I second G8JNJ's suggestion on the option to select automatic updates for the IP blacklist. I would suggest the default be manual, as it is now, and to give the admin a button or a checkbox to enable auto updates.
Good morning and happy holidays.
.. this morning, after the previous IP blacklisting of addresses which accessed my Kiwi and remained stable for the entire time allowed by the connection on a frequency in AM mode where there are no transmissions, tired of the last IP to access and being rejected by the blacklist, I found a new parasite connected:
"(no identity)" (18.104.22.168, unknown location) 1357.82 kHz am z13 1:15:14
performed a reverse ip:
22.214.171.124 Asia Pacific Network Information Center (AS4134) - 126.96.36.199.broad.xm.fj.dynamic.163data.com.cn
and a whois lookup:
Whois Record for 163Data.com.cn
Registrar 阿里云计算有限公司（万网）
IANA ID: -
Whois Server: -
Registrar Status clientUpdateProhibited, inactive
Dates 5,280 days old
Created on 2007-07-11
Expires on 2022-07-11
Tech Contact -
Website Title None given.
Whois Record (last updated on 2021-12-24)
Domain Name: 163data.com.cn
Domain Status: clientUpdateProhibited
Domain Status: inactive
Registrant: 中国电信集团公司
Registrant Contact Email: firstname.lastname@example.org
Sponsoring Registrar: 阿里云计算有限公司（万网）
Registration Time: 2007-07-11 17:04:42
Expiration Time: 2022-07-11 17:04:42
Having said that, I have noticed on my log some lines that I think are suspicious, but being totally ignorant in programming I cannot decipher if they are problems or not. I sent a copy of the log to jks and email@example.com, hoping to have an explanation.
However, in the face of all this I have blacklisted all the 64.536 IPs of the domain 120.36.xxx.xxx [188.8.131.52/16]
If this has also happened to others, I would appreciate an exchange of views also by private message here on the forum so as not to clog the discussion.
Not seen that one here, thanks will add to the router.
Good morning and happy holidays.
I would like to bring to your attention the following IP:
Fri Dec 31 13:04:25 12:16:07.735 012. 1 L 216.00 kHz am z7 "184.108.40.206" Ukraine (ARRIVED)
RX1 (220.127.116.11, Ukraine) 262.82 kHz am z7 0:05:02 0:10:15 act
... impossible to trace the DNS, at least with my checks. As you can see, it is positioned on an (empty) frequency, at least at my latitudes, and remains fixed there for as long as allowed. Which reminds me (if you scroll up some posts you will find mine from December 24th)
... in both cases frequency free from transmissions with frequency ending [xxxx.82].
I don't know if I've become paranoid, but these recurring behaviors leave me thinking.
Obviously, for the avoidance of doubt, it is blacklisted.
Welcome any comments.
Added 18.104.22.168/17 (Google cloud services) which was caught hammering on proxy host. Please download a new ip blacklist. Remember to save and re-add your local changes to the blacklist.
Is it still advisable to keep 22.214.171.124/8 126.96.36.199/8 blacklisted?
Definitely. I see all kinds of traffic from those ranges to the proxy server.
In v1.485 the admin page, network tab, will show when a new blacklist is available for download.
No automatic update mechanism yet. That's difficult for a number of reasons.
IP address 188.8.131.52 constantly bombs my SDR3, so finally the kiwi became unavailable to the public...
I have added 184.108.40.206/32 to the blacklist... hopefully it helps...
P.S.: All kiwis are fully available to the public (4 channels mode per kiwi) - sadly with some very noticeable PLC noise from the neighbors... outside of ham bands, PLC/HomePlug users are primary frequency users in Belgium, unfortunately with very high allowed transmission levels.
Thanks. The proxy server sees the same ip targeting other Kiwis. 220.127.116.11/16 is Google cloud. So I added that to the downloadable blacklist. The admin page, network tab, of all Kiwis running v1.485 or later should show that a new download is available.
New Vultr seen today 18.104.22.168
Might be OK, but worth checking logs for issues around that time (IMO).
While we are at it, does anyone know more precisely the meaning of the following log messages?
L "(no identity)" 22.214.171.124 incomplete connection kicked
Is it reasonable to assume these denote some sort of "doorknob twisting" and are hence targets for blacklisting?
Eventually we're going to hit the problem of someone having a valid Kiwi-related service in the ip range of a well known cloud provider that is otherwise blacklisted. For example an SSL proxy. The kiwisdr.com services use a cloud provider that is less well known so for now this hasn't been an issue (and specific ip addresses otherwise blacklisted could always be put on a whitelist I guess).
Okay, we had a blacklist entry for 126.96.36.199/16 which I replaced with 188.8.131.52/10 and 184.108.40.206/12. Use the download button on your admin page, network tab to get the updated blacklist. Also added 220.127.116.11/20 from Stu's report yesterday.
Thank you John.
After downloading the shared blacklist, still getting this hit, from a rather large AWS subnet:
L "(no identity)" 18.104.22.168 incomplete connection kicked
NetRange: 22.214.171.124 - 126.96.36.199
Parent: NET3 (NET-3-0-0-0-0)
NetType: Direct Allocation
Organization: Amazon Technologies Inc. (AT-88-Z)
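The two questions raised above, whether repeated "incomplete connection kicked" lines are worth blacklisting and why an address can still get through after a list update, can both be answered from the log itself. The script below is an added example and not KiwiSDR project code; it counts kicked connections per source address, checks each address against a downloaded list plus a separate local list (mirroring the two-list layout mentioned later in the thread), reports offenders that no entry covers, and verifies that swapping one CIDR entry for others (as with the /16 replaced by a /10 and a /12) leaves no gap. The log lines, the blacklist entries and the `min_kicks` threshold are constructed for the example; the addresses come from documentation and private ranges, not from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the KiwiSDR log style quoted in the thread (not real traffic).
SAMPLE_LOG = """\
L "(no identity)" 203.0.113.7 incomplete connection kicked
RX1 (198.51.100.23, Somewhere) 262.82 kHz am z7 0:05:02 0:10:15 act
L "(no identity)" 203.0.113.7 incomplete connection kicked
L "(no identity)" 192.0.2.44 incomplete connection kicked
L "(no identity)" 203.0.113.7 incomplete connection kicked
"""

# Hypothetical blacklists: the downloaded one and the local one that survives a re-download.
DOWNLOADED_BLACKLIST = ["203.0.113.0/24"]
LOCAL_BLACKLIST = ["198.51.100.0/24"]

# Dotted-quad IPv4 address not embedded in a longer dotted number (e.g. "262.82").
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_networks(entries):
    """Turn blacklist strings into ip_network objects; strict=False accepts host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def kicked_ips(log_text):
    """Count 'incomplete connection kicked' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if "incomplete connection kicked" not in line:
            continue
        m = IP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def covering_entry(ip, networks):
    """Return the most specific blacklist network containing ip, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in networks if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def uncovered_offenders(log_text, blacklists, min_kicks=2):
    """Addresses kicked at least min_kicks times that no entry in any of the lists covers."""
    networks = parse_networks([e for lst in blacklists for e in lst])
    return {
        ip: n
        for ip, n in kicked_ips(log_text).items()
        if n >= min_kicks and covering_entry(ip, networks) is None
    }


def still_covered(old_entry, new_entries):
    """True if every address of old_entry lies inside the union of new_entries."""
    old = ipaddress.ip_network(old_entry, strict=False)
    merged = ipaddress.collapse_addresses(parse_networks(new_entries))
    return any(old.subnet_of(n) for n in merged)


if __name__ == "__main__":
    for ip, n in kicked_ips(SAMPLE_LOG).most_common():
        hit = covering_entry(ip, parse_networks(DOWNLOADED_BLACKLIST + LOCAL_BLACKLIST))
        print(f"{ip}: kicked {n}x, covered by {hit}")
    print("uncovered:", uncovered_offenders(SAMPLE_LOG, [DOWNLOADED_BLACKLIST, LOCAL_BLACKLIST]))
    print("10.64.0.0/16 inside /10 + /12:", still_covered("10.64.0.0/16", ["10.64.0.0/10", "10.128.0.0/12"]))
```

Run it against a copy of the Kiwi log and the downloaded blacklist file to see which repeat offenders the current entries miss; `still_covered` is the check to run before replacing a broad entry with narrower ones so that the address that prompted the entry does not fall out of the list.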
I have that one blocked at the router from October 2021.
I only block 188.8.131.52/24 and have not noticed a wider issue (until I post this and they move).
New Vultr seen today
In case anyone wonders, I had issues with Vultr so blocked a few addresses, since blocking them I realised I had constant port scans from these ranges, just checked from five days ago and in the order of 10k scans or connection attempts on a non listed SDR. The source IP changes as, I assume, people recognise it.
Parent company medium scam risk
It would be nice to block by name, e.g. *.adsl.xyz.xy, and to have a separate tab for your own list that does not disappear after retrieving a new list like it does now.
184.108.40.206/18 Chinese bot, when connected without identification and showing no typical user characteristics, just takes up slots
You'll need to update to v1.492 (or later) to receive ongoing updates to the ip blacklist.
A bug was fixed allowing more than 64 entries in the blacklist.
v1.493 has an additional, local, writable ip blacklist that won't get overwritten when the primary blacklist is downloaded. See admin page, network tab.
Thank you for a great job
So I blew my router config, had to use a spare, was visited by some new (Constant Company) addresses.
220.127.116.11, 18.104.22.168, 22.214.171.124
126.96.36.199/16 188.8.131.52/20 184.108.40.206/20
IP: 220.127.116.11 looks like bad script without KiwiSDR responses processing...
Today's Vultr Canada 18.104.22.168
They must run out soon, I thought IPv4 addresses were in short supply.