On 11/16/23 10:56 AM, Paul Kudla wrote:

     Ok a few things about IP blocks

     If they are portable, they can move from country to country ?? without any real notice.

     The IP that triggered all this says it is allocated from NL
     (Netherlands) but physically exists in Hawaii?

     No list will ever be 100% accurate.

     I did find this link that displays by country, but then you have to
     click the country, understanding that some subnets are split out by
     class "A" / "B" & "C".

     A whole class "A", for example, can be split into many subclasses,
     thus pointing different ranges to different countries.

     https://www.nirsoft.net/countryip/

     Maybe write a Python program to grab and make a table of IP addresses?

     It has a link to download a CSV, so some kind of loop stripping out the
     country links would probably be OK, and then download the CSV file and
     create a full CSV file.

     Then use that for your firewall, keeping in mind it needs to be
     updated regularly.

     I did look around, as ARIN is responsible for all of this, but
     could not find a list there either.

     https://www.arin.net/reference/

     ARIN is mainly responsible for allocating blocks but not really
     responsible for where they might get used.

     Same with other WHOIS databases around the globe.

     Also note IPv6 is out there now and adds a whole new layer to
     all of this.

     Have A Happy Thursday !!!

     Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


     Scom.ca Internet Services <http://www.scom.ca>
     004-1009 Byron Street South
     Whitby, Ontario - Canada
     L1N 4S3

     Toronto 416.642.7266
     Main 1.866.411.7266
     Fax 1.888.892.7266
     Email p...@scom.ca

     On 11/16/2023 9:31 AM, Brendan Kearney wrote:
          On 11/16/23 9:05 AM, Nick Lockheart wrote:
               Are there publicly available lists of IP ranges by region?

               There's no reason for any IP outside of North America to be
               contacting Postfix on Submission (587) or IMAP, since these
               are employee-only services.

               If not for mobile phones, we could really close it off.


               On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:

                     Good day to all .....

                     Just adding to the conversation with how I had to deal
                     with this years ago.

                     Basically hacks to any server are an issue today, but it
                     is cat & mouse trying to track all of this.

                     That being said, using the reported IP address below, I
                     patched Postfix to log the IP address in one syslog pass
                     (to ID the SASL user account + IP etc.)

                     Along with the above, Dovecot logging is verbose (Dovecot
                     already does all access in one line - i.e. IP address,
                     username (email address) etc.)

                     Combining the two, I run my own IP address firewall
                     tracking system based on the syslogging in real time.

                     For example:

                     __________________________________________________________________________

                     # ipinfo 104.156.155.21

                     IP Status for                   : 104.156.155.21

                     IP Status                       : IPv4
                     NS Lookup (Forward)             : 104.156.155.21
                     NS Lookup (Reverse)             : None

                     IP Blacklisted Status           : Found 104.156.155. for 104.156.155.21 [D] {Asterisk}
                     Last Program                    : sshd

                     Ip Location Info for            : 104.156.155.21

                     No Ip Information Found

                     (i.e. IP location lookup failed / does not exist for this IP?)

                     __________________________________________________________________________

                     Basically the IP address block was found in my firewall,
                     so something, someone etc. has tried to hack one of my
                     servers.

                     In the case of scom.ca I run an Asterisk server, and
                     since the Asterisk is noted someone tried hacking that
                     one as well.

                     Basically I run a database that tracks and updates all
                     firewalls in real time.

                     Running FreeBSD I use PF, and Asterisk is Linux based so
                     I use iptables and update every 10 minutes.

                     Only time nowadays I get involved is if a customer calls
                     and complains they are not getting emails etc. ...

                     That happens a few times a year.

                     Again, just an FYI.

                     This reply was more to indicate all email servers (and
                     anything attached to the internet) really need to run
                     some sort of automated IP firewall when username/password
                     hacks occur, no reverse IP address etc. etc. etc.


                     Food for thought.


                     Have A Happy Thursday !!!

                     Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


                     Scom.ca Internet Services <http://www.scom.ca>
                     004-1009 Byron Street South
                     Whitby, Ontario - Canada
                     L1N 4S3

                     Toronto 416.642.7266
                     Main 1.866.411.7266
                     Fax 1.888.892.7266
                     Email p...@scom.ca

                     On 11/15/2023 5:53 PM, Simon B wrote:


                          On Wed, 15 Nov 2023, 23:25 Michael Peddemors,
                          <mich...@linuxmagic.com> wrote:
                                 There is a network claiming to be a security
                                 company, however the activity appears to be a
                                 little more malicious, and appears to be
                                 attempting buffer overflows against POP-SSL
                                 services.. (and other attacks).

                                 https://www.abuseipdb.com/check/104.156.155.21

                                 Just thought it would be worth mentioning, you
                                 might want to keep an eye out for traffic from
                                 this company...

                                 Might want to make up your own mind, or maybe
                                 someone has more information, but enough of a
                                 red flag that I thought it warranted posting
                                 on the list.

                                 Not sure yet if it is Dovecot, or the SSL
                                 libraries they are attempting to break, but
                                 using a variety of SSL/TLS methods and
                                 connections...

                          They are not interested in dovecot per se.  They
                          scan for TLS vulnerabilities, mostly.

                                 Anyone with more information?

                                 NetRange:       104.156.155.0 - 104.156.155.255
                                 CIDR:           104.156.155.0/24

                                 NetName:        ACDRESEARCH
                                 NetHandle:      NET-104-156-155-0-1
                                 Parent:         NET104 (NET-104-0-0-0-0)
                                 NetType:        Direct Allocation
                                 OriginAS:
                                 Organization:   Academy of Internet Research Limited Liability Company (AIRLL)
                                 RegDate:        2022-01-07
                                 Updated:        2022-01-07
                                 Ref:            https://rdap.arin.net/registry/ip/104.156.155.0


                                 OrgName:        Academy of Internet Research Limited Liability Company
                                 OrgId:          AIRLL
                                 Address:        #A1- 5436
                                 Address:        1110 Nuuanu Ave
                                 City:           Honolulu
                                 StateProv:      HI
                                 PostalCode:     96817
                                 Country:        US
                                 RegDate:        2021-10-15
                                 Updated:        2022-11-06
                                 Ref:            https://rdap.arin.net/registry/entity/AIRLL

                                 --

                          See also shadowserver.org, census.io, stretchoid,
                          etc. All of them allegedly reputable, all of them
                          supposedly with opt-out mechanisms, and all of them
                          are blocked for not asking permission.


                          Ymmv.

                          Regards

                          Simon


          I have some rather old IpToCountry.csv files from a now
          defunct site. It mapped IP allocations to country and
          included the RIR, date assigned, etc.  This data is a few
          years old as the site was taken down and there is probably
          a lot of new or updated info.  A GeoDB subscription may be
          useful in the case you are looking at.

          brendan

The info I have is the ARIN, APNIC, etc. registry (RIR) info about where the
allocation was made, but it does not go to the next layer about
who the allocation was made to.

dn: ipNetworkNumber=104.0.0.0,c=US,ou=GeoLocation,dc=bpk2,dc=com
description: /12
ipnetmasknumber: 255.240.0.0
ipnetworknumber: 104.0.0.0
l: United States
objectclass: ipNetwork
objectclass: top

I am not sure how often things change in terms of allocations moving
geolocation, but I could see that who the allocations are made to could
move more frequently.

The CSV I downloaded had the CIDR notation in the allocation.  Example:

"0","16777215","iana","410227200","ZZ","ZZZ","Reserved"

Through a bash script, I converted that to LDIF:

dn: ipNetworkNumber=0.0.0.0,c=ZZ,ou=GeoLocation,dc=bpk2,dc=com
ipnetworknumber: 0.0.0.0
ipnetmasknumber: 255.0.0.0
l: Reserved
description: /8
objectclass: ipnetwork
objectclass: top

And added it to my DIT for reference.  If I could use the info for geofencing
in my firewall, I would, but the integration between tools does not exist.
Would be nice.

ARIN is only one RIR, and has allocated 57,609 of the total 162,988 records in
the CSV I have.  Having the data from the other RIRs helps with a more
holistic view of all allocations.  I do have an IPv6 version of the CSV, but
have not parsed that yet.  Some questions about how I would store the IPs
come to mind, and never got answered.

brendan
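Brendan's bash conversion from IpToCountry.csv rows to LDIF is not shown on the page. The block below is an added Python example written by the editor (not Brendan's script and not any project's code) that does the same conversion and, for the geofencing use he mentions, also emits the prefixes as lines for a pf table file or ipset. It assumes the seven-column IpToCountry layout ("IP_FROM","IP_TO","REGISTRY","ASSIGNED","CTRY","CNTRY","COUNTRY"), an assumed base DN of ou=GeoLocation,dc=example,dc=com, and constructed sample rows (the first is the row quoted above, the others are made up). One thing a row-by-row conversion has to handle: a registry range is not guaranteed to be a single power-of-two block, so one CSV row can require several prefixes. IPv4 only; the IPv6 CSV has a different layout and is not covered.

```python
"""Turn IpToCountry-style CSV rows into CIDR prefixes, LDIF entries and pf table lines.

Added example, IPv4 only. Assumes the seven-column layout
"IP_FROM","IP_TO","REGISTRY","ASSIGNED","CTRY","CNTRY","COUNTRY".
"""
import csv
import io
import ipaddress

# Constructed sample. Row 1 is the line quoted in the thread; rows 2 and 3 are
# made up (10.0.0.0-10.0.2.255 is deliberately not a single CIDR block, and
# 104.0.0.0/12 mirrors the LDIF entry shown above).
SAMPLE_CSV = (
    '"0","16777215","iana","410227200","ZZ","ZZZ","Reserved"\n'
    '"167772160","167772927","ripencc","1262304000","XX","XXX","Example"\n'
    '"1744830464","1745879039","arin","1262304000","US","USA","United States"\n'
)

# Assumed base DN (the thread's DIT uses ou=GeoLocation,dc=bpk2,dc=com).
BASE_DN = "ou=GeoLocation,dc=example,dc=com"


def parse_rows(text):
    """CSV text -> list of dicts. Skips comment/short rows, rejects bad ranges."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) != 7:
            continue
        start, end = int(row[0]), int(row[1])
        if not 0 <= start <= end <= 0xFFFFFFFF:
            raise ValueError("invalid IPv4 range %d-%d" % (start, end))
        records.append({"start": start, "end": end, "registry": row[2],
                        "cc": row[4], "country": row[6]})
    return records


def range_to_cidrs(start, end):
    """Inclusive integer range -> minimal list of IPv4Network objects.

    A registry allocation need not be one power-of-two block, so a single
    CSV row may produce several prefixes; each gets its own LDIF entry."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def ldif_entries(records, base_dn=BASE_DN):
    """One ipNetwork entry per prefix, in the attribute layout used in the thread."""
    entries = []
    for rec in records:
        for net in range_to_cidrs(rec["start"], rec["end"]):
            entries.append("\n".join([
                "dn: ipNetworkNumber=%s,c=%s,%s" % (net.network_address, rec["cc"], base_dn),
                "ipnetworknumber: %s" % net.network_address,
                "ipnetmasknumber: %s" % net.netmask,
                "l: %s" % rec["country"],
                "description: /%d" % net.prefixlen,
                "objectclass: ipNetwork",
                "objectclass: top",
            ]))
    return entries


def pf_table_lines(records, *countries):
    """CIDR lines for a pf table file (or ipset) covering the given country codes."""
    wanted = set(countries)
    return [str(net)
            for rec in records if rec["cc"] in wanted
            for net in range_to_cidrs(rec["start"], rec["end"])]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_CSV)
    print("\n\n".join(ldif_entries(recs)))
    # In pf.conf (assumed names): table <geo_na> persist file "/etc/pf/geo_na.txt"
    print("\n".join(pf_table_lines(recs, "US", "CA")))
```

The pf table file is what closes the gap Brendan describes between the LDAP copy and the firewall: regenerate it from a fresh CSV on a schedule and reload the table with pfctl, since allocations move as Paul notes above.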
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
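Paul describes, without posting code, a tracker that reads Postfix SASL and Dovecot auth failures from syslog and pushes blocks to pf on FreeBSD and iptables on Linux. The block below is an added example of that detection logic written by the editor; it is not Paul's system. It parses constructed Dovecot imap-login, Postfix smtpd SASL and sshd failure lines (the 104.156.155.21 address is the one from the thread, the rest are documentation and private ranges), totals failures per source (a Dovecot "auth failed, N attempts" line carries its own count), records when Postfix saw no reverse DNS ("unknown[...]", the "no reverse ip address" signal Paul mentions), never blocks private or allow-listed sources, widens to the /24 when several hosts in it misbehave (the "Found 104.156.155." pattern in the ipinfo output above), and renders pfctl and iptables commands. The table name bruteforce, the thresholds and the log lines are assumptions.

```python
"""Syslog-driven auth-failure blocklist for pf/iptables (added example).

Parses Dovecot imap/pop3-login, Postfix smtpd SASL and sshd failure lines,
totals failures per source address and renders firewall commands.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. 104.156.155.21 is the address discussed in the thread;
# the other sources are RFC 5737 documentation / RFC 1918 private space.
SAMPLE_LOG = """\
Nov 16 08:01:02 mx dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<x1>
Nov 16 08:01:09 mx postfix/submission/smtpd[2231]: warning: unknown[104.156.155.21]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 16 08:01:30 mx sshd[4410]: Failed password for invalid user admin from 104.156.155.21 port 51234 ssh2
Nov 16 08:02:11 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Nov 16 08:02:40 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=5521, TLS, session=<y2>
Nov 16 08:03:01 mx postfix/smtpd[2240]: warning: unknown[104.156.155.40]: SASL PLAIN authentication failed: authentication failure
Nov 16 08:03:05 mx postfix/submission/smtpd[2231]: warning: unknown[10.0.0.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DOVECOT = re.compile(r"dovecot: \w+-login: .*\(auth failed, (\d+) attempts in \d+ secs\): user=<([^>]*)>.*?rip=" + IPV4)
POSTFIX = re.compile(r"postfix/\S*smtpd\[\d+\]: warning: (\S+)\[" + IPV4 + r"\]: SASL \S+ authentication failed")
SSHD = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4 + r" port \d+")


def parse_line(line):
    """Return {program, ip, attempts, user, no_rdns} for a failure line, else None."""
    m = DOVECOT.search(line)
    if m:  # Dovecot reports the attempt count for the whole connection
        return {"program": "dovecot", "ip": m.group(3), "attempts": int(m.group(1)),
                "user": m.group(2), "no_rdns": False}
    m = POSTFIX.search(line)
    if m:  # Postfix logs "unknown" as the client name when reverse DNS fails
        return {"program": "postfix", "ip": m.group(2), "attempts": 1,
                "user": None, "no_rdns": m.group(1) == "unknown"}
    m = SSHD.search(line)
    if m:
        return {"program": "sshd", "ip": m.group(2), "attempts": 1,
                "user": m.group(1), "no_rdns": False}
    return None


def failures_by_ip(lines):
    """Aggregate failures per source address across all three daemons."""
    stats = defaultdict(lambda: {"count": 0, "programs": set(), "users": set(), "no_rdns": False})
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        st = stats[hit["ip"]]
        st["count"] += hit["attempts"]
        st["programs"].add(hit["program"])
        if hit["user"]:
            st["users"].add(hit["user"])
        st["no_rdns"] = st["no_rdns"] or hit["no_rdns"]
    return dict(stats)


def decide_blocks(stats, threshold=3, min_hosts_for_prefix=2, allow=()):
    """Pick networks to block, returned as sorted CIDR strings.

    A host is blocked at /32 once it reaches `threshold` failures. A whole /24
    is blocked when at least `min_hosts_for_prefix` distinct hosts in it failed
    and their combined failures reach `threshold`. Private, loopback and
    allow-listed sources are never blocked, so an office egress or management
    network cannot be locked out by a mistyped password."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    per24 = defaultdict(lambda: {"hosts": set(), "count": 0})
    blocks = set()
    for ip_s, st in stats.items():
        ip = ipaddress.ip_address(ip_s)
        if ip.is_private or ip.is_loopback or any(ip in n for n in allow_nets):
            continue
        net24 = ipaddress.ip_network(ip_s + "/24", strict=False)
        per24[net24]["hosts"].add(ip_s)
        per24[net24]["count"] += st["count"]
        if st["count"] >= threshold:
            blocks.add(ipaddress.ip_network(ip_s))
    for net, agg in per24.items():
        if len(agg["hosts"]) >= min_hosts_for_prefix and agg["count"] >= threshold:
            blocks.add(net)
    # collapse_addresses drops /32 entries already covered by a /24 block
    return sorted(str(n) for n in ipaddress.collapse_addresses(blocks))


def firewall_commands(nets, backend):
    """Render commands for pf (FreeBSD) or iptables (Linux); table name is assumed."""
    if backend == "pf":
        return ["pfctl -t bruteforce -T add %s" % n for n in nets]
    if backend == "iptables":
        return ["iptables -I INPUT -s %s -j DROP" % n for n in nets]
    raise ValueError("unknown backend %r" % backend)


if __name__ == "__main__":
    stats = failures_by_ip(SAMPLE_LOG.splitlines())
    nets = decide_blocks(stats)
    for cmd in firewall_commands(nets, "pf") + firewall_commands(nets, "iptables"):
        print(cmd)
```

On the pf side this assumes `table <bruteforce> persist` and `block in quick from <bruteforce> to any` in pf.conf. The sample is a flat count over one chunk of log; a real-time version would tail the log, count within a sliding time window and expire entries rather than accumulating forever (Paul's setup re-pushes its rules every 10 minutes). Combining this with a per-country table, as Nick suggests for Submission and IMAP, is a separate rule on the same table mechanism.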
