Tomáš Pospíšek's Notizblock

deinstalling ibus

ibus was installed by default on my Debian bullseye laptop. live-task-localisation depends on it and I'm guessing that live-task-localisation was installed because I installed from a USB stick.

I'm using Xfce as a desktop, konsole as a terminal and KeePassXC to manage passwords.

Even while doing nothing ibus is infrequently using CPU and of course memory. Do I need ibus? I don't know, but I don't think so. I do not need to enter Chinese or other characters that are "exotic" to me.

So I deinstalled ibus via aptitude while running the desktop. aptitude deinstalled the following packages along:

ibus-m17n ibus dconf-cli python3-ibus-1.0 gir1.2-ibus-1.0
ibus-data ibus-gtk ibus-gtk3 im-config libibus-1.0-5
libm17n-0 libotf0 m17n-db

Then I killed all ibus* daemons running on my system by using systemctl --user stop ... or kill -HUP ....

After that konsole and KeePassXC would not receive any keyboard inputs any more. It seems as if those programs (probably along with other programs that I wasn't running at the time), dynamically detect the presence of ibus and use it as keyboard input if available.

Restarting KeePassXC fixed the second problem and starting a new konsole fixed the other.

However, be aware that when killing ibus while running konsole you might risk losing the work you are currently doing in it (or in any other X11 console or possibly in other programs). So it's better to save your work before killing ibus. Because I had some open work in console I did the copy/paste trick to save open files in vim and terminate other sessions. Mind you that it might be tricky to copy/paste "special" characters that you need, such as CTRL-D, Escape and such.

Tomáš Pospíšek, 2021-08-01

smtp bruteforcing

The default settings of fail2ban are to ban an IP if it incorrectly authenticates 5 times within 10 minutes.

We are seeing one bruteforcing attempt every 3 minutes. The IPs where the attempts are coming from are widely distributed over the address space. However we do block IPs that try sustainedly.

Watching the log it feels like there is at least one actor that has access to a very large number of IPs that is continually bruteforcing us, that is aware of fail2ban's default settings and is scanning with a frequency that makes sure that he's flying under the radar of fail2ban's default settings (5 attempts per 10min).
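
To make the "under the radar" arithmetic concrete, here is an added example (not part of the original notes, and not fail2ban's own code) that replays log lines in the Exim format quoted further down through a sliding window. The log is constructed, the addresses are documentation ranges, and the 5-per-hour policy is only an assumed alternative to the 5-per-10-minutes default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim mainlog line in the format quoted on this page: timestamp, then bracketed peer IP.
LINE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol error in "AUTH LOGIN" '
    r'H=\S+ \[([0-9a-fA-F.:]+)\] AUTH command used when not advertised')

def parse(lines):
    """Yield (timestamp, ip) for every failed-AUTH line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def offenders(lines, maxretry, findtime):
    """Return the IPs with at least `maxretry` failures inside any `findtime` window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    hits = set()
    for ts, ip in sorted(parse(lines)):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            hits.add(ip)
    return hits

def constructed_log():
    """Constructed sample: one paced IP, one noisy IP, one single failed login."""
    start = datetime(2020, 2, 21, 0, 0, 0)
    fmt = ('{} SMTP protocol error in "AUTH LOGIN" H=(example) [{}] '
           'AUTH command used when not advertised')
    # Paced source: one attempt every 3 minutes, never more than 4 in any 10 minutes.
    events = [(start + timedelta(minutes=3 * i), "192.0.2.10") for i in range(20)]
    # Noisy source: 6 attempts within 100 seconds.
    events += [(start + timedelta(seconds=20 * i), "198.51.100.7") for i in range(6)]
    events += [(start + timedelta(minutes=5), "203.0.113.99")]
    return [fmt.format(ts.strftime("%Y-%m-%d %H:%M:%S"), ip) for ts, ip in events]

if __name__ == "__main__":
    log = constructed_log()
    print("5 per 10 min:", sorted(offenders(log, 5, timedelta(minutes=10))))
    print("5 per 1 hour:", sorted(offenders(log, 5, timedelta(hours=1))))
```

The paced address only shows up under the longer window, while the single failed login stays unflagged under both policies.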

It's also interesting to see what happens when you report an IP:

From: Tomas Pospisek
To: abuse@...
Subject: 192.168.0.1 bruteforcing SMTP auth

Hello,

the IP mentioned in the email subject has been bruteforcing SMTP auth on our server. I have blacklisted it.

2020-02-21 00:29:53 SMTP protocol error in "AUTH LOGIN" H=(UF2RIBjOt) [192.168.0.1] AUTH command used when not advertised
[...etc...]

Please let me know when you have stopped that IP from bruteforcing us so that I can remove it from the blacklist again.

Thanks,
*t

Good citizens of the internet

who             as        net              date        comment
greenserver.io  AS9009    45.133.116.0/24  2021-07-02  terminated VPS and customer within a day

Bad citizens of the internet

who              as        net               date        comment
ovh.ca           AS16276   198.50.252.24/29  2021-07-02  reply with arbitrary blueprint mail asking you to jump through some arbitrary process
quadranet.com    AS8100    104.129.0.0/18    2021-07-02  reply with blueprint mail but no reply if action was taken
chinanet.cn.net  AS4134    104.129.0.0/18    2021-07-02  no reply, spam contact jsabuse@189.cn bounces/is full
fastlink.net     AS46664   156.96.154.0/23   2021-07-16  no reply
Viet Speet Ltd   AS135905  103.155.80.0/23   2021-07-09  no reply
ehostidc.co.kr   AS45382   27.255.75.0/24    2021-07-09  no reply
vietserver.vn    AS63737   103.167.90.0/23   2021-07-09  no reply
microsoft.com    AS8075    40.124.0.0/16     2021-07-09  reply with blueprint mail asking you to jump through some arbitrary process
hostglobal.plus  AS202306  109.237.100.0/22  2021-07-09  no reply

Tomáš Pospíšek, 2021-07-17
