Risc OS Servers on-line
Bryan (8467) 468 posts |
In another topic, I stated that I had Risc OS servers on-line with public (WAN) IP addresses port forwarded to LAN addresses and the popular response was that such servers would be hacked and compromised within seconds (or perhaps, minutes).

That is not my experience. I have servers which have been on-line for years. A couple with the same address and port. I do see the occasional hack attempt, but none work because nobody seems to know how to hack a Risc OS server – even if they could tell that it is RiscOS! My servers disguise any responses, if at all possible.

As my experience is vastly different to that stated by others on here, let me pass on my setup to see if it helps anyone else.

Firstly I use a top quality business Internet provider. Say, AAISP and/or Zen.

I use a top quality router which can handle two, multi IP, WAN connections simultaneously – a DrayTek 2860.

I mostly have webservers running on non-standard high numbered ports (>1000), although WebJames on port 80 does seem to be robust enough to put on-line.

I mostly have my servers accessed by IP address, not by domain name. And in the cases where access is by domain name, I never combine that with port 80.

I try not to have public links on other people's servers and where somebody creates a link, I change my server address and/or port to invalidate the link. I do, extensively, use links from one of my servers to another.

I only use TCP ports. UDP is an uncontrolled nightmare.

I never use any port numbers below 1000 (with the exception of 80). So no nameservers or email, etc.

Webservers always silently drop any connection attempts to the home page (except for webjames which returns a simulated 404 error). Other pages use hard to guess page names. Invalid page addresses silently drop the connection. So, a typical web page address might be http://01.02.03.04:7068/cgi-request/page-request?option=123

I also use TCP protocols other than HTTP, but they follow similar rules. In a number of cases, the client to such servers might not expect a response in any case.

I use Wget to send messages from one server to another. Wget does not complain if it does not get a reply. If I want to PUT a file on another server, I no longer use FTP [1], I now use Wget to send a message saying the file is ready, come and get it.

I use port forwarding to make my servers visible on the Internet.

[1] I do still have !Deltanet running on a Pi 4 with Aemulor, but not currently being used. |
Rick Murray (539) 13840 posts |
Hack attempts would be within minutes. As long as your setup resists such things, you’re okay…for now. ;) But just note, no IoT gizmos. They’re a nightmare of obsolescence and bugs.
Ah, that’s why you don’t see what’s going on. Botnet scripts aren’t likely to waste time port scanning, they’ll go for easy pickings. With port 23 and 80 exposed, it’s a rather different story. Though WebJames is pretty solid here. As is, thankfully, my own server.
Domain name isn’t really relevant. I think the bots simply scan a block of IP addresses, and if yours replies, then it’ll get clobbered until the bot runs out of things to do.
The prime difference between a server that’s there for your use, and one that can be of use to others. ;) |
Bryan (8467) 468 posts |
But I am not seeing any attempts for days at a time.
such servers would be hacked and compromised within seconds (or perhaps, minutes).
In my case, it is there for the use of others. But they are others who are invited.
So, a typical web page address might be |
Rick Murray (539) 13840 posts |
Oh my god, please reread what I wrote, specifically the part about you not using standard ports and hack-bots not so likely to go looking for what ports you might be using. Also, please allow me to drop here a copy of my connection log for today…
That’s not even 24 hours, it’s midnight to a little after 8pm. I suppose it might be a good idea to report the caller IP address and country code (if available). Linetask started - port 0, socket 21, IP 192.168.1.11 (ZZ), on Thursday 17 March 2022 at 20:30:26. |
David J. Ruck (33) 1635 posts |
Don’t rely on non standard ports. I’ve got an inbound ssh tunnel open on a high port number and here are the blocked addresses (which means multiple connection attempts) since last night’s backup – just 15 hours. If it had been port 22, there would be hundreds.
|
Rick Murray (539) 13840 posts |
Hey, if anybody is bored, we could play spot! *MiniBBS_BlackListShow 16++ IP addresses have been blacklisted, the most recent 16 are recorded. (note: the blacklist table only holds 16 entries) * It only holds sixteen entries as once an IP has been exhausted, another one will take over, so a circular list will suffice. Oh, and the number of connection attempts since the server came online? I was reading the wrong stat. It’s 1,688,365. The server has been active for 2,306,330 minutes (1601 days, 14 hours, and 50 minutes). Thus “averaging” around once every two minutes (but as you see above, it tends to come in bursts). Current country block list: CN, RU, VN, KG, EG, IN, IL, PH, SG, RO. So those connections are with these countries blocked. [and, frankly, I have no idea how the F to cater for country-scale blocking in an IPv6 world] |
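Added example, not part of the thread and not MiniBBS code: a Python sketch of the two mechanisms the posts above describe, grouping "Linetask started" log lines into bursts and keeping a fixed 16-slot circular blacklist. The log lines are constructed in the format quoted in the thread; the 60-second burst gap, the threshold of 3 attempts, the per-entry count and all function names are assumptions.

```python
import re
from collections import Counter, OrderedDict
from datetime import datetime, timedelta

# Constructed sample in the thread's log format; the first line is the older
# form without a caller IP. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Linetask started - port 0, socket 7, on Thursday 17 March 2022 at 01:36:50.
Linetask started - port 0, socket 7, IP 203.0.113.5 (ZZ), on Thursday 17 March 2022 at 01:36:54.
Linetask started - port 0, socket 7, IP 203.0.113.5 (ZZ), on Thursday 17 March 2022 at 01:36:58.
Linetask started - port 1, socket 76, IP 203.0.113.5 (ZZ), on Thursday 17 March 2022 at 01:37:13.
Linetask started - port 0, socket 40, IP 198.51.100.9 (ZZ), on Thursday 17 March 2022 at 02:00:12.
Linetask started - port 0, socket 57, IP 192.0.2.44 (ZZ), on Thursday 17 March 2022 at 05:36:30.
Linetask started - port 0, socket 57, IP 192.0.2.44 (ZZ), on Thursday 17 March 2022 at 05:36:33.
Linetask started - port 0, socket 57, IP 192.0.2.44 (ZZ), on Thursday 17 March 2022 at 05:36:36.
"""

LINE_RE = re.compile(
    r"Linetask started - port (?P<port>\d+), socket (?P<socket>\d+)"
    r"(?:, IP (?P<ip>[\d.]+) \((?P<cc>[A-Z]{2})\))?"
    r", on \w+ (?P<when>\d{1,2} \w+ \d{4} at \d{2}:\d{2}:\d{2})\."
)

def parse(log_text):
    """Return (timestamp, ip or None, country or None, port) per log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["when"], "%d %B %Y at %H:%M:%S")
            events.append((when, m["ip"], m["cc"], int(m["port"])))
    return events

def bursts(events, gap=timedelta(seconds=60)):
    """Group events spaced no more than `gap` apart (60 s is an assumption)."""
    groups = []
    for ev in sorted(events, key=lambda e: e[0]):
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

class CircularBlacklist:
    """Fixed number of slots; a new address overwrites the oldest entry."""
    def __init__(self, slots=16):
        self.slots = slots
        self.entries = OrderedDict()  # ip -> attempts counted, oldest first

    def add(self, ip, attempts=1):
        if ip not in self.entries and len(self.entries) >= self.slots:
            self.entries.popitem(last=False)  # reuse the oldest slot
        self.entries[ip] = self.entries.get(ip, 0) + attempts

    def __contains__(self, ip):
        return ip in self.entries

def blacklist_from_log(log_text, threshold=3, slots=16):
    """Blacklist any caller with >= threshold attempts inside one burst."""
    bl = CircularBlacklist(slots)
    for group in bursts(parse(log_text)):
        per_ip = Counter(ip for _, ip, _, _ in group if ip)
        for ip, n in per_ip.items():
            if n >= threshold:
                bl.add(ip, n)
    return bl

if __name__ == "__main__":
    print(dict(blacklist_from_log(SAMPLE_LOG).entries))
```

Lines in the older format carry no caller address, so they count towards a burst but cannot be attributed to a blacklist entry.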
David J. Ruck (33) 1635 posts |
My black list is currently 43997 entries and gained another 42 in 15 hours, so there is no shortage of bots trying every port out there.
|
Rick Murray (539) 13840 posts |
Okay, you win. 😂 Point is, anyway, that it’s 🏴‍☠️ out there. (if you’re using RISC OS, that’s a skull and crossbones flag) |
Paolo Fabio Zaino (28) 1882 posts |
That is because a “reconnaissance” phase (the initial phase of an attack) is to identify interesting systems and, in many cases these days, such a phase is automated and based on IP CIDR that “could be potentially interesting” because owned by x or y. Given that RISC OS is a “clinically dead” OS (aka our community counts no more than ~350 / 400 users at best), it’s generally not targeted directly, because making an exploit for it would be just a waste of time and resources. Also because RISC OS’s old network stack is as slow as an old flooded Ford, so not even useful to run a DDoS over a 3rd target ;) In terms of actual security, when I have tested RISC OS, it has fallen victim to every single attempt and, btw, without even crashing (as we often joke about). If needed I may make some videos (without revealing the sources, but they are so banal that anyone with a bit of grey matter and coding skillz could figure them out). Mind, if I do that, most likely a few kids out there may start getting excited at the idea of running some scans to find RISC OS systems out there (just using NMAP can trace down RISC OS machines fairly accurately because YES NMAP does indeed have the fingerprint of the RISC OS network stack up to RISC OS 5.24 included)
That, again, is simply because a) what you are sharing is of no interest to those people, b) your IAP (internet access provider) is already running an IPS (Intrusion Prevention System) before your router (in the end if you are in a residential connection range, you should not have control of who can connect to your router, unless you have initiated that connection first, it’s called conntrack) and c) it may also be a false positive of your logging system reporting a hack attempt as a regular user btw ;) (this in the end is the intent of most hacks)

Block List based on IPs: they can work for some IPs, but not for all (a lot of these GeoIP maps are not even updated correctly) and, if a malicious user wants to hide their identity it’s as simple as drinking a glass of water these days: Use TOR network and then (to evade even those systems that trace TOR exit points) access a proxy chain of proxy servers. All that’s required to do this in a rock solid way is to run a TOR routing VM in front of a Kali Linux VM and use proxychains from Kali directly. But, if someone is a bit more skilled then, they can leave rats in Café/Bar/Pub routers and use them to route their traffic to the target system, this will appear to be a perfectly valid proper national IP (except it’s being accessed from wherever in the world) and yes you do not need to go to Britain to inject a rat in a router at the Duke of Something pub, because they can use Shodan to trace all vulnerable devices around the planet and then exploit them in the comfort of their bedroom wherever they are in the world (or again by using TOR/Proxy chains).
But, let’s say one wants to target any RISC OS user (because this someone must be extremely bored and ran out of more fun ideas), so all they have to do is access one of those old mailing lists still accessible in various ways and then send a malicious zip file with a simple malicious BBC BASIC file called !Boot to the address of one (or all) of these people and wait for the first one to click on the zip file to open it via !SparkFS… in less than a second that malicious user will own the victim computer and the game is done. Given that all RISC OS systems have a UniBoot thingy, to ensure the malware gets loaded every time it can be hidden in many ways and infect a script in the UniBoot to ensure the malware gets reloaded every single time. |
Bryan (8467) 468 posts |
I suspect that is probably the case, which is one reason why I use them. You will probably have noted that this is the item at the top of my list above. |