Probably a compromised Stanford system, which makes one suspect those coltish "Stanford students" instead of the real culprit, who is more likely either A/ to frustrate your service, such as Tor or WikiLeaks etc., B/ to be a script kiddie, or C/ to be an APT.
--------------------------------------------
On Tue 9.4.19, Keith Williams <keithwilliamsnp(a)gmail.com> wrote:
Subject: Re: [bitfolk] I know I should not take it personally but ...
To: "BitFolk Users" <users(a)lists.bitfolk.com>
Date: Tuesday, 9 April 2019, 09:00
Thanks,

I'll check it out. 6 hits a second over more than 24 hours is well over the top, whatever their excuse.
On Tue, 9 Apr 2019 at 14:55, Ryan Bibby <r.bibby(a)gmail.com> wrote:
Hi Keith

Stanford University you say?

At work I had some suspicious traffic from some Stanford University addresses. I contacted their abuse contact and it turned out they host a commercial vulnerability scanning service. In my case they had a legitimate contract to do this, but the message had not reached me.

It's possible that in your case it's the same tool rather than students, so it may be worth contacting them to find out why they are scanning your services.

Best wishes
Ryan
On Tue, 9 Apr 2019, 04:45 Keith Williams, <keithwilliamsnp(a)gmail.com> wrote:
No questions, just a bit of spleen venting.

Having been on a little break to deepest province where internet is very poor, I came back to find my vps under a lot of attacks.

Firstly, once or twice a day a website was going down for up to 5 minutes a day. Sorted that. Fail2ban was not running for some reason (again sorted by reinstalling from Debian backports). Found that known spamming IPs were hitting it hard but also were hitting at virtual hosts that no longer exist - Apache then redirects to the default virtual host. All sorts of things were then happening, including SSL timeouts etc. Fail2ban, adding a daily updated set of addresses from a content spammer blacklist to the firewall and removing A and AAAA records where possible from Bind for those old domains (I had to leave some like weirdname.exmple.com as they are used by other systems such as honeytraps etc.) all seemed to bring that very much under control. Some were looking for URLs that have not existed for a long long time.

Hours of perusing debug logs and tracking IPs via Google persuaded me to reinstall something I have not used in a while.

My SSH is quite safe, I use a different port, don't allow password sign on etc. So there is nothing listening on port 22. So I set it up so that on any attempt there, the IP gets added to a naughtyboy set, then is logged and dropped. Any future visits by that IP to any port, logged and dropped. Bit like F2B but this is more of a permaban.

Within seconds there were half a dozen IPs in the set. All in the same /21 CIDR block. The logs show them coming back up to twice a second each for at least 24 hours now. They go for ports 22, 23, 53, 80, 443 and 7777. That last one is particularly nasty. They have each done a couple of pings (blocked of course). The group of 3 IPs are all registered to Stanford University, so probably some students.

Keith
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
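Keith's port-22 trap, written up as an nftables ruleset. This is an added example, not Keith's own configuration (he did not post it) and not anything from BitFolk. It assumes the real sshd listens on the port in SSH_PORT (2222 is a placeholder), that the safe-list addresses are constructed RFC 5737 values, and it goes slightly beyond the post by adding that safe-list so an admin cannot trap their own monitoring or bastion host. Everything is done with nft as documented: a `dynamic` set that rules can add to at packet time, and a rule that logs and drops any later packet from a set member on any port or protocol (so the pings are caught too).

```shell
#!/bin/sh
# Added example, not code from the thread: an nftables version of the
# "naughtyboy set" Keith describes. Assumptions: the real sshd listens on
# $SSH_PORT (placeholder value), so nothing legitimate ever connects to tcp/22,
# and $ALLOW is a constructed safe-list so an admin cannot ban themselves.
set -eu

SSH_PORT="${SSH_PORT:-2222}"                   # assumed real SSH port
TRAP_PORT=22                                   # port nobody legitimate should touch
ALLOW="${ALLOW:-192.0.2.10, 198.51.100.0/24}"  # constructed safe-list (RFC 5737 ranges)

# Emit the ruleset as text so it can be reviewed or syntax-checked before loading.
build_ruleset() {
cat <<EOF
table inet trap {
    # Sources that must never be trapped (monitoring, your own hosts, a bastion).
    set allowlist {
        type ipv4_addr
        flags interval
        elements = { $ALLOW }
    }

    # Addresses caught on the trap port. 'dynamic' lets rules add elements at
    # packet time; no timeout, so this is a permanent ban ("more of a permaban").
    # Add 'timeout 7d' here to expire entries instead.
    set naughtyboy {
        type ipv4_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority -10; policy accept;

        ip saddr @allowlist accept

        # Repeat visits from a trapped address, to any port or protocol
        # (including ICMP echo), are logged and dropped.
        ip saddr @naughtyboy log prefix "naughtyboy-repeat: " drop

        # First contact on the trap port: record the source, log it, drop it.
        tcp dport $TRAP_PORT ct state new add @naughtyboy { ip saddr } log prefix "naughtyboy-new: " drop

        # The real SSH port is left to the normal firewall and fail2ban rules.
        tcp dport $SSH_PORT accept
    }
}
EOF
}

# Syntax-check without loading (needs nft installed); returns nft's exit status.
check_ruleset() {
    build_ruleset | nft -c -f -
}

# Load atomically. The chain is created if missing and then emptied, so rules
# are replaced on reload while the naughtyboy set and its elements survive.
# Only our own table is touched; fail2ban's chains are left alone.
apply_ruleset() {
    {
        printf 'table inet trap {\n chain input { type filter hook input priority -10; policy accept; }\n}\n'
        printf 'flush chain inet trap input\n'
        build_ruleset
    } | nft -f -
}

# List what has been trapped so far.
show_banned() {
    nft list set inet trap naughtyboy
}

case "${1:-show}" in
    show)   build_ruleset ;;
    check)  check_ruleset ;;
    apply)  apply_ruleset ;;
    banned) show_banned ;;
    *) echo "usage: $0 {show|check|apply|banned}" >&2; exit 2 ;;
esac
```

Run it with `check` first, then `apply` as root; `banned` prints the set. Two caveats: the rules match `ip saddr` only, so an IPv6 scanner needs a parallel `ip6 saddr` set and rules; and a scanner returning twice a second per address will produce a lot of "naughtyboy-repeat" lines, so if the log volume matters, put `limit rate 10/minute` in front of the `log` statement (the drop still applies to every packet).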
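Keith spotted by eye that the trapped addresses all sat in one /21 and kept returning for the same handful of ports. The summariser below does that grouping over the kernel log lines a LOG rule produces, reporting per /21 the hit count, distinct sources, ports in order of first appearance, and first/last timestamps. It is an added example, not from the thread; the log lines are constructed (RFC 5737 addresses, trimmed to the fields the script reads), and the prefixes "naughtyboy-new:" and "naughtyboy-repeat:" are assumed names that a firewall log rule would have to be given.

```shell
#!/bin/sh
# Added example: summarise firewall log lines by /21 source prefix.
# Assumes the LOG rule prefixes lines with "naughtyboy-new: " or
# "naughtyboy-repeat: " (assumed names) and emits the usual SRC=/DPT= fields.
set -eu

# Constructed sample of kernel log output (journalctl -k / kern.log). Not real
# lines from the thread; addresses are RFC 5737 test ranges.
sample_log() {
cat <<'EOF'
Apr  9 04:12:01 vps kernel: naughtyboy-new: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40512 DPT=22 SYN
Apr  9 04:12:01 vps kernel: naughtyboy-repeat: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40513 DPT=23 SYN
Apr  9 04:12:02 vps kernel: naughtyboy-repeat: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51020 DPT=7777 SYN
Apr  9 04:12:02 vps kernel: naughtyboy-repeat: IN=eth0 OUT= SRC=203.0.115.2 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Apr  9 04:12:03 vps kernel: naughtyboy-repeat: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40514 DPT=443 SYN
Apr  9 04:12:03 vps kernel: naughtyboy-repeat: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=80 SYN
EOF
}

# Read log lines on stdin; print one line per /21, busiest prefix first.
summarise_trap_log() {
    awk '
    /naughtyboy-(new|repeat): / {
        src = ""; dpt = "icmp"; ts = $1 " " $2 " " $3
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)   # absent on ICMP lines
        }
        if (src == "") next
        # /21 prefix: keep the first two octets, round the third down to a multiple of 8.
        split(src, o, ".")
        n = int(o[3] / 8) * 8
        p = o[1] "." o[2] "." n ".0/21"
        hits[p]++
        if (!((p, src) in seen)) { seen[p, src] = 1; srcs[p]++ }
        if (!((p, dpt) in pseen)) {
            pseen[p, dpt] = 1
            if (ports[p] == "") ports[p] = dpt; else ports[p] = ports[p] "," dpt
        }
        if (!(p in first)) first[p] = ts
        last[p] = ts
    }
    END {
        for (p in hits)
            printf "%s hits=%d sources=%d ports=%s first=\"%s\" last=\"%s\"\n",
                   p, hits[p], srcs[p], ports[p], first[p], last[p]
    }' | sort -t= -k2 -rn
}

# With no argument, run on the constructed sample; otherwise read the given log file.
case "${1:-demo}" in
    demo) sample_log | summarise_trap_log ;;
    *)    summarise_trap_log < "$1" ;;
esac
```

For a live box, `journalctl -k | ./trapsum.sh /dev/stdin` or pointing it at /var/log/kern.log gives the same table; a prefix whose sources and ports line up like this is what makes a "contact the abuse desk" message concrete (prefix, port list, first and last seen).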