Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: SchulzStefan on July 06, 2018, 11:58:49 AM

Title: suspicious IP
Post by: SchulzStefan on July 06, 2018, 11:58:49 AM
Good day,

does anybody know the IP 37.49.224.226 ?

I've had attempts on my systems all day long. Not a customer of mine; I would like to block it.

regards,
stefan
Title: Re: suspicious IP
Post by: Stefano on July 06, 2018, 12:40:34 PM
geektools.com -> insert IP and the captcha code, you're done
Title: Re: suspicious IP
Post by: mmccarn on July 06, 2018, 12:41:33 PM
You can get basic IP info at "ipinfo.io": https://ipinfo.io/37.49.224.226

You can check if a server is listed on DNSBL services using mxtoolbox.com: https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a37.49.224.226&run=toolpage

You can configure your SME server to automatically block misbehaving IPs using Fail2ban: https://wiki.contribs.org/Fail2ban
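The counting step behind the "block misbehaving IPs" advice, as an added illustration (not from this post and not Fail2ban's own code): a POSIX shell function that tallies failed sshd logins per source address from a log file and reports the addresses at or above a threshold. The log lines, the hostname "sme", the threshold and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example: the per-IP failed-login count that a tool such as Fail2ban
# performs before it bans. Not Fail2ban code; format and values are assumed.
set -eu

# Print "count ip" for every source address with at least $2 lines of
# "sshd[...]: Failed password ... from <ip> port ..." in file $1, busiest first.
# Successful logins in between do not reset the count in this simple version.
failed_login_offenders() {
    local logfile=$1 threshold=$2
    grep 'sshd\[[0-9]*\]: Failed password' "$logfile" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# --- demo on constructed log lines (not a real capture) ---
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jul  6 11:58:01 sme sshd[2171]: Failed password for root from 37.49.224.226 port 51244 ssh2
Jul  6 11:58:03 sme sshd[2171]: Failed password for root from 37.49.224.226 port 51244 ssh2
Jul  6 11:58:05 sme sshd[2173]: Failed password for invalid user admin from 37.49.224.226 port 51260 ssh2
Jul  6 11:58:09 sme sshd[2175]: Failed password for invalid user test from 37.49.224.226 port 51290 ssh2
Jul  6 12:01:44 sme sshd[2190]: Failed password for stefan from 192.0.2.10 port 40110 ssh2
Jul  6 12:01:50 sme sshd[2190]: Accepted password for stefan from 192.0.2.10 port 40110 ssh2
EOF
echo "addresses with 3 or more failed logins:"
failed_login_offenders "$sample_log" 3
rm -f "$sample_log"
```

Run it against /var/log/secure (or wherever sshd logs on the box) to see which sources would trip a Fail2ban-style threshold; Fail2ban itself adds the time window and the actual firewall action on top of this count.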


Title: Re: suspicious IP
Post by: SchulzStefan on July 06, 2018, 12:45:15 PM
Stefano and mmccarn,

thank you both - I already did a lookup. Fail2ban is running and configured. I just wanted to know if anybody in the community has already stumbled over this IP.

Thx and regards,
stefan
Title: Re: suspicious IP
Post by: Stefano on July 06, 2018, 02:10:40 PM
Sincerely, I don't care; I manage more than 2 dozen servers... ;-)
Title: Re: suspicious IP
Post by: ReetP on July 06, 2018, 03:46:16 PM
If it is blocked then why worry over one IP?

I have truckloads of IPs banging away, and they in turn get blocked.

Just worry about the ones that get through....

FYI, new GeoIP reveals:

geoiplookup 37.49.224.226
GeoIP Country Edition: NL, Netherlands
GeoIP City Edition, Rev 1: NL, N/A, N/A, N/A, N/A, 52.382401, 4.899500, 0, 0
GeoIP ASNum Edition: AS199264 Estro Web Services Private Limited

Doesn't really mean anything much though.

As long as it gets blocked then move on and worry about more important things.
Title: Re: suspicious IP
Post by: mmccarn on July 07, 2018, 04:11:21 PM
I became obsessed with blocking access from known bad IPs a while ago, and dug up firehol (https://firehol.org/) - a firewall project that does for IP traffic what spam filters do for email.  That is - it monitors lists of known bad IPs and creates "ipsets" that can then be used by iptables to block traffic to or from those systems.

My notes on setting up firehol went into this post - https://forums.contribs.org/index.php?topic=53302.0 - but need significant updating.

Not all of "firehol" is needed, only iprange (https://github.com/firehol/iprange), functions.common (https://raw.githubusercontent.com/firehol/firehol/master/sbin/functions.common), update-ipsets (https://raw.githubusercontent.com/firehol/firehol/master/sbin/update-ipsets), and a customized version of "install.config" pointing to wherever you put the other 3 files. I don't have any notes on this for SME server, as I did it on EdgeOS on a Ubiquiti EdgeRouter Lite (https://www.ubnt.com/edgemax/edgerouter-lite/).
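The ipset-plus-iptables mechanism described above, reduced to its core as an added example (not firehol's update-ipsets and not code from this post): a shell script that reads a plain-text blocklist, validates each entry as an IPv4 address or CIDR, drops comments, duplicates and malformed lines, and emits an `ipset restore` script together with the iptables rules that match on the set. The set name "badips", the function names and the sample blocklist entries are constructed for the example; the 203.0.113.0/24 range is a documentation network used as a placeholder.

```shell
#!/bin/sh
# Added example: build an ipset from a blocklist file the way a firehol-style
# updater does, without running ipset/iptables here. Names are assumed.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_net() {
    local entry=$1 ip prefix a b c d extra octet
    ip=${entry%%/*}
    if [ "$ip" = "$entry" ]; then prefix=32; else prefix=${entry#*/}; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=. read -r a b c d extra <<EOF
$ip
EOF
    [ -z "$extra" ] || return 1                 # more than four octets
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an `ipset restore` script that loads every valid entry of file $1
# into set $2. Comments ('#' to end of line), blank lines and duplicates are
# dropped; malformed entries are reported on stderr instead of being added.
build_ipset_restore() {
    local listfile=$1 setname=$2 entry
    printf 'create %s hash:net family inet -exist\n' "$setname"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$listfile" \
      | grep -v '^$' | sort -u \
      | while read -r entry; do
            if valid_ipv4_net "$entry"; then
                printf 'add %s %s -exist\n' "$setname" "$entry"
            else
                printf 'skipping malformed entry: %s\n' "$entry" >&2
            fi
        done
}

# Print the iptables commands that drop inbound and forwarded traffic whose
# source matches the set (the router case from the post needs FORWARD too).
iptables_rules_for_set() {
    local setname=$1
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$setname"
    printf 'iptables -I FORWARD -m set --match-set %s src -j DROP\n' "$setname"
}

# --- demo on a constructed blocklist (entries are made up for the example) ---
list=$(mktemp)
cat > "$list" <<'EOF'
# constructed sample blocklist: one address or CIDR per line
37.49.224.226        # the address asked about in this thread
37.49.224.226        # duplicate, collapsed by sort -u
203.0.113.0/24       # documentation range standing in for a bad network
300.1.1.1            # malformed octet, skipped with a message on stderr
EOF
echo "# feed this to: ipset restore"
build_ipset_restore "$list" badips
echo "# then install the rules:"
iptables_rules_for_set badips
rm -f "$list"
```

To use it for real, pipe the first function's output into `ipset restore` and run the printed iptables lines once; the `-exist` flags make re-running the restore idempotent. Stale entries are not removed by this script, so for periodic refreshes the usual pattern is to load into a temporary set and then `ipset swap` it with the live one.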