retention policy

All questions about Fail2Ban (configuration, errors, filters...).
ktsaou
Posts: 18
Registered: 12 May 2015, 08:41

retention policy

Post by ktsaou »

Hi again,

I have created a site where I analyze all the blocklists.
You can see my analysis on blocklist.de here: http://ktsaou.github.io/blocklist-ipset ... ocklist_de

I have also added all the partial blocklists you provide (check the menu on the right of the page).

I have the following questions:

1. The Age of IPs currently listed shows that 50% of the IPs are more than 48 hours old. At the time I post this message, 48% of the IPs are listed for more than 79 hours. (http://ktsaou.github.io/blocklist-ipset ... ist_de#age)

2. This can also be confirmed from the retention of the IPs that are now de-listed. Only 20% of the IPs are removed from your list in the first 48 hours (http://ktsaou.github.io/blocklist-ipset ... #retention)

So, for some reason you do not remove IPs at 48 hours. I understand that if an attack continues, IPs may be removed later. However, I would expect that IPs should be de-listed and re-listed, which is not the case.

Check for example openbl_1d: 64% of IPs are removed after 25 hours (http://ktsaou.github.io/blocklist-ipset ... #retention). Check also the age of the IPs currently listed. Only 8% have an age above 80 hours (http://ktsaou.github.io/blocklist-ipset ... nbl_1d#age).

Check also stopforumspam_1d: The pattern is very similar to openbl_1d and very different compared to yours (http://ktsaou.github.io/blocklist-ipset ... pam_1d#age).

Any ideas?

Regards,

Costa

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: retention policy

Post by Martin »

Hi Costa,

The 48 hours are extended after new attacks.
An example for 1.2.3.4:
26.06.15 20:00 first attacks come in -> end time: 28.06.15 20:00
27.06.15 10:00 the IP was reported to us again -> end time: 29.06.15 10:00

When no new reports come in to us, the first end time is 28.06.15 20:00.
For every attack reported to us, the 48 hours are updated and a new end date is set (48 hours after the last attack).

But every user can remove the IPs earlier via the delist link; however, when we get a new attack after the removal, the IP is listed again.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
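As an added example (not blocklist.de's own code), a small Python model of the expiry rule Martin describes: a sliding 48-hour window that every new report pushes forward, early removal via the delist link, and relisting on the next report. The 1.2.3.4 timestamps come from the post; `RetentionModel` and its method names are assumptions of this example.

```python
from datetime import datetime, timedelta

# Added example (not blocklist.de's code): a model of the sliding 48-hour
# retention described above. Every report moves the end time to report
# time + 48 h; a delist removes the IP at once; a later report relists it.
RETENTION = timedelta(hours=48)


class RetentionModel:
    def __init__(self):
        self.first_seen = {}   # ip -> start of its current listing period
        self.expires = {}      # ip -> current end time

    def report(self, ip, when):
        """A contributor reports an attack from `ip` at time `when`."""
        if ip not in self.expires or when >= self.expires[ip]:
            self.first_seen[ip] = when          # starts a new listing period
        self.expires[ip] = when + RETENTION     # extended on every report

    def delist(self, ip):
        """Manual early removal via the delist link."""
        self.expires.pop(ip, None)
        self.first_seen.pop(ip, None)

    def is_listed(self, ip, now):
        return ip in self.expires and now < self.expires[ip]

    def age_hours(self, ip, now):
        """Hours continuously listed (the 'age' a list analysis measures), or None."""
        if not self.is_listed(ip, now):
            return None
        return (now - self.first_seen[ip]) / timedelta(hours=1)


def ts(s):
    """Parse the dd.mm.yy HH:MM timestamps used in the post."""
    return datetime.strptime(s, "%d.%m.%y %H:%M")


def martins_example():
    """Replays the 1.2.3.4 timeline from the post (constructed data)."""
    m = RetentionModel()
    m.report("1.2.3.4", ts("26.06.15 20:00"))
    first_end = m.expires["1.2.3.4"]
    m.report("1.2.3.4", ts("27.06.15 10:00"))
    second_end = m.expires["1.2.3.4"]
    # Still listed at 29.06 09:00, 61 h after the first report: an IP that is
    # reported again while listed grows older than 48 h without ever dropping out.
    age = m.age_hours("1.2.3.4", ts("29.06.15 09:00"))
    return first_end, second_end, age
```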

ktsaou
Posts: 18
Registered: 12 May 2015, 08:41

Re: retention policy

Post by ktsaou »

This means that your contributors do not use your list for blocking the attackers. You receive reports for an IP while it is being listed! Like a honeypot.
If your contributors used your list, the IPs should be de-listed after 48 hours and listed again if the attacker continues.

Anyway, thanks.

ktsaou
Posts: 18
Registered: 12 May 2015, 08:41

Re: retention policy

Post by ktsaou »

Martin,

mail.txt and apache.txt are currently exactly the same and they contain the following (I have aggregated them to subnets).
These have been listed for more than 10 days on each of them.

Does not seem normal...


ktsaou
Posts: 18
Registered: 12 May 2015, 08:41

Re: retention policy

Post by ktsaou »

Check this: 108.62.56.0/21
This is 108.62.56.0 - 108.62.63.255, i.e. 2.048 IPs...

It seems like static data...

ktsaou
Posts: 18
Registered: 12 May 2015, 08:41

Re: retention policy

Post by ktsaou »

This is the list in range notation:

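As an added example (not code from the thread or from blocklist.de), a Python helper that normalizes blocklist entries in any of the notations used above (single IP, CIDR prefix, first-last range) into IPv4 networks, so the subnet rendering and the range rendering can be checked against each other and a block such as 108.62.56.0/21 can be sized. The function names are assumptions of this example; it relies only on the standard `ipaddress` module.

```python
import ipaddress

# Added example (not from the thread): normalize blocklist entries written
# as single IPs, CIDR prefixes or "first-last" ranges into IPv4 networks,
# so two renderings of one list can be compared and their size counted.


def parse_entry(entry):
    """Return the IPv4Network objects that one blocklist entry covers."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # A bare address parses as a /32; strict=False tolerates set host bits.
    return [ipaddress.ip_network(entry, strict=False)]


def _networks(entries):
    """Minimal sorted set of networks covering every entry (merges overlaps)."""
    return list(ipaddress.collapse_addresses(
        [n for e in entries for n in parse_entry(e)]))


def to_cidrs(entries):
    """Render the entries as a minimal, sorted list of CIDR strings."""
    return [str(n) for n in _networks(entries)]


def address_count(entries):
    """Number of distinct addresses the entries cover."""
    return sum(n.num_addresses for n in _networks(entries))


def same_coverage(a, b):
    """True if two lists, in any mix of notations, cover the same addresses."""
    return to_cidrs(a) == to_cidrs(b)


def to_ranges(entries):
    """Render as contiguous 'first-last' ranges; a lone address stays single.
    Adjacent CIDR blocks that are not a single prefix (e.g. two /24s with an
    odd third octet) still merge into one range, as in the post above."""
    out = []
    for net in _networks(entries):
        first, last = net[0], net[-1]
        if out and int(first) == int(out[-1][1]) + 1:
            out[-1][1] = last            # extend the previous range
        else:
            out.append([first, last])
    return [str(f) if f == l else f"{f}-{l}" for f, l in out]
```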

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: retention policy

Post by Martin »

Hi Costa,

I will look at this on the weekend. The scripts were very old.
But normally I have some comments when an IP range was manually blocked.
I will answer you again in a few days.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: retention policy

Post by Martin »

Hi,

So, the IP ranges:
108.62.56.0 - 108.62.63.255
173.234.225.0 - 173.234.227.255
were blocked because the IP owner is a heavy blackhat-SEO spammer and sells senuke and xrummer VPS.

'113.212.69.0', '113.212.69.255' # xeex.in
'113.212.70.0', '113.212.70.255' # xeex.in
'216.151.137.0', '216.151.137.255' # xeex.in
'216.151.138.0', '216.151.138.255' # xeex.in
'216.152.252.0', '216.152.252.255' # xeex.in
'216.152.249.0', '216.152.249.255' # xeex.in
'216.151.130.0', '216.151.130.255' # xeex.in
is an upstream provider, but they don't take action against abusive customers.

'82.221.99.224', '82.221.99.239' # Fake Tor-Exits Burratino.net
These are fake Tor servers:

Code:

dig ANY 238.99.221.82.80.4.3.2.1.ip-port.exitlist.torproject.org -> No Entry
dig ANY 238.99.221.82.443.4.3.2.1.ip-port.exitlist.torproject.org -> No Entry
The hostname is tor-exit.burratino.net., but it is not in the Tor exit node list of torproject.org.

'96.47.225.0', '96.47.225.255' #sysop@iptelligent.com
'5.167.64.0', '5.167.71.255' # ertelecom.ru
'194.71.223.0', '194.71.223.255' # errsy.com
'194.71.224.0', '194.71.224.255' # errsy.com
'194.71.225.0', '194.71.225.255' # errsy.com
'46.227.64.0', '46.227.71.255' # obnetwork (httpproxy...)

And the following IPs are open proxy servers or make HTTP referer spam:
'176.9.219.38'
'46.118.112.135' # makes vod.com.au referer spam
'50.7.240.10'
'96.47.224.42'
'96.44.142.250'
'195.254.134.10'
'195.254.134.194'
'188.95.234.6'
'188.143.235.21'
'95.134.130.182'
'95.143.192.159'
'176.100.75.27'
'176.221.42.32'

These are all manually listed ranges.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
