[Systems] Fwd: Please Help SN under spam attack

Sebastian Silva sebastian at fuentelibre.org
Tue Feb 21 10:32:57 EST 2017


Thanks for your time, especially for the details. They will be useful in
the future for sure.

Regards,

Sebastian


On 21/02/17 09:46, Samuel Cantero wrote:
> Done.
>
> Simple script added in /etc/firewall. Default policy is accept and it
> blocks the ranges 5.188.211.0/24 and 188.143.232.0/24.
>
> In case new IPs come up, just update the range (better than single
> IPs) to BLOCK_RANGE (one per line) and apply the firewall by executing
> /etc/firewall.
>
> Added to rc.local in order to apply rules after reboot.
>
> Best regards,
>
> Sam.
>
> On Tue, Feb 21, 2017 at 11:25 AM, Sebastian Silva
> <sebastian at fuentelibre.org> wrote:
>
>     Hi Samuel,
>
>     Agreed that ufw firewall is trying to be smart and blocking too
>     much. I appreciate your help in blocking the following IPs.
>
>     IPs that have been attacking network.sugarlabs.org:
>
>
>
>
>     -------- Forwarded Message --------
>     Subject: Re: Fwd: Please Help SN under spam attack
>     Date: Wed, 18 Jan 2017 13:29:49 -0500
>     From: Sebastian Silva <sebastian at fuentelibre.org>
>     To: Laura Vargas <laura at somosazucar.org>, Sebastian Silva
>     <sebastian at somosazucar.org>
>     CC: Aleksey Lim <me at alsroot.su>, systems
>     <systems at lists.sugarlabs.org>
>
>
>
>     Hi Aleksey,
>
>     I'm cc'ing systems@ just to keep them informed of this ongoing attack
>     and countermeasures.
>
>     One context in the Sugar Network was being updated with POST
>     requests from 20 different hosts, every second or so.
>
>     Aleksey, your suggestion to use the Apache Require directive to block
>     them did not work before Apache 2.4, and we have 2.2.
>
>     So I enabled the ufw firewall and blocked the following 20
>     addresses coming from Russia :-)
>
>     I isolated the IPs from the Apache access logs.
>
>
>     I was wondering, I enabled http, https and ssh.
>
>     Aleksey, just double-checking: Sugar Network XO clients connect
>     over port 80, correct?
>
>     Are there other services on jita.sugarlabs.org that require other
>     ports open?
>
>     Regards,
>
>     Sebastian
>
>
>     On 18/01/17 12:13, Laura Vargas wrote:
>>     FYI
>>
>>     Thanks and blessings for both.
>>
>>     ---------- Forwarded message ----------
>>     From: *Aleksey Lim* <me at alsroot.su>
>>     Date: 2017-01-18 11:27 GMT-05:00
>>     Subject: Re: Please Help SN under spam attack
>>     To: Laura Vargas <laura at somosazucar.org>
>>
>>
>>     January 18, 2017 7:10 PM, "Laura Vargas" <laura at somosazucar.org> wrote:
>>     >> or blocking IPs on Apache level.
>>     >
>>     > Any risk attached to this option? is this something you could do?
>>
>>     Never did such stuff myself, but fast googling suggested
>>     https://httpd.apache.org/docs/2.4/howto/access.html
>>     So, ask icarito to tune webui Apache configuration.
>>
>>     --
>>     Aleksey
>>
>>
>>
>>     -- 
>>     Laura V.
>>     *I&D SomosAZUCAR.Org*
>>
>>     “No paradox, no progress.” 
>>     ~ Niels Bohr
>>
>>     Happy Learning!
>>
>
>
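
Added example, not part of the original thread and not the /etc/firewall script it mentions: one way to carry out the two steps described above, isolating the POSTing clients from an Apache access log and collapsing them into /24 ranges for a block list. The log lines, the `/context/` path and the thresholds are constructed assumptions, and the addresses are documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the start of an Apache common/combined log line: client, method, path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def sample_line(ip, method, path):
    # Constructed log line, not taken from the thread.
    return f'{ip} - - [18/Jan/2017:12:00:00 -0500] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample: three flooding hosts in one /24, one lone flooder, normal traffic.
SAMPLE_LOG = "\n".join(
    [sample_line(ip, "POST", "/context/1")
     for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.13") for _ in range(3)]
    + [sample_line("203.0.113.7", "POST", "/context/1")] * 4
    + [sample_line("192.0.2.5", "GET", "/context/1")] * 10
    + [sample_line("192.0.2.9", "POST", "/context/1")]
    + ["not a log line"]
)

def post_counts(log_text, path_prefix):
    """Count POST requests per IPv4 client for paths under path_prefix."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, method, path = m.groups()
        try:
            if ipaddress.ip_address(ip).version != 4:
                continue  # the /24 grouping below only makes sense for IPv4
        except ValueError:
            continue  # client field is a hostname or garbage
        if method == "POST" and path.startswith(path_prefix):
            counts[ip] += 1
    return dict(counts)

def block_ranges(counts, min_posts=3, min_hosts=2):
    """Split offenders into /24 ranges (>= min_hosts offenders) and single IPs."""
    by_net = defaultdict(set)
    for ip, n in counts.items():
        if n >= min_posts:
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    ranges = sorted(str(net) for net, hosts in by_net.items() if len(hosts) >= min_hosts)
    singles = sorted(ip for hosts in by_net.values() if len(hosts) < min_hosts for ip in hosts)
    return ranges, singles

if __name__ == "__main__":
    print(block_ranges(post_counts(SAMPLE_LOG, "/context/")))
```

Review the proposed ranges before adding them to a block list: a /24 rule also drops any legitimate client in that range, so the `min_hosts` threshold should stay above 1.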
