jwildeboer, to random
@jwildeboer@social.wildeboer.net

Someone is using Amazon EC2 instances to try to flood my little Forgejo server with bogus and repeating requests. Added these IP addresses to my firewall. Le sigh.

jwildeboer,
@jwildeboer@social.wildeboer.net

According to #crowdsec all IP addresses are aggressive SEO crawlers. That doesn't feel right. They hammer on my server, requesting the same URLs again and again. Anyway, blocked them and my server is happy. Wasn't that much of a problem anyway.

sailreal, to mastodon
@sailreal@mastodon.vhome.info

👋 Bye bye and welcome on my server 🎉

I hope you feel comfy next to my , , , , , , , , , , , , , , , , -Relay, and 🤗

is so awesome 😍

jwildeboer, to random
@jwildeboer@social.wildeboer.net

My little mail server happily deals with around 1000+ new distinct IPv4 addresses from various Russian and Chinese controlled botnets trying to brute-force SASL logins every day for around 10 days now. They are added via #crowdsec to my firewall automagically. 13000 IP addresses blocked and adding more every day. Keep on going, botnets. #SlavaUkraini

davew, to random
@davew@mastodon.social

I like the term "enshitification" -- to me it describes where we've been for about 17 years. are we emerging from it? are we entering the age of deshitification?

to me it means no longer typing into tiny little shitboxes for writing. this is no way to treat a human being.

rmdes,
@rmdes@mstdn.social

@wurzbacher I get your point but I think it's fair to say the decentralization of the different coding projects and their current healthy maintenance coupled with things like @cloudron or @yunohost or even managed hosting of fedi apps makes the whole thing much easier to handle. Add to that #crowdsec and it's doable? 😅

saustrup, to Kubernetes
@saustrup@mstdn.dk

Thinking about rolling out on the 7-node cluster hosting https://mstdn.dk and various other services like DNS, SMTP, IMAP and a bunch of other websites. Seems like a really solid project and much needed replacement for the aging, Python-based . Will keep you posted as I figure it out.

jwildeboer, (edited) to random
@jwildeboer@social.wildeboer.net

And another little attack wave on my mail server. The screenshot shows the number of failed attempts to post spam per IP (99% refused by my mail server because the hostname was fake). Now all blocked with for a few days.

pixelfed, to random
@pixelfed@mastodon.social

⚡ We're taking our import/exportable block lists to the next level!

We're building an open service for Pixelfed called ModDB, and it will support other projects as well.

More details soon.

moellus,
@moellus@wandzeitung.xyz

@pixelfed The #crowdsec approach? Naiss.

briankrebs, to fediverse

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. I recently tracked down and interviewed a Russian hacker responsible for a series of particularly aggressive crypto spam campaigns this month that prompted several large communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.

A big thank you to @renchap for help with this research.

https://krebsonsecurity.com/2023/05/interview-with-a-crypto-scam-investment-spammer/

kravietz,
@kravietz@agora.echelon.pl

@dadalo_admin

A large part of my work is in the infrastructure security sector and I think I can help at least with some of these challenges you described:

  • there are databases of IP addresses and subnets that are known to run dumb, persistent scanners, bruteforcers etc - these should be blocked right away at the firewall level and that’s the first line of defense; the lists are usually updated every hour or daily
  • more sophisticated spam/hacking teams cycle their IP addresses, use Tor or set up dedicated infrastructure for your campaign only, but then so are the intrusion detection tools - #Wazuh and #Crowdsec are two solutions I have been using a lot that will allow you to block an IP address instantly when a suspicious pattern is detected in your logs, which basically allows you to block them on the spot

These tools deal with HTTP server logs or application logs, so you can usually do whatever kind of matching you can come up with and write custom signatures such as “10-character-long alphanumeric usernames created from the same IP over 15 minutes”. They are not silver bullets, as any such tool can be bypassed by a sufficiently resourced and sophisticated team, but they significantly increase the cost of the campaign for the attacker.

I don’t have any Mastodon instances but have implemented them for Pleroma, NextCloud and many other solutions, so happy to help with deployment for your Mastodon instance if interested.

@briankrebs @renchap @ben
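
Added example, not part of kravietz's post and not Wazuh or CrowdSec rule syntax: the quoted signature ("10-character alphanumeric usernames created from the same IP over 15 minutes") implemented in Python over constructed log lines. The log format, the `detect` function and the threshold of three signups are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application-log lines in a hypothetical format (documentation IP ranges).
SAMPLE_LOG = """\
2023-05-20T10:00:05Z signup ip=203.0.113.7 username=a8Kd02LmQz
2023-05-20T10:03:41Z signup ip=203.0.113.7 username=Zq91xTTb0c
2023-05-20T10:04:10Z signup ip=198.51.100.23 username=alice_w
2023-05-20T10:09:12Z signup ip=203.0.113.7 username=p0O9i8U7y6
2023-05-20T10:11:00Z signup ip=198.51.100.23 username=bobsmith42
2023-05-20T10:40:00Z signup ip=192.0.2.50 username=Hh3kLm9PqR
2023-05-20T11:30:00Z signup ip=192.0.2.50 username=Xx7yZz1AbC
2023-05-20T12:45:00Z signup ip=192.0.2.50 username=Mn4oPq5RsT
"""

LINE_RE = re.compile(r"^(\S+) signup ip=(\S+) username=(\S+)$")
NAME_RE = re.compile(r"[A-Za-z0-9]{10}")  # exactly 10 alphanumeric characters


def detect(log_text, window=timedelta(minutes=15), threshold=3):
    """Return {ip: time the threshold was first reached}; expects chronological input."""
    recent = defaultdict(deque)  # ip -> timestamps of matching signups inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a signup event
        ts_raw, ip, username = m.groups()
        if not NAME_RE.fullmatch(username):
            continue  # username does not fit the signature
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # skip lines with a malformed timestamp
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, ts)  # keep the first time the rule fired
    return flagged


if __name__ == "__main__":
    for ip, ts in detect(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} block {ip}")
```

Only 203.0.113.7 is flagged: 198.51.100.23 has a single matching username, and 192.0.2.50 spreads its matching signups over two hours.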

sweetgood, to security German
@sweetgood@social.tchncs.de

Secure a Linux server in 15 minutes with CrowdSec

Step-by-step guide to setting up #CrowdSec, an open-source tool for protecting servers against malicious access from the internet.

https://andersgood.de/blog/linux-server-in-15-minuten-mit-crowdsec-absichern

#andersGOOD #SWEETGOOD #Tutorial #Security #Sicherheit #Linux #Server #DevOps
