IP address black lists
Hi all,
I found my kiwi completely utilised again today. When you kick them, they would be back within 10 seconds, so some kind of bot. No idea what they are doing exactly and what the fun is...
Anyway added them to my IP black list and problem is solved....
Does anyone maintain an IP black list? What I have right now is:
47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.81.68/32 110.87.122.99/32
Would be good if we collect known bot/spam IP addresses and block them everywhere ...
73
Rick
DU6/PE1NSQ
This discussion has been closed.
Comments
I use a list built from known attacks to the works FTP server, includes lots of scanners and most of China (sorry China but seriously!).
I think it blocks about 7 million addresses last time I added it up.
I would hesitate to try importing that sort of list to the Kiwi so I use it on the router.
Once I had that done I discovered there was/is a continual slow COMPLETE port scan going on from the Netherlands to my IP.
I'd not seen the Bristol address (close to me) but I think they try to avoid scanning close to the scanner.
At least one of those is mentioned in relation to Bitcoin, maybe there is a bot looking to recruit, bit of packet sniffing may be in order?
Cheers
Stu
Unfortunately I have the reverse proxy service, otherwise I would have done the same.
Just noticed right now a new IP address again, looks like an endless battle ...
It would be nice to recognise the pattern of connecting and block them based on that. But maybe that is a bit too much for the power of the beagle ...
Cheers,
Rick
Updated block list:
47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.81.68/32 110.87.122.99/32 47.74.181.109/32 149.129.109.56/32
To me, unless you really are concerned about the odd denied user, I'd start with /24 blocks or greater (unless the IP address is in a trusted country with near zero hits on the abuse sites). In your list you have two in the 149.129.0.0/16 range; change those to that /16 and see if anyone real is blocked.
Make sure there is an email address or some other contact details out there so a real person can ask to be let in.
On the Works FTP I got tired of seeing the same sort of attack from incrementing IPs so decided if it is country X or Y then they get a /16 straight away. I know that will block some legitimate users at some stage but many places like China have large IP subnets anyway. I did that and waited for the first customer to complain (fully expecting it, just not sure of the time scale); many years later I have still not had a false positive but the logs are much smaller and unusual events easier to recognise. I know it is a different use case for the Kiwi but if a false-locked Kiwi is of no help to anyone, losing a /16 of the global problem helps the legitimate users enjoy your radio.
Cheers
Stu
You are absolutely right. I found the blocks which they are part of, so it's easy enough to block the whole thing, I just didn't want to go to that extreme (as it seems to be a legitimate ISP), but if it continues like this I will certainly do it.
I also enabled the single connection, so they can't fill up the channels from the same IP at least ...
I'm only curious if others are getting the problems out there?
Cheers,
Rick
http://forum.kiwisdr.com/discussion/1918/log-file-quite-a-bit-bigger?
73, VR2BG.
It's very annoying. Unfortunately my ISP changed the setup here, so we have to deal with provider level NAT. Meaning I can't get any traffic to my router and I have to use the reverse proxy service from John. So I can't filter at that level. That would have solved a lot tbh ...
Anyway, I keep on blocking larger IP blocks until all of China has been blocked haha
Every second there is a blocked msg in the log of the Kiwi now ...
My current block list:
47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.0.0/16 110.87.0.0/16 47.74.181.109/32 185.237.99.234/32 47.240.23.0/24 94.190.209.0/24 210.152.84.111/32
118.143.0.0/16 138.19.0.0/16 173.255.0.0/16 95.179.0.0/16 193.38.0.0/16 47.240.0.0/16 47.74.0.0/16 110.87.0.0/16 149.129.0.0/16 38.143.0.0/16 185.237.0.0/16 117.30.0.0/16 162.211.0.0/16 92.38.0.0/16
It would be interesting to know if other Kiwis are experiencing this.
73, VR2BG.
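The two lists posted above can be tidied along the lines of the /16 advice earlier in the thread. The following is an added example, not part of the original posts and not KiwiSDR code: it masks off stray host bits (47.88.219.24/24 becomes 47.88.219.0/24), reports entries that are repeated or already covered by a wider block, and collapses the result. The function names are hypothetical; 192.0.2.1 is a documentation address used only as a negative test.

```python
import ipaddress

# Entries exactly as posted in the two lists above (repeats included).
POSTED = """
47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24
149.129.0.0/16 110.87.0.0/16 47.74.181.109/32 185.237.99.234/32
47.240.23.0/24 94.190.209.0/24 210.152.84.111/32
118.143.0.0/16 138.19.0.0/16 173.255.0.0/16 95.179.0.0/16 193.38.0.0/16
47.240.0.0/16 47.74.0.0/16 110.87.0.0/16 149.129.0.0/16 38.143.0.0/16
185.237.0.0/16 117.30.0.0/16 162.211.0.0/16 92.38.0.0/16
""".split()


def normalise(entries):
    """Parse entries into canonical networks, masking off host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def redundant(entries):
    """Return (entry, reason) for repeats and entries inside a wider block."""
    nets = normalise(entries)
    seen, out = set(), []
    for entry, net in zip(entries, nets):
        if net in seen:
            out.append((entry, "duplicate"))
            continue
        seen.add(net)
        cover = next((m for m in nets if m != net and net.subnet_of(m)), None)
        if cover is not None:
            out.append((entry, str(cover)))
    return out


def collapse(entries):
    """Smallest equivalent list: duplicates and covered entries are dropped."""
    return list(ipaddress.collapse_addresses(normalise(entries)))


def is_blocked(ip, nets):
    """True if the address falls inside any network of the collapsed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for entry, reason in redundant(POSTED):
        print(f"{entry:20} redundant: {reason}")
    print(" ".join(str(n) for n in collapse(POSTED)))
```

Running it on the posted entries reduces 25 entries to 20 networks that block exactly the same addresses.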
Yes that was the reason for starting this topic. I cannot imagine we are the only ones having these issues.
Seems to be spreading now to Korean IPs as well. Latest here is 13.125.229.253 ...
I've got a tail running and can't confirm that it's not over haha
Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.631 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.635 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.173 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.778 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:47 kiwisdr kiwid: 1d:14:36:17.132 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:48 kiwisdr kiwid: 1d:14:36:18.851 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:49 kiwisdr kiwid: 1d:14:36:19.786 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:50 kiwisdr kiwid: 1d:14:36:20.798 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:50 kiwisdr kiwid: 1d:14:36:20.891 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:51 kiwisdr kiwid: 1d:14:36:21.033 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:52 kiwisdr kiwid: 1d:14:36:22.871 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:52 kiwisdr kiwid: 1d:14:36:22.875 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.174 0... IP BLACKLISTED: 114.38.82.173
Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.178 0... IP BLACKLISTED: 114.38.82.173
Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.937 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.779 0... IP BLACKLISTED: 110.87.123.26
Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.805 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.239 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.265 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.745 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.749 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.753 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.754 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:58 kiwisdr kiwid: 1d:14:36:28.571 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:58 kiwisdr kiwid: 1d:14:36:28.621 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.147 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.964 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.967 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:01 kiwisdr kiwid: 1d:14:36:31.915 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:02 kiwisdr kiwid: 1d:14:36:32.851 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:03 kiwisdr kiwid: 1d:14:36:33.950 0... IP BLACKLISTED: 110.87.123.26
Mar 9 04:38:05 kiwisdr kiwid: 1d:14:36:35.325 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.060 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.064 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.916 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.985 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:07 kiwisdr kiwid: 1d:14:36:37.149 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:09 kiwisdr kiwid: 1d:14:36:39.271 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:09 kiwisdr kiwid: 1d:14:36:39.963 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:38:10 kiwisdr kiwid: 1d:14:36:40.253 0... IP BLACKLISTED: 110.87.123.26
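The idea raised earlier in the thread, recognising the connection pattern rather than chasing single addresses, can be tried offline on a saved log. The following is an added example, not part of the original posts and not KiwiSDR code: it parses lines in the format shown above and reports sources that reach a hit threshold inside a sliding time window. The sample lines are constructed with documentation addresses, and the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict, deque

# Matches the kiwid uptime stamp (d:hh:mm:ss.mmm) and the source address.
LINE = re.compile(r"kiwid: (\d+)d:(\d+):(\d+):(\d+\.\d+) .*"
                  r"IP BLACKLISTED: (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample in the log format shown above (not real traffic).
SAMPLE = [
    "Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.631 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.635 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:44 kiwisdr kiwid: 1d:14:36:14.174 0... IP BLACKLISTED: 203.0.113.9",
    "Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.173 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.778 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:47 kiwisdr kiwid: 1d:14:36:17.132 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:48 kiwisdr kiwid: 1d:14:36:18.851 0... IP BLACKLISTED: 198.51.100.7",
    "Mar 9 04:37:49 kiwisdr kiwid: 1d:14:36:19.950 0... IP BLACKLISTED: 203.0.113.9",
    "Mar 9 04:37:50 kiwisdr kiwid: some unrelated line",
]


def parse(line):
    """Return (uptime_seconds, ip) for a matching line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    d, h, mi, s, ip = m.groups()
    return int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + float(s), ip


def burst_sources(lines, max_hits=5, window=10.0):
    """Map each IP that reached max_hits within `window` seconds to its peak count."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        t, ip = event
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop hits that have aged out
            q.popleft()
        if len(q) >= max_hits:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    print(burst_sources(SAMPLE))
```

The same window logic would apply to connection lines for sources that are not yet blocked, but their log format is not shown in this thread, so the pattern above only covers the `IP BLACKLISTED` lines.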
That 38 one is in my block list too, but I have not noticed any recent connection attempts