While logged in via ssh, where do I find the whole log? The one that is partially displayed on the admin log page.
What, the system log?
/var/log/messages or syslog
AFAIK the logs are in /var/log/ so I often just
Not what you are asking?
The log of kiwirecorder.py connects that I see in the admin webpage log.
I found them... dunno how I had missed them before.
So here are the bots nagging me:
@WA2ZKD Today's KiwiSDR logs (under root or sudo):
cat /var/log/syslog | grep kiwid | more
or syslog.1 for yesterday's.
Only 126.96.36.199 was not already on my Vultr radar, thanks for that one.
If you guys want to help me out you could do a whois of those IPs and figure out the correct CIDR I need to add to the downloadable blacklist.
You have to be extremely careful doing this analysis. The whois will often list multiple IP ranges. You have to use the latter one (most narrow CIDR) specifically allocated to the end user. You also need to check the CIDR isn't already partially or completely covered by an existing blacklist entry. Do curl -s kiwisdr.com/ip_blacklist/ip_blacklist2.cjson to see the current file. Sometimes an existing entry's netmask needs to be enlarged rather than adding a new entry. We need to keep our iptables as efficient as possible.
Use a website like: https://www.ipaddressguide.com/cidr to check that your CIDR produces the correct IP low-high range.
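The checks described in the two posts above (pick the narrowest allocation from a whois listing, confirm the low-high range a CIDR covers, and make sure a new entry is neither already covered by nor a superset of an existing blacklist entry) can be done offline with Python's standard ipaddress module. This is an added example, not code from the KiwiSDR project or from anyone in this thread; the whois ranges and the stand-in blacklist are constructed from RFC 5737 documentation networks, and it does not parse the real ip_blacklist2.cjson file, whose format is not shown here.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample data (RFC 5737 documentation ranges, not real bot sources):
# what a whois/RDAP lookup might list for one offending address, broadest block first.
WHOIS_RANGES = ["203.0.113.0/24", "203.0.113.0/25", "203.0.113.64/26"]
OFFENDER = "203.0.113.77"

# Constructed stand-in for the entries already in the downloadable blacklist.
EXISTING_BLACKLIST = ["198.51.100.0/24", "203.0.113.0/26", "192.0.2.128/25"]


def cidr_range(cidr: str) -> Tuple[str, str]:
    """Lowest and highest address covered by a CIDR (the web calculator check)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def narrowest_allocation(ip: str, ranges: Iterable[str]) -> str:
    """Return the most specific (longest-prefix) listed range that contains ip.

    whois output usually lists the registry's parent block before the block
    assigned to the end customer; the latter is the one to blacklist."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    containing = [n for n in nets if addr in n]
    if not containing:
        raise ValueError(f"{ip} is not inside any listed range")
    return str(max(containing, key=lambda n: n.prefixlen))


def classify_candidate(candidate: str, existing: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Compare a proposed CIDR with the current blacklist entries.

    Two CIDR blocks are always either nested or disjoint, so the outcomes are:
      'covered' - candidate lies inside an existing entry: nothing to add
      'enlarge' - candidate contains an existing entry: widen that entry's netmask
      'new'     - disjoint from every entry: safe to append
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    for entry in existing:
        net = ipaddress.ip_network(entry, strict=False)
        if cand.subnet_of(net):          # includes the equal-network case
            return "covered", entry
        if net.subnet_of(cand):
            return "enlarge", entry
    return "new", None


def merged_blacklist(existing: Iterable[str], candidate: str) -> List[str]:
    """Add the candidate and collapse adjacent or nested entries, so the
    resulting iptables rule list stays as short as possible."""
    nets = [ipaddress.ip_network(e, strict=False) for e in existing]
    nets.append(ipaddress.ip_network(candidate, strict=False))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    chosen = narrowest_allocation(OFFENDER, WHOIS_RANGES)
    print("narrowest allocation:", chosen, "covers", cidr_range(chosen))
    print("verdict against blacklist:", classify_candidate(chosen, EXISTING_BLACKLIST))
    print("merged blacklist:", merged_blacklist(EXISTING_BLACKLIST, chosen))
```

With the constructed data the candidate /26 is disjoint from the existing entries, yet it is adjacent to 203.0.113.0/26, so collapse_addresses merges the pair into a single 203.0.113.0/25; that is the "enlarge the netmask rather than add an entry" case from the post, found automatically.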
@jks Hi John, do you have any information about this bot? It appears to be the same software from different IPs and countries using kiwirecorder for frequencies starting at 58.59kHz and ending at 28125.00kHz. Maybe these people contacted you before the start?
I can't help feeling that if this were a legitimate use, the source would contact John, declare their intention and keep him updated.
I've been banging on about Vultr for at least a year so they surely must know they are being specifically blocked due to "activity not consistent with open and fair use".
I'll go back over my router blocklists, but these seem obvious bot sources from recent activity (Jim):
188.8.131.52 [184.108.40.206 - 220.127.116.11, 18.104.22.168/21, The Constant Company, LLC (CHOOP-1), AS20473]
22.214.171.124 [126.96.36.199 - 188.8.131.52, 184.108.40.206/18, The Constant Company, LLC (CHOOP-1), AS20473]
220.127.116.11 [18.104.22.168 - 22.214.171.124, 126.96.36.199/18, The Constant Company, LLC (CHOOP-1), AS20473]
188.8.131.52 [184.108.40.206 - 220.127.116.11, 18.104.22.168/20, The Constant Company, LLC (CHOOP-1), AS20473]
22.214.171.124 [126.96.36.199 - 188.8.131.52, 184.108.40.206/19, The Constant Company, LLC (CHOOP-1), AS20473]
220.127.116.11 [18.104.22.168 - 22.214.171.124, Vultr Holdings LLC Amsterdam, AS20473]
Some of the first ones are a bit more complicated to extract the right CIDR from; I'll look after work, e.g. https://rdap.apnic.net/ip/126.96.36.199
As my router has IP ranges blocked, it is quite easy to see the logs of IPs active from those ranges. Blocking IPs is a fairly agricultural way to reduce the traffic on a short-term basis, but it has at least highlighted the problem.
To see what actual IP addresses seem active in these ranges, I replaced them with a placeholder and counted some log entries since last Sunday. 188.8.131.52 seems the most active in this period.
184.108.40.206 AAA = 156
220.127.116.11 AAB = 82
18.104.22.168 AAC = 639
22.214.171.124 AAD = 296
126.96.36.199 AAE = 806
188.8.131.52 AAF = 470
184.108.40.206 AAG = 750
220.127.116.11 AAH = 528
18.104.22.168 AAI = 272
22.214.171.124 AAJ = 542
126.96.36.199 AAK = 414
188.8.131.52 AAL = 475
184.108.40.206 AAM = 466
220.127.116.11 AAN = 236
18.104.22.168 AAO = 258
22.214.171.124 AAP = 182
126.96.36.199 AAQ = 28
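The per-address tally above can be produced directly from the kiwid lines in syslog. The script below is an added example written for this thread, not code from the KiwiSDR project or from the poster: it pulls every IPv4 address out of lines that mention kiwid, counts connections per address, rolls the counts up into the blocked ranges, and prints the same "AAA = 156" style table with placeholders in place of addresses. The log lines and the blocklist are constructed (documentation ranges); the real kiwid line layout differs, and only the presence of a source address in the line is relied on.

```python
import re
import string
from collections import Counter
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Dict, Iterable, List

# Constructed sample syslog lines; not real kiwid output.
SAMPLE_LOG = """\
Sep 10 08:01:12 kiwisdr kiwid: 00:00:01 L1 203.0.113.77 kiwirecorder.py connect
Sep 10 08:01:12 kiwisdr kiwid: 00:00:01 L2 203.0.113.77 kiwirecorder.py connect
Sep 10 08:01:13 kiwisdr kiwid: 00:00:02 L3 203.0.113.91 kiwirecorder.py connect
Sep 10 08:02:40 kiwisdr kiwid: 00:01:29 L4 198.51.100.20 kiwirecorder.py connect
Sep 10 08:03:01 kiwisdr kiwid: 00:01:50 L1 192.0.2.10 TDoA connect
Sep 10 08:03:05 kiwisdr kiwid: 00:01:54 L2 203.0.113.77 kiwirecorder.py connect
Sep 10 08:03:06 kiwisdr systemd[1]: Started Daily apt activities.
"""

# Constructed stand-in for the ranges blocked on the router.
BLOCKED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def count_by_ip(lines: Iterable[str], marker: str = "kiwid") -> Counter:
    """Count lines per source address, considering only lines containing marker.

    Each address is counted once per line; dotted quads that are not valid
    addresses (e.g. a version string like 1.2.3.400) are skipped."""
    counts: Counter = Counter()
    for line in lines:
        if marker not in line:
            continue
        for candidate in set(IPV4.findall(line)):
            try:
                ip_address(candidate)
            except ValueError:
                continue
            counts[candidate] += 1
    return counts


def group_by_range(counts: Counter, ranges: Iterable[str]) -> Dict[str, int]:
    """Sum the per-address counts into the blocked range each address falls in.
    Addresses outside every range are reported under 'unblocked'."""
    nets = [ip_network(r) for r in ranges]
    totals: Dict[str, int] = {str(n): 0 for n in nets}
    totals["unblocked"] = 0
    for ip, n in counts.items():
        addr = ip_address(ip)
        for net in nets:
            if addr in net:
                totals[str(net)] += n
                break
        else:
            totals["unblocked"] += n
    return totals


def placeholder_report(counts: Counter) -> List[str]:
    """Render 'AAA = 156' style lines, most active address first, with a
    three-letter placeholder (AAA, AAB, ...) standing in for each address."""
    labels = ("".join(t) for t in product(string.ascii_uppercase, repeat=3))
    return [f"{next(labels)} = {n}" for _, n in counts.most_common()]


if __name__ == "__main__":
    per_ip = count_by_ip(SAMPLE_LOG.splitlines())
    print("\n".join(placeholder_report(per_ip)))
    print(group_by_range(per_ip, BLOCKED_RANGES))
```

On a live Kiwi the same functions can be fed the output of the grep command quoted earlier in the thread (and the rotated syslog.1 for the previous day), so the counts cover the same window the router blocklist does.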
@rz3dvp Maybe these people contacted you before the start?
No, I've never heard from these people. The main problem is that their script/program makes multiple, simultaneous or repeated connections on the same Kiwi, tying up all the receive channels. And seems to sample the same portions of the waterfall while doing this. Like their script has a bug or something. If they behaved better we probably wouldn't even notice them. Just like no one notices the 30 second TDoA sampling connections.
CHOOP (Constant) and VULTR are the same
"CHOOP (Constant) and VULTR are the same"
That is why I mentioned AS20473