David,

Thanks for closing the loop. That IP seems to be from a Norway cable customer.

It warms my heart to see it working.

Lonnie

On Jan 5, 2016, at 9:41 PM, David Kerr <da...@kerr.net> wrote:

> Lonnie,
> Thank you. I installed and enabled. Within 24 hours two hosts had been
> banned. What is more interesting however is that it uncovered (and blocked)
> one host that was also trying to connect to another port, which had been
> forwarded (by UPnP) to an internal server (QNAP NAS) that had BitTorrent
> running on it. I didn't know (or had forgotten) that I had BitTorrent
> enabled, so I went and turned off that service in the QNAP...
>
> Jan 5 12:33:22 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:31 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:40 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:41 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:42 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
> Jan 5 12:33:44 pbx user.info firewall: adaptive-ban: Banned IPv4 Host: 46.249.250.46 Filter Type: racoon
> Jan 5 12:33:45 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT= MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=[redacted] LEN=408 TOS=0x00 PREC=0x20 TTL=116 ID=26865 PROTO=UDP SPT=500 DPT=500 LEN=388
> Jan 5 14:31:24 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT=br1 MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=192.168.[redacted] LEN=134 TOS=0x00 PREC=0x20 TTL=114 ID=26907 PROTO=UDP SPT=23238 DPT=6889 LEN=114
> Jan 5 14:52:21 pbx user.info kernel: AIF:Adaptive-Ban host: IN=eth0 OUT=br1 MAC=00:0d:b9:33:15:60:1c:e8:5d:f4:b8:22:08:00 SRC=46.249.250.46 DST=192.168.[redacted] LEN=145 TOS=0x00 PREC=0x20 TTL=114 ID=26929 PROTO=UDP SPT=23238 DPT=6889 LEN=125
>
> Thanks,
> David
>
>
> On Sat, Dec 26, 2015 at 9:17 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> Added to the SVN with revision 7428...
> http://sourceforge.net/p/astlinux/code/7428/
>
> Lonnie
>
>
> On Dec 25, 2015, at 10:12 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> > David,
> >
> > Without proof, I'm thinking the IKE exchange types of 37 and 243 are just a
> > signature of a bot probing the IKE negotiation, something like SIPVicious
> > and its 'friendly-scanner' User-Agent.
> >
> > The exchange types of 37 and 243 seem completely arbitrary to me.
> >
> > Given that, while it probably doesn't add much (if any) security to ban
> > these probes, it may provide some comfort (fewer logs) and is
> > straight-forward to do.
> >
> > So, I'll add a "racoon" filter option that will ban any IP that generates an
> > "ERROR: Invalid exchange type" regardless of the exchange type number.
> >
> > It is a relatively simple addition and is not enabled by default, so why
> > not. Seems of common interest while googling.
> >
> > Lonnie
> >
> >
> > On Dec 25, 2015, at 9:06 AM, David Kerr <da...@kerr.net> wrote:
> >
> >> Thanks Lonnie. Google found this...
> >> http://serverfault.com/questions/579648/custom-filter-for-fail2ban
> >> so someone else ran into the same issue and basically added a filter to
> >> /etc/fail2ban. Do we have an equivalent?
> >>
> >> I'm going to be away for next week plus... so won't be able to do anything
> >> for a while. In the meantime they have no respect for the holidays and
> >> have started trying from a different IP...
> >>
> >> Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >> Dec 25 05:45:25 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> >>
> >> Thanks
> >> David
> >>
> >> On Fri, Dec 25, 2015 at 9:37 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> >> Merry Christmas David,
> >>
> >> +1 to Michael's answer.
> >>
> >> Here is the same topic for pfSense...
> >>
> >> Topic: Somebody hacking my IPsec VPN?
> >> https://forum.pfsense.org/index.php?topic=39044.0
> >>
> >> Topic: Banning or throttling users making invalid connection attempts?
> >> https://forum.pfsense.org/index.php?topic=72640.0
> >> (Unfortunately without any replies)
> >>
> >> So you are not alone, we could consider adding a "racoon" filter type to
> >> Adaptive ban. The first concern is to make sure it is useful in practice
> >> and not subject to false-banning for normal use.
> >>
> >> Possibly a look at the latest Fail2Ban to see if "racoon" has been added.
> >> And if not wonder why.
> >>
> >> Clearly if you use a certificate for your IPsec server then you should be
> >> good, but I understand the added logs are annoying.
> >>
> >> Lonnie
> >>
> >>
> >> On Dec 24, 2015, at 11:24 PM, David Kerr <da...@kerr.net> wrote:
> >>
> >>> Firstly Happy Christmas to all.
> >>>
> >>> Now my question, should adaptive ban pick up on the following? I'm
> >>> getting attacked again but neither of these IPs is getting added to the
> >>> ban list. As far as I can tell the adaptive ban plugin is active...
> >>>
> >>> ENABLED=1
> >>> ADAPTIVE_BAN_FILE="/var/log/messages"
> >>> ADAPTIVE_BAN_TIME=90
> >>> ADAPTIVE_BAN_COUNT=3
> >>> ADAPTIVE_BAN_TYPES="sshd asterisk lighttpd"
> >>>
> >>> Dec 23 20:40:09 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 129.192.165.10[4500].
> >>> Dec 23 20:40:14 pbx daemon.info
> >>> ...
> >>
> >>> Dec 24 20:57:35 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 101.165.98.245[500].
> >>
> >>
> >> ------------------------------------------------------------------------------
> >> _______________________________________________
> >> Astlinux-users mailing list
> >> Astlinux-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>
> >> Donations to support AstLinux are graciously accepted via PayPal to
> >> pay...@krisk.org.
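The "racoon" filter type discussed in this thread, modelled as an added example (not AstLinux's own adaptive-ban script): it matches racoon's "Invalid exchange type" error regardless of the type number, as Lonnie describes, and bans a source once ADAPTIVE_BAN_COUNT hits fall within ADAPTIVE_BAN_TIME seconds. The sample log lines are constructed after the ones quoted above, and the syslog year (absent from the log) is assumed to be 2016.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches racoon's error regardless of the exchange type number; the IKE port in brackets is ignored.
RACOON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ daemon\.info racoon: "
    r"ERROR: Invalid exchange type \d+ from (?P<ip>\d+(?:\.\d+){3})\[\d+\]\.$"
)

# Sample /var/log/messages lines, constructed after the ones quoted in the
# thread (one non-racoon line and one slow prober added to show the limits).
SAMPLE_LOG = """\
Jan  5 12:30:00 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 192.0.2.10[4500].
Jan  5 12:33:22 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:25 pbx auth.info sshd[911]: Failed password for root from 198.51.100.7 port 4022 ssh2
Jan  5 12:33:31 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:32 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:33:40 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 46.249.250.46[500].
Jan  5 12:35:00 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 192.0.2.10[4500].
Jan  5 12:36:00 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 192.0.2.10[4500].
"""

def parse_ts(ts, year=2016):
    """Syslog timestamps carry no year; 2016 (the thread's date) is assumed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def racoon_bans(lines, ban_count=3, ban_time=90):
    """Return source IPs to ban, in the order they crossed the threshold.
    Model of ADAPTIVE_BAN_COUNT / ADAPTIVE_BAN_TIME: ban once ban_count matching
    lines fall inside a ban_time-second window (the real script scans periodically)."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        m = RACOON_RE.match(line)
        if not m:
            continue                      # sshd, kernel, etc. are other filters' business
        ip = m.group("ip")
        if ip in banned:
            continue                      # already blocked; the firewall drops the rest
        now = parse_ts(m.group("ts"))
        window = hits[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > ban_time:
            window.popleft()              # forget hits older than the window
        if len(window) >= ban_count:
            banned.append(ip)
    return banned
```

With the thread's ADAPTIVE_BAN_TIME=90 and ADAPTIVE_BAN_COUNT=3 only 46.249.250.46 is banned; the slow prober 192.0.2.10 never places three hits inside one 90-second window, which is the false-banning margin Lonnie asks about.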