Search - "blocked ip"
-
*client calls in*
Me: good morning, how can I help you?
Client: my ip is blocked, could you unblock it for me?
Me: certainly! What's your ip address? Then I'll have a look.
Client: I'm not giving you my ip?! That's too privacy sensitive.
Me: 😶
Me: 😶
Me: 😶
Me: sir, I'm very keen on my privacy myself but without that information I can't do much for you 😬
Client: ah so you're refusing to help me?
Me: not like that, it's just very hard to lift an ip block for me when I don't know the ip address.
Client: you just don't want to help, fine.
*click*
😶
-
My company just blocked devRant ip...
Well, now I need to use my own mobile data to procrastinate
-
> Customer calls
Her: I have over 5k 404 request to [insertwebsite]/autodiscover/autodiscover.xml
Me: Sounds like a misconfigured Exchange server/client. Let me have a look.
> Takes a look and can confirm the IP and the owner of that IP
Me: It looks like someone/something from xxx.xxx.xxx.xxx is failing to resolve autodiscover.[insertdomain].com
and defaults to @ record on the zone. Do you happen to know to whom that IP belongs?
Her: No, and I don't care, just block it. I do not like the 404 that shows up on the summary.
Me: Alright
> Blocks the IP in the firewall.
>>> Fast forward to next day >>>
> Someone calls, it is the same girl
Her: I can't reach my website! In fact, I can't reach anything! WHYYYYYY!!!
> I remember, blocking that IP yesterday...
Me: Oh, can you please visit "minip.se" (whatismyip.com, Swedish version) and tell me what you see?
Her: Yes, it is xxx.xxx.xxx.xxx
Me: Do you remember that IP that you requested that I block yesterday?
> I can hear the shame coming from the phone.
> Turns out that her colleagues didn't have any mail delivered to them from the time I blocked their IP
> Her boss is really mad
> At least she had a cute voice
-
Another story on the spirit of wk93. TL;DR I DOS'd the whole campus network for some beers.
In highschool teachers had this blackboard system (a sort of moodle) and we used to have really lazy teachers who only read the PowerPoint presentations and made us take notes. One day I was fed up with their bullshit and figured these lazy ass professors wouldn't "teach" crap as soon as there was no internet connection...so the race was on...
10 minutes before the bell rang a friend and I managed to break into a computer lab, I booted up Kali and searched for the access points, 3 routers through the building all with CISCO OS.
I figured they had all the default configs, time was running out so I decided to Smurf the three access points with the lab's IP range, scheduled an automatic shutdown in 2 hours and blocked the PC. The bell rang and as predicted, no internet, no class, my friends and I used that free time to go to a bar (on a Monday afternoon).
Funny side note, since the 3 routers were down the whole network collapsed, no cameras, no access control, no faculty network or any network. We kept doing it and every time we did campus security would be desperately searching for someone with a black hoodie.
-
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? Installed a barebones Ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P
-
Reinstalled my dedicated server and realized (afterwards) that I just erased my entire openvpn/mysql auth setup and I don't have an entirely working copy.
FUCK.
Okay, nothing I can do about that afterwards, setup csf right away, monitored the auth log for a minute and noticed one ip which had just connected and found it weird somehow. Blocked the ip.
Then, one second later, as my console stopped responding and that ip address suddenly looked veeeery familiar, I realized I just blocked myself. (the blocks persist across reboots)
😐
Went to the control panel and hit the reinstall button. Confirmed, and two seconds later I realized I could just have connected to any of my own fucking vpn services to unblock myself.
What in the living fuck is wrong with me @_@
-
Apparently they didn't want to hear about my vulnerabilities I found because they blocked my IP address.
Seriously? I just wanted to do a disclosure of potential exploits / security issues
-
And BAM. Wrote a quick'n dirty little php script which works with loads of shell_exec calls to block all ip addresses belonging to an ASN number.
For example: If I get Facebook's ASN number and use it as parameter for this script with a custom name (for the iptables chain), the script creates a chain called the custom name, adds all ip addresses/ranges it got from the whois lookup (on the ASN number) with DROP to iptables and then it adds that chain to the INPUT and OUTPUT chains.
I've done some tests and can indeed genuinely not reach Facebook at all anymore, Microsoft is entirely blocked out as well already 💜
-
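Added example (my own Python sketch, not the PHP script the rant above describes): the same idea of turning an ASN into an iptables DROP chain, with the two checks the stories on this page argue for. The script above feeds a user-supplied chain name to shell_exec, so the chain name is validated before it goes anywhere near a shell; and because the earlier rant about blocking one's own IP (the "blocks persist across reboots" one) shows how easy a lockout is, the plan is refused if any management address falls inside a prefix about to be dropped. The whois-style excerpt, ASNs AS64500/AS64501, the prefixes and the function names are all constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt in the style of a RIR route listing (the sort of output a
# "whois -i origin <ASN>" query gives). AS64500/AS64501 are private-use ASNs and
# the prefixes are documentation ranges, so none of this describes a real network.
SAMPLE_WHOIS = """\
route:          203.0.113.0/24
origin:         AS64500
descr:          constructed example object

route:          198.51.100.0/25
origin:         AS64500

route:          198.51.100.128/25
origin:         AS64500

route:          192.0.2.0/24
origin:         AS64501
"""

# iptables chain names: up to 28 characters, and nothing a shell would interpret.
CHAIN_RE = re.compile(r"^[A-Za-z0-9_-]{1,28}$")


def routes_for_asn(whois_text, asn):
    """Collect the 'route:' prefixes whose 'origin:' is the given ASN, merging adjacent ones."""
    prefixes, current = [], None
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "route":
            current = ipaddress.ip_network(value)  # strict: a prefix with host bits set raises
        elif key == "origin" and current is not None:
            if value.upper() == asn.upper():
                prefixes.append(current)
            current = None
    # 198.51.100.0/25 + 198.51.100.128/25 collapse into a single 198.51.100.0/24 rule
    return list(ipaddress.collapse_addresses(prefixes))


def plan_block(chain, prefixes, management_ips=()):
    """Return the iptables commands for a DROP chain, or raise instead of locking you out.

    management_ips are the addresses you administer the box from; if one of them
    falls inside a prefix about to be dropped, the whole plan is refused.
    """
    if not CHAIN_RE.match(chain):
        raise ValueError(f"refusing chain name {chain!r}: not a safe iptables chain name")
    for mgmt in management_ips:
        addr = ipaddress.ip_address(mgmt)
        covered = [p for p in prefixes if addr in p]
        if covered:
            raise ValueError(f"{mgmt} lies inside {covered[0]}; this plan would block your own access")
    cmds = [f"iptables -N {chain}"]
    cmds += [f"iptables -A {chain} -s {p} -j DROP" for p in prefixes]  # inbound from the ASN
    cmds += [f"iptables -A {chain} -d {p} -j DROP" for p in prefixes]  # outbound to the ASN
    cmds += [f"iptables -I INPUT -j {chain}", f"iptables -I OUTPUT -j {chain}"]
    return cmds


if __name__ == "__main__":
    plan = plan_block("block_as64500", routes_for_asn(SAMPLE_WHOIS, "AS64500"), ["192.0.2.10"])
    print("\n".join(plan))
```

The commands are only returned, not executed, so the plan can be reviewed (or diffed against `iptables -S`) before anything persistent is applied.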
For fucks sake I just created my server and fail2ban already blocked 6 IP addresses dafuq is going on on the internet 😓
-
I managed to take down an entire school network with one VPN.
In short, I ran a personal VPN and eventually the System Administrators at my old school managed to pick it up as unknown traffic. For some reason, they managed to block the port but not the IP so I changed the port to 443 and their automatic system blocked port 443 on their entire network essentially rendering HTTPS useless for a few hours.
I never got approached about it but my school invested in a new IT team.
-
Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂
It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.
So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).
So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.
Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.
So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.
Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?
Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.
Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.
So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.
Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.
-
In a moment of boredom I decided to pen test the new system I've been writing on the live server. Ran sqlmap but forgot to proxy my connection.
DDOS protection kicked in and blocked the entire office's connection to the server, had to drive home quickly to use my home internet to un-blacklist my office ip. 😂
-
thought I'd type:netstat -atn on my server and the result was a bit scary, found a Russian IP address with state of: FIN_WAIT1
Either Fail2ban was closing his connection or that dude was able to access my server :/
Checked /var/log/auth.log
and found this for his IP: Failed password for root from ----- port 37635 ssh2
I hope I'm still safe :)
Instantly disable password login and make it only SSH
but now I need to carry my SSH keys or else I'm blocked out lol
-
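Added example (mine, not code from any rant on this page) of the ban rule the Fail2Ban rant earlier on this page describes, three failed SSH logins within 5 minutes, run over constructed auth.log lines in the same "Failed password for root from ... port ... ssh2" shape the rant just above quotes. The hostname, PIDs, timestamps and IPs are made up, the year is an assumption because syslog lines carry none, and the function names are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Two sources: one fails three times inside two minutes, the other spreads
# three failures over 14 minutes (slow enough to stay under a 5-minute window).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2011]: Failed password for root from 203.0.113.7 port 37635 ssh2
Mar  3 10:00:09 host sshd[2012]: Failed password for root from 203.0.113.7 port 37640 ssh2
Mar  3 10:01:30 host sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 37655 ssh2
Mar  3 10:02:00 host sshd[2014]: Failed password for root from 198.51.100.4 port 51000 ssh2
Mar  3 10:09:00 host sshd[2015]: Failed password for root from 198.51.100.4 port 51001 ssh2
Mar  3 10:16:00 host sshd[2016]: Failed password for root from 198.51.100.4 port 51002 ssh2
Mar  3 10:16:05 host sshd[2017]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user NAME from ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """syslog timestamps have no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=5)):
    """Return {ip: time of ban} for every IP with >= maxretry failures inside a findtime window.

    Mirrors the rant's Fail2Ban setting: maxretry=3, findtime=5 minutes. A sliding
    window per IP drops failures older than findtime before counting.
    """
    window = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        ip = m["ip"]
        if ip in bans:
            continue  # already banned; the firewall would be dropping these packets
        when = parse_ts(m["ts"])
        q = window[ip]
        q.append(when)
        while q and when - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the 5-minute window only 203.0.113.7 is banned; widening findtime to 15 minutes also catches the slow source, which is the trade-off to keep in mind when tuning the jail.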
My school just tried to hinder my revision for finals now. They've denied me access just today of SSHing into my home computer. Vim & a filesystem is soo much better than pen and paper.
So I went up to the sysadmin about this. His response: "We're not allowing it any more". That's it - no reason. Now let's just hope that the sysadmin was dumb enough to only block port 22, not my IP address, so I can just pick another port to expose at home. To be honest, I was surprised that he even knew what SSH was. I mean, sure, they're hired as sysadmins, so they should probably know that stuff, but the sysadmins in my school are fucking brain dead.
For one, they used to block Google, and every other HTTPS site on their WiFi network because of an invalid certificate. Now it's even more difficult to access google as you need to know the proxy settings.
They switched over to forcing me to remote desktop to access my files at home, instead of the old, faster, better shared web folder (Windows server 2012 please help).
But the worst of it includes apparently having no password on their SQL server, STORING FUCKING PASSWORDS IN PLAIN TEXT allowing someone to hijack my session, and just leaving a file unprotected with a shit load of people's names, parents, and home addresses. That's some super sketchy illegal shit.
So if you sysadmins happen to be reading this on devRant, INSTEAD OF WASTING YOUR FUCKING TIME BLOCKING MORE WEBSITES THAN THERE ARE LIVING HUMANS, HOW ABOUT TRY UPPING YOUR SECURITY, PASSWORDS LIKE "", "", and "gryph0n" ARE SHIT - MAKE IT BETTER SO US STUDENTS CAN ACTUALLY BROWSE MORE FREELY - I THINK I WANT TO PASS, NOT HAVE EVERY OTHER THING BLOCKED.
Thankfully I'm leaving this school in 3 weeks after my last exam. Sure, I could stay on with this "highly reputable" school, but I don't want to be fucking lied to about computer studies, I don't want to have to workaround your shitty methods of blocking. As far as I can tell, half of the reputation is from cheating. The students and sysadmins shouldn't have to have an arms race between circumventing restrictions and blocking those circumventions. Just make your shit work for once.
**On second thought, actually keep it like that. Most of the people I see in the school are c***s anyway - they deserve to have half of everything they try to do censored. I won't be around to care soon.**
-
So my previous alma mater's IT servers are really hacked easily. They run mostly in Microsoft Windows Server and Active Directory and only the gateway runs in Linux. When I checked the stationed IT's computer he was having problems which I think was another intrusion.
I asked the guy if I can get root access on the Gateway server. He was hesitant at first but I told him I worked with a local Linux server before. He jested, sent me to the server room with his supervision. He gave me the credentials and told me "10 minutes".
What I did?
I just installed fail2ban, iptables, and basically blocked those IP ranges used by the attacker. The attack quickly subsided.
Later we found out it was a local attack and the attacker was brute forcing the SSH port. We triaged it to one kid in the lobby who was doing the brute forcing connected in the lobby WiFi. Turns out he was a script kiddie and has no knowledge I was tracking his attacks via fail2ban logs.
Moral of lesson: make sure your IT secures everything in place.
-
Worst one I’ve seen so far is when I was working for my previous community another developer joined to help me, without the permission of me or the other lead developer he pushed a client-side update. We didn’t think it was a big deal, but once we began reviewing the code it became a big deal... he had placed our SQL credentials into that file that every client downloads. All the person had to do was open the file and could connect to our SQL which contained 50k+ players info, primarily all in-game stuff except IPs which we want to protect at all costs.
Issue becomes, what he was trying to do required the games local database on the client-side, but instead he tried connecting to it as an external database so he decided to copy server-side code and used on the client.
Anyways, the database had a firewall that blocked all connections except the server and the other lead dev and myself. We managed to change the credentials and pull the file away before any harm was done to it, about 300 people had downloaded the file within an hours period, but nothing happened luckily. IP to the DB, username, password, etc, were all changed just to keep it protected.
So far this is the worst, hopefully it doesn’t get worse than this :/
-
Often I hear that one should block spam email based on content match rather than IP match. Sometimes even that blocking Chinese ranges in particular is prejudiced and racist. Allow me to debunk that after I've been looking at traffic on port 25 with tcpdump for several weeks now, and got rid of most of my incoming spam too.
There are these spamhausen that communicate with my mail server as much as every minute.
- biz-smtp.com
- mailing-expert.com
- smtp-shop.com
All of them are Chinese. They make up - rough guess - around 90% of the traffic that hits my edge nodes, if not more.
The network ranges I've blocked are apparently as follows:
- 193.106.175.0/24 (Russia)
- 49.64.0.0/11 (China)
- 181.39.88.172 (Ecuador)
- 188.130.160.216 (Russia)
- 106.75.144.0/20 (China)
- 183.227.0.0/16 (China)
- 106.75.32.0/19 (China)
.. apparently I blocked that one twice, heh
- 116.16.0.0/12 (China)
- 123.58.160.0/19 (China)
It's not all China but holy hell, a lot of spam sure comes from there, given how Golden Shield supposedly blocks internet access to the Chinese citizens. A friend of mine who lives in China (how he got past the firewall is beyond me, and he won't tell me either) told me that while incoming information is "regulated", they don't give half a shit about outgoing traffic to foreign countries. Hence all those shitty filter bag suppliers and whatnot. The Chinese government doesn't care.
So what is the alternative like, that would block based on content? Well there are a few solutions out there, namely SpamAssassin, ClamAV and Amavis among others. The problem is that they're all very memory intensive (especially compared to e.g. Postfix and Dovecot themselves) and that they must scan every email, and keep up with evasion techniques (such as putting the content in an image, or using characters from different character sets t̾h̾a̾t̾ ̾l̾o̾o̾k̾ ̾s̾i̾m̾i̾l̾a̾r̾).
But the thing is, all of that traffic comes from a certain few offending IP ranges, and an iptables rule that covers a whole range is very cheap. China (or any country for that matter) has too many IP ranges to block all of them. But the certain few offending IP ranges? I'll take a cheap IP-based filter over expensive content-based filters any day. And I don't want to be shamed for that.
-
!dev
And again...
Our ISP doesn’t say it blocks any port on our Business Fixed IP. Currently I’m trying to access port 25 for SMTP. Guess what? Indeed port blocked. Called them: “The port is open”. I visit a port checker, the same thing: “Port Closed”.
Always the fucking same thing. Every fcking time. These are just criminals. Lastly I removed their router, that they mentioned was the only working router in our house, and our signal from the other router, not provided by them, was much better. They blocked the hotspots because we removed the router then. Guess what? On their site is an option Enable Hotspot on your home router (this enables your access to hotspots). Just pressed it. Haaa they can’t access my router to set that up and it works.
In our second home, we have another ISP, Proximus, first they did difficult to come and install everything. Because in the apartment the previous owners didn’t pay the bills. After a week or so someone came to install it. Because they cut the cables couldn’t do it myself. Ok it worked for some time. After 3-4 months by once I can’t access the camera there, strange. My uncle went there and there was no internet. Neither TV. But we never received any invoice. Because they didn’t send them. We contacted them, no response. My father sends them an email, with politic people in copy and by once they called to say they will turn it back and scrap the invoices that were not sent. They said no technician needed to come, as it’s second home. Guess what, next day a message came “We will arrive in less than an hour”
My uncle went. They did nothing, only restart the modem.
There still was no internet two days after they came. We called back, response was: “There wasn’t anyone.” Yeah right, we have proof of a technician that passed (Local Video). By once the internet worked.
Now 4 months later, still didn’t receive any invoice, neither via post or email.
Fuck those criminals, called ISPs
-
he: checkout my crazy FUD hack (a token stealer which turned out to be far more malicious than i anticipated)
me: executes it (yes in a VM)
windows defender: lemme delet this
he: ooh i forgot the word stub in there. microsoft detects that lemme fix that sends new file
me: here we go aga..
ms defender: nononono virus 117% delet this
he: i forgot it still!!
later i deactivated ms defender and analysed the traffic of the vm. in addition to stealing my fake tokens he also tried to read my Firefox/chrome history, IP.
when i asked him (2 days later) what this was all about in his "educational only" "token stealer" he threatened to
a) publish my IP
b) publish my browser history and with that my real name and address
b.0) when i asked him for proof he said he knows that my real name is "Roman Gräf" and i live in Frankfurt. (btw i do live in Frankfurt and that is in the profile of the discord server where he found me and i have the same username on discord as i have here)
c) to kill my machine and all my projects
got bored, blocked him, shut VM down.
-
Network Security at its best at my school.
So firstly our school has only one wifi AP in the whole building and you can only access Internet from there or their PCs which have, just like the AP, restricted internet with McAfee Web Gateway even though they didn't even restrict shutting down computers remotely with shutdown -i.
The next stupid thing is cmd is disabled but powershell isn't and you can execute cmd commands with batch files.
But back to internet access: the proxy with McAfee is permanently added in these PCs and you don't have admin rights to change them.
Although this can be bypassed by basically everyone because everyone knows one or two teacher accounts, it's still restricted, right.
So I thought I could try to get around. My first few tries failed until I found out that they apparently have a MAC address whitelist for their LAN.
Then I just copied a MAC address of one of their ARM terminal PCs and set up a Raspberry Pi with a MAC change at startup.
Finally I got an IP with normal DHCP and internet but port 80 was blocked in contrast to others like 443. So I set up a TCP OpenVPN server on port 443 elsewhere on a server to mimic SSL traffic.
Then I set up my raspberry pi to change mac, connect to this vpn at startup and provide a wifi ap with an own ip address range and internet over vpn.
As a little extra feature I also added a script for it to act as Spotify connect speaker.
So basically I now have a raspberry pi which I can plugin into power and Ethernet and an aux cable of the always-on-speakers in every room.
My own portable 10mbit/s unrestricted AP with spotify connect speaker.
Last but not least I learnt very many things about networks, VPNs and so on while exploiting my school's security as a 16 year old.
-
Crazy... Hm, that could qualify for a *lot*.
Craziest. Probably misusage or rather "brain damaged" knowledge about HTTP.
I've seen a lot of wild things when devs start poking standards, but the tip of the iceberg was someone trying to use UTF-8 in headers...
You might have guessed it - German umlauts. :(
Coz yeah. Fucktard loved writing everything in german, so why not write custom header names in german.
The fun thing is: It *can* work, though the usual sane thing is to keep it in ASCII range for the obvious reason that using UTF-8 (or ISO-8859-1, which is *not* ASCII) is a gamble you gonna lose.
The fun game was that after putting in a much needed load balancer between services for monitoring / scaling etc suddenly *something* seemed off.
It took me 2 days and a lot of Wireshark hoola hooping to find out why, cause the header was used for device detection aka whether it's a bot or not. Or in the German term the dev used: "Geräte-Art".
As the fallback was to assume a bot, but only rate limit based on IP, only few managed to achieve the necessary rate limit to get blocked.
So when I say *something* seemed off, I really mean a spooky kind of "sometimes IP blocked for seemingly no reason at all".
Fun stuff. The dev btw germanized everything. Untangling the code base was a lot of non fun. -.-
-
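Added example, my own Python and not the code base the rant above describes: a header-name check against the ASCII token characters HTTP allows, and a small model of the failure mode the rant hit, where a non-ASCII custom header gets lost in transit, the device-detection code never sees it, and the "assume bot" fallback kicks in. The header name X-Device-Kind is an assumed stand-in for a sane version of "Geräte-Art"; the header dictionaries are constructed.

```python
import string

# The "tchar" set from RFC 7230: the only characters allowed in an HTTP field name.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def valid_field_name(name):
    """True only for non-empty, pure-ASCII token names; 'Geräte-Art' fails here."""
    return bool(name) and all(c in TCHAR for c in name)


def validate_headers(headers):
    """Split headers into (accepted, rejected names).

    A proxy or load balancer may drop or mangle anything outside ASCII, so the
    check is done up front instead of discovering the loss in Wireshark later.
    Values must be ASCII too, and must not contain CR/LF (header injection).
    """
    accepted, rejected = {}, []
    for name, value in headers.items():
        if not valid_field_name(name) or not value.isascii() or "\r" in value or "\n" in value:
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


def is_bot(headers, device_header="X-Device-Kind"):
    """The rant's device detection with its fallback: no usable header means 'bot'.

    Only headers that survive validation are consulted, which reproduces what the
    load balancer did to the German header: it never reaches this code, so the
    request is treated as a bot and gets the stricter rate limit.
    """
    accepted, _ = validate_headers(headers)
    value = accepted.get(device_header)
    if value is None:
        return True
    return value.strip().lower() == "bot"


if __name__ == "__main__":
    for hdrs in ({"Geräte-Art": "browser"}, {"X-Device-Kind": "browser"}, {"X-Device-Kind": "bot"}):
        print(hdrs, "->", "bot" if is_bot(hdrs) else "browser")
```

Running the check on every outbound request (or rejecting invalid names in code review) turns the silent "sometimes blocked for no reason" symptom into an explicit error at the point where the header is set.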
I hate IT managers, how on earth some become any form of manager is beyond myself.
I have a server with a hardware firewall. A client, based in the UK, with French offices is saying the server is blocking their new French IP. I white-listed their IP address, still no luck.
That was a week ago.
After 4 international phone calls and nearly 30 emails I resolved the "issue".
Their so called "IT Manager" sent over the wrong IP. Instead of it starting with 46.* he sent over an IP starting 42.*, which was in fact being correctly blocked.
Suffice to say I charged the client a lot of money for the wasted time and international rate calls.
-
It took me 30min to figure out why jenkins couldn't connect to my repo even though i was sure i got the configuration right this time. As it turned out fail2ban blocked my ip and made all subsequent attempts fail...
-
Samsung Smart TV becomes Samsung Dumb TV.
Welcome back dear readers, to the next installment of my Raspberry Pi / Pi Hole / MitM box adventure!
For those of you who are new to this story, I'm a long-experienced programmer who knows very little about his home network or networking in general and has constantly been going over his 250GB data plan because 'rona, and thus, wants answers to "where is the data going".
So, I got the Pi, codenamed Mini-Beowolf, positioned between the modem and router... worked some fuckin systemd.networkd magic (which was sort of easy... but was hard cause I'm new to it) and voilà, this son of a bitch passes through the ethernet and doesn't even show up on the router. Fu-King Beastly, I love it.
Now to static IP all my devices so I fire up my trusty TP-Link admin portal. I should add here... I've visited this admin about a total of 10 minutes prior to this when I set this wifi router up and just let it do DHCP.
So I'm getting to know my admin portal... I've got most of my devices connected to reserved IPs... and I find this one fuckin device reporting as "localhost".
Now, I've got a MAMP install... but it hasn't been running. But still I thought for sure it was just MAMP run a bit amok.
But no... it was my fucking Samsung "Smart" TV. That piece of shit is, and apparently has been reporting its device name as, sure as shit, fucking "localhost"... PROBABLY FOR YEARS.
Now, IDK how that didn't cause me any major problems over the years, and I read quite a few forums about people who it did mess up their network. So I resolved to rename the Samsung TV device.
I found the spot in the network settings of the TV... I changed the name from the pick list of rooms in a house like "Living Room" and "Bed Room", then I tried entering my own device name. But no matter what I picked, or no matter how many times I restarted/reset that TV the network name is ALWAYS "localhost".
Even though somehow my network survived this long... I'm not standing for that shit.
My Samsung TV is now blocked COMPLETELY at the router level. (After I ran one last factory reset and update)
The kicker? That Pi I built has a Samsung SSD... so I'm blocking Samsung WITH FUCKING SAMSUNG.
Needless to say, these are likely among my last Samsung purchases.
Join me next time when I FINALLY try to turn Pi Hole on and then get a tcpdump (or some other lesser output from the tcp stream) going.
-
"Our system has detected that this message is[nl]421-4.7.0 suspicious due to the very low reputation of the sending IP address"
Oh shit..
Note to self: Don't test on production servers. Gmail has now blocked my ass.
-
It all started with an undelivereable e-mail.
New manager (soon-to-be boss) walks into admin guy's office and complains about an e-mail he sent to a customer being rejected by the recipient's mail server. I can hear parts of the conversation from my office across the floor.
Recipient uses the spamcop.net blacklist and our mail was rejected since it came from an IP address known to be sending mails to their spamtrap.
Admin guy wants to verify the claim by trying to find out our static public IPv4 address, to compare it to the blacklisted one from the notification.
For half an hour boss and him are trying to find the correct login credentials for the telco's customer-self-care web interface.
Eventually they call telco's support to get new credentials, it turned out during the VoIP migration about six months ago we got new credentials that were apparently not noted anywhere.
Eventually admin guy can log in, and wonders why he can't see any static IP address listed there, calls support again. Turns out we were not even using a static IP address anymore since the VoIP change. Now it's not like we would be hosting any services that need to be publicly accessible, nor would all users send their e-mail via a local server (at least my machine is already configured to talk directly to the telco's smtp, but this was supposedly different in the good ol' days, so I'm not sure whether it still applies to some users).
In any case, the e-mail issue seems completely forgotten by now: Admin guy wants his static ip address back, negotiates with telco support.
The change will require new PPPoE credentials for the VDSL line, he apparently received them over the phone(?) and should update them in the CPE after they had disabled the login for the dynamic address. Obviously something went wrong, admin guy meanwhile having to use his private phone to call support, claims the credentials would be reverted immediately when he changed them in the CPE Web UI.
Now I'm not exactly sure why, there's two scenarios I could imagine:
- Maybe telco would use TR-069/CWMP to remotely provision the credentials which are not updated in their system, thus overwriting CPE to the old ones and don't allow for manual changes, or
- Maybe just a browser issue. The CPE's login page is not even rendered correctly in my browser, but then again I'm the only one at the company using Firefox Private Mode with Ghostery, so it can't be reproduced on another machine. At least viewing the login/status page works with IE11 though, no idea how badly-written the config stuff itself might be.
Many hours pass, I enjoy not being annoyed by incoming phone calls for the rest of the day. Boss is slightly less happy, no internet and no incoming calls.
Next morning, Windows would ask me to classify this new network as public/work/private - apparently someone tried factory-resetting the CPE. Or did they even get a replacement!? Still no internet though.
Hours later, everything finally back to normal, no idea what exactly happened - but we have our old static IPv4 address back, still wondering what we need it for.
Oh, and the blacklisted IP address was just the telco's mail server, of course. They end up on the spamcop list every once in a while.
tl;dr: if you're running a business in Germany that needs e-mail, just don't send it via the big magenta monopoly - you would end up sharing the same mail servers with tons of small businesses that might not employ the most qualified people for securing their stuff, so they will naturally be pwned and abused for spam every once in a while, having your mailservers blacklisted.
I'm waiting for the day when the next e-mail will be blocked and manager / boss eventually wonder how the 24-hours-outage did not even fix anything in the end... -
Fuck these fucking youtube ads! I got blocked on youtube and cant play any video on desktop unless i disable adblocker. Shits so fucking LAME. Fuck off. Switching over to brave browser now and never looking back. Fuck off chrome.
Get fucked google. Now Google dropped to the last place for me from cloud providers. I'll prioritize the pedophile childfucker bill gates Azure cloud over GCP Now! Fuck Off. Shove ur ads into someone else's ass just how bill gates shoves his dick into children's assholes on the epstein island!
Brave browser found a solution to all this fuckertry! It has built-in adblockers for everything including a built-in vpn IP cloaker trace blocker and so much more for privacy and data integrity. Playing yt videos on brave browser works like a charm with no fucking ads or extensions installed! Everything is the same like chrome including layout development etc, minus ads tracking and data harvesting!
Before:
AWS > GCP > Azure > OCI
After:
AWS > Azure > OCI > GCP
Google ur now worse than a pedophile azure. Deserved to get spot #3 now. Shitheads7 -
I really, really need some help here.
We have a service provider that is utter shit. Due to their shittyness we have a server to which our customers point their domains and then we forward the request to our shitty provider. This worked well until our provider blocked our server's IP.
They can't come up with a reasonable explanation as to why it's happening, and even though they've whitelisted our IP it keeps happening. I've tried changing the server's IP, but it takes 5 minutes and we're blocked again. Probably some traffic that they deem fishy.
Does anyone have any good or bad ideas on how to work around this fuckery? The server at our provider is running PHP, so I'm thinking if I can set up some sketchy tunnel or something, but even then it might be caught on a lower level.
I'm really, really grateful for any ideas or advice. Even of the shitty kind.5 -
Had to use the pfSense's URL in my Default Gateway which is 172.0.1.1 from our school.
Before was:
Youtube-blocked
Facebook-blocked
#anime tags -blocked
#porn tags - blocked
up to 100kbps download speed
After:
All uncensored Websites!
1Mbps download speed
Unfortunately the Network Admin found my IP and slowed down my download speed. I can search R-18 links but I don't want to be caught in his SquidProxy log. So I'm still lucky to browse my animu website.2 -
Just upgraded to Win 10. Windows update keeps sucking my bandwidth. Stopped windows update and BITS, set to manual, yet keeps popping up. Finally blocked windows update's IP via Firewall. Now oddly satisfied..1 -
!rant but wondering,
this time I did not get myself blocked out of my server lol
But I have set up nginx to receive url then redirect to another server, my question is:
I ran tracert on the url but it ended on the nginx server, is there a way I can find out if my nginx IP is forwarding?
I have a webservice on server z, and nginx on server x; tracert ends at server x, and so do the dev tools in Chrome/Firefox, which show the host IP header as server x. Is there a way where I can trace my call to server x if it is forwarded to another server?
I know I'm forwarding it, but if someone wants to know, can they? -
So a client came today to me saying his domain that I setup some time ago isn't working on a specific Russian internet provider, checked everything and then came across a blog post stating cloudflare IPs are blocked. Researched further and it came out that those fucking retards from the "Federal Tax Service of the Russian" blocked a ton of cloudflare IPs because Russian online casinos used them like a year ago.
Then checked another domain he had a problem with and the GoDaddy IPs were also banned - even more extreme they were banned for like 14 incidents, what the fuck, had to create a new account to get a new ip/nameservers assigned from cloudflare, jesus fucking christ.1 -
I just spent hours making my own email-receipt sending system. My ip got blocked because of a misconfigured server. I had to reconfigure it and when it's finally working I realise that Stripe already has a built-in feature for this.
I'm crying in a corner, slowly dying inside. -
!rant
I need to quickly test how my web app works on mobile
PROBLEM: some of my features require https. I can test from my pc on localhost just fine, since localhost works.
From Android, however, those features are blocked, since I reach my webapp with my IP address; it is not localhost so Chrome raises a middle finger when I try to access the camera from an unsecured website -and rightly so.
I really need to get these tests done, what am I supposed to do?
I install an SSL certificate on my pc?!?
I disable Chrome security checks on my Android?!? (is that even possible?)
I install bluestacks real quick and hope everything works fine?!?
Wwyd?4 -
Haven't been reading Dilbert for over a month but finally got around to it today. I read it through an app I made that downloads all the comics from the site.
Well apparently the downloader downloaded too much/too fast. It seems my IP is now blocked....
Wonder if it's temporary. Oh well... I got VPNs... -
Is there a way to dynamically change your IP address while scraping a website so that you don't get blocked constantly7 -
Hi fellow devRanters, I need some advice on how to detect web traffic coming from bad/malicious bots and block them.
I have ELK (Elastic) stack set up to capture the logs from the sites, I have already blocked the ones that are obviously bad (bad user-agent, IP addresses known for spamming etc). I know you can tell by looking at how fast/frequently they crawl the site but how would I know if I block the one that's causing the malicious and non-human traffic? I am not sure if I should block access from other countries because I think the bots are local.
I am lost, I don't know what else I can do - I can't use rate limiting on the sites and I can't sign up for a paid service because management wants everything for the price of peanuts.
Rant:
Someone asked why I can't just read through the logs (from several mid-large scale websites) and pick out the baddies.
*facepalm* Here's the gigabytes log files.9 -
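Since the question is how to pick the non-human clients out of gigabytes of access logs, here is an added example (not the poster's setup or code) that runs three behavioural checks over combined-format log lines: request bursts per client, visits to a hypothetical honeypot path that robots.txt disallows, and page fetches without any css/js/image loads. The log lines are constructed; the same fields are what the ELK stack indexes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by nginx/Apache; the ELK fields carry the same pieces.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")
HONEYPOT = "/internal-do-not-crawl/"  # hypothetical path: listed under Disallow in robots.txt, never linked

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]

def flag_clients(lines, burst=10, window_s=10, min_pages=8):
    """Return {ip: [reasons]} for clients whose request pattern looks automated."""
    per_ip = defaultdict(lambda: {"ts": [], "pages": 0, "assets": 0, "honeypot": False})
    for ip, ts, path in parse(lines):
        c = per_ip[ip]
        c["ts"].append(ts)
        c["assets" if path.lower().endswith(ASSET_EXT) else "pages"] += 1
        c["honeypot"] |= path.startswith(HONEYPOT)
    flagged = {}
    for ip, c in per_ip.items():
        reasons, ts, j = [], sorted(c["ts"]), 0
        for i, t in enumerate(ts):  # sliding window: most requests within any window_s seconds
            while (t - ts[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= burst:
                reasons.append(f"burst: {i - j + 1} requests within {window_s}s")
                break
        if c["honeypot"]:
            reasons.append("fetched a robots.txt-disallowed honeypot path")
        if c["pages"] >= min_pages and c["assets"] == 0:
            reasons.append("pages only, never loads css/js/images: not a browser")
        if reasons:
            flagged[ip] = reasons
    return flagged

def _line(ip, second, path):  # builds one constructed log line
    return f'{ip} - - [20/May/2021:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Constructed sample traffic: a scraper, a honeypot visitor, and one normal browser session.
SAMPLE_LOG = ([_line("203.0.113.7", s, f"/products?page={s}") for s in range(25)]
              + [_line("198.51.100.9", 5, HONEYPOT + "x")]
              + [_line("192.0.2.10", s, p) for s, p in ((1, "/"), (1, "/a.css"), (2, "/b.js"), (9, "/cart"))])

if __name__ == "__main__":
    for ip, why in flag_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Thresholds are starting points to tune against your own sites; feed the flagged list to a firewall rule or an Elastic watch rather than blocking whole countries.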
Okay, so, I have a functional snort agent instance, and it's spewing out alerts in its "brilliant" unified2 log format.
I'm able to dump the log contents using the "u2spewfoo" utility (wtf even is that name lol... Unified2... something foo) but... It gives me... data. With no actual hint as to *what* rule made it log this. What is it that it found?
All I see are IDs and numbers and timings and stuff... How do I get this
(Event)
sensor id: 0 event id: 5540 event second: 1621329398 event microsecond: 388969
sig id: 366 gen id: 1 revision: 7 classification: 29
priority: 3 ip source: *src-ip* ip destination: *my-ip*
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0
mpls label: 0 vland id: 0 policy id: 0
into information like "SYN flood from src-ip to destination-ip"
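The numbers in the dump resolve through Snort's sid-msg.map (gid 1 rules, classic "sid || msg || ref" layout) and gen-msg.map ("gid || sid || msg" for decoder/preprocessor alerts). As an added example, not the poster's code, this parses the u2spewfoo event above and joins it to those maps; the map excerpts are constructed placeholders, so the real msg for sid 366 comes from your own rule files, and the redacted addresses are replaced with RFC 5737 documentation IPs.

```python
import re

# Constructed sid-msg.map excerpt: "sid || msg || ref". The msg for sid 366 is a placeholder.
SID_MSG_MAP = """\
366 || PLACEHOLDER: msg option of the gid 1 sid 366 rule || url,example.invalid/366
1000001 || LOCAL placeholder rule message
"""
# Constructed gen-msg.map excerpt: "gid || sid || msg" for decoder/preprocessor alerts.
GEN_MSG_MAP = """\
1 || 1 || snort general alert
"""
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def load_maps(sid_text, gen_text):
    msgs = {}
    for line in gen_text.splitlines():
        gid, sid, msg, *_ = [f.strip() for f in line.split("||")]
        msgs[(int(gid), int(sid))] = msg
    for line in sid_text.splitlines():
        sid, msg, *_ = [f.strip() for f in line.split("||")]
        msgs[(1, int(sid))] = msg  # sid-msg.map only covers generator 1
    return msgs

def parse_u2spewfoo_event(text):
    """Turn one u2spewfoo '(Event)' block into a dict of its 'key: value' fields."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("("):
            continue
        for key, val in re.findall(r"([a-z][a-z_ ]*?): (\S+)", line):
            fields[key.strip()] = val
    return fields

def describe(event, msgs):
    gid, sid, rev = int(event["gen id"]), int(event["sig id"]), int(event["revision"])
    msg = msgs.get((gid, sid), "unknown rule (not in sid-msg.map/gen-msg.map)")
    proto, src, dst = int(event["protocol"]), event["ip source"], event["ip destination"]
    if proto == 1:  # for ICMP, unified2 reuses the port fields as ICMP type/code
        ends = f"{src} -> {dst} ICMP type {event['src port']} code {event['dest port']}"
    else:
        ends = f"{src}:{event['src port']} -> {dst}:{event['dest port']} {PROTO.get(proto, proto)}"
    return f"[{gid}:{sid}:{rev}] {msg} | {ends} | priority {event['priority']}"

SAMPLE_EVENT = """\
(Event)
sensor id: 0 event id: 5540 event second: 1621329398 event microsecond: 388969
sig id: 366 gen id: 1 revision: 7 classification: 29
priority: 3 ip source: 192.0.2.1 ip destination: 198.51.100.5
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0
mpls label: 0 vland id: 0 policy id: 0
"""

if __name__ == "__main__":
    print(describe(parse_u2spewfoo_event(SAMPLE_EVENT), load_maps(SID_MSG_MAP, GEN_MSG_MAP)))
```

The classification number is the rule's entry in classification.config and is left numeric here; barnyard2 and u2json-style tools do this same join for you when writing to syslog or a database.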