a domain hosted in the cloud somewhere has been scanning my system... pretty aggressively at times... they're a known infosec related domain but no one that
knows anything can/will confirm who the domain is and what their scans are for... supposedly they are good but we can't really tell by the available information...

so, what i've done, since i don't care to play their game, was to whip up a little script that grabbed all the log lines with that questionable domain in them... because we want to block them in the perimeter firewall, we need to know the IP of the scanner instances... apparently these scanner instances spin
up and down as necessary so grabbing the domain names and looking them up later
returns NXDOMAIN which means that idea won't work...

i noted that in the logs there were lines like

term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

so the idea now is to search out

.*badactor.invalid \[.*\]

and then cut the IP out of the [] so they can be sorted and run through uniq and then added to my firewall rules...

to do this i've modified my sbbs source code for the files containing "Hostname:" since that seems to be consistent and it makes the searching easier...

these files and lines were easily adjusted like so


ftpsrvr.c:3099: lprintf(LOG_INFO,"%04d Hostname: %s [%s]", sock, host_name, host_ip);

mailsrvr.c:1005: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", socket, client.protocol, host_name, host_ip);

mailsrvr.c:2922: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", socket, client.protocol, host_name, host_ip);

main.cpp:5697: lprintf(LOG_INFO,"%04d %s Hostname: %s [%s]", client_socket, client.protocol, host_name, host_ip);


but these ones are not so easily adjusted in the same manner...


services.c:1010: lprintf(LOG_INFO,"%04d %s Hostname: %s"

services.c:1391: lprintf(LOG_INFO,"%04d %s Hostname: %s"

userdat.c:2800: fprintf(fp,"; Hostname: %s\n",host);

websrvr.c:6299: lprintf(LOG_INFO,"%04d Hostname: %s", session.socket, host_name[0] ? host_name : STR_NO_HOSTNAME);


i'm not worried about userdat but would like to get services.c and websrvr.c to
use the "Hostname: domain [IP]" format... i tried adding " [%s]" and "host_ip" as i did in the ftpsrvr.c, mailsrvr.c, and main.cpp files listed above but of course the compiler complains that host_ip is not valid...

so my question is how can i get the IP output in "Hostname: badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in services.c and websrvr.c?

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... Better to live with one spider than many bugs.
---
* Origin: (1:3634/12.73)
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: how to get the IP and the host name on the same log line
By: mark lewis to all on Thu Jun 20 2019 04:01 pm

i'm not worried about userdat but would like to get services.c and websrvr.c to use the "Hostname: domain [IP]" format... i tried adding " [%s]" and "host_ip" as i did in the ftpsrvr.c, mailsrvr.c, and main.cpp files listed above but of course the compiler complains that host_ip is not valid...

so my question is how can i get the IP output in "Hostname: badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in services.c and websrvr.c?

The variable 'host_ip' was just not valid in those contexts.

The key is to look for where the IP address is actually used/logged (in text form) before or after the code where you want to use it. In websrvr.c, I saw the use of 'session.host_ip' (in a SAFECOPY operation, so I know it's a string) - so I just used that variable instead of 'host_ip'.

In services.c, it was a little more complicated because we used a function (inet_addrtop) to convert the IP address from binary to text and store the result in 'client.addr', but that was done *after* the line you wanted to modify. So I just moved that initialization of client.addr to *before* the block of code you wanted to modify and then use 'client.addr' where you were wanting to use 'host_ip'.

digital man

Synchronet/BBS Terminology Definition #56:
REP = QWK Reply
Norco, CA WX: 68.7øF, 75.0% humidity, 10 mph E wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

On 2019 Jun 20 13:55:12, you wrote to me:

so my question is how can i get the IP output in "Hostname:
badactor.invalid [www.xxx.yyy.zzz]" format in the three log lines in
services.c and websrvr.c?

The variable 'host_ip' was just not valid in those contexts.

yeah, that's what the compiler told me :)

The key is to look for where the IP address is actually used/logged
(in text form) before or after the code where you want to use it.

that's how i found host_ip where i did use it...

In websrvr.c, I saw the use of 'session.host_ip' (in a SAFECOPY
operation, so I know it's a string) - so I just used that variable
instead of 'host_ip'.

ahhh... i don't remember if i saw that or not...

In services.c, it was a little more complicated because we used a
function (inet_addrtop) to convert the IP address from binary to text
and store the result in 'client.addr', but that was done *after* the
line you wanted to modify.

ahhhh...

So I just moved that initialization of client.addr to *before* the
block of code you wanted to modify and then use 'client.addr' where
you were wanting to use 'host_ip'.

excellent! thanks for the update, too... this'll enable me to cut out some ugly
LOC in the scripts i've been using... it should now enable me to grab all of their IPs when they visit... i've caught over 100 of them but they still sneak in with others since my script couldn't easily root them out for the blocklist...

thanks!

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... Life is the variety of spice.
---
* Origin: (1:3634/12.73)
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: how to get the IP and the host name on the same log line
By: mark lewis to Digital Man on Thu Jun 20 2019 06:05 pm

excellent! thanks for the update, too... this'll enable me to cut out some

No problem.

digital man

This Is Spinal Tap quote #1:
Nigel Tufnel: These go to eleven.
Norco, CA WX: 68.8øF, 75.0% humidity, 4 mph E wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: how to get the IP and the host name on the same log line
By: mark lewis to all on Thu Jun 20 2019 04:01 pm

a domain hosted in the cloud somewhere has been scanning my system... pretty aggressively at times... they're a known infosec
term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

You may be looking for a broader solution, but why not just block the network in question?

iptables -I INPUT -s 87.118.32.0/19 -j DROP

Are they doing this from multiple networks?

---
þ Synchronet þ VA7AQD's Tavern - bbs.isurf.ca

On 2019 Jun 20 17:01:50, you wrote to me:

a domain hosted in the cloud somewhere has been scanning my system...
pretty aggressively at times... they're a known infosec [...]
term Node 1 Telnet c87-118-38-247.dataguard.no [87.118.38.247]

You may be looking for a broader solution, but why not just block the network in question?

the line given above is not the "bad actor"... it is an example only... plus the "bad actor" is hosted on a cloud network that provides VMs... i don't want to block the whole thing because i know that some other BBS operators are on the same network... that's why i've chosen to grab the IPs and add them to my block list...

Are they doing this from multiple networks?

not that i know of... all of the IPs they are using resolve to the bad actor's domain at the time the IP is in use...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... A garden is the purest of human pleasures. (F. Bacon)
---
* Origin: (1:3634/12.73)
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: how to get the IP and the host name on the same log line
By: mark lewis to Va7aqd on Thu Jun 20 2019 10:32 pm

the line given above is not the "bad actor"... it is an example only... plus the "bad actor" is hosted on a cloud network that
provides VMs... i don't want to block the whole thing because i know that some other BBS operators are on the same network...
that's why i've chosen to grab the IPs and add them to my block list...

Ah, fair enough... most of the blocking I do tends to be "Oh, Russia? China? buh-bye..."

Were you able to get the log management sorted to your liking?

---
þ Synchronet þ VA7AQD's Tavern - bbs.isurf.ca

On 2019 Jun 21 09:38:06, you wrote to me:

the line given above is not the "bad actor"... it is an example only...
plus the "bad actor" is hosted on a cloud network that provides VMs...
i don't want to block the whole thing because i know that some other
BBS operators are on the same network... that's why i've chosen to
grab the IPs and add them to my block list...

Ah, fair enough... most of the blocking I do tends to be "Oh, Russia? China? buh-bye..."

yeah, i do that in smaller blocks as needed depending on the attack/probe being
seen...

Were you able to get the log management sorted to your liking?

yup! it is a lot easier now to grab the domain and IP together and split them out...

sudo zgrep -E -e "^.* sestar sbbs: .*Hostname: .*BADACTORDOMAINHERE.* \
\[([0-9]{1,3}[\.]){3}[0-9]{1,3}\]" /var/log/syslog* | \
cut -d "[" -f 2 | cut -d "]" -f 1 | sort -V | uniq

that'll walk through all your syslogs, live and archived, find the BADACTORDOMAIN matches and then cut out everything except the IPs which come out in a nice sorted list...

before i was having to use -B1 on the grep line to get the line before the match and then cross my fingers that it was the line with the IP but that was a
crapshoot since the logging may have lines from other sbbs services mixed and interleaved... this new format means i won't miss any anymore :)

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... Happy Holidays and a Wonderful 2009 to you and yours!
---
* Origin: (1:3634/12.73)
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net