IP address blacklist seemingly doesn't [true only for proxied Kiwis, fixed in v1.336]
x.0.0.0/16 isn't preventing user access from IP within defined range.
Can't tell if other blacklisted IP addresses are being blocked or no attempts are being made from those addresses anymore. Am suspecting attempted connections from blacklisted addresses aren't logged, as I don't see anything about 47.88.219.24 in the log anymore.
So user access has to be turned off. How do I continue to access my Kiwi from outside?
-VR2BG.
Comments
So now how to allow continued TDoA server access, whilst continuing to make all users suffer because of the one guy who just wouldn't stop taking the piss?
-VR2BG.
But after having connected as admin from outside, the timers seem to no longer work. I've restarted the server & then tried again (still no timer), done a Beagle reboot & tried again (still no timer) & also a power off & still no timer cutting me off from an outside connection.
Grrrrr.
-VR2BG.
The blacklist on the admin network tab uses Linux iptables to do the filtering. This means traffic is filtered long before it even gets to the Kiwi server and no indication of successful filtering will appear in the Kiwi log. Instead, on the Kiwi admin console tab, you have to use an "ipt -v" command to see an incrementing "pkts" count that tells you traffic is being filtered (use "ipt -Z" to zero the stats).
The same cookie saving is currently not done when you bypass the timeouts by giving "&pwd=..." in the URL. I'm thinking about changing this to be more consistent.
Okay, so will not be expecting anything to be logged.
x.0.0.0/16 doesn't block the guy behind all this. He's local & apparently has his own Kiwi, but uses mine a lot.
Because masked labels didn't stop him from listening to local MW stations for extended periods of time (they seem to just prevent the receiver from working if tuned by clicking on the labels), he stepped up his game & would sit & listen to WWV/JJY/BPM or 0.0 MHz. And using multiple IPs. But that particular one still gets through.
Now I can't tell if the timers set for 1 minute are working as when I access the Kiwi from outside, the timers no longer cut me off.
-VR2BG.
Oct 23 12:33:59 kiwisdr kiwid: 3d:11:23:20.232 0123456. 6 0.00 kHz am z0 "www.paulrowe.com" 210.0.147.10 Central, Hong Kong (ARRIVED)
Oct 23 12:39:45 kiwisdr kiwid: 3d:11:29:06.149 01234567 7 14100.00 kHz cw z0 "101.70.93.40" (ARRIVED)
Oct 23 12:47:21 kiwisdr kiwid: 3d:11:36:42.904 01234567 UPDATE: exiting because admin update check not enabled
Oct 23 12:47:22 kiwisdr kiwid: 3d:11:36:42.956 0123456. 7 15250.00 kHz am z0 "101.70.93.40" Huzhou, China (LEAVING after 0:07:49)
Oct 23 12:47:22 kiwisdr kiwid: 3d:11:36:42.959 0123456. UPDATE: exiting because admin update check not enabled
Oct 23 12:50:41 kiwisdr kiwid: 3d:11:40:02.111 01234567 7 0.00 kHz am z0 "www.paulrowe.com" 210.0.147.29 Central, Hong Kong (ARRIVED)
Oct 23 12:51:00 kiwisdr kiwid: 3d:11:40:21.122 012345.7 6 5000.00 kHz am z0 "www.paulrowe.com" 210.0.147.10 Central, Hong Kong (LEAVING after 0:17:01)
Oct 23 12:51:00 kiwisdr kiwid: 3d:11:40:21.126 012345.7 UPDATE: exiting because admin update check not enabled
Oct 23 13:00:49 kiwisdr kiwid: 3d:11:50:10.164 012345.. 7 5000.00 kHz am z0 "www.paulrowe.com" 210.0.147.29 Central, Hong Kong (LEAVING after 0:10:09)
Blacklist as displayed now:
Blacklisting 210.0.0.0/16 isn't blocking 210.0.147.29
73, Brett.
-VR2BG.
I can't completely block an unwanted abuser's IP, setting limits to effectively hobble all external user use (but still allowing password access for me whilst outside) isn't working, which leaves turning off user access - but that also cuts local access. Alternatively, I pull the plug on the reverse proxy service - but I've exceeded the mobile data quota for the month on my phone & remote access of the local computers using the Kiwi doesn't work with the hobbled data rate I now have.
???.
73, VR2BG.
This is something I'll have to fix. The reason I used iptables is that it's very efficient at filtering. I can't do nearly as well in the Kiwi code and I didn't want to impose a penalty on everyone since there is currently one default blacklist rule on every single Kiwi.
But when the proxy is in use, from the Kiwi's perspective all the connection attempts appear to be coming from the single proxy IP (by definition). The reason you still see the actual user's IP in the log messages is that there is an extra step to uncover the true IP address when the proxy is in use. But this step is not visible to iptables. So for the proxy case I'm going to have to find an efficient way to filter in the Kiwi code.
The "ipt" shell alias now automatically includes the "-v" argument so you can see the packet counter for the iptable filtering rules. I.e. an incrementing packet count means the blacklist filter has been hit. Use "iptz" or "iptc" to clear the counters. These aliases can be used on the admin page console tab.
The best confirmation to see that the timeouts are in effect and counting down is to look at the "user" tab of the control panel (for regular connections) or on the "status" tab of the admin page. If there is a timeout in effect the remaining time will appear in orange at the end of the user information for each channel. A timeout will not occur precisely when the countdown hits zero. There can be a delay of 10 to 20 seconds before the connection is actually kicked.
To see if timeouts have been suppressed because a correct exemption password is in effect look in the admin log tab for a message like: You will see other messages for other time limit conditions: These messages only appear on the admin page log tab. They are not logged to the Linux syslog to help prevent dead Tesla syndrome.
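The two posts above explain why the 210.0.0.0/16 rule matches 210.0.147.29 as a CIDR range yet never fires on a proxied Kiwi: iptables only sees the packet source, which for every proxied connection is the proxy itself. The following is an added illustration, not KiwiSDR code and not the fix shipped in v1.336. It models the "extra step to uncover the true IP" as reading a forwarded-client value that is trusted only when the packet came from an assumed proxy address (203.0.113.5, a constructed documentation-range address); how the real proxy conveys the client IP is not stated on the page.

```python
"""Added example (not KiwiSDR code): a packet-level CIDR check versus an
application-level check on the uncovered client address.

All addresses are constructed for illustration; the blacklist rule and the
client address 210.0.147.29 are the ones discussed in the thread.
"""
import ipaddress
from typing import Iterable, List, Optional

# The single blacklist rule shown in the thread (constructed list).
BLACKLIST: List[str] = ["210.0.0.0/16"]

# Assumed (constructed) address of the reverse proxy; every proxied
# connection reaches the Kiwi with this as its packet source.
TRUSTED_PROXIES: List[str] = ["203.0.113.5"]


def parse_rules(rules: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn 'a.b.c.d/n' or bare 'a.b.c.d' strings into networks.
    strict=False tolerates host bits being set, as iptables does."""
    return [ipaddress.ip_network(r, strict=False) for r in rules]


def in_any(ip: str, rules: Iterable[str]) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_rules(rules))


def packet_level_verdict(src_ip: str) -> str:
    """What an iptables rule keyed on the packet source decides.
    It only ever sees the layer-3 source address, never the proxied client."""
    return "DROP" if in_any(src_ip, BLACKLIST) else "ACCEPT"


def uncovered_client_ip(src_ip: str, forwarded_for: Optional[str]) -> str:
    """Model of the 'extra step': accept a forwarded client address only
    when the packet really came from a trusted proxy. A direct peer that
    sends a forwarded value is not believed, so it cannot spoof its way
    past the blacklist or evade it."""
    if forwarded_for and in_any(src_ip, TRUSTED_PROXIES):
        return forwarded_for
    return src_ip


def application_level_verdict(src_ip: str, forwarded_for: Optional[str]) -> str:
    """The check the Kiwi code itself would have to make for proxied
    connections, applied to the uncovered client address."""
    client = uncovered_client_ip(src_ip, forwarded_for)
    return "REJECT" if in_any(client, BLACKLIST) else "ALLOW"


def demo() -> dict:
    """Direct connection vs. the same client arriving through the proxy."""
    direct = ("210.0.147.29", None)            # packet source is the client
    proxied = ("203.0.113.5", "210.0.147.29")  # packet source is the proxy
    return {
        "direct_packet": packet_level_verdict(direct[0]),       # DROP
        "proxied_packet": packet_level_verdict(proxied[0]),     # ACCEPT
        "proxied_app": application_level_verdict(*proxied),     # REJECT
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The "proxied_packet" result is the behaviour reported in the thread: the rule is correct, the connection simply never presents the blacklisted address at the packet layer. The application-level check also ignores a forwarded value from an untrusted peer, so a direct connection cannot claim to be someone else.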
73, VR2BG.