Re: [Dorset] Firewall question

2023-12-12 Thread Tim

Hi Ralph

Thanks for taking a look.

On 12/12/2023 12:23, Ralph Corderoy wrote:
> Hi Tim,
>
>> Beginning of last week I became aware of a lot of connections to and
>> from .dreamsinheels.com
>
> Where are these showing up?
I have been using a program called Garkstat (the command-line version is 
darkstat, https://unix4lyfe.org/darkstat/) and it has an output like 
below (I have removed the MAC address column):


IP                 Hostname                         In             Out              Total            Last seen
98.159.234.100     chrysippo.dreamsinheels.com      377,452,876    8,790,117,140    9,167,570,016    2 days, 18 hrs, 38 mins, 35 secs
98.159.234.101     reformidans.dreamsinheels.com    231,512,992    4,458,161,590    4,689,674,582    3 days, 21 hrs, 18 mins, 8 secs
98.159.234.54      posset.dreamsinheels.com         196,503,575    3,748,136,401    3,944,639,976    2 days, 2 hrs, 41 mins, 11 secs
98.159.234.72      pecunias.dreamsinheels.com       207,944,151    3,507,655,611    3,715,599,762    2 days, 3 hrs, 6 mins, 12 secs
98.159.234.157     aliquod.dreamsinheels.com        132,080,873    2,002,741,007    2,134,821,880    11 hrs, 53 mins, 38 secs
98.159.234.20      iustitiam.dreamsinheels.com      87,937,813     1,906,705,751    1,994,643,564    21 hrs, 14 mins, 53 secs


From what I have been able to find out, 98.159.234.?? is the IP 
address from the dreamsinheels.com section of the domain name, while the 
subdomain.dreamsinheels.com connections all seem to come from the same 
185.151.130.148 IP address but use various port numbers around the 
42000 to 49500 area. I guess I have around 30 subdomains so far.

I have not been able to block the connection; all the subdomains seem
to be coming from 185.151.30.148.
While I don't seem to have a list of live connections, it is still making 
connections. I checked and they are showing in Wireshark when I monitor 
traffic.

Can anybody help with some advice please on how best to block this
access.

> If it's a single IP address then add it to the already existing
> blacklist?

Here is a sample of one of the rules I have come up with:

-A ufw-user-logging-output -p tcp -d 185.151.30.148 --dport 42474 -s 185.151.30.148 --sport 42474 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "


I don't know how to change the single port to any port.


> Have a skim of https://wiki.archlinux.org/title/Uncomplicated_Firewall
> for ideas on the kind of thing that can be done.


I will be reading it and trying to make a move forward.

Tim H

--
 Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk


Re: [Dorset] Firewall question

2023-12-12 Thread Ralph Corderoy
Hi Tim,

> Beginning of last week I became aware of a lot of connections to and
> from .dreamsinheels.com

Where are these showing up?

> I have not been able to block the connection, all the sub domains seem
> to be coming from 185.151.30.148
...
> Can anybody help with some advice please on how best to block this
> access.

If it's a single IP address then add it to the already existing
blacklist?

Have a skim of https://wiki.archlinux.org/title/Uncomplicated_Firewall
for ideas on the kind of thing that can be done.

-- 
Cheers, Ralph.

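Added example for Tim's "single port to any port" question and Ralph's blacklist suggestion; this is not code from either message. It prints the ufw commands that block a host on every port in both directions, and checks an iptables-save style dump for such a port-agnostic DROP/REJECT rule. The dump is constructed (reusing the address and the LOG rule posted above); the ufw commands are assumed to be run with root privileges.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_DUMP is a constructed
# iptables-save excerpt: Tim's port-specific LOG rule, the two port-agnostic
# DROP rules that "ufw deny out to"/"ufw deny from" would create, and an
# unrelated per-port rule for a documentation address (203.0.113.9).
SAMPLE_DUMP='*filter
-A ufw-user-logging-output -p tcp -d 185.151.30.148 --dport 42474 -s 185.151.30.148 --sport 42474 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-user-output -d 185.151.30.148/32 -j DROP
-A ufw-user-input -s 185.151.30.148/32 -j DROP
-A ufw-user-input -s 203.0.113.9/32 -p tcp --dport 22 -j DROP
COMMIT'

# ufw_block_commands HOST: print the two ufw commands that add rules with no
# port or protocol match. "out to" covers the connections darkstat showed
# leaving the machine; "from" covers anything the host initiates.
ufw_block_commands() {
    printf 'ufw insert 1 deny out to %s\n' "$1"
    printf 'ufw insert 1 deny from %s\n' "$1"
}

# blocks_all_ports HOST < dump: exit 0 when some DROP/REJECT rule names HOST
# (as -s or -d, with or without /32) and carries no port match, so a
# port-specific rule or a LOG-only rule like the one above does not count.
blocks_all_ports() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E -- "-[sd] $esc(/32)? " \
      | grep -E -- '-j (DROP|REJECT)' \
      | grep -E -v -- '--(dport|sport|dports|sports)' \
      | grep -q .
}

# Stand-alone run: show the commands, then check the constructed dump.
ufw_block_commands 185.151.30.148
if printf '%s\n' "$SAMPLE_DUMP" | blocks_all_ports 185.151.30.148; then
    echo "185.151.30.148: blocked on every port"
else
    echo "185.151.30.148: only port-specific or logging rules found"
fi
```

On a live system, feed the check with `iptables-save | blocks_all_ports 185.151.30.148` after applying the ufw rules.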