Hello All,

I was looking at my fail2ban setup tonight and noticed some unusual activity. Lo and behold, the IP is registered to Microsoft. What it's doing scanning my SSH port I don't know but I went looking around on Google and found a way to do it in pfSense. If you want the particulars, look at the article (URL at end of message) but look at the size of this list of domains and subdomains to block (this is from 2019 so I am sure it's out of date):

===
a-0001.a-msedge.net
a.ads1.msn.com
a.ads2.msn.com
ad.doubleclick.net
adnexus.net
adnxs.com
ads.msn.com
ads1.msads.net
ads1.msn.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.appex.bing.net:443
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
vortex.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
ad.doubleclick.net
adnexus.net
adnxs.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
a-msedge.net
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
ca.telemetry.microsoft.com
cache.datamart.windows.com
cdn.atdmt.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
db3wns2011111.wns.windows.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msftncsi.com
msnbot-207-46-194-33.search.msn.com
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings.data.microsof.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sO.2mdn.net
spynet2.microsoft.com
spynetalt.microsoft.com
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
ssw.live.com
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com telecommand.telemetry.microsoft.com.nsatc.net telecommand.telemetry.microsoft.com.nsat?c.net
telemetry.appex.bing.net
telemetry.appex.bing.net:443
telemetry.microsoft.com
telemetry.urs.microsoft.com
ui.skype.com
v10.vortex-win.data.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
win10.ipv6.microsoft.com
www.msftncsi.com
dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
===

The URL is: https://adobosyntax.wordpress.com/2019/04/06/blocking-microsoft-traffic-in-pfse
nse/

You use the DNSBL in pfBlockerNG to do this in pfSense.

You CAN block directly via CIDR but you have to make eight seperate rules and I do not feel like doing that. <G>

-- Sean

... "When the mouse laughs at the cat, there is a hole nearby." - Nigerian proverb
... "Does anyone REALLY read these stupid quotes?" - the SysOp
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

To: Sean Dennis
Re: Dealing with Microsoft
By: Sean Dennis to All on Thu Feb 17 2022 01:46 am

From Newsgroup: Micronet.MIN_COMP

Hello All,

I was looking at my fail2ban setup tonight and noticed some unusual activity. Lo and behold, the IP is registered to Microsoft. What it's doing scanning my SSH port I don't know but I went looking around on Google and

Are you sure that's just not traffic from their antivirus software calling home or something like that. do you have a windows computer?
--- Synchronet 3.18b-Win32 NewsLink 1.113
* bbses.info - http://bbses.info - telnet://bbses.info
* Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)

On 17 Feb 22 01:46:36, Sean Dennis said the following to All:

I was looking at my fail2ban setup tonight and noticed some unusual activit Lo and behold, the IP is registered to Microsoft. What it's doing scanning SSH port I don't know but I went looking around on Google and found a way t

Its likely a botnet operating on Azure infrastructure.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Hello Jas,

17 Feb 22 02:13, you wrote to me:

Are you sure that's just not traffic from their antivirus software
calling home or something like that. do you have a windows computer?

I have no Microsoft-powered computers in my posession.

This morning, I wake up to someone using an IP belonging to Microsoft Brazil trying to smack my SSH port around. I noticed a few other Brazilian IPs in there so I just blocked the whole country.

I don't know if someone was spoofing IP addresses from Microsoft but I'd rather be safe than sorry.

I am also blocking a LOT of virtual hosted systems that are just outright trying to portscan my network.

There's one problematic group called FranTech, with the company registered in Wyoming but with a .ca TLD, that has been causing issues for quite some time. I am making a dent though because they're showing up less often in my system logs.

I love pfSense. <G>

-- Sean

... Why is there so much month left at the end of the money?
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

Hello Nick,

17 Feb 22 06:37, you wrote to me:

Its likely a botnet operating on Azure infrastructure.

That too which is why I have been blocking virtual private hosts like crazy lately. It's always chasing my tail though because I'm seemingly always behind.

-- Sean

... He who always plows a straight furrow is in a rut.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

On 17 Feb 22 10:24:54, Sean Dennis said the following to Nick Andre:

Its likely a botnet operating on Azure infrastructure.

That too which is why I have been blocking virtual private hosts like crazy lately. It's always chasing my tail though because I'm seemingly always behind.

You'll never be able to 100% block them, but I don't notice them at all with pfsense at the helm.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Hello Nick,

17 Feb 22 11:19, you wrote to me:

You'll never be able to 100% block them, but I don't notice them at
all with pfsense at the helm.

I'm sure I've cut down the number quite a bit. I need to dial in fail2ban's reciditive (sp) filter a bit and that will help also. Strange that suddenly I had all of those hits from Brazil this morning but I don't have to worry about that either. *pets his pfSense box*

-- Sean

... Beauty is only skin deep but ugly goes clear to the bone.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

To: Sean Dennis
Re: Dealing with Microsoft
By: Sean Dennis to Jas Hud on Thu Feb 17 2022 10:21 am

There's one problematic group called FranTech, with the company registered in Wyoming but with a .ca TLD, that has been causing issues for quite some time.
I am making a dent though because they're showing up less often in my system logs.

I love pfSense. <G>

-- Sean

well if you have the time to block all that shit, than go ahead. might be better to just block everything and then whitelist what you want incoming.

there's millions of scanners out there, so i just let them scan unless i see them hitting hard and then i put them in my firewall.
--- Synchronet 3.18b-Win32 NewsLink 1.113
* bbses.info - http://bbses.info - telnet://bbses.info
* Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)

Hello Jas,

17 Feb 22 17:13, you wrote to me:

there's millions of scanners out there, so i just let them scan unless
i see them hitting hard and then i put them in my firewall.

pfSense, by default, blocks all unsolicited traffic. These IPs that are showing up are scanning my SSH port.

-- Sean

... Money talks. All mine says is "goodbye."
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

On 17 Feb 22 20:27:04, Sean Dennis said the following to Jas Hud:

there's millions of scanners out there, so i just let them scan unless i see them hitting hard and then i put them in my firewall.

pfSense, by default, blocks all unsolicited traffic. These IPs that are showing up are scanning my SSH port.

Why is SSH open to the world? That should be behind OpenVPN?

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Hello Nick,

17 Feb 22 20:49, you wrote to me:

Why is SSH open to the world? That should be behind OpenVPN?

Because MBSE allows SSH connections, that's why. I have callers that use it.

-- Sean

... A dog accepts you as boss. A cat wants to see your resume.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

Sean,

You use the DNSBL in pfBlockerNG to do this in pfSense.

You CAN block directly via CIDR but you have to make eight seperate
rules and I do not feel like doing that. <G>

I'll add these to my host name filter on the BBS. Besides, if they're
not going to make a 32-bit version of Windows 11, I'm sticking with
Windows 10. I can't see sacrificing a whole slew of legacy items just
to satisfy Microsoft's bottom line.

... "Does anyone REALLY read these stupid quotes?" - the SysOp

Never mind the bulletins. :P

Daryl


... Microsoft Tech Support For Legacy Windows?? FAT Chance!!
=== MultiMail/Win v0.52
--- SBBSecho 3.14-Win32
* Origin: The Thunderbolt BBS - Little Rock, Arkansas (618:250/33)

Why is SSH open to the world? That should be behind OpenVPN?

Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;)

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Because MBSE allows SSH connections, that's why. I have callers that use i

^^^^^^^^^^^^^^^^^^^

Why? That's SOO dumb ... people are too much like sheep anymore. It's a friggin' BBS for God's sake.

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Hello T,

18 Feb 22 21:21, you wrote to me:

Why? That's SOO dumb ... people are too much like sheep anymore.
It's a friggin' BBS for God's sake.

After nearly 40 years in IT, I can say that offering a more secure connection is a good thing, even if it's a BBS. We in North America take freedom for granted and I have received calls from people who don't have that luxury and have to look over their shoulders.

So are you saying that I use GPG encrypted email is stupid too?

-- Sean

... If it looks easy, it's tough; if it looks tough, it's impossible.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

Hello T,

18 Feb 22 21:20, you wrote to Nick Andre:

Didn't I say we NEVER talk about SSH ... it makes us angry ....
remember? ;)

Speak for yourself.

-- Sean

... If guns cause crime then pencils cause misspelled words.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

On 18 Feb 22 21:20, T.J. Mcmillen said the following to Nick Andre:

Why is SSH open to the world? That should be behind OpenVPN?

Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;

I forgot... its the first rule of Fight Club.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (618:500/24)

Sean,

Why is SSH open to the world? That should be behind OpenVPN?

Because MBSE allows SSH connections, that's why. I have callers that
use it.

I set up a special door to advise folks of the ports for SSH and QOTD
(Quote Of The Day). Because bots were slamming it, I set the values to non-conventional. Verified Users In Good Standing can get those values
from that door...and I've noted where the SSH logon bypasses the CAPTCHA
entry.

... A dog accepts you as boss. A cat wants to see your resume.

At the very minimum. <G>

Daryl

... Does a clean house show that there's a broken computer??
=== MultiMail/Win v0.52
--- SBBSecho 3.14-Win32
* Origin: The Thunderbolt BBS - Little Rock, Arkansas (618:250/33)

Daryl Stout wrote to Sean Dennis <=-

I set up a special door to advise folks of the ports for SSH and QOTD (Quote Of The Day). Because bots were slamming it, I set the values to non-conventional. Verified Users In Good Standing can get those values from that door...and I've noted where the SSH logon bypasses the
CAPTCHA entry.

I discovered that Spectrum silently blocks port 23 so I have kept the BBS' telnet port on 10123. They also block the QOTD port. I chose to keep the
SSH port on 22 but if I moved it elsewhere, I'd have no issues, but I am not letting script kiddies dictate my hobby.

If you take a look at this webpage about blocked ports, you'll notice that Spectrum says nothing about blocking port 23 but they do:

https://www.spectrum.net/support/internet/blocked-ports

-- Sean

... How long a minute is depends on what side of the bathroom door you're on. --- MultiMail/Linux
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

To: digimaus
Re: Re: Dealing with Microsoft
By: digimaus to Daryl Stout on Sat Feb 19 2022 02:58 am

from that door...and I've noted where the SSH logon bypasses the CAPTCHA entry.

I discovered that Spectrum silently blocks port 23 so I have kept the BBS' telnet port on 10123. They also block the QOTD port. I chose to keep the SSH port on 22 but if I moved it elsewhere, I'd have no issues, but I am not letting script kiddies dictate my hobby.

If you take a look at this webpage about blocked ports, you'll notice that Spectrum says nothing about blocking port 23 but they do:

https://www.spectrum.net/support/internet/blocked-ports

i'm on spectrum and i can open up port 23. i just tested it.

it probably depends on the territory they took over. if the old guys did it, they probably do the same.
--- Synchronet 3.18b-Win32 NewsLink 1.113
* bbses.info - http://bbses.info - telnet://bbses.info
* Origin: Time Warp of the Future BBS - Home of League 10 (618:300/12)

Hello Jas,

19 Feb 22 08:57, you wrote to digimaus:

i'm on spectrum and i can open up port 23. i just tested it.

I just tested it also: "Port 23 is open on 97.95.145.58"

I'll get someone to test it for me.

it probably depends on the territory they took over. if the old guys
did it, they probably do the same.

They will also close ports if they feel they're getting attecked.

-- Sean

... With clothes the new are best; with friends the old are best.
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Outpost BBS * Johnson City, TN (618:618/1)

On 2/18/2022 9:20 PM, T.J. Mcmillen wrote to Nick Andre:

Why is SSH open to the world? That should be behind OpenVPN?

Didn't I say we NEVER talk about SSH ... it makes us angry .... remember? ;)

LOL!!!

--- Platinum Xpress/Win/WINServer v7.0
* Origin: Omicron Thetta * Cordova TN * fidonet.winserver.org (618:100/14)