updated changelog; added incident report

136aaffb · Tobias Fiebig · 19789262 · 136aaffb · 136aaffb · 136aaffb
Commit 136aaffb authored 3 years ago by Tobias Fiebig
--- a/changelog/changelog.md
+++ b/changelog/changelog.md
@@ -11,6 +11,10 @@ New entries go to the top of the 'Changes' section and have the following form:
 ```

 # Changes
+## Wed Jan 12 11:29:35 UTC 2022
+- *Change by:* Tobias Fiebig
+- *Description:* Additional firewall rules to prevent bogons from reaching the Internet after Hetzner issued AbuseID:9D18EC:1B, see [report](reports/1641987055.md).
+
 ## Thu Jan  6 22:42:45 UTC 2022
 - *Change by:* Tobias Fiebig
 - *Description:* 

--- a/changelog/reports/1641987055.md
+++ b/changelog/reports/1641987055.md
+# Abuse Message [AbuseID:9D18EC:1B]: PortscanOutLevel: Portscan detected from 168.119.67.118
+
+## Description
+Around Wed Jan 12 02:55:21 2022, Hetzner recorded outbound traffic from vcr000
+to rfc1918 addresses. Hetzner suspects an attack.
+
+## Resolution
+An investigation revealed that this was related to Hetzner forwarding inbound
+traffic with src addr in 10.0.0.0/8 and our servers reacted benign. To mitigate
+this in the future, additional outbound firewall rules were added:
+```
+domain (ip) {
+    table filter chain OUTPUT {
+        outerface enp196s0 daddr (10.0.0.0/8 192.168.0.0/24 172.16.0.0/12) REJECT;
+    }
+}
+```
+Documentation has been adjusted and Hetzner informed.
--- a/hosts/vcrNNN.bbb.tbm.tudelft.nl/install23.md
+++ b/hosts/vcrNNN.bbb.tbm.tudelft.nl/install23.md
@@ -87,6 +87,12 @@ domain (ip) {
    }
 }

+domain (ip) {
+    table filter chain OUTPUT {
+        outerface enp196s0 daddr (10.0.0.0/8 192.168.0.0/24 172.16.0.0/12) REJECT;
+    }
+}
+
 ```

 # Install BBB