Currently Viewing Posts Tagged “ip address”

Report the bad IP address to the AbuseIPDB

I have a VPS on DigitalOcean. The web server is Nginx. I checked the web server log files, including the access log and the error log.

The error log regularly records strange activity from a handful of IP addresses.

2019/03/17 03:08:02 [error] 781#781: *140434 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.zip"
2019/03/17 03:08:04 [error] 781#781: *140451 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..zip"
2019/03/17 03:08:06 [error] 781#781: *140452 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..zip"
2019/03/17 03:08:07 [error] 781#781: *140453 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.rar"
2019/03/17 03:08:08 [error] 781#781: *140454 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..rar"
2019/03/17 03:08:10 [error] 781#781: *140456 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..rar"
2019/03/17 06:10:41 [error] 781#781: *145806 access forbidden by rule, client: 192.99.35.63, server: www.yinfor.com, request: "GET /wp-content/uploads/2019/03/settings_auto.php HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:21:35 [error] 781#781: *160016 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.htaccess?c=askjhGQVFcrwqevq&q=ZWNobyA0Mzc0NTc1NDc7 HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:21 [error] 781#781: *160124 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.zip HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160125 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.tar.gz HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160126 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.gz HTTP/1.1", host: "www.yinfor.com"

You can see that the requested URLs are strange. Actually, I had already banned these IP addresses, so Nginx recorded the access as forbidden.

I am not only banning these IP addresses, but also want to report them to AbuseIPDB.

When I find a bad IP address, I sign in to the AbuseIPDB site and report it.

Enter the information about the behaviour and the details from the IP's log entries.


AbuseIPDB is not just a reporting tool. Registered users can also use its API to check whether an IP is a known bad or spam IP. It works with Fail2Ban.
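The manual routine above (read the error log, pick out the offending client, paste the evidence into a report) is easy to script. The following is an added example, not code from the post: it parses the "access forbidden by rule" lines quoted above (embedded as sample input), groups them per client IP with first/last timestamps, and builds the comment text and the form fields for a report. The field names `ip`, `categories` and `comment` and the category number 21 (Web App Attack) follow AbuseIPDB's published v2 API and category list as I recall them; verify them against the site before sending, and note that the script makes no network request itself.

```python
import re

# The eleven "access forbidden by rule" lines quoted in the post, used here as sample input.
SAMPLE_LOG = """\
2019/03/17 03:08:02 [error] 781#781: *140434 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.zip"
2019/03/17 03:08:04 [error] 781#781: *140451 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..zip"
2019/03/17 03:08:06 [error] 781#781: *140452 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..zip"
2019/03/17 03:08:07 [error] 781#781: *140453 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.rar"
2019/03/17 03:08:08 [error] 781#781: *140454 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..rar"
2019/03/17 03:08:10 [error] 781#781: *140456 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..rar"
2019/03/17 06:10:41 [error] 781#781: *145806 access forbidden by rule, client: 192.99.35.63, server: www.yinfor.com, request: "GET /wp-content/uploads/2019/03/settings_auto.php HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:21:35 [error] 781#781: *160016 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.htaccess?c=askjhGQVFcrwqevq&q=ZWNobyA0Mzc0NTc1NDc7 HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:21 [error] 781#781: *160124 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.zip HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160125 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.tar.gz HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160126 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.gz HTTP/1.1", host: "www.yinfor.com"
"""

# Matches the Nginx error-log format shown above; the request string never contains a double quote.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'access forbidden by rule, client: (?P<client>[0-9a-fA-F.:]+), '
    r'server: (?P<server>[^,]+), request: "(?P<request>[^"]*)"'
)


def parse_forbidden(log_text):
    """Yield (timestamp, client, server, request) for each 'access forbidden by rule' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), m.group("server"), m.group("request")


def summarize_by_client(log_text):
    """Aggregate blocked requests per client IP (dict order = first-seen order)."""
    summary = {}
    for ts, client, _server, request in parse_forbidden(log_text):
        entry = summary.setdefault(client, {"count": 0, "first": ts, "last": ts, "requests": []})
        entry["count"] += 1
        entry["last"] = ts
        entry["requests"].append(request)
    return summary


def report_comment(ip, entry, max_requests=5):
    """Free-text evidence for a report: count, time window and a few sample request lines."""
    lines = [f"{ip}: {entry['count']} requests blocked by nginx rule "
             f"between {entry['first']} and {entry['last']} (server local time)."]
    lines += [f"  {r}" for r in entry["requests"][:max_requests]]
    if entry["count"] > max_requests:
        lines.append(f"  ... and {entry['count'] - max_requests} more")
    return "\n".join(lines)


def abuseipdb_report_payload(ip, entry, categories=(21,)):
    """Form fields for an AbuseIPDB v2 /report call (assumed names: ip, categories, comment;
    21 = Web App Attack in AbuseIPDB's category list). The account API key goes in a 'Key'
    header when you actually POST it; this function only builds the payload."""
    return {"ip": ip,
            "categories": ",".join(str(c) for c in categories),
            "comment": report_comment(ip, entry)}


def main(path=None):
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    for ip, entry in summarize_by_client(text).items():
        print(report_comment(ip, entry))
        print()


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path to /var/log/nginx/error.log (or with no argument to use the embedded sample) and paste the printed block into the report's comment field; a cron job feeding the payload to the API is the natural next step once the key is in place.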

Protect Proftpd server by restricting IP address allowed

There are so many hackers, or whatever you want to call them, trying to log in to the FTP server on my VPS.
One of the simplest ways to stop them is to deny all IP addresses except specific ones.
The FTP server running on the VPS is ProFTPD.
To apply the restriction, edit /etc/proftpd.conf and add the following at the end.

<Limit LOGIN>
  # Order, Allow and Deny are only valid inside a <Limit> block, so they go in <Limit LOGIN>
  Order allow,deny
  # A trailing dot is a prefix match: 96.49. covers 96.49.0.0 - 96.49.255.255
  Allow from 96.49., 64.180., 24.81.
  Deny from all
</Limit>

Continue reading “Protect Proftpd server by restricting IP address allowed”

How to block SSH connection per IP address

I have a VPS which is hosted on Burst.net.

An OpenSSH server is running on it. When I checked the error log, I saw a lot of login errors, as below.

It is clear that attackers want to connect to this VPS through SSH as root. They tried different passwords and different ports. All were blocked by PAM.

(Image: sshd-error-login-try)

To save the cost of these connections and the PAM processing, I chose to block them per IP address.

Continue reading “How to block SSH connection per IP address”

The results of PAM-abl

The web is a wild place and not a safe playground for me. I have a server that gets so many attacks every day, and it only runs two small sites.

What can I do? I have to protect myself with my computer skills.

I installed and enabled the pam_abl blacklist function for SSH security.
Now four days have passed. Let us see the results.

(Image: pam_abl_ip_blocking)

One IP tried 424 times to log in.

The other tried more than one thousand times.

I have to say, it is a good tool to protect my SSH server, and it saves a lot of resources.

Continue reading “The results of PAM-abl”

How to stop access by country IP blocks

You may be tired of deleting spam or spammer accounts from your site. Sometimes your site is on a spammer's list. And most of the time the spammers come from the following top 10 countries:
1. Korea
2. China
3. India
4. Russia
5. Turkey
6. Viet Nam
7. Ukraine
8. Brazil
9. Venezuela
10. Pakistan
How to stop them?

Continue reading “How to stop access by country IP blocks”

IP Ports and Protocols

The following IP ports and protocols are excerpted from Networking Fundamentals.
Port number – Protocol name
20 – File Transfer Protocol (FTP) data
21 – File Transfer Protocol (FTP) control
23 – Telnet
25 – Simple Mail Transfer Protocol (SMTP)
53 – Domain Name Service (DNS)
80 – HyperText Transfer Protocol (HTTP)
110 – Post Office Protocol version 3 (POP3)
119 – Network News Transport Protocol (NNTP)
139 – NetBIOS Session Service
143 – Internet Message Access Protocol (IMAP)
161 – Simple Network Management Protocol (SNMP)
Common protocols include TCP, UDP and ICMP. There are actually a great number of protocols, but these three are the most prevalent. TCP is used to handle the underlying data streams for web, email, news and almost every other popular network application. That does not mean that UDP and ICMP are not important, however.

Continue reading “IP Ports and Protocols”

IP Address Banned in hMailServer

I mentioned that spammers want to send spam through my email server. I have to ban some IP address ranges.
It is very easy to configure this in the hMailServer administration interface.
The following image is a screenshot after setup.
Please notice the IP ranges:
Ban IP 1: 61.64.64.0 – 61.64.255.255
Ban IP 2: 61.62.4.0 – 61.62.11.255
These two IP ranges are a subset of So-Net's IP addresses. I only banned part of their range.
The default setting accepts all IP addresses with priority 10.
I added these ban entries with priority 30, so I don't need to change the default IP address range.
(Image: ip-address-ban)

You may have noticed a special IP address. It belongs to Defender Technologies Group, LLC. I think it is an ISP or hosting company in the USA.

Continue reading “IP Address Banned in hMailServer”

Spam Emails from So-Net

Recently, my email server has been under a very heavy load of spam.
Looking at just a very short log file, a lot of it comes from IP addresses of SONET-TW (Sony Network Taiwan Limited).
I googled it and found it is an ISP that provides ADSL internet access.
Because of the heavy load on the server, I had to ban the following IP address range:

61.64.64.0 – 61.64.255.255

The spammers try to send spam through my email server. I turned off open relay, but they still try and try.
Even when the server returns 530, they don't give up.

Continue reading “Spam Emails from So-Net”
