
IP address black lists

Hi all,

I found my kiwi completely utilised again today. When you kick them, they would be back within 10 seconds, so some kind of bot. No idea what they are doing exactly and what the fun is...
Anyway added them to my IP black list and problem is solved....

Does anyone maintain an IP black list? What I have right now is:

47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.81.68/32 110.87.122.99/32

Would be good if we collect known bot/spam IP addresses and block them everywhere ...

73
Rick
DU6/PE1NSQ
Powernumpty

Comments

  • Thanks, from me, for those Rick, always good to know actual sources of problems.
    I use a list built from known attacks to the works FTP server, includes lots of scanners and most of China (sorry China but seriously!).
    I think it blocks about 7 million addresses last time I added it up.

    I would hesitate to try importing that sort of list to the Kiwi so I use it on the router.
    Once I had that done I discovered there was/is a continual slow COMPLETE port scan going on from the Netherlands to my IP.

    I'd not seen the Bristol address (close to me) but I think they try to avoid scanning close to the scanner.
    At least one of those is mentioned in relation to Bitcoin, maybe there is a bot looking to recruit, bit of packet sniffing may be in order?

    Cheers
    Stu
  • hi Stu,

    Unfortunately I have the reverse proxy service, otherwise I would have done the same.
    Just noticed right now a new IP address again, looks like an endless battle ...
    It would be nice to recognise the pattern of connecting and block them based on that. But maybe that is a bit too much for the power of the beagle ...

    Cheers,
    Rick

    Updated block list:
    47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.81.68/32 110.87.122.99/32 47.74.181.109/32 149.129.109.56/32
  • Hi Rick,
    To me unless you really are concerned about the odd denied user I'd start with /24 blocks or greater (unless the IP address is in a trusted country with near zero hits on the abuse sites). In your list you have two in the 149.129.0.0/16 range, change those to that /16, see if anyone real is blocked.
    Make sure there is an email address or some other contact details out there so a real person can ask to be let in.
    On the Works FTP got tired of seeing the same sort of attack from incrementing IPs so decided if it is country X or Y then they get a /16 straight away, I know that will block some legitimate users at some stage but many places like China have large IP subnets anyway. I did that and waited for the first customer to complain (fully expecting it, just not sure time scale), many years later still not had a false positive but the logs are much smaller and unusual events easier to recognise. I know it is a different use case for the Kiwi but if a false-locked Kiwi is of no help to anyone, losing a /16 of the global problem helps the legitimate users enjoy your radio.
    Cheers
    Stu
  • Hi Stu,

    You are absolutely right. I found the blocks which they are part of, so it's easy enough to block the whole thing, just didn't want to go to that extreme (as it seems to be a legitimate ISP), but if it continues like this I will certainly do it.
    I also enabled the single connection, so they can't fill up the channels from the same IP at least ...
    I'm only curious if others are getting the problems out there?

    Cheers,
    Rick
  • Upper octets of mentioned addresses are familiar.

    http://forum.kiwisdr.com/discussion/1918/log-file-quite-a-bit-bigger?

    73, VR2BG.
  • lol, yeah I feel you ...
    It's very annoying. Unfortunately my ISP changed the setup here, so we have to deal with provider level NAT. Meaning I can't get any traffic to my router and I have to use the reverse proxy service from John. So I can't filter at that level. That would have solved a lot tbh ...

    Anyway, I keep on blocking larger IP blocks until all of China has been blocked haha
    Every second there is a blocked msg in the log of kiwi now ...

    my current block list:
    47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 46.165.245.1/24 149.129.0.0/16 110.87.0.0/16 47.74.181.109/32 185.237.99.234/32 47.240.23.0/24 94.190.209.0/24 210.152.84.111/32
  • I believe these are what I've added to my block list recently:

    118.143.0.0/16 138.19.0.0/16 173.255.0.0/16 95.179.0.0/16 193.38.0.0/16 47.240.0.0/16 47.74.0.0/16 110.87.0.0/16 149.129.0.0/16 38.143.0.0/16 185.237.0.0/16 117.30.0.0/16 162.211.0.0/16 92.38.0.0/16

    It would be interesting to know if other Kiwis are experiencing this.

    73, VR2BG.
  • Thanks for sharing ...
    Yes that was the reason for starting this topic. I cannot imagine we are the only ones having these issues
  • Same here ...
    Seems to be spreading now to Korean IPs as well. Latest here is 13.125.229.253 ...
  • Yeah, I know how frustrating this can be ...
    I've got a tail running and can't confirm that it's not over haha
    Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.631 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.635 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.173 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.778 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:47 kiwisdr kiwid: 1d:14:36:17.132 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:48 kiwisdr kiwid: 1d:14:36:18.851 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:49 kiwisdr kiwid: 1d:14:36:19.786 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:50 kiwisdr kiwid: 1d:14:36:20.798 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:50 kiwisdr kiwid: 1d:14:36:20.891 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:51 kiwisdr kiwid: 1d:14:36:21.033 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:52 kiwisdr kiwid: 1d:14:36:22.871 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:52 kiwisdr kiwid: 1d:14:36:22.875 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.174 0... IP BLACKLISTED: 114.38.82.173
    Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.178 0... IP BLACKLISTED: 114.38.82.173
    Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.937 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.779 0... IP BLACKLISTED: 110.87.123.26
    Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.805 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.239 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.265 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.745 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.749 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.753 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:57 kiwisdr kiwid: 1d:14:36:27.754 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:58 kiwisdr kiwid: 1d:14:36:28.571 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:58 kiwisdr kiwid: 1d:14:36:28.621 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.147 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.964 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:37:59 kiwisdr kiwid: 1d:14:36:29.967 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:01 kiwisdr kiwid: 1d:14:36:31.915 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:02 kiwisdr kiwid: 1d:14:36:32.851 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:03 kiwisdr kiwid: 1d:14:36:33.950 0... IP BLACKLISTED: 110.87.123.26
    Mar 9 04:38:05 kiwisdr kiwid: 1d:14:36:35.325 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.060 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.064 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.916 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:06 kiwisdr kiwid: 1d:14:36:36.985 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:07 kiwisdr kiwid: 1d:14:36:37.149 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:09 kiwisdr kiwid: 1d:14:36:39.271 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:09 kiwisdr kiwid: 1d:14:36:39.963 0... IP BLACKLISTED: 47.74.181.109
    Mar 9 04:38:10 kiwisdr kiwid: 1d:14:36:40.253 0... IP BLACKLISTED: 110.87.123.26

    That 38 one is in my block list too, but I have not noticed any recent connection attempts
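
Added example (not written by any poster or by the KiwiSDR project): a small Python helper for maintaining a list like the ones shared in this thread. It clears host bits and merges overlapping entries, flags /16 ranges that already hold two or more separate entries (the 149.129.0.0/16 case raised above), and counts `IP BLACKLISTED` log hits per /16. The function names are hypothetical; the list and log lines are copied from the posts.

```python
import ipaddress
import re
from collections import Counter

# Block list as posted in the thread (some entries have host bits set).
POSTED_LIST = ("47.88.219.24/24 139.99.219.160/32 185.220.101.1/24 "
               "46.165.245.1/24 149.129.81.68/32 110.87.122.99/32 "
               "47.74.181.109/32 149.129.109.56/32")

# Subset of the kiwid log lines quoted in the thread.
SAMPLE_LOG = """\
Mar 9 04:37:43 kiwisdr kiwid: 1d:14:36:13.631 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:45 kiwisdr kiwid: 1d:14:36:15.173 0... IP BLACKLISTED: 47.74.181.109
Mar 9 04:37:54 kiwisdr kiwid: 1d:14:36:24.174 0... IP BLACKLISTED: 114.38.82.173
Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.779 0... IP BLACKLISTED: 110.87.123.26
Mar 9 04:37:55 kiwisdr kiwid: 1d:14:36:25.805 0... IP BLACKLISTED: 47.74.181.109
"""

BLOCKED_RE = re.compile(r"IP BLACKLISTED: (\S+)\s*$")

def normalise(block_list):
    """Parse space-separated CIDRs, clear host bits, merge overlapping entries."""
    nets = (ipaddress.ip_network(e, strict=False) for e in block_list.split())
    return list(ipaddress.collapse_addresses(nets))

def widen_candidates(nets, prefix=16, min_entries=2):
    """Wider prefixes that already hold several separate list entries."""
    seen = Counter(n.supernet(new_prefix=prefix) for n in nets
                   if n.prefixlen > prefix)
    return sorted(net for net, count in seen.items() if count >= min_entries)

def hits_by_prefix(log_text, prefix=16):
    """Count rejected connection attempts per source prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        match = BLOCKED_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # skip malformed addresses rather than abort the scan
        hits[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    return hits

if __name__ == "__main__":
    nets = normalise(POSTED_LIST)
    print("normalised:", *nets)
    print("widen to /16:", *widen_candidates(nets))
    print("hits per /16:", dict(hits_by_prefix(SAMPLE_LOG)))
```

A widened prefix is only a candidate: check who owns the range and keep a contact address published before applying it, as suggested earlier in the thread.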
This discussion has been closed.