Re: [gentoo-user] spam - different IP's

2021-02-05 Thread Grant Taylor

On 2/5/21 6:57 AM, William Kenworthy wrote:

> Use fail2ban to target active abusers using your logs. (recommended)


I've had extremely good luck using Fail2Ban in a distributed 
configuration* such that when one of my servers bans an IP, my other 
servers also (almost) immediately ban the same IP.


*I'm using Fail2Ban's (null / reject) "route" option.  I have BGP 
sessions between my servers synchronizing the banned routes.


> Leverage the cloud with something like: 
> http://iplists.firehol.org/?ipset=firehol_level1 (loaded to shorewall 
> with ipset:hash) to preemptively ban via blacklists - recommended. 
> There are many good blacklists out there - this one is a meta-list 
> and has fast and responsive updates.


That's an option.

I personally have some trouble swallowing the pill that is other 
people's ban lists.  --  It's one thing to add to a spam score. 
It's another when IPs are out-and-out blocked.


Aside:  Make use of Fail2Ban's ignore feature to whitelist (or ignore 
problems from) known good IPs.


> Snort (in IDS mode triggering a fail2ban rule) is a bit heavier 
> resource-wise but quite useful.  Snort in IPS mode is better, but it 
> can impact throughput. (if you are commercial, consider a licence to 
> get the latest rules as soon as they are created/needed.)


Another option in the same vein is to use the IPTables variants of the 
Snort rules.




--
Grant. . . .
unix || die



Re: [gentoo-user] spam - different IP's

2021-02-05 Thread William Kenworthy


On 5/2/21 6:10 pm, Michael wrote:
> On Friday, 5 February 2021 01:48:09 GMT Adam Carter wrote:
>> On Thu, Feb 4, 2021 at 6:07 PM Adam Carter wrote:
>>> On Thursday, February 4, 2021, wrote:
>>>> I'm perplexed by this entry in the apache log.
>>>> I'm sure it was done by the same person, as the timing is very sequential and
>>>> it is the same file-name request, but how were they able to lunch an attack
>>>> from different IPs in different geographical locations?
>>>> Can they spoof an IP?
>>> Probably just different instances of the same bot scanning for
>>> vulnerabilities. I imagine you will keep seeing that log from many
>>> different IPs
>> FWIW I'm seeing the same traffic. Here are some numbers:
>>
>> $ zgrep -ic wlwmanifest.xml access.log*
>> access.log:16
>> access.log-20210110.gz:0
>> access.log-20210117.gz:0
>> access.log-20210124.gz:34
>> access.log-20210131.gz:0
> Bot herders have acquired many geographically dispersed IP addresses to run 
...
> Depending on your server's IP address featuring on some target list, the 
> volume of calls can become quite high.  Trying to manually block the bots is a 
> tedious and ineffective task, because the professionals will add yet one more 
> compromised IP address to their herd faster than you can block them.  A 
> scripted honeypot to automatically block typical mass scans, e.g. for 
> WordPress installations, would be more effective.

Use fail2ban to target active abusers using your logs. (recommended)

Leverage the cloud with something like:
http://iplists.firehol.org/?ipset=firehol_level1 (loaded to shorewall
with ipset:hash) to preemptively ban via blacklists - recommended. 
There are many good blacklists out there - this one is a meta-list and
has fast and responsive updates.

Snort (in IDS mode triggering a fail2ban rule) is a bit heavier
resource-wise but quite useful.  Snort in IPS mode is better, but it can
impact throughput. (if you are commercial, consider a licence to get the
latest rules as soon as they are created/needed.)

or use all of them at the same time :)

BillK
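Loading a third-party list the way BillK describes, with the check Grant's caveat about other people's ban lists calls for: this added Python example (not from the thread, and not firehol's or shorewall's code) parses a netset-style list, reports which known-good addresses the list would cover, and emits the lines `ipset restore` expects for a hash:net set. The list text, the set name `blocklist` and the known-good addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample in the style of a firehol netset file: comment lines,
# blank lines, single addresses and CIDR blocks.  It is not a real download.
SAMPLE_NETSET = """\
#
# constructed example list, NOT firehol_level1
#
0.0.0.0/8
10.0.0.0/8        # bogon
203.0.113.0/24
198.51.100.7
2001:db8:bad::/48
"""

# Constructed: addresses we never want blocked (an office, a monitoring host).
KNOWN_GOOD = ["10.1.2.3", "192.0.2.1", "2001:db8:bad:1::5"]


def parse_netset(text):
    """Return the networks listed in a netset/ipset text file, skipping
    comments and blank lines.  A bare address becomes a /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ip_network(line, strict=False))
    return nets


def covered_good_ips(nets, good_ips):
    """Map each known-good address to the list entries that would block it.
    An empty result means the list can be loaded without collateral damage."""
    hits = {}
    for g in good_ips:
        addr = ip_address(g)
        covering = [str(n) for n in nets if n.version == addr.version and addr in n]
        if covering:
            hits[g] = covering
    return hits


def ipset_restore_lines(name, nets, family=4):
    """Lines understood by `ipset restore`: one hash:net set per address
    family, since a set holds either IPv4 or IPv6 entries, not both."""
    opts = "family inet" if family == 4 else "family inet6"
    lines = [f"create {name} hash:net {opts}"]
    lines += [f"add {name} {n}" for n in nets if n.version == family]
    return lines


if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    for good, entries in covered_good_ips(nets, KNOWN_GOOD).items():
        print(f"WARNING: {good} would be blocked by {', '.join(entries)}")
    print("\n".join(ipset_restore_lines("blocklist", nets)))
```

Feed the output to `ipset restore -exist` and reference the set from the firewall; running the collision check first, every time the list is refreshed, is the cheap way to keep a meta-list from silently cutting off a host you rely on.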





Re: [gentoo-user] spam - different IP's

2021-02-05 Thread Michael
On Friday, 5 February 2021 01:48:09 GMT Adam Carter wrote:
> On Thu, Feb 4, 2021 at 6:07 PM Adam Carter wrote:
> > On Thursday, February 4, 2021, wrote:
> >> I'm perplexed by this entry in the apache log.
> >> I'm sure it was done by the same person, as the timing is very sequential and
> >> it is the same file-name request, but how were they able to lunch an attack
> >> from different IPs in different geographical locations?
> >> Can they spoof an IP?
> > 
> > Probably just different instances of the same bot scanning for
> > vulnerabilities. I imagine you will keep seeing that log from many
> > different IPs
> 
> FWIW I'm seeing the same traffic. Here are some numbers:
> 
> $ zgrep -ic wlwmanifest.xml access.log*
> access.log:16
> access.log-20210110.gz:0
> access.log-20210117.gz:0
> access.log-20210124.gz:34
> access.log-20210131.gz:0

Bot herders have acquired many geographically dispersed IP addresses to run 
their reconnaissance scripts from.  When you block one subnet or ISP block, 
they will usually pop up in the logs almost immediately from another ISP in the 
same or a different country.  Their calls seem to coordinate with evening or 
daytime hours in their respective countries of origin.

Script kiddies tend to use mobile IPs, indicating they're using their phone or 
SIM as a modem.  When you block them they don't come back at least until their 
PAYG phone contract runs out.

There may also be state agents, but I would think it unlikely you'll find 
their fingerprints on your apache logs. :p

Depending on your server's IP address featuring on some target list, the 
volume of calls can become quite high.  Trying to manually block the bots is a 
tedious and ineffective task, because the professionals will add yet one more 
compromised IP address to their herd faster than you can block them.  A 
scripted honeypot to automatically block typical mass scans, e.g. for 
WordPress installations, would be more effective.



Re: [gentoo-user] spam - different IP's

2021-02-04 Thread Adam Carter
On Thu, Feb 4, 2021 at 6:07 PM Adam Carter wrote:

> On Thursday, February 4, 2021, wrote:
>
>> I'm perplexed by this entry in the apache log.
>> I'm sure it was done by the same person, as the timing is very sequential and
>> it is the same file-name request, but how were they able to lunch an attack
>> from different IPs in different geographical locations?
>> Can they spoof an IP?
>>
>>
> Probably just different instances of the same bot scanning for
> vulnerabilities. I imagine you will keep seeing that log from many
> different IPs
>

FWIW I'm seeing the same traffic. Here are some numbers:

$ zgrep -ic wlwmanifest.xml access.log*
access.log:16
access.log-20210110.gz:0
access.log-20210117.gz:0
access.log-20210124.gz:34
access.log-20210131.gz:0
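Putting Adam's count, Michael's "script it" advice and Grant's ignore list into one place: this added Python example (not from the thread, and not fail2ban's code) parses Apache access-log lines, counts the wlwmanifest.xml probes the way `zgrep -ic` does, and reports the distinct source IPs, the directory prefixes tried, the seconds between consecutive probes, and a ban-candidate list that skips an ignore list playing the role of fail2ban's ignoreip. The sample lines are taken from the log posted in the thread plus two constructed lines from 192.0.2.10, a documentation address standing in for a known-good host.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: five lines copied from the thread's Apache access log,
# one benign request, and one probe from a "known good" documentation address.
SAMPLE_LOG = """\
173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
192.0.2.10 - - [03/Feb/2021:19:28:00 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [03/Feb/2021:19:28:05 -0700] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
"""

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The probe signature.  A fail2ban failregex for the same thing would put
# <HOST> where LOG_RE captures (?P<ip>...) and this path at the end.
PROBE_SUFFIX = "/wp-includes/wlwmanifest.xml"
PROBE_RE = re.compile(re.escape(PROBE_SUFFIX) + r"$")


def parse(log_text):
    """Yield (ip, datetime, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def count_probe_hits(log_text):
    """The per-file number `zgrep -ic wlwmanifest.xml` prints."""
    return sum(1 for _, _, path, _ in parse(log_text) if PROBE_RE.search(path))


def probe_report(log_text, ignore_nets=()):
    """Summarise the scan and propose bans.  ignore_nets works like fail2ban's
    ignoreip: matching sources are counted but never proposed for a ban."""
    ignore = [ip_network(n) for n in ignore_nets]
    hits = []            # (timestamp, ip, path), sorted below
    per_ip = Counter()
    prefixes = set()
    for ip, ts, path, _ in parse(log_text):
        if not PROBE_RE.search(path):
            continue
        hits.append((ts, ip, path))
        per_ip[ip] += 1
        prefixes.add(path[: -len(PROBE_SUFFIX)] or "/")
    hits.sort()
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
    ban = sorted(ip for ip in per_ip
                 if not any(ip_address(ip) in net for net in ignore))
    return {
        "hits": len(hits),
        "distinct_ips": len(per_ip),
        "prefixes": sorted(prefixes),
        "gaps_seconds": gaps,
        "ban_candidates": ban,
    }


if __name__ == "__main__":
    print("probe hits:", count_probe_hits(SAMPLE_LOG))
    for key, value in probe_report(SAMPLE_LOG, ignore_nets=("192.0.2.0/24",)).items():
        print(f"{key}: {value}")
```

The report makes the thread's observation measurable: one request per source, every source trying a different directory prefix, and gaps of seconds to a few minutes between them. That is also why a per-IP `maxretry` alone catches little here; the thing worth matching is the path signature, with the ignore list keeping your own monitors out of the ban set.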


Re: [gentoo-user] spam - different IP's

2021-02-04 Thread bobwxc

On 2021/2/4 1:22 PM, the...@sys-concept.com wrote:

> I'm perplexed by this entry in the apache log.
> I'm sure it was done by the same person, as the timing is very sequential and it 
> is the same file-name request, but how were they able to lunch an attack from 
> different IPs in different geographical locations?
> Can they spoof an IP?

This is very common.
If someone intentionally attacks, they usually have an IP pool to avoid 
being blocked.
Also, ISPs sometimes give dynamic IPs to users, causing IP changes for normal 
users.


And one suggestion: only put part of an IP in the list, using '*' to 
replace some fields, to avoid information leakage.

--
bobwxc
F645 5C7A 08E8 A637 24C6  D59E 36E9 4EAB B53E 516B
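bobwxc's suggestion, worked out so that it also handles IPv6: this added Python example (not from the thread) masks the host part of every address in a log line while keeping the network prefix, so a line can be posted without leaking the full address yet still shows that the hits came from different networks. The sample lines reuse one address from the thread's log and documentation-range addresses; the prefix lengths kept (16 bits for IPv4, 32 for IPv6) are a choice made here, not anything the thread specifies.

```python
import re
from ipaddress import ip_address

# Candidate addresses inside a log line.  The IPv6 pattern also matches things
# like the "2021:19:17:47" inside an Apache timestamp; mask_ip() leaves any
# match alone that is not a valid address, so those survive untouched.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b")

# Constructed sample: one line from the thread's log, one IPv6 line using a
# documentation address.
SAMPLE_LINES = [
    '173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196',
    '2001:db8::1 - - [03/Feb/2021:19:18:24 -0700] "GET / HTTP/1.1" 200 12',
]


def mask_ip(text_ip, keep_v4=16, keep_v6=32):
    """Keep the leading keep_v4 bits (whole octets) of an IPv4 address or the
    leading keep_v6 bits (whole 16-bit groups) of an IPv6 address and replace
    the rest with '*'.  Anything that is not a valid address is returned as is."""
    try:
        addr = ip_address(text_ip)
    except ValueError:
        return text_ip
    if addr.version == 4:
        octets = text_ip.split(".")
        keep = keep_v4 // 8
        return ".".join(octets[:keep] + ["*"] * (4 - keep))
    # IPv6: work on the exploded form so '::' cannot hide how many groups exist
    groups = addr.exploded.split(":")
    keep = keep_v6 // 16
    return ":".join(groups[:keep] + ["*"] * (8 - keep))


def redact_line(line, **kw):
    """Mask every IPv4 and IPv6 address in one log line."""
    line = IPV4_RE.sub(lambda m: mask_ip(m.group(0), **kw), line)
    line = IPV6_RE.sub(lambda m: mask_ip(m.group(0), **kw), line)
    return line


def redact_lines(lines, **kw):
    return [redact_line(l, **kw) for l in lines]


if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LINES):
        print(line)
```

Keeping the first two octets (or the first /32 of an IPv6 address) is enough for readers to see that the sources sit in different networks, which was the whole point of the original question, without publishing addresses that can be looked up one by one.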






Re: [gentoo-user] spam - different IP's

2021-02-03 Thread William Kenworthy
Check the IPs on https://www.abuseipdb.com/ or similar, or do a
hostname and whois lookup.

The 3 IPs I checked all come from the same organisation/location
(secureserver.net in the US) ...

BillK


On 4/2/21 3:07 pm, Adam Carter wrote:
> On Thursday, February 4, 2021, wrote:
>
> I'm perplexed by this entry in the apache log. 
> I'm sure it was done by the same person, as the timing is very
> sequential and it is the same file-name request, but how were they
> able to lunch an attack from different IPs in different geographical
> locations?
> Can they spoof an IP?
>
>
> Probably just different instances of the same bot scanning for
> vulnerabilities. I imagine you will keep seeing that log from many
> different IPs 
>
>
>
> 173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET
> /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET
> /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET
> /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET
> /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 64.62.206.242 - - [03/Feb/2021:19:21:34 -0700] "GET
> /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.46.171 - - [03/Feb/2021:19:22:11 -0700] "GET
> /home/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.196.23 - - [03/Feb/2021:19:23:41 -0700] "GET
> /www/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 203.205.21.159 - - [03/Feb/2021:19:23:57 -0700] "GET
> /staging/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 66.113.226.191 - - [03/Feb/2021:19:25:42 -0700] "GET
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 148.72.232.107 - - [03/Feb/2021:19:26:06 -0700] "GET
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 35.208.134.190 - - [03/Feb/2021:19:26:22 -0700] "GET
> /shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 160.153.153.30 - - [03/Feb/2021:19:26:50 -0700] "GET
> /main/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET
> /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
> 66.113.221.43 - - [03/Feb/2021:19:28:37 -0700] "GET
> /website/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 2.50.180.72 - - [03/Feb/2021:19:28:48 -0700] "GET
> /portal/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 104.236.82.97 - - [03/Feb/2021:19:29:39 -0700] "GET
> /2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.197.91 - - [03/Feb/2021:19:30:46 -0700] "GET
> /1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 103.27.61.222 - - [03/Feb/2021:19:30:57 -0700] "GET
> /store/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.152.18 - - [03/Feb/2021:19:31:14 -0700] "GET
> /wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.193.129 - - [03/Feb/2021:19:31:24 -0700] "GET
> /blogs/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
>


Re: [gentoo-user] spam - different IP's

2021-02-03 Thread Adam Carter
On Thursday, February 4, 2021, wrote:

> I'm perplexed by this entry in the apache log.
> I'm sure it was done by the same person, as the timing is very sequential and
> it is the same file-name request, but how were they able to lunch an attack
> from different IPs in different geographical locations?
> Can they spoof an IP?
>
>
Probably just different instances of the same bot scanning for
vulnerabilities. I imagine you will keep seeing that log from many
different IPs



> 173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET
> /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET 
> /wordpress/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
> 198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET
> /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET
> /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 64.62.206.242 - - [03/Feb/2021:19:21:34 -0700] "GET
> /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.46.171 - - [03/Feb/2021:19:22:11 -0700] "GET
> /home/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.196.23 - - [03/Feb/2021:19:23:41 -0700] "GET
> /www/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 203.205.21.159 - - [03/Feb/2021:19:23:57 -0700] "GET 
> /staging/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
> 66.113.226.191 - - [03/Feb/2021:19:25:42 -0700] "GET
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 148.72.232.107 - - [03/Feb/2021:19:26:06 -0700] "GET
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 35.208.134.190 - - [03/Feb/2021:19:26:22 -0700] "GET
> /shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 160.153.153.30 - - [03/Feb/2021:19:26:50 -0700] "GET
> /main/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET
> /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
> 66.113.221.43 - - [03/Feb/2021:19:28:37 -0700] "GET 
> /website/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
> 2.50.180.72 - - [03/Feb/2021:19:28:48 -0700] "GET 
> /portal/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
> 104.236.82.97 - - [03/Feb/2021:19:29:39 -0700] "GET
> /2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.197.91 - - [03/Feb/2021:19:30:46 -0700] "GET
> /1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 103.27.61.222 - - [03/Feb/2021:19:30:57 -0700] "GET 
> /store/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
> 184.168.152.18 - - [03/Feb/2021:19:31:14 -0700] "GET
> /wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.193.129 - - [03/Feb/2021:19:31:24 -0700] "GET 
> /blogs/wp-includes/wlwmanifest.xml
> HTTP/1.1" 404 196
>
>


Re: [gentoo-user] spam - different IP's

2021-02-03 Thread thelma


On 2/3/21 10:22 PM, the...@sys-concept.com wrote:
> I'm perplexed by this entry in the apache log.  
> I'm sure it was done by the same person, as the timing is very sequential and it 
> is the same file-name request, but how were they able to lunch an attack from 
> different IPs in different geographical locations?
> Can they spoof an IP? 
> 
> 173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET 
> /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET 
> /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET 
> /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET 
> /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 64.62.206.242 - - [03/Feb/2021:19:21:34 -0700] "GET 
> /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.46.171 - - [03/Feb/2021:19:22:11 -0700] "GET 
> /home/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.196.23 - - [03/Feb/2021:19:23:41 -0700] "GET 
> /www/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 203.205.21.159 - - [03/Feb/2021:19:23:57 -0700] "GET 
> /staging/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 66.113.226.191 - - [03/Feb/2021:19:25:42 -0700] "GET 
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 148.72.232.107 - - [03/Feb/2021:19:26:06 -0700] "GET 
> /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 35.208.134.190 - - [03/Feb/2021:19:26:22 -0700] "GET 
> /shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 160.153.153.30 - - [03/Feb/2021:19:26:50 -0700] "GET 
> /main/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET 
> /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
> 66.113.221.43 - - [03/Feb/2021:19:28:37 -0700] "GET 
> /website/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 2.50.180.72 - - [03/Feb/2021:19:28:48 -0700] "GET 
> /portal/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 104.236.82.97 - - [03/Feb/2021:19:29:39 -0700] "GET 
> /2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 50.63.197.91 - - [03/Feb/2021:19:30:46 -0700] "GET 
> /1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 103.27.61.222 - - [03/Feb/2021:19:30:57 -0700] "GET 
> /store/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.152.18 - - [03/Feb/2021:19:31:14 -0700] "GET 
> /wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
> 184.168.193.129 - - [03/Feb/2021:19:31:24 -0700] "GET 
> /blogs/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196

Correction: should be "launch" 



[gentoo-user] spam - different IP's

2021-02-03 Thread thelma
I'm perplexed by this entry in the apache log.  
I'm sure it was done by the same person, as the timing is very sequential and it 
is the same file-name request, but how were they able to lunch an attack from 
different IPs in different geographical locations?
Can they spoof an IP? 

173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET 
/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET 
/wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET 
/new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET 
/en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
64.62.206.242 - - [03/Feb/2021:19:21:34 -0700] "GET 
/web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.46.171 - - [03/Feb/2021:19:22:11 -0700] "GET 
/home/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.63.196.23 - - [03/Feb/2021:19:23:41 -0700] "GET 
/www/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
203.205.21.159 - - [03/Feb/2021:19:23:57 -0700] "GET 
/staging/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
66.113.226.191 - - [03/Feb/2021:19:25:42 -0700] "GET 
/news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
148.72.232.107 - - [03/Feb/2021:19:26:06 -0700] "GET 
/news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
35.208.134.190 - - [03/Feb/2021:19:26:22 -0700] "GET 
/shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
160.153.153.30 - - [03/Feb/2021:19:26:50 -0700] "GET 
/main/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET 
/v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
66.113.221.43 - - [03/Feb/2021:19:28:37 -0700] "GET 
/website/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
2.50.180.72 - - [03/Feb/2021:19:28:48 -0700] "GET 
/portal/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
104.236.82.97 - - [03/Feb/2021:19:29:39 -0700] "GET 
/2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.63.197.91 - - [03/Feb/2021:19:30:46 -0700] "GET 
/1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
103.27.61.222 - - [03/Feb/2021:19:30:57 -0700] "GET 
/store/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.152.18 - - [03/Feb/2021:19:31:14 -0700] "GET 
/wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.193.129 - - [03/Feb/2021:19:31:24 -0700] "GET 
/blogs/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196