Hi Ralph

Thanks for taking a look.

On 12/12/2023 12:23, Ralph Corderoy wrote:
> Hi Tim,
>
>> Beginning of last week I became aware of a lot of connections to and
>> from <some sub domain>.dreamsinheels.com
>
> Where are these showing up?

I have been using a program called Garkstat (the command-line version is darkstat, https://unix4lyfe.org/darkstat/) and it has output like the table below (I have removed the MAC address column):

IP                Hostname                         In           Out            Total          Last seen
98.159.234.100    chrysippo.dreamsinheels.com      377,452,876  8,790,117,140  9,167,570,016  2 days, 18 hrs, 38 mins, 35 secs
98.159.234.101    reformidans.dreamsinheels.com    231,512,992  4,458,161,590  4,689,674,582  3 days, 21 hrs, 18 mins, 8 secs
98.159.234.54     posset.dreamsinheels.com         196,503,575  3,748,136,401  3,944,639,976  2 days, 2 hrs, 41 mins, 11 secs
98.159.234.72     pecunias.dreamsinheels.com       207,944,151  3,507,655,611  3,715,599,762  2 days, 3 hrs, 6 mins, 12 secs
98.159.234.157    aliquod.dreamsinheels.com        132,080,873  2,002,741,007  2,134,821,880  11 hrs, 53 mins, 38 secs
98.159.234.20     iustitiam.dreamsinheels.com       87,937,813  1,906,705,751  1,994,643,564  21 hrs, 14 mins, 53 secs

From what I have been able to find out, 98.159.234.?? is the IP address range for the dreamsinheels.com part of the domain name, while the subdomain.dreamsinheels.com connections all seem to come from the same 185.151.130.148 IP address but use various port numbers in the 42000 to 49500 range. I guess I have around 30 subdomains so far.

>> I have not been able to block the connection; all the subdomains seem
>> to be coming from 185.151.30.148.

While I don't seem to have a list of live connections, it is still making connections; I checked, and they are showing in Wireshark when I monitor the traffic.

>> Can anybody help with some advice please on how best to block this
>> access please.
>
> If it's a single IP address then add it to the already existing
> blacklist?

Here is a sample of one of the rules I have come up with:

-A ufw-user-logging-output -p tcp -d 185.151.30.148 --dport 42474 -s 185.151.30.148 --sport 42474 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

I don't know how to change the single port to any port.

> Have a skim of https://wiki.archlinux.org/title/Uncomplicated_Firewall
> for ideas on the kind of thing that can be done.

I will be reading it trying to make a move forward

Tim H

--
 Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
