• Block IPs based on Locati

    From Compctech@VERT/LSNET to All on Fri Feb 28 10:47:00 2025
    I apologize if I am posting in the wrong location. I am getting a lot of login attempts from China and other Asian countries. It does not surprise me, but has anyone tried doing IP blocking by country? I don't like the idea, but with as many attempts as I am getting, it's filling up my logs. I see how I can do it with UFW, but just need a good source of IP Blocks. CIDR notations would be great.

    Like I said, I hate to have to go to this extreme, but it's getting bad. Huawei Public Cloud Service is the worst one so far.

    Sam L.
    LSNET Archive

    ---
    ■ Synchronet ■ LSNET Archive - Archiving Software for the Future
  • From Wilfred van Velzen@VERT to Compctech on Fri Feb 28 17:59:00 2025
    Hi Compctech,

    On 2025-02-28 10:47:03, you wrote to All:

    I apologize if I am posting in the wrong location. I am getting a lot
    of login attempts from China and other Asian countries. It does not surprise me, but has anyone tried doing IP blocking by country, I
    don't like the idea, but with as many attempts as I am getting, it's
    filling up my logs. I see how I can do it with UFW, but just need a
    good source of IP Blocks. CIDR notations would be great.

    Yes you can get the IP block ranges by country at http://www.ipdeny.com/

    For example I do this in a script for some countries (not my fido machine though, because there are a lot of fido systems in Russia):

    wget -q -O zone.belarus http://www.ipdeny.com/ipblocks/data/aggregated/by-aggregated.zone
    wget -q -O zone.china http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
    wget -q -O zone.iran http://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone
    wget -q -O zone.north-korea http://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone
    wget -q -O zone.russia http://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone

    After this I feed the files to fail2ban with these commands:

    fail2ban-client restart --unban countries
    fail2ban-client set countries banip $(<zone.north-korea )
    fail2ban-client set countries banip $(<zone.belarus )
    fail2ban-client set countries banip $(<zone.china )
    fail2ban-client set countries banip $(<zone.iran )
    fail2ban-client set countries banip $(<zone.russia )

    And in my fail2ban config (/etc/fail2ban/jail.d/custom.local), I have this section:

    [countries]
    filter = manual
    banaction = %(banaction_allports)s
    bantime = -1
    enabled = true


    Bye, Wilfred.

    --- FMail-lnx64 2.3.2.4-B20240523
    * Origin: FMail development HQ (2:280/464)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
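
Added example, not part of the post above: a POSIX shell check to run on each downloaded zone file before its contents are handed to `fail2ban-client`, so that an empty download, an HTML error page, or a range covering your own address never reaches the ban list. The function names, the admin address and the sample ranges are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): vet a zone file before banning it.
# ip_to_int A.B.C.D -> prints the address as an integer; fails if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac  # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> 0 if IP is inside CIDR, 1 if not, 2 if either is malformed.
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    len=${2#*/}
    case "$len" in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    mask=$(( (4294967295 >> len) ^ 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# vet_zone FILE ADMIN_IP MIN_ENTRIES -> 0 if FILE is safe to load, otherwise:
#   1 = too few ranges (empty or truncated download)
#   2 = a line is not an IPv4 CIDR (e.g. an HTML error page) or ADMIN_IP is bad
#   3 = a range contains ADMIN_IP, so banning it would lock the admin out
vet_zone() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        hit=0; in_cidr "$2" "$line" || hit=$?
        case "$hit" in 0) return 3 ;; 2) return 2 ;; esac
        count=$((count + 1))
    done < "$1"
    [ "$count" -ge "$3" ]
}

# Constructed sample using documentation ranges, not real ipdeny.com data.
demo() {
    zone=$(mktemp) || return 1
    printf '%s\n' 192.0.2.0/24 198.51.100.0/25 > "$zone"
    st=0; vet_zone "$zone" 203.0.113.7 2 || st=$?
    rm -f "$zone"
    echo "vet_zone status: $st (0 means the file may be passed to banip)"
}
demo
```

Only on status 0 would the `fail2ban-client set countries banip` line from the post be run for that file; any other status means the download should be inspected first.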
  • From paulie420@VERT/BEERS20 to Compctech on Fri Feb 28 18:26:00 2025
    I apologize if I am posting in the wrong location. I am getting a lot
    of login attempts from China and other Asian countries.

    Like I said, I hate to have to go to this extreme, but it's getting bad. Huawei Public Cloud Service is the worst one so far.

    I invite callers from all countries - any reason to block them??? Are they bots or actual users??



    pAULIE42o
    .........
  • From Compctech@VERT/LSNET to Wilfred van Velzen on Fri Feb 28 18:50:00 2025
    Hi Compctech,

    On 2025-02-28 10:47:03, you wrote to All:

    Yes you can get the IP block ranges by country at http://www.ipdeny.com/

    For example I do this in a script for some countries (not my fido machine though, because there are a lot of fido systems in Russia):

    wget -q -O zone.belarus http://www.ipdeny.com/ipblocks/data/aggregated/by-aggregated.zone
    wget -q -O zone.china http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
    wget -q -O zone.iran http://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone
    wget -q -O zone.north-korea http://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone
    wget -q -O zone.russia http://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone

    After this I feed the files to fail2ban with these commands:

    fail2ban-client restart --unban countries
    fail2ban-client set countries banip $(<zone.north-korea )
    fail2ban-client set countries banip $(<zone.belarus )
    fail2ban-client set countries banip $(<zone.china )
    fail2ban-client set countries banip $(<zone.iran )
    fail2ban-client set countries banip $(<zone.russia )

    And in my fail2ban config (/etc/fail2ban/jail.d/custom.local), I have this section:

    [countries]
    filter = manual
    banaction = %(banaction_allports)s
    bantime = -1
    enabled = true

    Bye, Wilfred.

    --- FMail-lnx64 2.3.2.4-B20240523
    * Origin: FMail development HQ (2:280/464)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net



    Thanks!!! I think that did it. China is the worst when it comes to attempts to break into stuff. At my last job (10+ years ago) we set up a honeypot system that we would use to build block lists, and it also reported back to a network of honeypots that would pool the IPs together. Now I am trying to remember what that honeypot net was.

    Sam L.
    LSNET Archive

    ---
    ■ Synchronet ■ LSNET Archive - Archiving Software for the Future
  • From Compctech@VERT/LSNET to paulie420 on Sat Mar 1 10:47:00 2025
    Re: Re: Block IPs based on Lo
    By: paulie420 to Compctech on Fri Feb 28 2025 06:26 pm

    I apologize if I am posting in the wrong location. I am getting a lot of login attempts from China and other Asian countries.

    Like I said, I hate to have to go to this extreme, but it's getting bad. Huawei Public Cloud Service is the worst one so far.

    I invite callers from all countries - any reason to block them??? Are they bots or actual users??



    pAULIE42o
    .........

    I only put a block on China. It was bots that were taking up all my nodes 24/7. If I was able to narrow it down to a few ISPs, I would have just done that, but it was all over.

    Once I put the China block in place, about 95% of the bot traffic stopped.

    Sam L

    ---
    ■ Synchronet ■ LSNET Archive - Archiving Software for the Future
  • From Rixter@VERT/RICKSBBS to Compctech on Sat Mar 1 13:31:00 2025
    Re: Re: Block IPs based on Lo
    By: paulie420 to Compctech on Fri Feb 28 2025 06:26 pm

    I only put a block on China. It was bots that were taking up all my nodes 24/7. If I was able to narrow it down to a few ISPs, I would have just done that, but it was all over.

    Once I put the China block in place, about 95% of the bot traffic stopped.

    Sam L

    ---
    ■ Synchronet ■ LSNET Archive - Archiving Software for the Future



    Same block China and Russia.

    telnet://ricksbbs.synchro.net:23
    http://ricksbbs.synchro.net:8080
    Madison,NC

    ---
    ■ Synchronet ■ Rick's BBS telnet://ricksbbs.synchro.net:23
  • From Dumas Walker@VERT/CAPCITY2 to PAULIE420 on Sat Mar 1 11:36:00 2025
    I invite callers from all countries - any reason to block them??? Are they bot
    or actual users??

    Bots. For me, the biggest offenders are China Mobile, Chinanet (the
    biggest!), Digital Ocean, Alibaba (China, Singapore, Malaysia),
    HINET-Taiwan, CNC Group China, Korea Telecom, China Unicom, and Panchenko - Russia. All of those have multiple ranges blocked in my ip-silent.can
    file, and just about all of them are in there for bot activity -- using a
    whole lot of known IOT username and password combos to try to create more
    bots.


    * SLMR 2.1a * Happiness is a positive cash flow.
    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From paul lee@VERT to Compctech on Sat Mar 1 19:05:00 2025
    I apologize if I am posting in the wrong location. I am getting a of login attempts from China and other Asian countries.

    Like I said, I hate to have to go to this extreme, but it's gettin bad. Huawei Public Cloud Service is the worst one so far.

    I invite callers from all countries - any reason to block them??? Are t bots or actual users??



    That's interesting, 'cause I have a few cool users from China @ 2oFB. Haven't noticed the crazy bot traffic that's messing w/ you...



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbS>>20ForBeers.com:1337 (1:105/420)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Rixter@VERT/RICKSBBS to Wilfred van Velzen on Thu Mar 6 10:57:00 2025
    Hi Compctech,

    On 2025-02-28 10:47:03, you wrote to All:

    Yes you can get the IP block ranges by country at http://www.ipdeny.com/

    For example I do this in a script for some countries (not my fido machine though, because there are a lot of fido systems in Russia):

    wget -q -O zone.belarus http://www.ipdeny.com/ipblocks/data/aggregated/by-aggregated.zone
    wget -q -O zone.china http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
    wget -q -O zone.iran http://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone
    wget -q -O zone.north-korea http://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone
    wget -q -O zone.russia http://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone

    After this I feed the files to fail2ban with these commands:

    fail2ban-client restart --unban countries
    fail2ban-client set countries banip $(<zone.north-korea )
    fail2ban-client set countries banip $(<zone.belarus )
    fail2ban-client set countries banip $(<zone.china )
    fail2ban-client set countries banip $(<zone.iran )
    fail2ban-client set countries banip $(<zone.russia )

    And in my fail2ban config (/etc/fail2ban/jail.d/custom.local), I have this section:

    [countries]
    filter = manual
    banaction = %(banaction_allports)s
    bantime = -1
    enabled = true

    Bye, Wilfred.

    --- FMail-lnx64 2.3.2.4-B20240523
    * Origin: FMail development HQ (2:280/464)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net


    Thanks this worked great. Have a great day.
    Rixter

    telnet://ricksbbs.synchro.net:23
    http://ricksbbs.synchro.net:8080
    Madison,NC

    ---
    ■ Synchronet ■ Rick's BBS telnet://ricksbbs.synchro.net:23