Hi Ralph,
Thanks for taking a look.
On 12/12/2023 12:23, Ralph Corderoy wrote:
Hi Tim,
Beginning of last week I became aware of a lot of connections to and
from <some sub domain>.dreamsinheels.com
Where are these showing up?
I have been using a program called Garkstat (the command-line version is
darkstat, https://unix4lyfe.org/darkstat/) and it has an output like
below (I have removed the MAC address column):
98.159.234.100 chrysippo.dreamsinheels.com 377,452,876 8,790,117,140 9,167,570,016 2 days, 18 hrs, 38 mins, 35 secs
98.159.234.101 reformidans.dreamsinheels.com 231,512,992 4,458,161,590 4,689,674,582 3 days, 21 hrs, 18 mins, 8 secs
98.159.234.54 posset.dreamsinheels.com 196,503,575 3,748,136,401 3,944,639,976 2 days, 2 hrs, 41 mins, 11 secs
98.159.234.72 pecunias.dreamsinheels.com 207,944,151 3,507,655,611 3,715,599,762 2 days, 3 hrs, 6 mins, 12 secs
98.159.234.157 aliquod.dreamsinheels.com 132,080,873 2,002,741,007 2,134,821,880 11 hrs, 53 mins, 38 secs
98.159.234.20 iustitiam.dreamsinheels.com 87,937,813 1,906,705,751 1,994,643,564 21 hrs, 14 mins, 53 secs
From what I have been able to find out, 98.159.234.?? is the IP
address for the dreamsinheels.com section of the domain name, while the
subdomain.dreamsinheels.com connections all seem to come from the same
185.151.130.148 IP address, using various port numbers in the
42000 to 49500 area. I guess I have around 30 sub domains so far.
I have not been able to block the connection; all the sub domains seem
to be coming from 185.151.30.148.
While I don't seem to have a list of live connections, it is still making
connections; I checked and they are showing in Wireshark when I monitor
traffic.
Can anybody help with some advice please on how best to block this
access?
If it's a single IP address then add it to the already existing
blacklist?
Here is a sample of one of the rules I have come up with:
-A ufw-user-logging-output -p tcp -d 185.151.30.148 --dport 42474 -s
185.151.30.148 --sport 42474 -m limit --limit 3/min --limit-burst 10 -j
LOG --log-prefix "[UFW BLOCK] "
I don't know how to change the single port to any port.
Have a skim of https://wiki.archlinux.org/title/Uncomplicated_Firewall
for ideas on the kind of thing that can be done.
I will be reading it, trying to make a move forward.
Tim H
--
Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
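As an added example (not code from the thread or from either poster), the following shell snippet follows Ralph's suggestion of blocking the address rather than one port: it reads darkstat-style host lines, picks out every distinct IP whose hostname sits under a given domain, and prints `ufw deny` commands with no port clause, so they cover all ports in both directions. The darkstat lines and the unrelated host 192.0.2.10 are constructed; the commands are printed for review rather than run.

```shell
#!/bin/sh
# Constructed sample, modelled on the darkstat output in the thread
# (MAC column removed): IP, hostname, in, out, total, last seen.
# 192.0.2.10 is an unrelated host that must not be blocked.
SAMPLE_DARKSTAT='98.159.234.100 chrysippo.dreamsinheels.com 377,452,876 8,790,117,140 9,167,570,016 2 days, 18 hrs
98.159.234.101 reformidans.dreamsinheels.com 231,512,992 4,458,161,590 4,689,674,582 3 days, 21 hrs
98.159.234.54 posset.dreamsinheels.com 196,503,575 3,748,136,401 3,944,639,976 2 days, 2 hrs
98.159.234.100 chrysippo.dreamsinheels.com 1,000 2,000 3,000 1 hr
192.0.2.10 mirror.example.net 10,000 20,000 30,000 5 mins'

# hosts_for_domain DOMAIN: read darkstat lines on stdin and print each
# distinct IP ($1) whose hostname ($2) is DOMAIN or ends in ".DOMAIN".
# A plain substring match would also hit e.g. notdreamsinheels.com.
hosts_for_domain() {
    awk -v dom="$1" '
        $2 == dom || substr($2, length($2) - length(dom)) == "." dom {
            if (!seen[$1]++) print $1
        }'
}

# ufw_block_host IP: emit ufw commands blocking IP on every port, both
# directions. Omitting "port" is what replaces the per-port rule in the
# thread. The ufw syntax used is "deny in|out from|to ADDRESS comment".
ufw_block_host() {
    printf 'ufw deny out to %s comment "dreamsinheels"\n' "$1"
    printf 'ufw deny in from %s comment "dreamsinheels"\n' "$1"
}

# gen_rules: rules for every host under the domain, plus the single
# remote address all the subdomain connections were coming from.
gen_rules() {
    printf '%s\n' "$SAMPLE_DARKSTAT" | hosts_for_domain dreamsinheels.com |
        while read -r ip; do ufw_block_host "$ip"; done
    ufw_block_host 185.151.30.148
}

gen_rules
```

Feed real darkstat output in place of the sample and pipe the result through `sh` as root once the list looks right.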