On Monday 02 December 2019 07:46:22 Alessandro Vesely wrote:
> On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> > You might want to install iptables-persistent, otherwise you'll have
> > to roll-out your own solution.
>
> I'm not using iptables-persistent, but just looked at it out of
>
Gene Heskett wrote:
> It, iptables, did not get restarted on the fresh boot, so obviously the
> systemd manager hasn't been informed to start iptables, reloading
> from /etc/iptables/saved-rules.
You would not be having these problems were you using Shorewall...
--
John Hasler
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote:
> ### BEGIN INIT INFO
> # Provides: netfilter-persistent
> # Required-Start:mountkernfs $remote_fs
> # Required-Stop: $remote_fs
> # Default-Start: S
> # Default-Stop: 0 1 6
> # Short-Description: Load
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote:
> On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> >
> > You might want to install iptables-persistent, otherwise you'll have to
> > roll-out your own solution.
>
> I'm not using iptables-persistent, but just looked at
On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
>
> You might want to install iptables-persistent, otherwise you'll have to
> roll-out your own solution.
I'm not using iptables-persistent, but just looked at it out of curiosity.
Its LSB:
### BEGIN INIT INFO
# Provides:
On Monday 02 December 2019 04:35:26 Andrei POPESCU wrote:
> On Du, 01 dec 19, 22:28:43, Gene Heskett wrote:
> > It, iptables, did not get restarted on the fresh boot, so obviously
> > the systemd manager hasn't been informed to start iptables,
> > reloading from /etc/iptables/saved-rules.
>
> To
On Du, 01 dec 19, 22:28:43, Gene Heskett wrote:
>
> It, iptables, did not get restarted on the fresh boot, so obviously the
> systemd manager hasn't been informed to start iptables, reloading
> from /etc/iptables/saved-rules.
To my knowledge Debian doesn't include anything like this by
On Tuesday 12 November 2019 21:35:49 Gene Heskett wrote:
> On Tuesday 12 November 2019 19:53:15 John Hasler wrote:
> > I wrote:
> > > Install Shorewall.
> >
> > Gene writes:
> > > Did, spent half an hour reading its man page, but I don't see a
> > > command that will extract and save an existing
On Tuesday 12 November 2019 20:03:12 ghe wrote:
> On 11/12/19 5:46 PM, Gene Heskett wrote:
> > Oh goody and I get to name & pick the file and its location. Now,
> > where's a good place to put the restore in the reboot path?
>
> How about /etc? Or /etc/init.d? That's where mine is...
I've already
On Tuesday 12 November 2019 19:53:15 John Hasler wrote:
> I wrote:
> > Install Shorewall.
>
> Gene writes:
> > Did, spent half an hour reading its man page, but I don't see a
> > command that will extract and save an existing iptables setup, and a
> > later reapply of that saved data.
>
> I meant
On 11/12/19 5:46 PM, Gene Heskett wrote:
> Oh goody and I get to name & pick the file and its location. Now, where's
> a good place to put the restore in the reboot path?
How about /etc? Or /etc/init.d? That's where mine is...
--
Glenn English
I wrote:
> Install Shorewall.
Gene writes:
> Did, spent half an hour reading its man page, but I don't see a
> command that will extract and save an existing iptables setup, and a
> later reapply of that saved data.
I meant use it instead of using Iptables directly: the package takes
care of
On Tuesday 12 November 2019 16:04:07 to...@tuxteam.de wrote:
> On Tue, Nov 12, 2019 at 12:40:45PM -0500, Gene Heskett wrote:
>
> [...]
>
> > So I have to find all that in the history and re-invent
> > a 33 line filter DROP. I'll be back when I've stuck a hot tater in
> > semrushes exit port.
>
>
On Tuesday 12 November 2019 14:28:38 John Hasler wrote:
> Gene writes:
> > So I had been adding iptables rules but had to reboot this morning
> > to get a baseline cups start, only to find my iptables rules were
> > all gone and the bots are DDOSing me again.
>
> Install Shorewall.
Did, spent
On Tuesday 12 November 2019 13:30:24 ghe wrote:
> Gene wrote
>
> > So I had been adding iptables rules but had to reboot this
> > morning to get a baseline cups start, only to find my iptables rules
> > were all gone and the bots are DDOSing me again. Grrr
>
> 0) Can you block them with an
On Tue, Nov 12, 2019 at 12:40:45PM -0500, Gene Heskett wrote:
[...]
> So I have to find all that in the history and re-invent
> a 33 line filter DROP. I'll be back when I've stuck a hot tater in
> semrushes exit port.
See iptables-save (will dump the currently active iptables to a file)
and
Gene writes:
> So I had been adding iptables rules but had to reboot this morning to
> get a baseline cups start, only to find my iptables rules were all
> gone and the bots are DDOSing me again.
Install Shorewall.
--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
Gene wrote
> So I had been adding iptables rules but had to reboot this
> morning to get a baseline cups start, only to find my iptables rules
> were all gone and the bots are DDOSing me again. Grrr
0) Can you block them with an ACL in your router/firewall? And wr mem so
the ACL will be
On Tuesday 12 November 2019 11:01:08 Lee wrote:
> On 11/11/19, Gene Heskett wrote:
> > On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
>
> ... snip ...
>
> >> I *know* I told you to look at your log files, and to turn on
> >> user-agent logging if necessary.
> >>
> >> I don't remember
On 11/11/19, Gene Heskett wrote:
> On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
... snip ...
>> I *know* I told you to look at your log files, and to turn on
>> user-agent logging if necessary.
>>
>> I don't remember seeing you ever *post* your log files here, not even
>> a single
On 11/11/19, Greg Wooledge wrote:
> On Mon, Nov 11, 2019 at 12:18:17PM -0500, Gene Heskett wrote:
>>
>> HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1;
>> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
>> coyote.coyote.den:80 203.133.169.54 - -
>> [11/Nov/2019:12:11:29 -0500]
Sorry Gene. Hit reply instead of reply list.
On 11/11/19 12:18 PM, Gene Heskett wrote:
On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
I have a list of ipv4's I want fail2ban to block.
Not sure that fail2ban is the best tool for the job. Where you
already have a list of IPs that
On Monday 11 November 2019 12:38:09 Greg Wooledge wrote:
> On Mon, Nov 11, 2019 at 12:18:17PM -0500, Gene Heskett wrote:
> > Only one log file seems to have useful data, the "other..." file,
> > and I have posted several single lines here, but here's a few more:
> >
> > coyote.coyote.den:80
On Mon, Nov 11, 2019 at 12:18:17PM -0500, Gene Heskett wrote:
> Only one log file seems to have useful data, the "other..." file, and I
> have posted several single lines here, but here's a few more:
>
> coyote.coyote.den:80 40.94.105.9 - -
> [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1"
On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
> > > > I have a list of ipv4's I want fail2ban to block.
> > >
> > > Not sure that fail2ban is the best tool for the job. Where you
> > > already have a list of IPs that you want to block why not just
> > > directly create the iptables
On Mon, Nov 11, 2019 at 02:52:36PM +0100, to...@tuxteam.de wrote:
> On Mon, Nov 11, 2019 at 08:33:13AM -0500, Greg Wooledge wrote:
> > > > > I have a list of ipv4's I want fail2ban to block.
>
> [...]
>
> > I don't remember seeing you ever *post* your log files here, not even
> > a single line
On Mon, Nov 11, 2019 at 08:33:13AM -0500, Greg Wooledge wrote:
> > > > I have a list of ipv4's I want fail2ban to block.
[...]
> I don't remember seeing you ever *post* your log files here, not even
> a single line from a single instance of this bot. Maybe I missed it.
We had one sample in
> > > I have a list of ipv4's I want fail2ban to block.
> >
> > Not sure that fail2ban is the best tool for the job. Where you already
> > have a list of IPs that you want to block why not just directly create
> > the iptables rules?
>
> just did that, got most of them but semrush apparently has
On Sun, Nov 10, 2019 at 06:07:37PM -0500, Gene Heskett wrote:
> On Sunday 10 November 2019 16:07:22 to...@tuxteam.de wrote:
>
> > On Sun, Nov 10, 2019 at 10:55:03AM -0500, Gene Heskett wrote:
> > > On Sunday 10 November 2019 08:02:46 Michael wrote:
> > >
> > > Which contains such gems as this:
>
On Monday, November 11, 2019 12:07:37 AM CET, Gene Heskett wrote:
On Sunday 10 November 2019 16:07:22 to...@tuxteam.de wrote:
On Sun, Nov 10, 2019 at 10:55:03AM -0500, Gene Heskett wrote: ...
I don't see an obvious field delimiter in this. Tomas. Is it definable?
like thomas told you
On Sun, 2019-11-10 at 19:37 +, Brian wrote:
> On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote:
> [...]
> > One thing you could try is to examine the iptables rule counters
> > daily/weekly. If the counters do not increase during some
> > interval,
> > then the rule is no longer
On Sunday 10 November 2019 18:07:37 Gene Heskett wrote:
> On Sunday 10 November 2019 16:07:22 to...@tuxteam.de wrote:
> > On Sun, Nov 10, 2019 at 10:55:03AM -0500, Gene Heskett wrote:
> > > On Sunday 10 November 2019 08:02:46 Michael wrote:
> > >
> > > Which contains such gems as this:
> > >
On Sunday 10 November 2019 16:07:22 to...@tuxteam.de wrote:
> On Sun, Nov 10, 2019 at 10:55:03AM -0500, Gene Heskett wrote:
> > On Sunday 10 November 2019 08:02:46 Michael wrote:
> >
> > Which contains such gems as this:
> > coyote.coyote.den:80 40.77.167.79 - -
> > [10/Nov/2019:10:44:45 -0500]
On Sunday 10 November 2019 14:37:58 Brian wrote:
> On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote:
> > Brian writes:
> > > On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> > >> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> > >> > I was able, with the help
On Sun, Nov 10, 2019 at 10:55:03AM -0500, Gene Heskett wrote:
> On Sunday 10 November 2019 08:02:46 Michael wrote:
> Which contains such gems as this:
> coyote.coyote.den:80 40.77.167.79 - -
> [10/Nov/2019:10:44:45 -0500] "GET /gene/fence/18.html HTTP/1.1" 200
> 1121 "-" "Mozilla/5.0 (iPhone;
On Sun 10 Nov 2019 at 10:26:17 -0800, Kushal Kumaran wrote:
> Brian writes:
>
> > On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> >
> >> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> >>
> >> > I was able, with the help of another responder to carve up some iptables
On 11/10/19 8:55 AM, Gene Heskett wrote:
> That's an approximate idea of my understanding how it works, but to
> gradually transit from manual reading of the logs and applying iptable
> rules to block the miscreants, the first step would seem to indicate
> training fail2ban to read the same log
Brian writes:
> On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
>
>> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
>>
>> > I was able, with the help of another responder to carve up some iptables
>> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3
On Sunday 10 November 2019 08:02:46 Michael wrote:
> On Sunday, November 10, 2019 1:39:24 PM CET, to...@tuxteam.de wrote:
> > On Sun, Nov 10, 2019 at 07:04:12AM -0500, Gene Heskett wrote:
> >> On Sunday 10 November 2019 06:19:51 to...@tuxteam.de wrote:
> >>> On Sun, Nov 10, 2019 at 06:08:52AM
On Sunday, November 10, 2019 1:39:24 PM CET, to...@tuxteam.de wrote:
On Sun, Nov 10, 2019 at 07:04:12AM -0500, Gene Heskett wrote:
On Sunday 10 November 2019 06:19:51 to...@tuxteam.de wrote:
On Sun, Nov 10, 2019 at 06:08:52AM -0500, Gene Heskett wrote:
But... you can just configure your
On Sun 10 Nov 2019 at 11:01:07 +0100, Michael wrote:
> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
>
> > I was able, with the help of another responder to carve up some iptables
> > rules to stop the DDOS that semrush, yandex, bingbot, and 2 or 3 others
> > were bound to do
On Sun, Nov 10, 2019 at 07:04:12AM -0500, Gene Heskett wrote:
> On Sunday 10 November 2019 06:19:51 to...@tuxteam.de wrote:
>
> > On Sun, Nov 10, 2019 at 06:08:52AM -0500, Gene Heskett wrote:
[...]
> > - assess client behaviour
[...]
> Humm. That would take a user-agent trigger [...]
On Sunday 10 November 2019 06:19:51 to...@tuxteam.de wrote:
> On Sun, Nov 10, 2019 at 06:08:52AM -0500, Gene Heskett wrote:
>
> [...]
>
> > But, I'm getting the impression that it has to fail before fail2ban
> > kicks in [...]
>
> No. It has to "succeed" once before fail2ban can do its job. It
On Sun, Nov 10, 2019 at 06:08:52AM -0500, Gene Heskett wrote:
[...]
> But, I'm getting the impression that it has to fail before fail2ban kicks
> in [...]
No. It has to "succeed" once before fail2ban can do its job. It is:
- assess client behaviour
- http server writes a log entry (or a set
On Sunday 10 November 2019 05:01:07 Michael wrote:
> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> > What's this "jail"? The beginners tut seems to assume we've all had
> > cs101 thru cs401 and Just Know all the secret handshakes bs already.
>
> no idea what you're talking
On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
What's this "jail"? The beginners tut seems to assume we've all had cs101
thru cs401 and Just Know all the secret handshakes bs already.
no idea what you're talking about... i almost never read any tutorial, just
man pages.
On Saturday 09 November 2019 15:07:51 mick crane wrote:
> On 2019-11-09 18:01, Gene Heskett wrote:
> > On Saturday 09 November 2019 08:59:14 Michael wrote:
> >> > Rather than to use fail2ban for this, I would create an ipset
> >> > that fail2ban can populate then use that ipset in iptables.
> >>
On Sat 09 Nov 2019 at 20:07:51 +, mick crane wrote:
> I like Gene, he is trying to make something work.
The "something" is what is at issue.
> When all this stuff started there seemed to be some sort of logic to it and
> I can't say I understood much of it but the thing seems to be now that
On 2019-11-09 18:01, Gene Heskett wrote:
On Saturday 09 November 2019 08:59:14 Michael wrote:
> Rather than to use fail2ban for this, I would create an ipset that
> fail2ban can populate then use that ipset in iptables.
i agree, but:
> One advantage of this is that you can add/delete ip from
Hello,
On Sat, Nov 09, 2019 at 01:34:11PM -0500, Gene Heskett wrote:
> On Saturday 09 November 2019 10:10:53 Andy Smith wrote:
> > You've repeatedly been advised to block these bots in Apache by
> > their UserAgent. Have you tried that yet? It would be a lot simpler
> > than fail2ban or trying to
least 6 variations of their User-agent names,
maybe more. Easier to use the ip's with a broad /24
brush. They can name it anything they want, but the ip isn't phony. Hit them
with a /24 and you've got everything I've seen so far
except bytespider. They cover 2 /24 blocks.
> By the sound of i
On Saturday 09 November 2019 10:10:53 Andy Smith wrote:
> Hello,
>
> On Sat, Nov 09, 2019 at 08:43:25AM -0500, Gene Heskett wrote:
> > I've done that with the help of a previous responder and now have
> > 99% of the pigs that ignore my robots.txt blocked. semrush is
> > extremely determined and
On Saturday 09 November 2019 08:59:14 Michael wrote:
> > Rather than to use fail2ban for this, I would create an ipset that
> > fail2ban can populate then use that ipset in iptables.
>
> i agree, but:
> > One advantage of this is that you can add/delete ip from the ipset
> > without having to
On 2019-11-09, john doe wrote:
>
> Note that using IPs directly is a red herring; you need to use other
> means (UserAgent ...) to identify those bots.
Over at semrush they advise the following (with robots.txt in the top
directory of the server):
To stop SEMrushBot from crawling your site,
On 11/9/2019 2:43 PM, Gene Heskett wrote:
> On Saturday 09 November 2019 03:36:49 john doe wrote:
>
>> On 11/9/2019 8:30 AM, Gene Heskett wrote:
>>> I have a list of ipv4's I want fail2ban to block. But amongst the
>>> numerous subdirs for fail2ban, I cannot find one that looks suitable
>>> to put
Hello,
On Sat, Nov 09, 2019 at 08:43:25AM -0500, Gene Heskett wrote:
> I've done that with the help of a previous responder and now have 99% of
> the pigs that ignore my robots.txt blocked. semrush is extremely
> determined and has switched to a 4th address I've not seen before, but
> is no
Rather than to use fail2ban for this, I would create an ipset that
fail2ban can populate then use that ipset in iptables.
i agree, but:
One advantage of this is that you can add/delete ip from the ipset
without having to restart fail2ban/iptables.
RTFM
fail2ban allows you to 'unban' an ip
On Saturday 09 November 2019 04:01:32 to...@tuxteam.de wrote:
> On Sat, Nov 09, 2019 at 03:36:49AM -0500, Gene Heskett wrote:
> > On Saturday 09 November 2019 02:49:16 mett wrote:
> > > On 9 November 2019 16:30:57 JST, Gene Heskett wrote:
> > > >I have a list of ipv4's I want fail2ban to block. But
On Saturday 09 November 2019 03:36:49 john doe wrote:
> On 11/9/2019 8:30 AM, Gene Heskett wrote:
> > I have a list of ipv4's I want fail2ban to block. But amongst the
> > numerous subdirs for fail2ban, I cannot find one that looks suitable
> > to put this list of addresses in so they are blocked
On Sat, Nov 09, 2019 at 03:36:49AM -0500, Gene Heskett wrote:
> On Saturday 09 November 2019 02:49:16 mett wrote:
>
> > On 9 November 2019 16:30:57 JST, Gene Heskett wrote:
> > >I have a list of ipv4's I want fail2ban to block. But amongst the
> > >numerous subdirs for fail2ban, I cannot find one
On 11/9/2019 8:30 AM, Gene Heskett wrote:
> I have a list of ipv4's I want fail2ban to block. But amongst the
> numerous subdirs for fail2ban, I cannot find one that looks suitable to
> put this list of addresses in so they are blocked forever. Can someone
> more familiar with how fail2ban works
On Saturday 09 November 2019 02:55:45 darb wrote:
> * Gene Heskett wrote:
> > I have a list of ipv4's I want fail2ban to block. But amongst the
> > numerous subdirs for fail2ban, I cannot find one that looks suitable
> > to put this list of addresses in so they are blocked forever. Can
> >
On Saturday 09 November 2019 02:49:16 mett wrote:
> On 9 November 2019 16:30:57 JST, Gene Heskett wrote:
> >I have a list of ipv4's I want fail2ban to block. But amongst the
> >numerous subdirs for fail2ban, I cannot find one that looks suitable
> > to
> >
> >put this list of addresses in so they are
On 9 November 2019 16:30:57 JST, Gene Heskett wrote:
>I have a list of ipv4's I want fail2ban to block. But amongst the
>numerous subdirs for fail2ban, I cannot find one that looks suitable to
>
>put this list of addresses in so they are blocked forever. Can someone
>more familiar with how fail2ban
* Gene Heskett wrote:
> I have a list of ipv4's I want fail2ban to block. But amongst the
> numerous subdirs for fail2ban, I cannot find one that looks suitable to
> put this list of addresses in so they are blocked forever. Can someone
> more familiar with how fail2ban works give me a hand?
I have a list of ipv4's I want fail2ban to block. But amongst the
numerous subdirs for fail2ban, I cannot find one that looks suitable to
put this list of addresses in so they are blocked forever. Can someone
more familiar with how fail2ban works give me a hand? These are the
ipv4 addresses
66 matches