<div dir="ltr">Done.<div><br></div><div>Simple script added in /etc/firewall. Default policy is accept and it blocks the ranges <span style="font-size:12.8px">5.188.211.0/24 and 188.143.232.0/24. </span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">In case new IPs come up, just update the range (better than single IPs) to BLOCK_RANGE (one per line) and apply the firewall by executing /etc/firewall.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Added to rc.local in order to apply rules after reboot.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Best regards,</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Sam.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 21, 2017 at 11:25 AM, Sebastian Silva <span dir="ltr">&lt;<a href="mailto:sebastian@fuentelibre.org" target="_blank">sebastian@fuentelibre.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Samuel,</p>
<p>Agreed that ufw firewall is trying to be smart and blocking too
much. I appreciate your help in blocking the following IPs.<br>
</p>
<p> IPs that have been attacking <a href="http://network.sugarlabs.org" target="_blank">network.sugarlabs.org</a>:</p>
<div class="m_5853646080211941851moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="m_5853646080211941851moz-email-headers-table" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Subject:
</th>
<td>Re: Fwd: Please Help SN under spam attack</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Date: </th>
<td>Wed, 18 Jan 2017 13:29:49 -0500</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">From: </th>
<td>Sebastian Silva <a class="m_5853646080211941851moz-txt-link-rfc2396E" href="mailto:sebastian@fuentelibre.org" target="_blank">&lt;sebastian@fuentelibre.org&gt;</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">To: </th>
<td>Laura Vargas <a class="m_5853646080211941851moz-txt-link-rfc2396E" href="mailto:laura@somosazucar.org" target="_blank">&lt;laura@somosazucar.org&gt;</a>, Sebastian
Silva <a class="m_5853646080211941851moz-txt-link-rfc2396E" href="mailto:sebastian@somosazucar.org" target="_blank">&lt;sebastian@somosazucar.org&gt;</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">CC: </th>
<td>Aleksey Lim <a class="m_5853646080211941851moz-txt-link-rfc2396E" href="mailto:me@alsroot.su" target="_blank">&lt;me@alsroot.su&gt;</a>, systems
<a class="m_5853646080211941851moz-txt-link-rfc2396E" href="mailto:systems@lists.sugarlabs.org" target="_blank">&lt;systems@lists.sugarlabs.org&gt;</a></td>
</tr>
</tbody>
</table><div><div class="h5">
<br>
<br>
<p>Hi Aleksey,</p>
<p>I'm cc'ing systems@ just to keep them informed of this ongoing
attack and countermeasures.</p>
<p>One context in the Sugar Network was being updated with POST
requests from 20 different hosts, every second or so.<br>
</p>
<p>Aleksey, your suggestion to use the Apache Require directive to
block them did not work before Apache 2.4, and we have 2.2.<br>
</p>
<p>So I enabled the ufw firewall and blocked the following 20
addresses coming from Russia :-) <br>
</p>
<p>I isolated the IPs from the Apache access logs.<br>
</p>
<p>I was wondering, I enabled http, https and ssh.</p>
<p>Aleksey, just double-checking: Sugar Network XO clients
connect over port 80, correct?<br>
</p>
<p>Are there other services on <a href="http://jita.sugarlabs.org" target="_blank">jita.sugarlabs.org</a> that require
other ports open?</p>
<p>Regards,</p>
<p>Sebastian<br>
</p>
<br>
<div class="m_5853646080211941851moz-cite-prefix">On 18/01/17 12:13, Laura Vargas
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">FYI
<div><br>
</div>
<div>Thanks and blessings for both.</div>
<div><br>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Aleksey Lim</b> <span dir="ltr">&lt;<a href="mailto:me@alsroot.su" target="_blank">me@alsroot.su</a>&gt;</span><br>
Date: 2017-01-18 11:27 GMT-05:00<br>
Subject: Re: Please Help SN under spam attack<br>
To: Laura Vargas &lt;<a href="mailto:laura@somosazucar.org" target="_blank">laura@somosazucar.org</a>&gt;<br>
<br>
<br>
<span>January 18, 2017 7:10 PM, "Laura Vargas"
&lt;<a href="mailto:laura@somosazucar.org" target="_blank">laura@somosazucar.org</a>&gt;
wrote:<br>
&gt;&gt; or blocking IPs on Apache level.<br>
&gt;<br>
&gt; Any risk attached to this option? Is this something
you could do?<br>
<br>
</span>Never did such stuff myself, but fast googling
suggested<br>
<a href="https://httpd.apache.org/docs/2.4/howto/access.html" rel="noreferrer" target="_blank">https://httpd.apache.org/docs/<wbr>2.4/howto/access.html</a><br>
So, ask icarito to tune webui Apache configuration.<br>
<span class="m_5853646080211941851HOEnZb"><font color="#888888"><br>
--<br>
Aleksey<br>
</font></span></div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_5853646080211941851gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>Laura V.<br>
<font color="#ff00ff"><b> I&amp;D SomosAZUCAR.Org</b></font></div>
<div><br>
</div>
<div><font size="2"><span>“No
paradox, no progress.” </span></font></div>
<div><font size="2"><span>~ Niels
Bohr</span></font><br>
<br>
</div>
<div>Happy Learning!<br>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</div>
</blockquote></div><br></div>
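<p>Added example, not part of the original thread and not the script installed in /etc/firewall: one way to go from Apache access-log lines to a block list with one range per line, as the thread describes (isolate the POST sources, then prefer ranges over single IPs). The log lines, the path prefix <code>/context/</code>, the thresholds and the function names are assumptions made for illustration; addresses come from the documentation ranges.</p>

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log format: client address first, request line quoted.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')

def sample_log():
    """Constructed sample lines (documentation address ranges, hypothetical path)."""
    fmt = '{} - - [18/Jan/2017:13:00:{:02d} -0500] "{} {} HTTP/1.1" 200 512'
    lines = []
    for sec in range(4):
        for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
            lines.append(fmt.format(ip, sec, "POST", "/context/example"))
    lines.append(fmt.format("203.0.113.5", 9, "POST", "/context/example"))
    lines.append(fmt.format("203.0.113.5", 10, "GET", "/"))
    lines.append("garbage line that is not an access-log entry")
    return lines

def post_counts(lines, path_prefix):
    """Count POST requests per IPv4 client whose path starts with path_prefix."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        client, method, path = m.groups()
        try:
            ipaddress.IPv4Address(client)
        except ValueError:
            continue  # hostname or IPv6 client: out of scope here
        if method == "POST" and path.startswith(path_prefix):
            counts[client] += 1
    return counts

def block_ranges(counts, min_hits=3, min_hosts=2, prefix=24):
    """Collapse heavy posters into /prefix networks; a lone host stays a /32."""
    by_net = {}
    for client, hits in counts.items():
        if hits >= min_hits:
            net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
            by_net.setdefault(net, set()).add(client)
    out = []
    for net, hosts in by_net.items():
        out.extend([net] if len(hosts) >= min_hosts
                   else [ipaddress.ip_network(h) for h in hosts])
    return [str(n) for n in sorted(out)]

if __name__ == "__main__":
    print("\n".join(block_ranges(post_counts(sample_log(), "/context/"))))
```

<p>With a default-accept policy, a /24 entry also drops any legitimate client in that range, so review the output before adding it to the block list.</p>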