/index.html#id-user-marker-masked

    BTW - The forum server did not email me a notification of your response even though my account is configured to do so. So I found your response only when I looked for it.

    Something else for me to look at..

  • Masking 11175 did drive him away.

    I found the forum notice emails were being put in my spam folder, so that problem was at my end.

  • I am once again finding RX1 empty but unusable. I find only this suspicious line in the logs tab:

    Sat Jun 12 02:02:39 1d:03:29:10.414 01234567 1     PWD kiwi W/F ALLOWED: no config pwd set, allow any (45.63.115.181)

    What is the process for finding out who is hogging my rx channels?

  • That is a Vultr.com address, they constantly scan ports here.

    I'd just block them at the router as I've yet to see any benefit of letting them have access to local SDR's.

    abuseipdb.com is very useful finding if an address has other abuse reports, and to also report abuse so that others know it is ongoing. I've reported addresses previously but it does need multiple validated reports for others to be able to see active warnings.

Sign In or Register to comment.