Strange Log entry - any valid reason for this?

IP removed in case it is just an operator error ;-).

Oct 9 13:52:29 kiwisdr kiwid: 08:06:12.948 0... ** attempt to save kiwi config with auth_admin == FALSE! IP X.X.X.X
Oct 9 13:52:29 kiwisdr kiwid: 08:06:12.952 0... ** attempt to save kiwi config with auth_admin == FALSE! IP X.X.X.X
Oct 9 13:52:29 kiwisdr kiwid: 08:06:12.961 0... ** attempt to save kiwi config with auth_admin == FALSE! IP X.X.X.X
Oct 9 13:52:29 kiwisdr kiwid: 08:06:12.964 0... ** attempt to save kiwi config with auth_admin == FALSE! IP X.X.X.X
Oct 9 13:52:29 kiwisdr kiwid: 08:06:12.970 0... ** attempt to save kiwi config with auth_admin == FALSE! IP X.X.X.X
Oct 9 13:52:39 kiwisdr kiwid: 08:06:23.029 0... 0 7020.00 kHz lsb z0 "X.X.X.X" Guangzhou, China (ARRIVED)
Oct 9 13:54:07 kiwisdr kiwid: 08:07:50.571 .... 0 1000.00 kHz am z4 "X.X.X.X" Guangzhou, China (LEAVING after 0:01:39)

From experience elsewhere I'd lock down your public interface to trusted IP's when setting up new devices.

Comments

  • jksjks
    edited October 2018
    I see those occasionally and don't quite understand them. But I also haven't spent any time trying to track them down. My guess would be some buffering problem where a configuration save command from a prior admin session is leftover someplace and gets flushed out to the Kiwi during the next connection (the arrival from China in this case). I don't believe anything malicious is going on here.
    Powernumpty
  • OK thanks, that did occur to me but checking back through the logs couldn't see it before so was a bit concerned.
    I look after a small FTP server for work and we must have got on some BOT list as we'd see a pattern of malicious brute force connections hitting through the day, I ended up blocking large geographical ranges and China was No.1.
    Not saying the bad actors were from China but attacks relayed mainly from those IP ranges (and a specific insecure CMS for about 70% of the sources).
    I checked this IP on abuseipdb.com and it was not found.
  • jksjks
    edited October 2018
    The only downside when I started using Linode.com for hosting kiwisdr.com (website, proxy & TDoA service etc.) was the massive, unbelievable incoming http and ssh bot traffic. I had to put some active filtering in place just to have some piece of mind. I'd never experienced anything like that before. But I guess the ipv4 ranges of these server farms are prime targets for the bad guys.
  • I actually got some helpful response from Linode abuse address (the first time anyway) trouble is there are so many bad servers and the CMS company said their CMS was not insecure but "people leave the default credentials on there" (not sure seemed too widespread and systematic). It's small wonder that any site stays up really. At least our client base actually had a limited range of IP's so me blocking nearly eight million addresses has yet to impact a customer.
Sign In or Register to comment.