Server updates

exxos
Site Admin
Posts: 28093
Joined: 16 Aug 2017 23:19
Location: UK

Re: Server updates

Post by exxos »

I looked through all the logs and I don't see the IP address listed as being blocked or connection refused anywhere. The server has correctly processed every connection which it has seen from that IP address. I even checked the abuse database and the IP address was only reported once five months ago (not by me). So the IP has never been blocked by any rules.

Re: Server updates

Post by exxos »

I've been getting a few unban IP requests over the past few days.. I've looked into it and found a common problem in my webexploits rules. I've fixed the problem, and unbanned the whole jail, as there's likely others who have not reported the problem yet.

Re: Server updates

Post by exxos »

I've noticed an IP address from yesterday got banned again (sorry) I'm looking into what happened this time...

EDIT:

It's odd because the IP address (89.23.5.137) was unbanned, and wasn't logged as being banned again, but was still banned :WTF:

EDIT2:

OK I see the problem, it's coming from a Russian search engine which I blocked totally.. because I blocked Russia totally because of obvious reasons... I've removed that rule.. see how we get on now.. But if we start getting hammered again then that rule may have to go back..

Re: Server updates

Post by exxos »

I assume nobody is getting banned again at this point?

I've not had any unban requests lately so I assume all is well...

There are several hundred rules in play and constant tweaking is likely needed..

I can report for the first time since all this started that we don't seem to be under heavy attack anymore. :hide:

There used to be several thousand IPs hitting the server constantly and looking at the abuse log, there's only a small number of IPs being banned every hour now. So I don't know if they finally gave up, or ran out of IPs. We've banned 260,000+ so far..
alexh
Site sponsor
Posts: 1278
Joined: 17 Oct 2017 16:51
Location: Oxfordshire

Re: Server updates

Post by alexh »

Nope no bans anymore. Very grateful.
Senior Principal ASIC Engineer - SystemVerilog, VHDL
Thalion Webshrine - http://thalion.atari.org
ST,STf,STfm,STe,MegaST,MegaSTe,Falcon060
A500+,A600,A4000/060,CD32,CDTV

Re: Server updates

Post by exxos »

Seem to have IPs doing 1 "forgot password" etc type of thing, but only once per IP. The IP ranges from like 201.x.x.x to 145.x.x.x . Those are tricky blighters as can't really tell if they are legit users or not.

My only idea is to block entire subnets if similar links happen in similar subnets.. but sad times if blocking whole subnets is how things are going now..

I will likely be doing some rule updates tonight... so watch out ;)


EDIT:

AI can figure it out :P


Re: Server updates

Post by exxos »

Been over 2,500 registration attempts from "random IPs" over the past few hours.

There's been a couple more fail2ban rules to check more prudently for signs of registration abuse (it is unlikely registration is completing because CleanTalk blocks most of them).

Most are being sneaky by rotating the IP address generously to avoid detection but my new AI powered script will hunt them down, ban and report them :)

Certainly not a serious thing by far, but it is way too hot (30C now in my room) to do much else tonight anyway. I've also found another weird bot evading detection which is now also killed.

There are hits from thousands of IPs hitting the rules and terms pages which are avoiding detection at the moment which I also need to look into blocking. The problem is thousands of IPs on "slow rotation" so hunting their subnets and blocking seems the way to catch them.
stween
Site sponsor
Posts: 282
Joined: 08 Sep 2018 15:10
Location: Brooklyn & Edinburgh

Re: Server updates

Post by stween »

Those are all under 57.129.0.0/17 (https://bgp.he.net/ip/57.129.24.1) which is announced by AS16276, which is OVH, a VPS hosting company. If they can spin VMs up and down at will, then I guess those VMs can also be (re)assigned IPs when they're brought up.

You could report abuse (https://www.ovhcloud.com/en/abuse/) and OVH may shut down the account, though obviously the spammers might turn up tomorrow with a new credit card. Alternatively you could block the /17 outright, because OVH isn't a typical eyeball ISP, so they're unlikely to be bringing much legit traffic in the first place.

Re: Server updates

Post by exxos »

@stween Thanks. Though that's just a very small part of the log. Similar with 201.x.x.x to 145.x.x.x and a few other ranges.

I could block the entire ranges but that's like half the internet :lol: Fail2ban doesn't help as they are rotating IPs often enough to avoid hitting any rules.

There's a script in place which scans the logs for similar IPs all hitting the exact same pages now. But it's difficult to avoid hitting legitimate traffic under the current "attacks".

Not many ever get past CleanTalk. But it starts to become a bit of a problem when such vast ranges of IP ranges start hitting the registration pages. Even though we have an SSD on the server, I've got most stuff cached in RAM now to reduce disk based bottlenecks. So we can take a pretty big beating these days. But if left unchecked, the attacks tend to grow :(

Like these..

Where do you draw the line to block the ranges..

EDIT:

My blocked IP list shot up overnight :shock: So scripts are holding up currently. So hopefully that will be the end of it.. for now..
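
An added example, not the script running on the forum server and not part of the original posts: one way to find slow-rotation abuse that per-IP fail2ban rules miss, by counting distinct low-volume addresses per subnet on the registration and password-reset pages. The log format, the watched URL fragments, the /24 grouping and the thresholds are all assumptions, and the log lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def _line(ip, path):
    # Build one constructed access-log line in combined log format.
    return f'{ip} - - [01/Jan/2025:21:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    # five addresses in one /24, one registration hit each (slow rotation)
    [_line(f"203.0.113.{h}", "/ucp.php?mode=register") for h in (5, 41, 77, 130, 212)]
    # one noisy address: per-IP rate rules already catch this one
    + [_line("203.0.113.9", "/ucp.php?mode=register")] * 10
    # a lone password reset from another range: could be a real user
    + [_line("198.51.100.20", "/ucp.php?mode=sendpassword")]
    # ordinary browsing of an unwatched page
    + [_line("192.0.2.14", "/viewtopic.php?t=1")] * 30
)

def flag_subnets(log_text, watched=("mode=register", "mode=sendpassword"),
                 prefix=24, min_ips=4, max_hits_per_ip=2):
    """Map subnet -> quiet IPs, for subnets where at least min_ips distinct
    addresses each hit a watched page no more than max_hits_per_ip times."""
    hits = defaultdict(lambda: defaultdict(int))  # subnet -> ip -> hit count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not any(w in m.group(2) for w in watched):
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # hostname, IPv6 or junk in the client field
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits[net][ip] += 1
    flagged = {}
    for net, per_ip in hits.items():
        quiet = sorted(ip for ip, n in per_ip.items() if n <= max_hits_per_ip)
        if len(quiet) >= min_ips:  # the "where to draw the line" threshold
            flagged[str(net)] = [str(ip) for ip in quiet]
    return flagged

if __name__ == "__main__":
    for subnet, ips in flag_subnets(SAMPLE_LOG).items():
        print(subnet, len(ips), "quiet IPs:", ", ".join(ips))
```

Lowering `min_ips` to 1 also flags the lone password-reset address, which is the false-positive risk to legitimate users that the thread describes.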

Re: Server updates

Post by exxos »

A bit of irony with this one :lol:

https://www.abuseipdb.com/check/104.28.254.77
