
Re: yet another IP blocklist (mine!)

From Moe Trin <ibuprofin@painkiller.example.tld.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-11-28 02:10 +0000
Organization Crash Test Dummy Training Academy
Message-ID <slrno3n4i5.6ni.ibuprofin@planck.phx.az.us> (permalink)
References (4 earlier) <MPG.327d9502ab733f6f989682@reader80.eternal-september.org> <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us> <MPG.329ea37bff320fd4989681@news.albasani.net> <slrno3cfo3.gb2.ibuprofin@planck.phx.az.us> <MPG.32a3ddc17009d6e5989683@news.albasani.net>



On Sat, 26 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.32a3ddc17009d6e5989683@news.albasani.net>, Supratim Sanyal wrote:

>ibuprofin@painkiller.example.tld.invalid says...

>> Last month, I enabled logging on the firewall for a day, and was
>> seeing an _average_ of 81 rather obvious 'bots per hour during the
>> entire period.  Based on the RFC defined protocols, more than 95% of
>> the connection attempts I saw (1953 of 2029 in 24 hours) were 'bots.

>Made some progress. Looked deeper at one of my internet-facing OpenVMS 
>VMs, clearly see "/bin/busybox MIRAI" forced right after the attempted
>password. I have OpenVMS logs already forwarded to a central linux
>syslog server, wrote a bash script to parse these and spoof pam
>privlog lines. fail2ban picks them up, and bans them as well as
>reports to blocklist.de ...

Seems like a waste of CPU cycles to me - how many sane people offer a
server on port 23 today (since... maybe 1999 or so)?   Busybox itself
is not the problem - it's the idiots who fail to secure the boxes where
busybox is frequently a main tool - routers, DVDs, etc.   Lately, I'm
also seeing an up-tick in connection attempts to 7547/tcp (the RomPager
web-server used on routers/DVD-players/etc.) which is another massive
security hole.  Thing is, it's a moving target - two months ago, I was
seeing 30-50 hits/hour on 53413/udp (Netis/NetCore router backdoor),
while in the first several months of this year it was DDOS attacks
using mis-configured DNS servers (and in consequence, lots of hits on
53/udp looking for open nameservers).

>spam has gone down but will not disappear

'spam' is what you get in the mail - and actually, my received spam
levels have decreased over the past 15 years.  I can't remember the
last time I was offered pills at lower costs, a lower interest rate on
the credit card/mortgage or multiple millions of $CURRENCY_UNITS from
the wife of the deceased dictator of Lower Whoositz or what-ever.

>OpenVMS logs the hostname after a lookup and reverse-DNS does not work
>for all of the hostnames it logs.

Used to was, ("man 5 hosts_access") we did reverse lookups to validate
any remote trying to connect:

   PARANOID
       Matches  any  host  whose name does not match its address.  When
       tcpd is built with -DPARANOID (default mode), it drops  requests
       from  such  clients  even  before  looking at the access control
       tables.  Build without -DPARANOID when  you  want  more  control
       over such requests.
       
but I'm seeing a substantial number of ISPs that don't bother setting
up PTR records on their DNS.  In the late-1980s when I was also doing
registrar duties and responsible for the division's DNS and NIS yellow
pages services, we had a Makefile ("man 1 make") that automagically
parsed the source hosts file we used to create the appropriate (DNS and
NIS) file entries from a single entry - it was assumed that an A record
in DNS (hostname to IP) would have a matching PTR record (IP to
hostname) as well as the "yp" files that are similar to looking in the
/etc/hosts files.  The sub-domain I was responsible for had some 31000
IPv4 addresses to match up - which any idiot who knows shell scripting
can handle.  There was even a Perl script that was supplied with bind
(Berkeley Internet Name Daemon - the de-facto standard name server)
that would create the appropriate DNS zone files from a source file
that was formatted like /etc/hosts.   ISPs seem to lack this caliber of
skill - I guess the drug crazed chimpanzees (hired because their 7
bananas/day wage is what the ISP can pay and still make a profit) they
are using as network administrators were not trained.  Consequently, I
am used to seeing /12s (255.240.0.0) either return NXDOMAIN, SERVFAIL,
"localhost" or "." to any PTR lookup.  Another source of the problem is
virtual hosts - when you have 100 hostname (A) records pointing to a
single IP, which name should your PTR record for that IP point to?  You
may find the RFC "draft-ietf-dnsop-isp-ip6rdns" interesting.  The
abstract for version -02 of the document reads

  "Reverse DNS in IPv6 for Internet Service Providers", Lee Howard,
  2016-07-18, <draft-ietf-dnsop-isp-ip6rdns-02.txt>

    In IPv4, Internet Service Providers (ISPs) commonly provide IN-
    ADDR.ARPA information for their customers by prepopulating the zone
    with one PTR record for every available address.  This practice does
    not scale in IPv6.  This document analyzes different approaches and
    considerations for ISPs in managing the ip6.arpa zone for IPv6
    address space assigned to many customers.

There are several paragraphs in that document (use a search engine, or
try "ftp search.ietf.org" and look in the /internet-drafts/ directory)
that are discouraging, but when the smallest IPv6 address block being handed
out to end-users is a /96 (ffff:ffff:ffff:ffff:ffff:ffff:0000:0000 or
2^32 hosts), it's not unexpected.

        Old guy
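The tcpd PARANOID check quoted above (reverse lookup, then a forward lookup of the returned name, and compare) as an added example, not code from the post or from tcp_wrappers. The resolver tables, the 192.0.2.x/198.51.100.x addresses and the hostnames are constructed for an offline run; the `socket`-backed defaults are what you would pass in for live use. It separates "no PTR at all" (tcpd's UNKNOWN, which the post notes is common with ISPs that never populate in-addr.arpa) from a PTR that exists but does not map back (PARANOID), so a policy can treat the two differently.

```python
import socket

# Constructed resolver data standing in for DNS (no real hosts involved).
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",     # forward and reverse agree
    "192.0.2.20": "spoofed.example.org",  # PTR names a host that resolves elsewhere
    "192.0.2.30": "localhost",            # junk PTR of the kind the post mentions
    "192.0.2.40": ".",                    # another junk PTR
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "spoofed.example.org": ["198.51.100.5"],
    "localhost": ["127.0.0.1"],
}

def fake_reverse(ip):
    if ip not in FAKE_PTR:                 # stands in for NXDOMAIN / SERVFAIL
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]

def system_reverse(ip):                    # live PTR lookup via the libc resolver
    return socket.gethostbyaddr(ip)[0]

def system_forward(name):                  # live A lookup; returns all addresses
    return socket.gethostbyname_ex(name)[2]

def fcrdns_check(ip, reverse=system_reverse, forward=system_forward):
    """Return ('ok'|'unknown'|'paranoid', reason). 'unknown' = no PTR record
    (tcpd UNKNOWN); 'paranoid' = PTR does not map back to ip (tcpd PARANOID)."""
    try:
        name = reverse(ip)
    except OSError as e:                   # socket.herror is an OSError subclass
        return "unknown", f"no PTR for {ip}: {e}"
    if name.rstrip(".") in ("", "localhost"):
        return "paranoid", f"junk PTR {name!r} for {ip}"
    try:
        addrs = forward(name)
    except OSError as e:                   # socket.gaierror is an OSError subclass
        return "paranoid", f"PTR {name} has no A record: {e}"
    if ip not in addrs:
        return "paranoid", f"PTR {name} resolves to {addrs}, not {ip}"
    return "ok", f"{ip} <-> {name}"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(ip, *fcrdns_check(ip, fake_reverse, fake_forward))
```

Dropping "unknown" outright, as -DPARANOID builds effectively did, would reject the large ISP ranges the post describes as returning NXDOMAIN or SERVFAIL, so log that class separately before deciding to block it.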
