Lonnie,
  Thank you.  I installed and enabled.  Within 24 hours two hosts had been
banned.  What is more interesting however is that it uncovered (and
blocked) one host that was also trying to connect to another port, which
had been forwarded (by UPnP) to an internal server (QNAP NAS) that had
BitTorrent running on it.  I didn't know (or had forgotten) that I had
BitTorrent enabled, so I went and turned off that service in the QNAP...

Jan  5 12:33:22 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:31 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:40 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:41 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:42 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:44 pbx user.info firewall: adaptive-ban: Banned IPv4 Host: 46.249.250.46  Filter Type: racoon
Jan  5 12:33:45 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT= MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=[redacted] LEN=408 TOS=0x00 PREC=0x20 TTL=116 ID=26865 PROTO=UDP SPT=500 DPT=500 LEN=388
Jan  5 14:31:24 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT=br1 MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=192.168.[redacted] LEN=134 TOS=0x00 PREC=0x20 TTL=114 ID=26907 PROTO=UDP SPT=23238 DPT=6889 LEN=114
Jan  5 14:52:21 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT=br1 MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=192.168.[redacted] LEN=145 TOS=0x00 PREC=0x20 TTL=114 ID=26929 PROTO=UDP SPT=23238 DPT=6889 LEN=125

Thanks,
David


On Sat, Dec 26, 2015 at 9:17 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Added to the SVN with revision 7428...
> http://sourceforge.net/p/astlinux/code/7428/
>
> Lonnie
>
>
> On Dec 25, 2015, at 10:12 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> > David,
> >
> > Without proof, I'm thinking the IKE exchange types of 37 and 243 are just
> > a signature of a bot probing the IKE negotiation, something like SIPVicious
> > and its 'friendly-scanner' User-Agent.
> >
> > The exchange types of 37 and 243 seem completely arbitrary to me.
> >
> > Given that, while it probably doesn't add much (if any) security to ban
> > these probes, it may provide some comfort (fewer logs) and is
> > straight-forward to do.
> >
> > So, I'll add a "racoon" filter option that will ban any IP that
> > generates an "ERROR: Invalid exchange type" regardless of the exchange type
> > number.
> >
> > It is a relatively simple addition and is not enabled by default, so why
> > not.  Seems of common interest while googling.
> >
> > Lonnie
> >
> >
> > On Dec 25, 2015, at 9:06 AM, David Kerr <da...@kerr.net> wrote:
> >
> >> Thanks Lonnie.  Google found this...
> >> http://serverfault.com/questions/579648/custom-filter-for-fail2ban
> >> so someone else ran into the same issue and basically added a filter to
> >> /etc/fail2ban.  Do we have an equivalent?
> >>
> >> I'm going to be away for next week plus... so won't be able to do
> >> anything for a while.  In the meantime they have no respect for the
> >> holidays and have started trying from a different IP...
> >>
> >> Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:25 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >>
> >> Thanks
> >> David
> >>
> >> On Fri, Dec 25, 2015 at 9:37 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> >> Merry Christmas David,
> >>
> >> +1 to Michael's answer.
> >>
> >> Here is the same topic for pfSense...
> >>
> >> Topic: Somebody hacking my IPsec VPN?
> >> https://forum.pfsense.org/index.php?topic=39044.0
> >>
> >> Topic: Banning or throttling users making invalid connection attempts?
> >> https://forum.pfsense.org/index.php?topic=72640.0
> >> (Unfortunately without any replies)
> >>
> >> So you are not alone, we could consider adding a "racoon" filter type
> >> to Adaptive ban.  The first concern is to make sure it is useful in
> >> practice and not subject to false-banning for normal use.
> >>
> >> Possibly a look at the latest Fail2Ban to see if "racoon" has been
> >> added.  And if not wonder why.
> >>
> >> Clearly if you use a certificate for your IPsec server then you should
> >> be good, but I understand the added logs are annoying.
> >>
> >> Lonnie
> >>
> >>
> >> On Dec 24, 2015, at 11:24 PM, David Kerr <da...@kerr.net> wrote:
> >>
> >>> Firstly, happy Christmas to all.
> >>>
> >>> Now my question, should adaptive ban pick up on the following?  I'm
> >>> getting attacked again but neither of these IPs are getting added to the
> >>> ban list.  As far as I can tell the adaptive ban plugin is active...
> >>>
> >>> ENABLED=1
> >>> ADAPTIVE_BAN_FILE="/var/log/messages"
> >>> ADAPTIVE_BAN_TIME=90
> >>> ADAPTIVE_BAN_COUNT=3
> >>> ADAPTIVE_BAN_TYPES="sshd asterisk lighttpd"
> >>>
> >>> Dec 23 20:40:09 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 129.192.165.10[4500].
> >>> Dec 23 20:40:14 pbx daemon.info ...
> >>>
> >>> Dec 24 20:57:35 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 101.165.98.245[500].
> >>
> >>
> >>
------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
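
The filter Lonnie describes earlier in the thread (ban any source that logs "ERROR: Invalid exchange type", whatever the type number) combined with the thresholds in David's config (ADAPTIVE_BAN_COUNT=3 within ADAPTIVE_BAN_TIME=90 seconds), written out as a small, stand-alone Python re-implementation. This is an added example for illustration, not AstLinux's own Adaptive Ban code. It assumes a syslog year (syslog lines carry none), a hypothetical RFC 1918 ignore list as one answer to the false-banning concern, and a constructed sample log using documentation addresses rather than the thread's real IPs. The second function does what David found interesting: it reads the kernel "AIF:Adaptive-Ban host:" drop lines and reports which other destination ports an already-banned host went on to try.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds taken from David's adaptive-ban config in the thread.
ADAPTIVE_BAN_TIME = 90    # seconds: window in which repeated hits are counted
ADAPTIVE_BAN_COUNT = 3    # hits inside the window that trigger a ban

# Syslog prefix ("Jan  5 12:33:22 pbx ...") -> timestamp group.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# The racoon line, matched regardless of the exchange-type number (as Lonnie's
# filter does): 37, 243 and anything else all count as a hit.
RACOON_RE = re.compile(
    r"racoon: ERROR: Invalid exchange type (?P<xtype>\d+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[(?P<port>\d+)\]"
)

# Kernel "AIF:Adaptive-Ban host:" drop lines -> source IP and destination port.
AIF_RE = re.compile(
    r"AIF:Adaptive-Ban host: .*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_ts(line, year=2015):
    """Syslog timestamp of a line as a datetime (None if absent); year is assumed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m.group("ts").split())   # collapse "Jan  5" -> "Jan 5"
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class RacoonBan:
    """Sliding-window counter: ban a source after ban_count racoon
    'Invalid exchange type' errors within ban_time seconds."""

    def __init__(self, ban_count=ADAPTIVE_BAN_COUNT, ban_time=ADAPTIVE_BAN_TIME,
                 ignore_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
        self.ban_count = ban_count
        self.ban_time = ban_time
        # Hypothetical safeguard against the false-banning concern raised in the
        # thread: never ban sources on the local (RFC 1918) networks.
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.banned = {}                 # ip -> timestamp of the ban

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        ts = parse_ts(line)
        m = RACOON_RE.search(line)
        if ts is None or m is None:
            return None
        ip = m.group("ip")
        if ip in self.banned or any(ipaddress.ip_address(ip) in n for n in self.ignore_nets):
            return None
        window = self.hits[ip]
        window.append(ts)
        # Drop hits that have fallen out of the ban-time window.
        while window and (ts - window[0]).total_seconds() > self.ban_time:
            window.popleft()
        if len(window) >= self.ban_count:
            self.banned[ip] = ts
            return ip
        return None

    def run(self, lines):
        """Feed every line; return the IPs banned, in order of banning."""
        return [ip for ip in map(self.feed, lines) if ip is not None]


def blocked_ports(lines):
    """From the kernel drop lines of banned hosts: which destination ports did
    each banned source try after the ban? Returns {ip: sorted ports}."""
    ports = defaultdict(set)
    for line in lines:
        m = AIF_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dpt")))
    return {ip: sorted(p) for ip, p in ports.items()}


# Constructed sample log (documentation addresses, not the thread's real IPs):
# one probing bot, one slow source that never reaches 3 hits in 90 s, one LAN host.
SAMPLE_LOG = """\
Jan  5 12:33:22 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 198.51.100.7[500].
Jan  5 12:33:31 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 198.51.100.7[500].
Jan  5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 198.51.100.7[500].
Jan  5 12:33:45 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=408 TOS=0x00 PREC=0x20 TTL=116 ID=26865 PROTO=UDP SPT=500 DPT=500 LEN=388
Jan  5 12:40:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 203.0.113.9[4500].
Jan  5 12:45:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 203.0.113.9[4500].
Jan  5 12:50:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 203.0.113.9[4500].
Jan  5 12:51:00 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 192.168.1.20[500].
Jan  5 12:51:10 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 192.168.1.20[500].
Jan  5 12:51:20 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 192.168.1.20[500].
Jan  5 14:31:24 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT=br1 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.168.1.50 LEN=134 TOS=0x00 PREC=0x20 TTL=114 ID=26907 PROTO=UDP SPT=23238 DPT=6889 LEN=114
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip in RacoonBan().run(lines):
        print(f"adaptive-ban: Banned IPv4 Host: {ip}  Filter Type: racoon")
    for ip, ports in blocked_ports(lines).items():
        print(f"{ip} was dropped while aiming at UDP ports {ports}")
```

On the sample only 198.51.100.7 is banned (three hits in ten seconds); 203.0.113.9 spaces its probes five minutes apart so it never has three inside the 90-second window, and the 192.168.1.20 host is skipped by the ignore list. The port summary then shows the banned host being dropped on both UDP/500 and the UPnP-forwarded UDP/6889, which is exactly the kind of follow-on activity the ban log surfaced for David.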
