• Banned

    From Digimaus@618:618/1 to All on Mon Apr 29 11:12:19 2024
    Hi everyone,

    So I was checking my server's fail2ban "recidive-subnet" filter and I see 20.197.49.0 sitting there. Nearly everything else showing up are IP blocks owned by Tencent out of Singapore (Chinese government script kiddies are everywhere) so I was interested.

    The results made me laugh:

    ===
    NetRange: 20.192.0.0 - 20.255.255.255
    CIDR: 20.192.0.0/10
    NetName: MSFT
    NetHandle: NET-20-192-0-0-1
    Parent: NET20 (NET-20-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: Microsoft Corporation (MSFT)
    RegDate: 2017-10-18
    Updated: 2021-12-14
    Ref: https://rdap.arin.net/registry/ip/20.192.0.0
    ===

    But of course it's MS Azure. LOL.

    -- Sean

    ... A police state is a wonderful thing...if you're the police.
    --- MultiMail/Linux v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Mike Powell@618:250/1 to DIGIMAUS on Tue Apr 30 08:49:00 2024
    ===
    NetRange: 20.192.0.0 - 20.255.255.255
    CIDR: 20.192.0.0/10
    NetName: MSFT
    NetHandle: NET-20-192-0-0-1
    Parent: NET20 (NET-20-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: Microsoft Corporation (MSFT)
    RegDate: 2017-10-18
    Updated: 2021-12-14
    Ref: https://rdap.arin.net/registry/ip/20.192.0.0
    ===

    I think I have had a few Microsoft IPAs wind up in the banned file over the years. I also get a chuckle out of it. ;)

    Mike


    * SLMR 2.1a * Psychoceramics: The study of crackpots.
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
  • From Digimaus@618:618/1 to Mike Powell on Tue Apr 30 19:58:30 2024
    Mike Powell wrote to DIGIMAUS <=-

    I think I have had a few Microsoft IPAs wind up in the banned file over the years. I also get a chuckle out of it. ;)

    With this "recidive-subnet" filter for fail2ban and using the built-in "pam-generic" filter, that combo works well. I have pfSense up and running
    now as my former router couldn't handle my 600/600 fiber connection. So
    after tossing together an old HP EliteDesk 705 (3.4 gHz i5, 8GB RAM) with
    two Intel PRO/1000 PCIe NICs, I've had some good success.

    From a speedtest.net test I just ran: https://tinyurl.com/zd8w8w43

    I'm getting 608 mbps down and 605 mbps up (rounded) so I am definitely not complaining!

    Anyhow, back to the filter...lately it's been a bunch of subnets belonging
    to Tencent in Singapore. Those Chinese script kiddies and CCP members are everywhere! XD

    What's funny is that I have port 22 wide open and interestingly enough, the rest of my filters are empty:

    {'recidive-subnet': ['163.47.39.0', '129.226.147.0', '43.134.118.0', '154.16.56.0', '192.144.65.0', '43.163.237.0', '124.156.223.0',
    '43.130.42.0', '43.163.214.0', '43.134.111.0', '20.197.49.0']}

    Almost all of the above are from Chinese ISPs.

    The ban time for that filter is 26 weeks. Sucks to be them.

    -- Sean

    ... That must be wonderful! I don't understand it at all.
    --- MultiMail/Linux v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Mike Powell@618:250/1 to DIGIMAUS on Wed May 1 08:22:00 2024
    What's funny is that I have port 22 wide open and interestingly enough, the rest of my filters are empty:

    {'recidive-subnet': ['163.47.39.0', '129.226.147.0', '43.134.118.0', '154.16.56.0', '192.144.65.0', '43.163.237.0', '124.156.223.0', '43.130.42.0', '43.163.214.0', '43.134.111.0', '20.197.49.0']}

    Almost all of the above are from Chinese ISPs.

    Many of mine are from China also. When I had 22 open I noticed that the scripts hit that port (SSH) a *lot* harder than the standard telnet port.
    I found that interesting since SSH is encrypted but, then again, most IoT devices are probably more likely to have an SSH port open vs. a telnet port.

    Mike


    * SLMR 2.1a * A problem can be found for almost every solution.
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
  • From Jas Hud@618:250/1 to Mike Powell on Thu May 2 19:24:29 2024
    To: Mike Powell
    Re: Re: Banned
    By: Mike Powell to DIGIMAUS on Wed May 01 2024 08:22 am

    From Newsgroup: micronet.comp

    What's funny is that I have port 22 wide open and interestingly enough, the rest of my filters are empty:

    {'recidive-subnet': ['163.47.39.0', '129.226.147.0', '43.134.118.0', '154.16.56.0', '192.144.65.0', '43.163.237.0', '124.156.223.0', '43.130.42.0', '43.163.214.0', '43.134.111.0', '20.197.49.0']}

    Almost all of the above are from Chinese ISPs.

    Many of mine are from China also. When I had 22 open I noticed that the scripts hit that port (SSH) a *lot* harder than the standard telnet port.
    I found that interesting since SSH is encrypted but, then again, most IoT devices are probably more likely to have an SSH port open vs. a telnet port.

    Mike

    i've been running servers for so long i don't even pay attention to that stuff unless it's intelligent or causing harm. i took over datastream from a dead ssyop and he had MD and he tried every online scheme to make money and that caused a lot of traffic over the years.
    --- Synchronet 3.19b-Win32 NewsLink 1.113
    * bbses.info - http://bbses.info - telnet://bbses.info
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)