JowettTalk traffic.
-
Forumadmin
- Site Admin
- Posts: 20648
- Joined: Tue Feb 07, 2006 5:18 pm
- Your interest in the forum: Not a lot!
- Given Name: Forum
JowettTalk traffic.
I was interested to see that we had 708 people (IPs) on line today at the same time. The system does not include known BOTS in that figure so might include a machine trying to crawl JT, which is not being used by a real person. So I did some analysis.
Interestingly some of those machines were in Singapore where the current Grand Prix is taking place!
Note that I now have a very aggressive and dynamically cooperating firewall in place which blocks all the IPs in over half the world's countries, plus it blocks all the IPs from known crawlers and hackers that are held in daily updated lists held by a few organisations, plus it blocks any IP using any known exploits, plus it blocks IPs that fail a few times so might be trying to overload the website. Plus I and many other administrators regularly observe logs and update our rules to stop any new exploits and inform all other administrators of the results. This firewall has been present for over 10 years but recently underwent a full review and update.
I will undertake further analysis when time permits but I have Amy's dog to walk and a grand prix to watch.
-
Nick Webster
- Posts: 313
- Joined: Thu Sep 18, 2008 11:38 pm
- Your interest in the forum: Jowett Javelin Registrar
- Given Name: Nick
- Location: Cromer, Norfolk UK
Re: JowettTalk traffic.
As a matter of interest, although I can still access JT using my steam driven PC I have been unable to get in (despite what I imagine is the same IP) on my Android tablet, because it is flagged up as an insecure site. I can see it but the page is locked some time mid September with no later postings. No chance of logging on because the tablet prevents me.
Nick
JCC Member
-
Forumadmin
- Site Admin
- Posts: 20648
- Joined: Tue Feb 07, 2006 5:18 pm
- Your interest in the forum: Not a lot!
- Given Name: Forum
Re: JowettTalk traffic.
Nick,
What browser is the Android tablet using?
You get an error (NET::ERR_CERT_DATE_INVALID) on Chrome and Android if you are trying to get to www.jowett.net and not jowett.net.
The reason being that these two websites are different and the certificate used by jowett.net is not valid for www.jowett.net.
Many websites choose to make the two synonymous and share the same certificate, but I have not for the new server.
You might find that SSL checker on www.jowett.net shows that certificate has expired, which is why you get that error, whereas
https://www.sslshopper.com/ssl-checker. ... jowett.net shows the certificate is OK for jowett.net
This might help:
https://support.google.com/chrome/threa ... rect?hl=en
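The www versus bare-domain distinction described in the post above, as an added example that is not part of the original thread: a check of which hostnames a certificate covers and whether it is inside its validity dates. The certificate contents, dates and the `NOW` value are constructed for illustration and are not the site's real certificates.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificates, in the dict shape returned by
# ssl.SSLSocket.getpeercert(). Names and dates are invented.
APEX_CERT = {"subjectAltName": (("DNS", "jowett.net"),),
             "notBefore": "Sep  1 00:00:00 2025 GMT",
             "notAfter": "Nov 30 00:00:00 2025 GMT"}
OLD_WWW_CERT = {"subjectAltName": (("DNS", "www.jowett.net"),),
                "notBefore": "Jun  1 00:00:00 2025 GMT",
                "notAfter": "Aug 30 00:00:00 2025 GMT"}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.jowett.net"),),
                 "notBefore": "Sep  1 00:00:00 2025 GMT",
                 "notAfter": "Nov 30 00:00:00 2025 GMT"}
NOW = datetime(2025, 10, 5, tzinfo=timezone.utc)  # constructed "today"


def name_matches(hostname, pattern):
    """Match a hostname against one certificate DNS name.

    A wildcard is honoured only as the whole left-most label, so
    *.example.org covers www.example.org but not example.org itself.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_problems(hostname, cert, now):
    """Return the reasons a browser would reject this cert for hostname."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(hostname, n) for n in names):
        problems.append("name_mismatch")
    t = now.timestamp()
    if t < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if t > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for host in ("jowett.net", "www.jowett.net"):
        for label, cert in (("apex", APEX_CERT), ("old www", OLD_WWW_CERT),
                            ("wildcard", WILDCARD_CERT)):
            print(host, label, cert_problems(host, cert, NOW) or "ok")
```

Serving both names from one certificate means listing both as DNS names in it; a wildcard alone does not cover the bare domain.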
-
Forumadmin
- Site Admin
- Posts: 20648
- Joined: Tue Feb 07, 2006 5:18 pm
- Your interest in the forum: Not a lot!
- Given Name: Forum
Re: JowettTalk traffic.
I have undertaken more analysis of the so-called guests who are on line. They are mainly new Bots having the ability to generate multiple attacks from a block of IP addresses. WHOIS analysis shows they are emanating from multiple countries (GE, US, JP) but owned by the same Chinese company, tencent.com. I have now blocked these 400 offending IPs but also all the IPs owned by the company or the IP provider of its services. This often has IP ranges of a million IP addresses. Sorry if you are using the same IP provider that this company uses as you will now be blocked!
All these IPs had been reported to the blacklisting company that I subscribe to, but my updating method is limited to 100,000 IPs per day, so is taking time to catch up. It has only been going for 20 days. I am looking into paying for a more timely service or developing a rule to block such attacks on JT. I have already implemented my own rules (as well as those used by many other websites) on attacks on the website but these attackers are using known forum webpages so look like genuine users to the existing exploit rules. The probes do not get anything of value to them as I can see where they are trying to go and so far they are using fairly simple exploits. The sensitive and valuable parts of the website and JT are well protected.
-
Nick Webster
- Posts: 313
- Joined: Thu Sep 18, 2008 11:38 pm
- Your interest in the forum: Jowett Javelin Registrar
- Given Name: Nick
- Location: Cromer, Norfolk UK
Re: JowettTalk traffic.
Hello Keith,
I'm using Chrome and sometimes DuckDuckGo. Anyway, armed with your info I am into the forum. Even when I manually changed from www.jowett.net to jowett, nevertheless, I had a bit of a job stopping the browser writing in www just to be helpful. Perhaps something to do with cache or shortcut. I expect I can tidy up and sort it out. Thanks,
Nick (not-a-bot)
JCC Member
-
Keith Clements
- websitedesign
- Posts: 3968
- Joined: Wed Feb 08, 2006 11:22 am
- Your interest in the forum: Jup NKD 258, the most widely travelled , raced and rallied Jowett.
- Given Name: Keith
- Contact:
Resilience.
Just to let you know JT looks up IPs of users registering or posting and blocks them if they are on various blacklists.
I will try to improve the system by actively looking at the session table in JT and blocking bad actors as soon as they try to access JT. This will put extra load on the server so I may have to be a bit more intelligent if the system slows down too much. Another approach would be to allow through known good IPs who have previously had a session with JT.
As you may have realised this has all come about by the server suffering loading issues over the last year due to increased exploits by bad actors.
There are many initiatives being explored by many companies to reduce attacks and their consequences. As a result many websites and services will start to break. You already see this with email not being delivered because Microsoft decides someone is bad. Microsoft now insists that people must use the latest authentication methods (perhaps to get people to use their software).
Here is one webmaster taking things seriously.
https://www.exxosforum.co.uk/forum/
If you read the topic in the link about Microsoft accounts you will note that having your forum hosted by somebody else can give issues as that host might either get blacklisted or that host might blacklist you or one of the services you rely on. Hence why I host JT both on a Gcloud instance where I am only dependent (temporarily) on one instance in the Google cloud (but there is a back-up instance) AND my home server where I am only dependent (temporarily) on BT and Openreach both of whom I can switch to go to cable, 5G or other providers should either service cease or become difficult.
Such considerations are often overlooked by website and service providers where they use many elements of software and hardware each of which is subject to change. When one link breaks or needs updating or becomes unaffordable or non-competitive you will either be stuck with what you have or have a broken service. It may be easier to subcontract the initial hassle but you might lose control very rapidly once locked into a poor contract.
Hence my use of OPEN SOURCE SOFTWARE and openly available alternatives to service platforms. The Jowett website is not just the Forum as it provides other quite complex services such as Member Services with its Members Map feature, video and Archive Search facilities. So getting one provider to provide all these tailored services was not possible.
skype = keithaclements ;
-
Keith Clements
- websitedesign
- Posts: 3968
- Joined: Wed Feb 08, 2006 11:22 am
- Your interest in the forum: Jup NKD 258, the most widely travelled , raced and rallied Jowett.
- Given Name: Keith
- Contact:
Unwanted blacklisting.
Andrew Jackson reported he was unable to access JT. Some investigation showed that the IP address he had been using had been blacklisted by the new firewall.
If this happens to you it is likely you had a '404 Not found error' when trying to access a page on JT or somewhere else on the server such as jowett.net or jowett.org. Currently the firewall assumes you are trawling and so blocks you from accessing the server again.
Please try to record when this happens with the page you were trying to get to and let me know.
At some stage I will relax some of the rules used by the firewall. I needed to reduce the recent rise in unwanted attention to the site so the rules have a low threshold.
I am investigating how to add IP addresses known to be good by JT into the whitelist of the firewall. This should override any automatic blacklisting the firewall performs. JT records the IP that you registered on and the IP of your last visit, so I have something to work on.
To give you some idea of the problem: in addition to the countries blacklisted, and all the known hackers in the non-blacklisted countries (currently approaching half a million) my firewall has detected and blocked 1465 other IP addresses which I hope are not genuine users, but some may be valid and should be whitelisted which is what I need to correct.
skype = keithaclements ;
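The 404-triggered ban and the planned whitelist override described in the post above, as an added example that is not part of the original thread and not the site's own firewall rules. The log lines, addresses, threshold and window are constructed, and `KNOWN_GOOD` stands in for the registration and last-visit IPs the forum records.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (documentation address ranges, invented requests).
SAMPLE_LOG = [
    '203.0.113.50 - - [05/Oct/2025:10:00:01 +0000] "GET /nonexistent-a HTTP/1.1" 404 196 "-" "bot"',
    '203.0.113.50 - - [05/Oct/2025:10:00:02 +0000] "GET /nonexistent-b HTTP/1.1" 404 196 "-" "bot"',
    '198.51.100.7 - - [05/Oct/2025:10:00:05 +0000] "GET /jowettorg/jowettnet/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [05/Oct/2025:10:00:06 +0000] "GET /nonexistent-c HTTP/1.1" 404 196 "-" "bot"',
    '198.51.100.7 - - [05/Oct/2025:10:01:10 +0000] "GET /jowettorg/jowettnet/index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Oct/2025:10:02:30 +0000] "GET /jowettorg/jowettnet/cars.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Oct/2025:10:03:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Oct/2025:10:03:20 +0000] "GET /jowettorg/jowettnet/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

# Constructed stand-in for IPs exported from the forum's user records.
KNOWN_GOOD = {"198.51.100.7"}


def canon(ip_text):
    """Normalise an address so textual variants compare equal."""
    return str(ipaddress.ip_address(ip_text))


def parse(line):
    """Return (ip, time, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, stamp, path, status = m.groups()
    try:
        ip = canon(ip)
    except ValueError:  # client field is a hostname or garbage
        return None
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status)


def decide_bans(lines, known_good, threshold=3, window=timedelta(minutes=10)):
    """Ban an IP after `threshold` 404s inside `window`, unless allowlisted.

    Returns (banned, spared): dicts mapping IP to the paths that tripped
    the rule. `spared` holds allowlisted IPs that would otherwise be banned,
    which is also a list of broken links worth fixing.
    """
    good = {canon(ip) for ip in known_good}
    recent = defaultdict(deque)
    banned, spared = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 404:
            continue
        ip, when, path, _ = rec
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append((when, path))
        while when - hits[0][0] > window:  # drop 404s older than the window
            hits.popleft()
        if len(hits) >= threshold:
            (spared if ip in good else banned)[ip] = [p for _, p in hits]
    return banned, spared


if __name__ == "__main__":
    print(decide_bans(SAMPLE_LOG, KNOWN_GOOD))
    print(decide_bans(SAMPLE_LOG, KNOWN_GOOD, threshold=1))
```

With `threshold=1` the single mistaken request from 192.0.2.10 is enough for a ban, which is the false-positive cost of a low threshold.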
-
Keith Clements
- websitedesign
- Posts: 3968
- Joined: Wed Feb 08, 2006 11:22 am
- Your interest in the forum: Jup NKD 258, the most widely travelled , raced and rallied Jowett.
- Given Name: Keith
- Contact:
Reinstatement
I have removed from the blacklist four IPs that came from fixed line Internet Service Providers that were not reported as being abusive and were detected and blocked by my firewall. This was after feeding the 1465 blacklisted IPs detected by my system into the abuseipdb database which provides me a huge amount of information on each IP. I used a bit of human intelligence to decide which ones were possibly not malicious and probably were genuine users.
I also wrote some code to query the JT database to see if any of the abusive IPs were in its database. None were, so those 4 users had not registered and had not a current session with JT.
Getting one false positive and possibly another 4 out of 1465 'abusive' IPs is not bad for the firewall. But it could be better so when I get time I will make the JT check more timely so that a registered user on a new IP address who makes a poor access is not blacklisted. Note those 4 may have been malicious as they might have been using their home computer to hack my system. But if they come back and try again they will be blocked.
I have found a few bad links in JT so will try to make them good as they may have caused the '404 Not found' errors.
skype = keithaclements ;
-
Keith Clements
- websitedesign
- Posts: 3968
- Joined: Wed Feb 08, 2006 11:22 am
- Your interest in the forum: Jup NKD 258, the most widely travelled , raced and rallied Jowett.
- Given Name: Keith
- Contact:
The pre 2006 website
One reason for some of the '404 Not found' errors was that the pre-2006 website had not been transferred to the new jowett.net server, only the jowett.org server.
This new server hosts separate domains rather than sharing the same filespace as in the previous server.
The pre-2006 website could be accessed on the previous server either with https://jowett.org/jowettnet or by https://jowett.net/jowettorg/jowettnet . But after the move it could only be accessed using https://jowett.org/jowettnet . Any links to https://jowett.net/jowettorg/jowettnet would fail.
I have now copied the files from jowett.org to jowett.net as a temporary solution.
The pre 2006 JT is available now on https://jowett.net/jowettorg/oldjowetttalk/ as well as https://jowett.org/oldjowetttalk/
and pre 2006 website is available now on https://jowett.net/jowettorg/jowettnet/ as well as https://jowett.org/jowettnet/
Please note that many of the links on those old sites are broken!!!! A job for another day.
Maintaining integrity across the many moves and changes of technology of the website since 1999 has always been an issue. Luckily I have not used proprietary software in JowettTalk since it is very difficult to migrate to a new system. I know I used to do it for a living!
The old facilities still remain so that any valuable information is not lost, it just may be difficult to find. But I am working on that.
skype = keithaclements ;
-
Keith Clements
- websitedesign
- Posts: 3968
- Joined: Wed Feb 08, 2006 11:22 am
- Your interest in the forum: Jup NKD 258, the most widely travelled , raced and rallied Jowett.
- Given Name: Keith
- Contact:
The ongoing security operation.
Getting a stable, secure platform to build a new web service whilst beating back the hordes from the gates is taking some time.
After helping Harry and his race team yesterday at Thruxton race circuit I am back to analysing the logs of blacklisted IPs.
134 new possible exploits have been thwarted by detecting the intruders after they got through the initial three lines of defence, namely the Google firewall, the server's firewall and the intrusion detection system. But I have reinstated 4 of those 'intruders' as they may have inadvertently tripped my own security system.
If those 4 did have a genuine interest I hope they come back. They were from 3 different countries.
skype = keithaclements ;
-
Forumadmin
- Site Admin
- Posts: 20648
- Joined: Tue Feb 07, 2006 5:18 pm
- Your interest in the forum: Not a lot!
- Given Name: Forum
Error message added.
I have added this error message to the domains when a web page is not found. I had thought about adding the ability to input the user's IP to alert the webmaster, but this could easily be defeated by a clever BOT and I would get a deluge of requests for reinstatement.
No content here and you are forbidden access.
You may have been permanently banned from all domains on this server!
Do not trawl this server. There is a strong firewall in place.
If you came here by mistake, then the server may have banned your machine for subsequent access.
Please use another machine and try again or find a way of contacting the webmaster who may be able to reinstate your machine's access.
In your email message to the webmaster please state the IP address of the machine you are trying to use.
You can use whatsmyip.com to find your IP address.
-
Forumadmin
- Site Admin
- Posts: 20648
- Joined: Tue Feb 07, 2006 5:18 pm
- Your interest in the forum: Not a lot!
- Given Name: Forum
Beating the hackers.
Over the last few months I have identified a persistent hacker trying to register on JT. They have used different IP addresses every time so my process of banning the IP address was not good enough. So analysis of the IP addresses being used showed they came from one Internet Service Provider, MEVSPACE, registered in Poland. Abuseipdb showed they had thousands of known bad IPs but these had not yet been transferred to my firewall. So I did a manual approach by using abuseipdb to find all the IPs registered to that ISP (about 10000) and banned the lot using CIDR notation that groups clusters of IPs together. The hacker always registered with an email address with a .ru domain so he was probably Russian. If he or his artificial intelligence BOT is reading this he will probably be a bit cleverer next time!
As well as these IP version 4 address sets I also banned some IPv6 sets which contain a vastly greater number of addresses. IPv4 has about 4.29 billion addresses (2^32), while IPv6 has about 340 undecillion addresses (2^128).
Just thought I would let you know what goes on when I am not under Jowetts.
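Grouping offending addresses into CIDR blocks, as described in the post above, shown as an added example that is not part of the original thread. It compares the smallest CIDR set covering only the observed addresses with a ban on whole provider prefixes, and lists which known-good member addresses each choice would catch. All addresses, prefixes and the member list are constructed.

```python
import ipaddress

# Constructed inputs (documentation address ranges).
OFFENDERS = (["203.0.113.%d" % i for i in range(8)] +
             ["203.0.113.16", "203.0.113.17", "198.51.100.200",
              "2001:db8:1::", "2001:db8:1::1"])
PROVIDER_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24",
                     "192.0.2.0/24", "2001:db8:1::/48"]
MEMBERS = ["203.0.113.200", "192.0.2.44"]  # known-good forum users


def exact_cidrs(addresses):
    """Smallest CIDR list covering exactly the given addresses."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def provider_bans(addresses, provider_prefixes):
    """Widen the ban to every provider prefix containing an offender.

    Returns (prefix, offenders_seen, addresses_blocked) per banned prefix,
    so the amount of over-blocking is visible before the rule is loaded.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    report = []
    for text in provider_prefixes:
        prefix = ipaddress.ip_network(text)
        seen = sum(1 for a in addrs if a in prefix)
        if seen:
            report.append((str(prefix), seen, prefix.num_addresses))
    return report


def caught(known_good, cidrs):
    """Known-good addresses that fall inside any of the banned CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sorted(g for g in known_good
                  if any(ipaddress.ip_address(g) in n for n in nets))


if __name__ == "__main__":
    exact = exact_cidrs(OFFENDERS)
    wide = provider_bans(OFFENDERS, PROVIDER_PREFIXES)
    print("exact:", exact, "members caught:", caught(MEMBERS, exact))
    for prefix, seen, blocked in wide:
        print("wide: %s offenders=%d blocked=%d" % (prefix, seen, blocked))
    print("members caught:", caught(MEMBERS, [p for p, _, _ in wide]))
```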