Weird traffic on server, last few days....

sektor2111
Godlike
Posts: 6410
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: Weird traffic on server, last few days....

Post by sektor2111 »

Thanks for sharing
Rule added 5.189.128.0 - 5.189.143.255
MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Re: Weird traffic on server, last few days....

Post by MrLoathsome »

The odd traffic still continues.
As Darkelarious noted the IP it is originating from has changed.
Just a few hours ago I had some of those log lines on my test server, with about the
same amount of time between attempts. (But not exactly... Exact same IP however.)
It still seems weird to me. Does not seem like the sort of pattern
you would expect from stray traffic from another game. But who knows....

If they change the IP weekly, that will keep sector busy with his blacklist.

Update on hardware issues with my main antique server.

Replaced the motherboard today with a brand new one.
This thing was still sealed up in the original static shield bag from the factory.
Have had it sitting in a box since I got it as a backup board in 2004 or 2005.
Also had a pair of 1.4g P3-S CPU's laying around, and 4 extra never used 1gb sticks of PC133 ECC server memory.
(Other board has 1.26 P3-S's in it... Left them and the memory where it was.)

Fired the thing up, and get the exact same results. Nothing on IDE. (But it notices that a hair faster. :lol2: :what: )

Only answer is that my tricky Antec TruePower 550 has lost one of its 12v rails, or one of the lines to the MB connector, or is having
some other odd issue that would make everything else on the board(s) still work.
Gonna swap that PSU out for a brand new spare one. If that ain't it, I might have some antique parts for sale.
blarg
sektor2111
Godlike
Posts: 6410
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: Weird traffic on server, last few days....

Post by sektor2111 »

MrLoathsome wrote: If they change the IP weekly, that will keep sector busy with his blacklist.
Pretty sure they are NOT unlimited in assigning IP classes. I_A_N_A doesn't accept this, is matter of patience. For me Everything is clean due to other lists doing stunts in Internet so they were already removed.

Aside, browsing some server (mine) using Host-Name not IP (couple of weeks ago), something (maybe DNS deals) triggered a connection with another sort of location hosting a non UT game right from my client. If some fancy dudes from Netherlands are busy with taking drugs rather than IT chapter, then I was banning everything from there excepting only locations where I have interest. First time I thought I won't be able to join anywhere blocking that crap but I could happily join to UT anytime - that thing was like an "echo" triggered or such or a "guardian" checking what I do and making noise useless. All the time I'm blocking connections done from UT client to NON UT games. More clear, that IP which I've added at firewall was a copy-paste from client-log. You can imagine my face when I was tracking trails of that connection and I figured 0 UT in all that crap. MasterServer's database gaming list issues ? DNS problem ? Phishing ? WHO/WHAT in hell did trigger my UT-client to launch a connection to a place with 0 UT game ? Huh ?
That "braside.ru" was in Netherlands, this IP was from Netherlands too. I don't know what's wrong with those guys but I simply closed deals adding "on-fly" exceptions at moments when I need them. So there is a reversed policy, Block all Except desired, rather than blocking a few excepting the rest, and now I'm breathing relaxed.
MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Re: Weird traffic on server, last few days....

Post by MrLoathsome »

Well as you know sektor2111, there are many ways to deal with this and as I mentioned I have been using that fail2ban IPTABLES enhancement
service on my server for years to deal with this sort of thing "on the fly". Once again I think we are on the same page, or at least the same chapter.
Your master server database error/fuckup idea sounds like the most likely answer at this point.
(If they are hackers, they are very bad at it.....)

I will keep an eye on my logs, and if this activity persists will write some new rule of my own to deal with it. Or think of a way to tighten up
my hardware firewall to block it.

Good news is that I now have the amount of log files to look at that I have grown accustomed to. :rock: :mrgreen: :tu:

**Last off-topic update on my little hardware issue.

It was the PSU. Should have tested that earlier.
Plugged my little PSU tester into it, and the ONLY light that comes on is the +5VSB indicator.
Nothing on 3.3v, 12v, 5v + or -. Sort of amazed those boards even POST'ed up with that.

The first thing I did when the brand new box fired up with the old HDD in it, was to plug in one
of the spare drives I was gonna clone, and I cloned it. DD ran for about 3-4 hours.
Tossed the cloned drive into a different case with the original motherboard/cpus, and it booted right
up. Only setting I had to reset was the local static IP on the NIC card.

Now I got 2 nearly identical server boxes up and running. One of them is currently cloning that boot drive onto my 3rd 120gb HDD which
I will keep ready as a spare for either. It will boot em both. And I didn't have to reinstall the OS or anything else. Yay!
Popped new CMOS batteries in both of them. The old one is now refurbished and the new one is still new.

Note: If any of you ever see a used SuperMicro motherboard for sale that matches any CPU's/Memory you have
laying around, buy that sucker.

The board that has been running for 12 years looks just like the brand new one. Both my 2 main desktops are also on
SuperMicro boards. They are socket 478 desktop systems at least 8 years old. Test server is on another old SM board. All run like they are new.
I checked them all close this last week after Barbie reminded me of the bulging capacitor issue that plagued motherboards
in the past. Seen that on almost every brand of motherboards before at some point, except SuperMicro boards.
These things are bulletproof. If you see one, buy it.
blarg
-=SoP=-axewound
Average
Posts: 63
Joined: Wed Apr 30, 2008 9:17 pm

Re: Weird traffic on server, last few days....

Post by -=SoP=-axewound »

If you are interested in blocking countries or zones by IP address using IPTables on your linux server take a look at this script: http://www.cyberciti.biz/faq/block-enti ... -iptables/

Here is a CIDR listing of addresses by zone you can use: http://www.ipdeny.com/ipblocks/data/countries/
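Added example, not part of the post above or of the linked script: a shell sketch that validates a one-CIDR-per-line zone list and turns it into an `ipset restore` file, so one iptables rule can match the whole list. Using ipset is a substitution made here; the set name `blocked_zone` and the sample entries are constructed, and `5.189.128.0/20` is the CIDR form of the range sektor2111 posted earlier in the thread.

```shell
# Added example: turn a CIDR zone list into an `ipset restore` file.
# Set name and sample entries are constructed for illustration.

# Succeed only for a well-formed IPv4 CIDR such as 192.0.2.0/24.
valid_cidr() {
    case $1 in
        *[!0-9./]*|*/*/*) return 1 ;;   # stray characters or two slashes
        */*) ;;
        *) return 1 ;;                  # no prefix length
    esac
    vc_ip=${1%/*} vc_len=${1#*/}
    case $vc_len in ""|???*|*[!0-9]*) return 1 ;; esac
    [ "$vc_len" -le 32 ] || return 1
    case $vc_ip in .*|*.|*..*) return 1 ;; esac   # empty octets
    vc_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_o in "$@"; do
        case $vc_o in ????*) return 1 ;; esac
        [ "$vc_o" -le 255 ] || return 1
    done
}

# Read a zone list on stdin ('#' comments allowed) and write ipset restore
# commands for set $1 on stdout. Rejected lines are reported on stderr.
zone_to_ipset() {
    echo "create $1 hash:net family inet"
    echo "flush $1"                     # drop stale entries on re-import
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then echo "add $1 $line"
        else echo "skipped invalid entry: $line" >&2; fi
    done
}

# Constructed sample list; the last two entries are deliberately malformed.
sample_zone() {
    cat <<'EOF'
# sample zone list, one CIDR per line
5.189.128.0/20
192.0.2.0/24
203.0.113.0/33
198.51.100.300/24
EOF
}

# Load the output with:  ipset -exist restore < file
# Then match it with:    iptables -I INPUT -m set --match-set blocked_zone src -j DROP
sample_zone | zone_to_ipset blocked_zone
```

Validating each line before it reaches the firewall matters because a downloaded list that is truncated or tampered with would otherwise abort the import halfway or add unintended networks.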
JackGriffin
Godlike
Posts: 3774
Joined: Fri Jan 14, 2011 1:53 pm
Personal rank: -Retired-

Re: Weird traffic on server, last few days....

Post by JackGriffin »

This. Best thing you'll ever do. Block liberally and without mercy.

"Let's play some Unreal!" said no Chinese person ever. Why do I keep seeing their IP's :lol2:
So long, and thanks for all the fish
papercoffee
Godlike
Posts: 10448
Joined: Wed Jul 15, 2009 11:36 am
Personal rank: coffee addicted !!!
Location: Cologne, the city with the big cathedral.

Re: Weird traffic on server, last few days....

Post by papercoffee »

JackGriffin wrote: "Let's play some Unreal!" said no Chinese person ever. Why do I keep seeing their IP's :lol2:
Because you didn't listen, they say "Ret's pray some Unlear!" ...I know, it can be confusing.








:ironic:
JackGriffin
Godlike
Posts: 3774
Joined: Fri Jan 14, 2011 1:53 pm
Personal rank: -Retired-

Re: Weird traffic on server, last few days....

Post by JackGriffin »

You mother FUCKER. :mad2: :mad2: I swear to you I am now looking at a monitor splattered with fresh coffee. I *just* cleaned this desk last night and now it's got coffee drops all over it. I almost spit my teeth out too you cunt. Posts like that need a [HUMOROUS] tag!
So long, and thanks for all the fish
Syntax-Error
Novice
Posts: 23
Joined: Wed Sep 10, 2014 12:20 pm
Personal rank: Admin & Player
Location: Rotterdam, The Netherlands

Re: Weird traffic on server, last few days....

Post by Syntax-Error »

Hey guys...

Fail2Ban rocks, but there's a nice addition to those tools as well: Portsentry

https://sourceforge.net/projects/sentrytools/


Can block detected portscans and stuff...
Very convenient...