Reverse Proxy Service won't stop

The bot assault on Kiwis impacts not only the network traffic on the KiwiSDR proxy, it has increased the traffic across my ISP link. Even with the firmware release v1.690, this morning the bots are still attempting connection to the Kiwi at a high rate of speed, thus putting unnecessary network data usage on my ISP link.


I intended to stop outside access to my Kiwi by removing the reverse proxy information from the Kiwi Admin screen. It took a couple attempts to clear out the registration key, and host name. I was never able to remove the proxy server host name.


However, even with that information removed, the reverse proxy service continues. The bot attempts continue, and I can continue to connect to my Kiwi using outside ISPs and the bots continue. Restarts of the Kiwi server and reboots of the Beagle have not cleared the proxy access.


My only solution so far has been to put an air gap in the kiwi cat-5, or block full internet access in my firewall to the Kiwi. The connection attempts are still being clocked up on my ISP account. I would like to be able to temporarily stop the proxy service and still allow the kiwi to get access to the things it needs from the internet. (Like NTP)


M. Meek

Comments

  • Yeah, so this is complete nonsense.

    Whenever you change the 5-item menu on the admin connect tab you are prompted to restart the Kiwi server. And when "reverse proxy" is not selected the proxy client process is not even started when the Kiwi server resumes. So there's no process even listening to the connection attempts on *.proxy.kiwisdr.com

    Sure, there'll be a handful of bytes that come through as a TCP connection attempts to be established. But it's nothing in the grand scheme of things. The botnet is not attempting to connect hundreds or thousands of times a second. That's not the behavior I've observed.

  • @jks

    You say this is complete nonsense. I don't know what you are implying sir, but I wrote this discovery as I was continuing the development of my Arduino Antenna Switch. I was using tcp captures on the BBG to aid my debugging.

    I have tcpdump capture files made on the BBG on July 1st, to back up my statements in my original post. For example: From 10:08:22.011892 message 336 to 10:08:22.972133 message 525, I have a solid stream of data packets between my Kiwi and one of our favorite Bot machines. Most of those data packets were at the MTU size. I don't consider that a "handful of bytes", especially as this was going on 24/7.

    I respectfully disagree that a kiwi restart will remove the proxy service after changing the kiwi admin screen. I did not keep screen prints, but when I tried a proxy access thru my Verizon cell service, it worked as usual.

    Today, I do not have the reverse proxy configured in the kiwi, and opened port 7000 on my firewall. I CAN ACCESS THE KIWI ON MY CELL PHONE. I am listening to my kiwi on my cell right now.

    M.Meek

  • Assuming it is n8oou.proxy.kiwisdr.com, I can connect to it too.

    @n8oou Which configuration do you have selected in the "connect" tab on the top right? (Is "reverse proxy" not selected anymore?)

  • @HB9TMC

    Yes that is the correct url. The connect screen currently contains this information;

    Reverse Proxy;

    User Key; I previously deleted out my user key, it now says "required"

    Host Name: I previously deleted out my host name, it now says "required"

    Status: User key or host name field blank

    Reverse Proxy box/button: Use domain name from reverse proxy configuration below: (none currently set) That box is still colored green.

    Based on the above selection the URL to connect to your Kiwi is: (incomplete information, fill-in field above)


    I have changed my firewall rules back to dropping access to my Kiwi. After opening the rules, as expected, I started hosting guests from all over the world again, including our bot friends.


    M.Meek

  • A screenshot might be useful, but I suspect that you still have "Reverse Proxy" selected.

    Try clicking on "Public IP".

  • jks
    edited July 14

    Well, I can't replicate this behavior at all.

    Sure, if I have "reverse proxy" selected and the server has restarted such that the frpc* process is running then a tcpdump tcp dst port 7000 will see MTU-sized traffic just as you describe.

    But as soon as I select any other connection method in the menu, and restart as prompted, frpc is not restarted and there is no further traffic on port 7000. There is no process listening on that port for frps on kiwisdr.com to connect to. You should get the "page you visit not found" message when trying to connect using the proxy URL.

    Now when you are configured for proxy mode it is certainly possible to connect via multiple methods simultaneously, e.g. (serial number).proxy.kiwisdr.com and (ip address):8073 for example. Using the proxy doesn't prevent these other methods from working. The proxy is simply a solution for when these other methods don't work.

    If the proxy is configured and running, and you attempt to disable it by emptying the user and host fields and clicking the "re-register" button, none of those actions will stop a currently active frpc from running. Because it already read the configuration file when it started. And it doesn't continuously monitor the file for changes. It's only when you change the 5-item connection method menu and restart that frpc will be disabled because it won't be started in the first place.

    Maybe what you did was clear the user/host fields and then changed the 5-item menu to something other than "reverse proxy". But then failed to restart as the user interface prompts you to do. In that case frpc would still be running and you'd still see traffic if there were bots actively connecting using the proxy-based URL.

    I will add code in the next release to stop frpc immediately after the menu is changed to anything other than "reverse proxy" to help with this scenario.

    Use something like "htop" (alias "ht") in the console tab to check that frpc is, or is not, running.

    frpc* = "fast reverse proxy, client"

  • @jks

    Thank you for the response. I understand the other ways to access the kiwi thru ethernet. StarLink is my ISP provider and they use CGNAT which prevents any of my IP4 hosts from being open to the outside internet. I have turned off their router, and implemented my own using OpenWRT.

    I started up the kiwi admin connect page and confirmed it showed the same info as I reported above. I issued both htop, and ps aux console commands and did not find a running frpc process.

    I have the admin flag set to reboot the Kiwi daily, to reduce the impact of StarLink changing IP numbers on me. I find in the system logs where frpc is started after every reboot. I see in the frpc logs where an error is recorded when I have the 7000 port blocked. I did not find any log showing frpc being stopped but somehow it must be.

    I removed the port 7000 blocks on my firewall restarted the BBG and have proxy access again.

    I do find a config file that is retaining the Reverse Proxy login/configuration information, even though those fields were removed from the admin connect screen 13 plus days ago. It should be easy to now replicate this behavior.

    M.Meek
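
A scripted form of the check discussed in the comments above (is frpc running, and is there an established connection to port 7000), as an added example that is not part of the thread or the KiwiSDR code. It assumes the process name begins with "frpc" and that `ps` and `ss` are available on the Kiwi; the sample `ps`/`ss` text, including the `kiwid` process name, is constructed.

```shell
#!/bin/sh
# Added example: classify reverse-proxy state from `ps` and `ss` text.
# Assumptions: the client's process name starts with "frpc" and the tunnel
# uses remote TCP port 7000 (both as quoted in the thread).
PROXY_PORT=7000

# Read `ps -eo pid,comm` text on stdin; print the PID of each frpc process.
frpc_pids() {
    awk 'NR > 1 && $2 ~ /^frpc/ { print $1 }'
}

# Read `ss -tn` text on stdin; count ESTAB sockets whose peer port is 7000.
tunnel_count() {
    awk -v p=":$PROXY_PORT" '
        $1 == "ESTAB" && substr($5, length($5) - length(p) + 1) == p { n++ }
        END { print n + 0 }'
}

# proxy_state PS_TEXT SS_TEXT
#   active              frpc running with a tunnel up
#   running-no-tunnel   frpc started but cannot reach port 7000 (e.g. firewalled)
#   tunnel-without-frpc port-7000 traffic from some other process
#   stopped             no frpc, no tunnel
proxy_state() {
    pids=$(printf '%s\n' "$1" | frpc_pids)
    conns=$(printf '%s\n' "$2" | tunnel_count)
    if [ -n "$pids" ] && [ "$conns" -gt 0 ]; then echo active
    elif [ -n "$pids" ]; then echo running-no-tunnel
    elif [ "$conns" -gt 0 ]; then echo tunnel-without-frpc
    else echo stopped
    fi
}

# Constructed sample input.
PS_ON='  PID COMMAND
  812 kiwid
  955 frpc'
PS_OFF='  PID COMMAND
  812 kiwid'
SS_ON='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.50:51234 203.0.113.10:7000
ESTAB 0 0 192.168.1.50:8073 192.168.1.20:50100'
SS_OFF='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.50:8073 192.168.1.20:50100'

proxy_state "$PS_ON" "$SS_ON"     # proxy selected and restarted
proxy_state "$PS_ON" "$SS_OFF"    # frpc started, port 7000 blocked
proxy_state "$PS_OFF" "$SS_OFF"   # other method selected and restarted
# Live on the Kiwi console: proxy_state "$(ps -eo pid,comm)" "$(ss -tn)"
```

A result of `running-no-tunnel` after a reboot matches the case where frpc is launched from the saved configuration while the firewall drops port 7000.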
