Posted

From reviewing web logs:

78.153.140.151 - - [02/May/2025:05:10:43 +0000] "GET /.env.xml HTTP/1.1" 404 3793 "-" "More Firefox 1.5.0.9 user agents strings -->>"

Perhaps if you’re going to source from a list of UAs, you should look at the list first and remove anything that doesn’t look like a UA. But thanks for making me laugh.

That’s the usual dreck from hostglobalplus, though. They’re one of my personal shoot-on-sight providers, so as soon as I see them in my logs I firewall off the whole netblock.
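A small log check for exactly this failure mode, added here as an example rather than anything from the post: it parses combined-format lines, flags User-Agent values that look like residue from a scraped UA listing (comment markers, "user agents" headings, no product/version token), and collapses the offending sources into /24s for firewall review. The junk markers and the sample lines other than the one quoted above are constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments typical of a scraped UA *listing* (headings, comments), not of a client.
# Assumed heuristics, tuned to the line quoted in the post; extend as you see more.
JUNK_MARKERS = ("-->", "user agent", "user-agent", "more ", "list of")

def ua_problems(ua):
    """Return the reasons a User-Agent string looks like list-scraping residue."""
    if not ua or ua == "-":
        return ["empty"]
    low = ua.lower()
    reasons = [f"contains {m!r}" for m in JUNK_MARKERS if m in low]
    # Real clients start with a product/version token such as Mozilla/5.0 or curl/8.
    if not re.match(r"^[A-Za-z][\w.-]*/\d", ua):
        reasons.append("no product/version token")
    return reasons

def scan(lines):
    """Return (ip, ua, reasons) for every combined-format line whose UA fails the checks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip anything that is not in combined format
            continue
        reasons = ua_problems(m["ua"])
        if reasons:
            hits.append((m["ip"], m["ua"], reasons))
    return hits

def netblocks(hits, prefixlen=24):
    """Collapse flagged source IPs into /prefixlen networks for firewall review."""
    blocks = defaultdict(int)
    for ip, _, _ in hits:
        blocks[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(blocks)

# Constructed sample: the line from the post plus three made-up lines (RFC 5737 addresses).
SAMPLE_LOG = [
    '78.153.140.151 - - [02/May/2025:05:10:43 +0000] "GET /.env.xml HTTP/1.1" 404 3793 "-" '
    '"More Firefox 1.5.0.9 user agents strings -->>"',
    '192.0.2.10 - - [02/May/2025:05:11:02 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '203.0.113.5 - - [02/May/2025:05:11:30 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [02/May/2025:05:12:15 +0000] "GET /.env HTTP/1.1" 404 3793 "-" "-"',
]
```

Run `scan(SAMPLE_LOG)` on your own access log lines; only the quoted hostglobalplus line and the empty-UA line are flagged, while the real Firefox and Googlebot strings pass.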

Author
Categories Network security


Sleep has been pretty difficult for the last couple of weeks. It’s moderate effort to get to sleep, but if something wakes me up (like having to go to the bathroom) after a certain hour, I’m pretty much up for the day. This getting older business sucks sometimes.

One of my personal servers started losing disks in a hurry as I was reinstalling an OS — two in an hour. I think the RAID controller is gone. When I have some time with my better half outside the house (its fans are loud at full speed) I will try to drop the “failed” disks back in and route around the failed RAID controller.

I also have a smaller server (in every respect, sadly — from 64GB DDR4 and 12TB of RAID10 down to 32GB DDR4 and 2GB of RAID1), so I’ve thrown PVE8 onto that and am building a couple of VMs on it. One’s a utility VM I’ll use for work, so I am more device-independent when I’m around the house. It’s a pain to unplug my work laptop and take it to another area of the house, but if I do most of the work on the VMs, I can grab the spare laptop and use that, instead.

My hope is that I can get the more powerful one up and going, as that could handle argus, too. I’ll probably move that to my virtualisation server at OVH, as it’s got enough room to make space for it.

Today’s a write-off for progress on mapping or tagging. Hopefully I’ll get some time on Sunday.

Categories Personal


I’m trying another approach to mapping the address spaces (IPv4 and IPv6 now). It’s more or less the same process as before, but different classification criteria, and different grouping criteria. Single IPs are the order of the day, rather than ranges, and it’s all about confirmed contacts from each IP. I don’t know what it will turn up, but it’s interesting to see the patterns forming so quickly.

You can check out the IP ranges observed so far if you’re curious.

Note that these lists are not exhaustive. If I’m unsure about an entry (if it’s a bot, real person, etc.), I don’t add it.

I just noticed that I’m so in the habit of locking down ssh to my jumphost that I did it on my listeners, so I don’t have any ssh brute-force data yet. Oops. Unfiltered now, so expect to see some ssh brute force tags in the ranges above in the next day or two.

Categories Personal


Well, not so much afraid, but I have set up a naked ForgeJo server in France. It’s secure, but has no firewall blocks. It’s got a decently large git repo on board for bots to get lost in. I don’t have a lot of tolerance for bots on my personal or work sites. I care little enough about the info here that I’m happy to let the bots slurp it all up. Besides, it’s just a mirror of the Rust programming language repository from GitHub.

I’ll also use the ForgeJo instance for my own deeply-public info (probably reworks of data files). I don’t have a ton of personal use for git these days.

The server is a little KS-C from OVH. CAD20 per month for the next three months will hold me over until I can spin up another virtualisation server. As usual, the day after I buy in, a better one comes online for a comparable price. The next one I get has to have vRack access, though — I need it to properly handle the netblocks across multiple servers in clustered mode. One node in Canada, the other in France.

The reason for the French node is to get a sense of how threats differ between geographic locations. The “conventional wisdom” is that they don’t at all “because the Internet is global”, but I’ve already proven that wrong to my satisfaction. Some threats are shared, but others are significantly different. That latter category is the much larger one, too.

Categories Personal


Part one of many.

Google publishes JSON files with IP ranges for various services, including Google Cloud. They don’t see fit to include all of the ranges, though. They’ve populated RDNS for at least one of the ranges I’ve found missing, so there is very little question that it’s an omission. With Google, it’s safe to assume that all such omissions are intentional. With the number of employees they have and their alleged intelligence, this situation should properly be utterly impossible as an accident. They’re just too smart, right?
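The check behind that claim, as an added example and not the post’s own tooling: load a range file in the shape Google publishes (a `prefixes` list of `ipv4Prefix`/`ipv6Prefix` entries), then sort observed IPs into covered, uncovered-but-Google-RDNS, and everything else. The JSON below is a constructed stand-in using documentation ranges, the observations are made up, and the RDNS suffix list is an assumption.

```python
import json
import ipaddress

# Constructed stand-in for Google's published range files. The real files share this
# shape (a "prefixes" list of {"ipv4Prefix"|"ipv6Prefix", "service", "scope"}); the
# prefix values here are RFC 5737/3849 documentation ranges, not Google's.
PUBLISHED_JSON = """
{
  "syncToken": "0000000000000",
  "creationTime": "2025-05-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud", "scope": "example-region1"},
    {"ipv6Prefix": "2001:db8:1::/48", "service": "Google Cloud", "scope": "example-region1"}
  ]
}
"""

# Assumed reverse-DNS suffixes that indicate a Google-operated address.
GOOGLE_RDNS_SUFFIXES = (".googleusercontent.com", ".1e100.net", ".google.com")

def load_prefixes(text):
    """Parse the published JSON into ip_network objects (v4 and v6 mixed)."""
    data = json.loads(text)
    nets = []
    for entry in data["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        nets.append(ipaddress.ip_network(cidr))
    return nets

def covering_prefix(ip, nets):
    """Return the published prefix containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None

def audit(observations, nets):
    """observations: (ip, rdns_or_None) pairs from logs. Buckets each by coverage."""
    result = {"covered": [], "uncovered_google_rdns": [], "other": []}
    for ip, rdns in observations:
        net = covering_prefix(ip, nets)
        if net:
            result["covered"].append((ip, net))
        elif rdns and rdns.endswith(GOOGLE_RDNS_SUFFIXES):
            result["uncovered_google_rdns"].append((ip, rdns))  # the omission case
        else:
            result["other"].append((ip, rdns))
    return result

# Constructed observations: one covered v4, one Google-RDNS v4 outside the list,
# one unrelated host, one covered v6.
OBSERVATIONS = [
    ("203.0.113.9", "9.113.0.203.bc.googleusercontent.com"),
    ("198.51.100.4", "4.100.51.198.bc.googleusercontent.com"),
    ("192.0.2.77", "host.example.net"),
    ("2001:db8:1::5", None),
]
```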

The problem when you tell people they’re the smartest is that they wind up doing incredibly stupid things, thinking that it’s invisible to everyone else. It’s not invisible, Google. We see you, and we’re judging you. The judgement is that you’re trying to be sneaky for whatever reason.

I don’t purchase Google services. Google isn’t good enough. This is one more reason why.

Categories Personal