• Dealing with Microsoft

    From Sean Dennis@618:618/1 to All on Thu Feb 17 01:46:36 2022
    Hello All,

    I was looking at my fail2ban setup tonight and noticed some unusual activity. Lo and behold, the IP is registered to Microsoft. What it's doing scanning my SSH port I don't know but I went looking around on Google and found a way to do it in pfSense. If you want the particulars, look at the article (URL at end of message) but look at the size of this list of domains and subdomains to block (this is from 2019 so I am sure it's out of date):

    ===
    a-0001.a-msedge.net
    a.ads1.msn.com
    a.ads2.msn.com
    ad.doubleclick.net
    adnexus.net
    adnxs.com
    ads.msn.com
    ads1.msads.net
    ads1.msn.com
    az361816.vo.msecnd.net
    az512334.vo.msecnd.net
    choice.microsoft.com
    choice.microsoft.com.nsatc.net
    compatexchange.cloudapp.net
    corp.sts.microsoft.com
    corpext.msitadfs.glbdns2.microsoft.com
    cs1.wpc.v0cdn.net
    cs1.wpc.v0cdn.net
    statsfe1.ws.microsoft.com
    df.telemetry.microsoft.com
    diagnostics.support.microsoft.com
    fe2.update.microsoft.com.akadns.net
    feedback.microsoft-hohm.com
    feedback.search.microsoft.com
    feedback.windows.com
    i1.services.social.microsoft.com
    i1.services.social.microsoft.com.nsatc.net
    oca.telemetry.microsoft.com
    oca.telemetry.microsoft.com.nsatc.net
    pre.footprintpredict.com
    preview.msn.com
    rad.msn.com
    redir.metaservices.microsoft.com
    reports.wes.df.telemetry.microsoft.com
    services.wes.df.telemetry.microsoft.com
    settings-sandbox.data.microsoft.com
    sls.update.microsoft.com.akadns.net
    sqm.df.telemetry.microsoft.com
    sqm.telemetry.microsoft.com
    sqm.telemetry.microsoft.com.nsatc.net
    statsfe1.ws.microsoft.com
    statsfe2.update.microsoft.com.akadns.net
    statsfe2.ws.microsoft.com
    survey.watson.microsoft.com
    telecommand.telemetry.microsoft.com
    telecommand.telemetry.microsoft.com.nsatc.net
    telemetry.appex.bing.net
    telemetry.appex.bing.net:443
    telemetry.microsoft.com
    telemetry.urs.microsoft.com
    vortex-sandbox.data.microsoft.com
    vortex-win.data.microsoft.com
    vortex.data.microsoft.com
    watson.live.com
    watson.microsoft.com
    watson.ppe.telemetry.microsoft.com
    watson.telemetry.microsoft.com
    watson.telemetry.microsoft.com.nsatc.net
    wes.df.telemetry.microsoft.com
    a.ads1.msn.com
    a.ads2.msads.net
    a.ads2.msn.com
    a.rad.msn.com
    a-0001.a-msedge.net
    a-0002.a-msedge.net
    a-0003.a-msedge.net
    a-0004.a-msedge.net
    a-0005.a-msedge.net
    a-0006.a-msedge.net
    a-0007.a-msedge.net
    a-0008.a-msedge.net
    a-0009.a-msedge.net
    ac3.msn.com
    ad.doubleclick.net
    adnexus.net
    adnxs.com
    ads.msn.com
    ads1.msads.net
    ads1.msn.com
    aidps.atdmt.com
    aka-cdn-ns.adtech.de
    a-msedge.net
    apps.skype.com
    az361816.vo.msecnd.net
    az512334.vo.msecnd.net
    b.ads1.msn.com
    b.ads2.msads.net
    b.rad.msn.com
    bs.serving-sys.com
    c.atdmt.com
    c.msn.com
    ca.telemetry.microsoft.com
    cache.datamart.windows.com
    cdn.atdmt.com
    cds26.ams9.msecn.net
    choice.microsoft.com
    choice.microsoft.com.nsatc.net
    compatexchange.cloudapp.net
    corp.sts.microsoft.com
    corpext.msitadfs.glbdns2.microsoft.com
    cs1.wpc.v0cdn.net
    db3aqu.atdmt.com
    db3wns2011111.wns.windows.com
    df.telemetry.microsoft.com
    diagnostics.support.microsoft.com
    ec.atdmt.com
    fe2.update.microsoft.com.akadns.net
    fe3.delivery.dsp.mp.microsoft.com.nsatc.net
    feedback.microsoft-hohm.com
    feedback.search.microsoft.com
    feedback.windows.com
    flex.msn.com
    g.msn.com
    h1.msn.com
    i1.services.social.microsoft.com
    i1.services.social.microsoft.com.nsatc.net
    lb1.www.ms.akadns.net
    live.rads.msn.com
    m.adnxs.com
    m.hotmail.com
    msedge.net
    msftncsi.com
    msnbot-207-46-194-33.search.msn.com
    msnbot-65-55-108-23.search.msn.com
    msntest.serving-sys.com
    oca.telemetry.microsoft.com
    oca.telemetry.microsoft.com.nsatc.net
    pre.footprintpredict.com
    preview.msn.com
    pricelist.skype.com
    rad.live.com
    rad.msn.com
    redir.metaservices.microsoft.com
    reports.wes.df.telemetry.microsoft.com
    s.gateway.messenger.live.com
    s0.2mdn.net
    schemas.microsoft.akadns.net
    secure.adnxs.com
    secure.flashtalking.com
    services.wes.df.telemetry.microsoft.com
    settings.data.microsof.com
    settings-sandbox.data.microsoft.com
    settings-win.data.microsoft.com
    sls.update.microsoft.com.akadns.net
    sO.2mdn.net
    spynet2.microsoft.com
    spynetalt.microsoft.com
    sqm.df.telemetry.microsoft.com
    sqm.telemetry.microsoft.com
    sqm.telemetry.microsoft.com.nsatc.net
    ssw.live.com
    static.2mdn.net
    statsfe1.ws.microsoft.com
    statsfe2.update.microsoft.com.akadns.net
    statsfe2.ws.microsoft.com
    survey.watson.microsoft.com
    telecommand.telemetry.microsoft.com
    telecommand.telemetry.microsoft.com.nsatc.net
    telemetry.appex.bing.net
    telemetry.appex.bing.net:443
    telemetry.microsoft.com
    telemetry.urs.microsoft.com
    ui.skype.com
    v10.vortex-win.data.microsoft.com
    view.atdmt.com
    vortex.data.microsoft.com
    vortex-bn2.metron.live.com.nsatc.net
    vortex-cy2.metron.live.com.nsatc.net
    vortex-sandbox.data.microsoft.com
    vortex-win.data.microsoft.com
    watson.live.com
    watson.microsoft.com
    watson.ppe.telemetry.microsoft.com
    watson.telemetry.microsoft.com
    watson.telemetry.microsoft.com.nsatc.net
    wes.df.telemetry.microsoft.com
    win10.ipv6.microsoft.com
    www.msftncsi.com
    dns.msftncsi.com
    ipv6.msftncsi.com
    win10.ipv6.microsoft.com
    ipv6.msftncsi.com.edgesuite.net
    a978.i6g1.akamai.net
    win10.ipv6.microsoft.com.nsatc.net
    en-us.appex-rf.msn.com
    v10.vortex-win.data.microsoft.com
    client.wns.windows.com
    wildcard.appex-rf.msn.com.edgesuite.net
    v10.vortex-win.data.metron.life.com.nsatc.net
    wns.notify.windows.com.akadns.net
    americas2.notify.windows.com.akadns.net
    travel.tile.appex.bing.com
    any.edge.bing.com
    fe3.delivery.mp.microsoft.com
    fe3.delivery.dsp.mp.microsoft.com.nsatc.net
    ssw.live.com
    ssw.live.com.nsatc.net
    login.live.com.nsatc.net
    directory.services.live.com
    directory.services.live.com.akadns.net
    bl3302.storage.live.com
    skyapi.live.net
    bl3302geo.storage.dkyprod.akadns.net
    skyapi.skyprod.akadns.net
    skydrive.wns.windows.com
    register.mesh.com
    BN1WNS2011508.wns.windows.com
    settings-win.data.microsoft.com
    settings.data.glbdns2.microsoft.com
    OneSettings-bn2.metron.live.com.nsatc.net
    watson.telemetry.microsoft.com
    watson.telemetry.microsoft.com.nsatc.net
    ===

    The URL is: https://adobosyntax.wordpress.com/2019/04/06/blocking-microsoft-traffic-in-pfsense/

    You use the DNSBL in pfBlockerNG to do this in pfSense.

    You CAN block directly via CIDR but you have to make eight separate rules and I do not feel like doing that. <G>

    -- Sean

    ... "When the mouse laughs at the cat, there is a hole nearby." - Nigerian proverb
    ... "Does anyone REALLY read these stupid quotes?" - the SysOp
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
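Sean's starting point is fail2ban showing repeated SSH failures from an address whose registration comes back to Microsoft, and the alternative he mentions of blocking the provider's ranges by CIDR. The script below is an added example (mine, not Sean's setup, pfSense's code or fail2ban's) of doing that check over sshd log lines: it counts failures per source, attributes each source to a provider range, and collapses single hosts plus whole networks into the minimal CIDR list. The log lines and the provider ranges are constructed from RFC 5737 documentation addresses and the provider labels are hypothetical; real attribution would use the provider's published address list or WHOIS/RDAP.

```python
"""Attribute SSH brute-force sources to provider CIDR ranges and build a block list.

Added example, not from the thread. Log lines and provider ranges are
constructed from RFC 5737 documentation addresses; labels are hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed OpenSSH lines of the kind fail2ban's sshd filter matches.
AUTH_LOG = """\
Feb 17 01:40:01 outpost sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2
Feb 17 01:40:03 outpost sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 51240 ssh2
Feb 17 01:40:09 outpost sshd[2215]: Invalid user test from 198.51.100.9 port 51260
Feb 17 01:41:12 outpost sshd[2230]: Failed password for root from 192.0.2.77 port 40022 ssh2
Feb 17 01:42:30 outpost sshd[2240]: Failed password for invalid user pi from 203.0.113.5 port 3333 ssh2
Feb 17 01:42:31 outpost sshd[2240]: Failed password for invalid user pi from 203.0.113.5 port 3334 ssh2
Feb 17 01:42:32 outpost sshd[2240]: Failed password for invalid user pi from 203.0.113.5 port 3335 ssh2
Feb 17 01:43:00 outpost sshd[2250]: Accepted publickey for sean from 192.0.2.10 port 55000 ssh2
"""

# Hypothetical provider ranges. A real provider list (or WHOIS/RDAP lookups)
# goes here; published cloud lists run to thousands of prefixes.
PROVIDER_RANGES = {
    "cloud-provider-A (hypothetical)": ["198.51.100.0/24"],
    "vps-host-B (hypothetical)": ["203.0.113.0/24"],
}

# Matches "Failed password for [invalid user] X from IP port N" and
# "Invalid user X from IP port N"; successful logins do not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (source_ip, attempted_user) for every authentication failure."""
    return [(m.group("ip"), m.group("user"))
            for m in map(FAILED_RE.search, log_text.splitlines()) if m]


def attribute(ip, provider_ranges):
    """Label of the first provider range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for label, cidrs in provider_ranges.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return label
    return None


def offenders(log_text, provider_ranges, threshold=3):
    """Sources with at least `threshold` failures, with count and attribution."""
    counts = Counter(ip for ip, _ in parse_failures(log_text))
    return {ip: {"failures": n, "provider": attribute(ip, provider_ranges)}
            for ip, n in counts.items() if n >= threshold}


def block_list(hosts, networks=()):
    """Single hosts plus whole networks, collapsed to the minimal CIDR set,
    one entry per line, which is the form a pfSense Network alias accepts."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    nets += [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    hits = offenders(AUTH_LOG, PROVIDER_RANGES)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, {info['provider'] or 'unattributed'}")
    print("\n".join(block_list(hits, ["198.51.100.0/24"])))
```

A pfSense Network-type alias can hold any number of CIDRs and a single firewall rule can reference it, so the output of block_list() does not need one rule per range; pfBlockerNG's IP lists are built on the same alias mechanism. Two caveats worth keeping in mind: a cloud range identifies the hosting provider, not the actor, so a scan from such a range is usually a tenant's VM rather than the provider itself, and blocking the whole range also blocks every legitimate service hosted in it.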
  • From Jas Hud@618:300/12 to Sean Dennis on Thu Feb 17 02:13:30 2022
    To: Sean Dennis
    Re: Dealing with Microsoft
    By: Sean Dennis to All on Thu Feb 17 2022 01:46 am

    From Newsgroup: Micronet.MIN_COMP

    Hello All,

    I was looking at my fail2ban setup tonight and noticed some unusual activity. Lo and behold, the IP is registered to Microsoft. What it's doing scanning my SSH port I don't know but I went looking around on Google and

    Are you sure that's just not traffic from their antivirus software calling home or something like that. do you have a windows computer?
    --- Synchronet 3.18b-Win32 NewsLink 1.113
    * bbses.info - http://bbses.info - telnet://bbses.info
    * Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)
  • From Nick Andre@618:500/24 to Sean Dennis on Thu Feb 17 06:37:18 2022
    On 17 Feb 22 01:46:36, Sean Dennis said the following to All:

    I was looking at my fail2ban setup tonight and noticed some unusual activit Lo and behold, the IP is registered to Microsoft. What it's doing scanning SSH port I don't know but I went looking around on Google and found a way t

    Its likely a botnet operating on Azure infrastructure.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From Sean Dennis@618:618/1 to Jas Hud on Thu Feb 17 10:21:17 2022
    Hello Jas,

    17 Feb 22 02:13, you wrote to me:

    Are you sure that's just not traffic from their antivirus software
    calling home or something like that. do you have a windows computer?

    I have no Microsoft-powered computers in my possession.

    This morning, I wake up to someone using an IP belonging to Microsoft Brazil trying to smack my SSH port around. I noticed a few other Brazilian IPs in there so I just blocked the whole country.

    I don't know if someone was spoofing IP addresses from Microsoft but I'd rather be safe than sorry.

    I am also blocking a LOT of virtual hosted systems that are just outright trying to portscan my network.

    There's one problematic group called FranTech, with the company registered in Wyoming but with a .ca TLD, that has been causing issues for quite some time. I am making a dent though because they're showing up less often in my system logs.

    I love pfSense. <G>

    -- Sean

    ... Why is there so much month left at the end of the money?
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Sean Dennis@618:618/1 to Nick Andre on Thu Feb 17 10:24:54 2022
    Hello Nick,

    17 Feb 22 06:37, you wrote to me:

    Its likely a botnet operating on Azure infrastructure.

    That too which is why I have been blocking virtual private hosts like crazy lately. It's always chasing my tail though because I'm seemingly always behind.

    -- Sean

    ... He who always plows a straight furrow is in a rut.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Nick Andre@618:500/24 to Sean Dennis on Thu Feb 17 11:19:28 2022
    On 17 Feb 22 10:24:54, Sean Dennis said the following to Nick Andre:

    Its likely a botnet operating on Azure infrastructure.

    That too which is why I have been blocking virtual private hosts like crazy lately. It's always chasing my tail though because I'm seemingly always behind.

    You'll never be able to 100% block them, but I don't notice them at all with pfsense at the helm.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From Sean Dennis@618:618/1 to Nick Andre on Thu Feb 17 12:18:11 2022
    Hello Nick,

    17 Feb 22 11:19, you wrote to me:

    You'll never be able to 100% block them, but I don't notice them at
    all with pfsense at the helm.

    I'm sure I've cut down the number quite a bit. I need to dial in fail2ban's recidive filter a bit and that will help also. Strange that suddenly I had all of those hits from Brazil this morning but I don't have to worry about that either. *pets his pfSense box*

    -- Sean

    ... Beauty is only skin deep but ugly goes clear to the bone.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
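Sean mentions tuning fail2ban's recidive jail, the one that reads fail2ban's own log and hands out a long all-ports ban to addresses that keep getting banned by the other jails. The script below is an added example (mine, not fail2ban's code or Sean's configuration) that reproduces that logic so the effect of the window and threshold can be seen on sample data: an address is banned once it has collected `maxretry` bans from other jails inside `findtime`, for `bantime`. The fail2ban.log lines are constructed; the three parameters are in seconds as in jail.conf, and the values used are illustrative rather than a statement of any installation's defaults.

```python
"""Emulate fail2ban's recidive jail over fail2ban's own log.

Added example, not fail2ban's code or Sean's configuration. The log lines
are constructed; maxretry/findtime/bantime are parameters (seconds, as in
jail.conf) and the values used here are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed fail2ban.log excerpt: 203.0.113.5 is banned by the sshd jail
# five times in 18 hours, 198.51.100.9 five times but 25 hours apart,
# 192.0.2.77 once.
FAIL2BAN_LOG = """\
2022-02-13 08:00:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2022-02-14 09:00:00,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2022-02-15 10:00:00,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2022-02-16 09:01:10,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-02-16 09:11:10,120 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2022-02-16 11:00:00,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2022-02-16 13:40:02,303 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-02-16 17:05:33,404 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-02-16 21:30:00,505 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-02-17 01:50:00,600 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.77
2022-02-17 03:15:45,606 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-02-17 03:15:46,700 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.5
2022-02-17 12:00:00,005 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
"""

# Only plain "Ban" lines count; "Unban" (and "Restore Ban" lines written when
# bans are reloaded from the database) do not match this pattern.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def recidive_bans(log_text, maxretry=5, findtime=86400, bantime=604800):
    """Return {ip: {"at", "until", "bans_in_window"}} for every address the
    recidive logic would ban (first trigger per address)."""
    window = defaultdict(deque)          # ip -> ban timestamps inside findtime
    banned = {}
    find_td, ban_td = timedelta(seconds=findtime), timedelta(seconds=bantime)
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        # The jail must not count its own bans, or one long ban would feed the next.
        if not m or m.group("jail") == "recidive":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip in banned and ts < banned[ip]["until"]:
            continue                     # already under the long ban
        q = window[ip]
        q.append(ts)
        while ts - q[0] > find_td:       # expire bans older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = {"at": ts, "until": ts + ban_td, "bans_in_window": len(q)}
            q.clear()
    return banned


if __name__ == "__main__":
    for ip, info in recidive_bans(FAIL2BAN_LOG).items():
        print(f"recidive: ban {ip} at {info['at']} until {info['until']} "
              f"({info['bans_in_window']} bans inside findtime)")
```

Running it with the illustrative values bans only 203.0.113.5; 198.51.100.9 never qualifies because each of its bans has aged out of the window before the next one lands, which is exactly the case a longer `findtime` is meant to catch. When tuning, keep the recidive `bantime` longer than the sshd jail's own, otherwise the all-ports ban can expire before the jail that triggered it would have.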
  • From Jas Hud@618:300/12 to Sean Dennis on Thu Feb 17 17:13:38 2022
    To: Sean Dennis
    Re: Dealing with Microsoft
    By: Sean Dennis to Jas Hud on Thu Feb 17 2022 10:21 am

    There's one problematic group called FranTech, with the company registered in Wyoming but with a .ca TLD, that has been causing issues for quite some time.
    I am making a dent though because they're showing up less often in my system logs.

    I love pfSense. <G>

    -- Sean

    well if you have the time to block all that shit, then go ahead. might be better to just block everything and then whitelist what you want incoming.

    there's millions of scanners out there, so i just let them scan unless i see them hitting hard and then i put them in my firewall.
    --- Synchronet 3.18b-Win32 NewsLink 1.113
    * bbses.info - http://bbses.info - telnet://bbses.info
    * Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)
  • From Sean Dennis@618:618/1 to Jas Hud on Thu Feb 17 20:27:04 2022
    Hello Jas,

    17 Feb 22 17:13, you wrote to me:

    there's millions of scanners out there, so i just let them scan unless
    i see them hitting hard and then i put them in my firewall.

    pfSense, by default, blocks all unsolicited traffic. These IPs that are showing up are scanning my SSH port.

    -- Sean

    ... Money talks. All mine says is "goodbye."
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Nick Andre@618:500/24 to Sean Dennis on Thu Feb 17 20:49:52 2022
    On 17 Feb 22 20:27:04, Sean Dennis said the following to Jas Hud:

    there's millions of scanners out there, so i just let them scan unless i see them hitting hard and then i put them in my firewall.

    pfSense, by default, blocks all unsolicited traffic. These IPs that are showing up are scanning my SSH port.

    Why is SSH open to the world? That should be behind OpenVPN?

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From Sean Dennis@618:618/1 to Nick Andre on Thu Feb 17 21:03:20 2022
    Hello Nick,

    17 Feb 22 20:49, you wrote to me:

    Why is SSH open to the world? That should be behind OpenVPN?

    Because MBSE allows SSH connections, that's why. I have callers that use it.

    -- Sean

    ... A dog accepts you as boss. A cat wants to see your resume.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Daryl Stout@618:250/33 to Sean Dennis on Thu Feb 17 15:49:00 2022
    Sean,

    You use the DNSBL in pfBlockerNG to do this in pfSense.

    You CAN block directly via CIDR but you have to make eight seperate
    rules and I do not feel like doing that. <G>

    I'll add these to my host name filter on the BBS. Besides, if they're
    not going to make a 32-bit version of Windows 11, I'm sticking with
    Windows 10. I can't see sacrificing a whole slew of legacy items just
    to satisfy Microsoft's bottom line.

    ... "Does anyone REALLY read these stupid quotes?" - the SysOp

    Never mind the bulletins. :P

    Daryl


    ... Microsoft Tech Support For Legacy Windows?? FAT Chance!!
    === MultiMail/Win v0.52
    --- SBBSecho 3.14-Win32
    * Origin: The Thunderbolt BBS - Little Rock, Arkansas (618:250/33)
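Daryl says he will add the pasted list to the BBS hostname filter. A list copied out of a web page or a message reader carries defects that the list above shows: two names on one line, a ":443" glued onto a name, a soft hyphen inside a name, an O where a 0 belongs. A hostname filter or a pfBlockerNG DNSBL feed either rejects such entries or, worse, accepts names that will never match anything. The script below is an added example (mine, not from the thread or from pfBlockerNG) that normalizes a pasted list before loading it; the sample input is constructed to contain those defects.

```python
"""Clean a pasted hostname block list before loading it into a DNSBL or a
BBS hostname filter.

Added example, not pfBlockerNG's code or anything from the thread. SAMPLE is
constructed to contain the defects a copy/paste picks up.
"""
import re

# Invisible characters that survive copy/paste: soft hyphen, zero-width
# space / non-joiner / joiner, byte-order mark.
INVISIBLE = dict.fromkeys(map(ord, "\u00ad\u200b\u200c\u200d\ufeff"))
# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

SAMPLE = (
    "a-0001.a-msedge.net\n"
    "cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com\n"        # two names on one line
    "telemetry.appex.bing.net:443\n"                       # port glued on
    "telemetry.appex.bing.net\n"
    "telecommand.telemetry.microsoft.com.nsat\u00adc.net\n"  # soft hyphen inside
    "telecommand.telemetry.microsoft.com.nsatc.net\n"
    "sO.2mdn.net\n"                                        # letter O for digit 0
    "s0.2mdn.net\n"
    "BN1WNS2011508.wns.windows.com\n"                      # mixed case
    "===\n"                                                # separator, not a name
)


def normalize_hostname(raw):
    """Return (hostname, None) for a syntactically valid name, else (None, reason)."""
    token = raw.translate(INVISIBLE).strip().lower().rstrip(".")
    if ":" in token:                      # a DNS block list holds names, not host:port
        token, _, port = token.rpartition(":")
        if not port.isdigit():
            return None, f"unexpected ':' in {raw!r}"
    if not token:
        return None, "empty"
    if len(token) > 253:
        return None, f"too long: {raw!r}"
    labels = token.split(".")
    if len(labels) < 2:
        return None, f"not a domain name: {raw!r}"
    if not all(LABEL_RE.match(label) for label in labels):
        return None, f"bad label in {raw!r}"
    if not labels[-1].isalpha():
        return None, f"numeric top-level label in {raw!r}"
    return token, None


def normalize_list(text):
    """Split on any whitespace, validate, de-duplicate. Returns (names, rejected)."""
    names, rejected, seen = [], [], set()
    for raw in text.split():
        host, reason = normalize_hostname(raw)
        if reason:
            rejected.append((raw, reason))
        elif host not in seen:
            seen.add(host)
            names.append(host)
    return sorted(names), rejected


def lookalikes(names):
    """Pairs of names that differ only by O/0 or l/1. Syntax checks pass both,
    but one of them is almost always a typo that blocks nothing."""
    fold = str.maketrans("ol", "01")
    first_seen, pairs = {}, []
    for name in names:
        key = name.translate(fold)
        if key in first_seen and first_seen[key] != name:
            pairs.append((first_seen[key], name))
        first_seen.setdefault(key, name)
    return pairs


if __name__ == "__main__":
    names, rejected = normalize_list(SAMPLE)
    print("\n".join(names))
    for raw, reason in rejected:
        print("rejected:", reason)
    for a, b in lookalikes(names):
        print(f"look-alike pair, check which is the typo: {a} / {b}")
```

The syntax check cannot tell "microsof.com" from "microsoft.com", so a feed should be spot-checked by resolving a sample of entries and by grepping the resolver's query log for names the list was supposed to stop; the look-alike pass only flags the O/0 and l/1 confusions that copy/paste and OCR most often introduce.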
  • From T.J. Mcmillen@618:500/24 to Nick Andre on Fri Feb 18 21:20:41 2022
    Why is SSH open to the world? That should be behind OpenVPN?

    Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;)

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From T.J. Mcmillen@618:500/24 to Sean Dennis on Fri Feb 18 21:21:16 2022
    Because MBSE allows SSH connections, that's why. I have callers that use i
    ^^^^^^^^^^^^^^^^^^^

    Why? That's SOO dumb ... people are too much like sheep anymore. It's a friggin' BBS for God's sake.

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From Sean Dennis@618:618/1 to T.J. Mcmillen on Fri Feb 18 21:50:10 2022
    Hello T,

    18 Feb 22 21:21, you wrote to me:

    Why? That's SOO dumb ... people are too much like sheep anymore.
    It's a friggin' BBS for God's sake.

    After nearly 40 years in IT, I can say that offering a more secure connection is a good thing, even if it's a BBS. We in North America take freedom for granted and I have received calls from people who don't have that luxury and have to look over their shoulders.

    So are you saying that my use of GPG-encrypted email is stupid too?

    -- Sean

    ... If it looks easy, it's tough; if it looks tough, it's impossible.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Sean Dennis@618:618/1 to T.J. Mcmillen on Fri Feb 18 21:52:37 2022
    Hello T,

    18 Feb 22 21:20, you wrote to Nick Andre:

    Didn't I say we NEVER talk about SSH ... it makes us angry ....
    remember? ;)

    Speak for yourself.

    -- Sean

    ... If guns cause crime then pencils cause misspelled words.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Nick Andre@618:500/24 to T.J. Mcmillen on Fri Feb 18 22:09:09 2022
    On 18 Feb 22 21:20, T.J. Mcmillen said the following to Nick Andre:

    Why is SSH open to the world? That should be behind OpenVPN?

    Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;

    I forgot... its the first rule of Fight Club.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From Daryl Stout@618:250/33 to Sean Dennis on Fri Feb 18 05:00:00 2022
    Sean,

    Why is SSH open to the world? That should be behind OpenVPN?

    Because MBSE allows SSH connections, that's why. I have callers that
    use it.

    I set up a special door to advise folks of the ports for SSH and QOTD
    (Quote Of The Day). Because bots were slamming it, I set the values to non-conventional. Verified Users In Good Standing can get those values
    from that door...and I've noted where the SSH logon bypasses the CAPTCHA
    entry.

    ... A dog accepts you as boss. A cat wants to see your resume.

    At the very minimum. <G>

    Daryl

    ... Does a clean house show that there's a broken computer??
    === MultiMail/Win v0.52
    --- SBBSecho 3.14-Win32
    * Origin: The Thunderbolt BBS - Little Rock, Arkansas (618:250/33)
  • From digimaus@618:618/1 to Daryl Stout on Sat Feb 19 02:58:29 2022
    Daryl Stout wrote to Sean Dennis <=-

    I set up a special door to advise folks of the ports for SSH and QOTD (Quote Of The Day). Because bots were slamming it, I set the values to non-conventional. Verified Users In Good Standing can get those values from that door...and I've noted where the SSH logon bypasses the
    CAPTCHA entry.

    I discovered that Spectrum silently blocks port 23 so I have kept the BBS' telnet port on 10123. They also block the QOTD port. I chose to keep the
    SSH port on 22 but if I moved it elsewhere, I'd have no issues, but I am not letting script kiddies dictate my hobby.

    If you take a look at this webpage about blocked ports, you'll notice that Spectrum says nothing about blocking port 23 but they do:

    https://www.spectrum.net/support/internet/blocked-ports

    -- Sean

    ... How long a minute is depends on what side of the bathroom door you're on.
    --- MultiMail/Linux
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Jas Hud@618:300/12 to digimaus on Sat Feb 19 08:57:59 2022
    To: digimaus
    Re: Re: Dealing with Microsoft
    By: digimaus to Daryl Stout on Sat Feb 19 2022 02:58 am

    from that door...and I've noted where the SSH logon bypasses the CAPTCHA entry.

    I discovered that Spectrum silently blocks port 23 so I have kept the BBS' telnet port on 10123. They also block the QOTD port. I chose to keep the SSH port on 22 but if I moved it elsewhere, I'd have no issues, but I am not letting script kiddies dictate my hobby.

    If you take a look at this webpage about blocked ports, you'll notice that Spectrum says nothing about blocking port 23 but they do:

    https://www.spectrum.net/support/internet/blocked-ports


    i'm on spectrum and i can open up port 23. i just tested it.

    it probably depends on the territory they took over. if the old guys did it, they probably do the same.
    --- Synchronet 3.18b-Win32 NewsLink 1.113
    * bbses.info - http://bbses.info - telnet://bbses.info
    * Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)
  • From Sean Dennis@618:618/1 to Jas Hud on Sat Feb 19 12:47:43 2022
    Hello Jas,

    19 Feb 22 08:57, you wrote to digimaus:

    i'm on spectrum and i can open up port 23. i just tested it.

    I just tested it also: "Port 23 is open on 97.95.145.58"

    I'll get someone to test it for me.

    it probably depends on the territory they took over. if the old guys
    did it, they probably do the same.

    They will also close ports if they feel they're getting attacked.

    -- Sean

    ... With clothes the new are best; with friends the old are best.
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
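Sean and Jas settle the question of whether Spectrum passes port 23 by probing it. The script below is an added example (mine, not from the thread) of such a probe that separates the three results a practitioner needs to tell apart: open (the handshake completes), closed (the host answers with a reset, so the path is clear and nothing is listening), and filtered (no answer before the timeout, which is what an ISP silently dropping a port looks like from outside). It checks itself against a listener on 127.0.0.1; that self-test is constructed and has nothing to do with Sean's host or address.

```python
"""Classify a TCP port as open, closed or filtered.

Added example, not from the thread. The self-check below binds loopback
sockets so it runs offline; the TEST-NET target in __main__ is constructed.
"""
import socket


def classify_port(host, port, timeout=3.0):
    """'open' if the handshake completes, 'closed' if the peer refuses with a
    reset, 'filtered' if nothing comes back (timeout or no route)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"            # SYN dropped somewhere on the path
        except ConnectionRefusedError:
            return "closed"              # RST came back: reachable, not listening
        except OSError:
            return "filtered"            # no route / network unreachable


def free_port():
    """Bind an ephemeral loopback port and release it; nothing listens there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_against_local_listener():
    """Constructed self-check: one listening socket and one released port."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        listening = srv.getsockname()[1]
        result_open = classify_port("127.0.0.1", listening, timeout=1.0)
    result_closed = classify_port("127.0.0.1", free_port(), timeout=1.0)
    return result_open, result_closed


if __name__ == "__main__":
    print("self-check (open, closed):", probe_against_local_listener())
    # 192.0.2.1 is TEST-NET-1 and not routed: expect 'filtered'.
    print("192.0.2.1:23 ->", classify_port("192.0.2.1", 23, timeout=2.0))
```

The probe has to run from outside the ISP's network, which is why Sean asks someone else to test: from the LAN, or from another customer of the same ISP, port 23 can look open while inbound traffic from the rest of the Internet is dropped at the edge. A "filtered" result also cannot by itself distinguish ISP filtering from the host's own firewall, so compare against a port on the same host that is known to be reachable.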
  • From ROBERT WOLFE@618:100/14 to T.J. Mcmillen on Sat Feb 26 06:56:50 2022
    On 2/18/2022 9:20 PM, T.J. Mcmillen wrote to Nick Andre:

    Why is SSH open to the world? That should be behind OpenVPN?

    Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;)

    LOL!!!

    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: Omicron Thetta * Cordova TN * fidonet.winserver.org (618:100/14)