[Systems] Fwd: Please Help SN under spam attack

Samuel Cantero scanterog at gmail.com
Tue Feb 21 09:46:12 EST 2017


Done.

Simple script added in /etc/firewall. Default policy is accept and it
blocks the ranges 5.188.211.0/24 and 188.143.232.0/24.

In case new IPs come up, just update the range (better than single IPs) to
BLOCK_RANGE (one per line) and apply the firewall by executing /etc/firewall.

Added to rc.local in order to apply rules after reboot.

Best regards,

Sam.

On Tue, Feb 21, 2017 at 11:25 AM, Sebastian Silva <sebastian at fuentelibre.org> wrote:

> Hi Samuel,
>
> Agreed that ufw firewall is trying to be smart and blocking too much. I
> appreciate your help in blocking the following IPs.
>
> IPs that have been attacking network.sugarlabs.org:
>
>
> -------- Forwarded Message --------
> Subject: Re: Fwd: Please Help SN under spam attack
> Date: Wed, 18 Jan 2017 13:29:49 -0500
> From: Sebastian Silva <sebastian at fuentelibre.org>
> To: Laura Vargas <laura at somosazucar.org>,
> Sebastian Silva <sebastian at somosazucar.org>
> CC: Aleksey Lim <me at alsroot.su>, systems
> <systems at lists.sugarlabs.org>
>
>
> Hi Aleksey,
>
> I'm cc'ing systems@ just to keep them informed of this ongoing attack and
> countermeasures.
>
> One context in the Sugar Network was being updated with POST requests from
> 20 different hosts, every second or so.
>
> Aleksey, your suggestion to use the Apache Require directive to block them did
> not work before Apache 2.4, and we have 2.2.
>
> So I enabled the ufw firewall and blocked the following 20 addresses
> coming from Russia :-)
>
> I isolated the IPs from Apache access logs.
>
> I was wondering, I enabled http, https and ssh.
>
> Aleksey, just double-checking, Sugar Network XO clients connect over
> port 80, correct?
>
> Are there other services on jita.sugarlabs.org that require other ports
> open?
>
> Regards,
>
> Sebastian
>
> On 18/01/17 12:13, Laura Vargas wrote:
>
> FYI
>
> Thanks and blessings for both.
>
> ---------- Forwarded message ----------
> From: Aleksey Lim <me at alsroot.su>
> Date: 2017-01-18 11:27 GMT-05:00
> Subject: Re: Please Help SN under spam attack
> To: Laura Vargas <laura at somosazucar.org>
>
>
> January 18, 2017 7:10 PM, "Laura Vargas" <laura at somosazucar.org> wrote:
> >> or blocking IPs on Apache level.
> >
> > Any risk attached to this option? is this something you could do?
>
> Never did such stuff myself, but fast googling suggested
> https://httpd.apache.org/docs/2.4/howto/access.html
> So, ask icarito to tune webui Apache configuration.
>
> --
> Aleksey
>
>
>
> --
> Laura V.
> * I&D SomosAZUCAR.Org*
>
> “No paradox, no progress.”
> ~ Niels Bohr
>
> Happy Learning!
>
>
>
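
The firewall script Sam describes at the top of this message is not reproduced in the archive. The following is an added example, not the script from the Sugar Labs host: one way such a script could look, extended with a helper that groups POST requests from an Apache access log by /24 range. It assumes iptables; only `BLOCK_RANGE` and its two ranges come from the e-mail, while `DRY_RUN`, `run`, `valid_cidr`, `apply_firewall`, `sample_log` and `ranges_from_log` are hypothetical names.

```shell
#!/bin/sh
# Added example; not the /etc/firewall script from the Sugar Labs host.
# BLOCK_RANGE is the name used in the e-mail: one CIDR range per line.
BLOCK_RANGE="5.188.211.0/24
188.143.232.0/24"
DRY_RUN="${DRY_RUN:-1}"   # assumed switch: 1 prints commands, 0 runs them as root
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept only a.b.c.d/n with octets <= 255 and 8 <= n <= 32. The /8 floor is an
# assumed safety limit so that a typo such as /0 cannot drop all traffic.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 < 8 || $5 > 32) exit 1 }'
}

# Default policy ACCEPT, then one DROP rule per valid line of BLOCK_RANGE.
# Flushing INPUT keeps re-runs idempotent; assumes nothing else manages it.
apply_firewall() {
    run iptables -F INPUT
    run iptables -P INPUT ACCEPT
    printf '%s\n' "$BLOCK_RANGE" | while IFS= read -r range; do
        [ -n "$range" ] || continue
        if valid_cidr "$range"; then
            run iptables -A INPUT -s "$range" -j DROP
        else
            echo "skipping invalid range: $range" >&2
        fi
    done
}

# Constructed access-log lines (documentation addresses, not real traffic).
sample_log() {
    for h in 10 11 13; do
        echo "192.0.2.$h - - [18/Jan/2017:13:00:01 -0500] \"POST /c HTTP/1.1\" 200 9"
    done
    echo '198.51.100.7 - - [18/Jan/2017:13:00:02 -0500] "GET / HTTP/1.1" 200 512'
}

# Read an Apache access log on stdin and list /24 ranges with >= $1 POSTs,
# ready to paste into BLOCK_RANGE (client IP is field 1, method is field 6).
ranges_from_log() {
    awk -v min="$1" '$6 == "\"POST" {
            split($1, o, "."); n[o[1] "." o[2] "." o[3] ".0/24"]++ }
        END { for (r in n) if (n[r] >= min) print r }' | sort
}

if [ "${1:-}" = apply ]; then apply_firewall; fi
```

With the default `DRY_RUN=1` the `apply` argument only prints the iptables commands, so the rule set can be reviewed before it is run for real or called from rc.local.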