Comments
I am running the ddns client on the Kiwi and I have been for a while. It is very handy to have the ddns client on the kiwi itself...
As a quick workaround I am using a different machine which is unfortunate: another possible point of failure, more energy consumption etc. (I am fully remote).
Duckdns uses a regular https connection to send updates (port 443) not a specific port.
I would argue that some of those ranges seem a bit wide (for example 35.0.0.0/8). Also, why not allow outbound connections to those?
Cutting out cloud providers like that seems like an uphill battle: how long before attackers begin using compromised dial-up hosts?
I changed iptables to also filter on the Kiwi server local TCP port number. It seems to be working. So I'll put this in the next release.
But I think I'll make it opt-in initially for testing (i.e. an admin page setting). Making changes to the fundamental networking has gotten me into trouble before. After some people have tested it out we can then change it to opt-out.
I get suspicious connections several times a day from IP ranges which are direct allocations belonging to a "The Constant Company, LLC". They log in with usernames made of two generic words with a dot in between (e.g. Kaily.Trnuer, Tank.Brown).
They scan the entire WF and leave after about 2 minutes.
----------------------------------
CMD_MARKER: unknown varient [SET MARKER min=5625.000 max=7500.000 zoom=4 width=1920]
CMD_MARKER: unknown varient [SET MARKER min=7500.000 max=9375.000 zoom=4 width=1920]
----------------------------------
etc.
First it was from 66.135.23.227, and a day after I blocked them, it was 65.20.107.103.
I wouldn't mind them doing that if there was a bit of transparency about what they are doing.
They seem to have many IP ranges: https://geofeed.constant.com/
v1.660 limits the Kiwi blacklist filtering to the Kiwi server's active port number. So unrelated services, like DDNS, won't be affected if they are talking to servers hosted by providers in a blacklisted IP range.
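As an added illustration (not code from the thread or from the KiwiSDR project) of what "filter on the Kiwi server local TCP port number" looks like as iptables rules: the blacklist DROP is matched only on new inbound TCP connections to the Kiwi's own port, so an outbound DDNS update to port 443 at a provider in a blacklisted range is never touched. The port 8073 and the sample ranges are assumptions; the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumption: the Kiwi listens on KIWI_PORT; 8073 is a placeholder, not a value from the thread.
KIWI_PORT="${KIWI_PORT:-8073}"

# Emit a ruleset for the INPUT chain:
#  1. accept replies to connections the Kiwi itself opened (DDNS updates, etc.)
#  2. drop only NEW inbound TCP connections from each blacklisted range to the Kiwi port
# Outbound traffic never traverses INPUT with --dport KIWI_PORT, so it is unaffected.
kiwi_ruleset() {
    port="$1"; shift
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -s $cidr -j DROP"
    done
}

# Contrast: the older blanket form. With no ESTABLISHED accept rule ahead of it,
# it also drops the reply packets of connections the Kiwi opened to that range,
# which is the DDNS breakage described in the thread.
blanket_rule() {
    echo "iptables -A INPUT -s $1 -j DROP"
}

# Constructed sample blacklist: the /8 mentioned in the thread plus the two scanner addresses.
SAMPLE_RANGES="35.0.0.0/8 66.135.23.227/32 65.20.107.103/32"

# Print (do not apply) the port-scoped ruleset for review.
# shellcheck disable=SC2086
kiwi_ruleset "$KIWI_PORT" $SAMPLE_RANGES
```

Pipe the output into `sh` as root only after reviewing it; to install it permanently, put the same lines in whatever the distribution uses to restore rules at boot.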
@HB9TMC There's some "special code" to identify and filter out those particular scanners since they use many IP addresses (some of which are not in the blacklist). But the code needs to be adjusted occasionally as their behavior changes. Time for more adjustments I guess. If I could connect as admin and look at your log that would tell me what to do.
But you're right. If they just got on here and explained what they want they'd probably get some support.