Diary of a SysAdmin

ufw and firewalld rules to block VPS bots and scrapers

Copy-and-paste rules to block ingress traffic from cheap VPS providers

ufw rules

ufw-contabo.txt
ufw-digitalocean.txt
ufw-hetzner.txt
ufw-ovh.txt

firewalld rules

firewalld-contabo.txt
firewalld-digitalocean.txt
firewalld-hetzner.txt
firewalld-ovh.txt

You probably don’t need VPS customers connecting to your boxes

Every minute I see dozens of scans, scrapes and DNS amplification attacks from providers offering cheap VPSs. I rarely see legitimate ingress traffic:

Dec 13 14:45:41,1770008933,igb0,IGB0_WAN,block,4,6,TCP-S,178.62.237.183,81.187.86.93,61000,22,out,GB,pfB_ASN_clouds_v4,81.187.0.0/16,GB_v4,mx2.arcza.net,Unknown,null,+

178.62.237.183 is controlled by a botnet using DigitalOcean, attempting to SSH into my mail server mx2.arcza.net on port 22. The customer is a small UK taxi comparison business (viewable on http://178.62.237.183), who probably has no idea what any of this means and didn’t implement fail2ban on their VPS, got hacked, and someone installed a botnet worker to attempt to hack more servers over SSH.

I’ve also seen examples from another DigitalOcean customer called Stretchoid scanning my network for things like LDAP access. Port scans are not new, and not malicious on their own. But you gain nothing allowing scrapers, DNS amplification attempts and port scanners accessing your network, and of course actual botnets. I encourage you to block cheap VPS providers too.

AWS, Azure and GCP

The three henchmen are yet to be blocked. They tend to be more expensive and less scalable for abuse. I am certain botnets have deployed off AWS at some point, but my firewall data shows nothing of the volume seen from less complex providers.

Egress?

I don’t block traffic going to any VPS cloud from my network. I know what software is running within my perimeter, so can tackle issues at application level rather than network level. It also sounds like a troubleshooting nightmare for the future.

Disclaimer

I am not saying the named networks are malicious organisations. Abuse comes from all over the Internet, including AWS, GCP and Azure, but I receive so many attacks from these networks I cannot possibly fill out enough abuse forms. Examples:

Contabo: DNS amplification pretending to be AWS:

25/11/2023 13:49:48 09F4 PACKET  00000185056A3D50 UDP Rcv 194.163.153.147 a511   Q [0001   D   NOERROR] CNAME  (17)klimentandguladze(5)10690(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:52 09F4 PACKET  00000185058F5D40 UDP Rcv 194.163.153.147 ef9e   Q [0001   D   NOERROR] CNAME  (5)10701(11)lauragstein(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:54 09F4 PACKET  000001850828A4A0 UDP Rcv 194.163.153.147 4466   Q [0001   D   NOERROR] CNAME  (24)dharanisupportprimer3236(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:55 09F4 PACKET  00000185056A3D50 UDP Rcv 194.163.153.147 050d   Q [0001   D   NOERROR] CNAME  (16)gearfactor_10709(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:55 09F4 PACKET  000001850828A4A0 UDP Rcv 194.163.153.147 f2b6   Q [0001   D   NOERROR] CNAME  (31)kingmcmshelp-schema-org-mapping(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:56 09F4 PACKET  00000185056A3D50 UDP Rcv 194.163.153.147 7209   Q [0001   D   NOERROR] CNAME  (16)azure70532xedule(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:56 09F4 PACKET  000001850828A4A0 UDP Rcv 194.163.153.147 66d8   Q [0001   D   NOERROR] CNAME  (12)p9p-suits301(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:57 09F4 PACKET  00000185056A3D50 UDP Rcv 194.163.153.147 9068   Q [0001   D   NOERROR] CNAME  (24)bashstyle-asiafoundation(2)s3(9)amazonaws(3)com(0)

Hetzner: DNS amp again

25/11/2023 13:49:39 09F4 PACKET  00000185056A3D50 UDP Rcv 95.217.207.120  ddf4   Q [0001   D   NOERROR] A      (11)yuxiangqian(5)x24hr(3)com(0)
25/11/2023 13:49:50 09F4 PACKET  00000185058F5D40 UDP Rcv 95.217.207.120  08e6   Q [0001   D   NOERROR] A      (6)hbfast(5)dns04(3)com(0)
25/11/2023 13:49:53 09F4 PACKET  00000185058F5D40 UDP Rcv 95.217.207.120  2c1e   Q [0001   D   NOERROR] A      (5)tocea(7)mynetav(3)net(0)
25/11/2023 13:49:53 09F4 PACKET  00000185058F5D40 UDP Rcv 95.217.207.120  afdf   Q [0001   D   NOERROR] A      (12)willsmythe__(6)fartit(3)com(0)
25/11/2023 13:50:02 09F4 PACKET  00000185056A3D50 UDP Rcv 95.217.207.120  72c4   Q [0001   D   NOERROR] A      (24)dataintegrationpracticum(4)qpoe(3)com(0)
25/11/2023 13:50:07 09F8 PACKET  00000185058F5D40 UDP Rcv 95.217.207.120  7eae   Q [0001   D   NOERROR] A      (9)rishav311(4)zzux(3)com(0)
25/11/2023 13:50:11 09F4 PACKET  000001850828A4A0 UDP Rcv 95.217.207.120  a1c1   Q [0001   D   NOERROR] A      (5)oak86(8)proxydns(3)com(0)
25/11/2023 13:50:14 09F4 PACKET  000001850636E4A0 UDP Rcv 95.217.207.120  0c03   Q [0001   D   NOERROR] A      (16)creativeworldbau(4)ddns(4)mobi(0)

OVH: also DNS… why would OVH contact my servers for a Google lookup?

25/11/2023 13:30:34 09F8 PACKET  0000018505FF3560 UDP Rcv 51.222.211.179  a4d0   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:31:44 09F4 PACKET  00000185052F91B0 UDP Rcv 51.222.211.179  8f08   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:32:53 09F4 PACKET  0000018505FF3560 UDP Rcv 51.222.211.179  d4e9   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:33:49 09F4 PACKET  000001850828A4A0 UDP Rcv 51.222.211.179  3933   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:40:23 09F8 PACKET  0000018507204D10 UDP Rcv 51.222.211.179  5b30   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:41:28 09F8 PACKET  00000185057DA8D0 UDP Rcv 51.222.211.179  fb7b   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:43:18 09F4 PACKET  00000185057DA8D0 UDP Rcv 51.222.211.179  20aa   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:44:00 09F4 PACKET  00000185058F5D40 UDP Rcv 51.222.211.179  58a5   Q [0001   D   NOERROR] TXT    (3)o-o(6)myaddr(1)l(6)google(3)com(0)

DigitalOcean: botnet port 22 ssh example above to my secondary mail server.

Thanks

HackerTarget made it easy for me to get the CIDR blocks for each cloud.

There are bigger fish to fry…

Agreed. I also geo-block regions I have no expected legitimate traffic from. 22k blocked states from China for example in the last 24 hours. I do not have 22k blog readers from China sadly. Paying for threat lists is a better and more refined way.

I work for <cheap cloud>. We aren’t ‘cheap’!

  • Contabo: “Stop choosing between affordability and performance!”
    https://contabo.com/en/
  • DigitalOcean: “Whatever your vision—a SaaS app, an AI/ML business, a website, an eCommerce store—build it here using DigitalOcean’s simple, cost-effective cloud hosting services.”
    https://www.digitalocean.com/
  • OVH: “LAST CHANCE Get our deals while they last! Up to 55% off”
    https://www.ovhcloud.com/en-gb/
  • Hetzner: “Pure power at impossibly low prices
    https://www.hetzner.com/

Contrast to AWS where pricing is not a core feature of their marketing.

pfSense

If you use pfSense firewalls, pfBlocker NG can block entire ASNs automatically and you might not need these rules.