All blackhole entries gone today

Postby Elijah-777 » Apr 26 13 7:01 pm

This morning, after rebooting the Server, could NOT get online.

After much anguish and checking - 4 hours of time wasted - discovered ALL my blackhole entries are GONE and replaced with this one : 0.0.0.0.0

Deleted that and back online instantly.

PROBLEM : We are scanned ALL THE TIME by evil folk. They try and login as guest and are immediately blackholed for trying to do this.

How could the vanishing of ALL these blackholed IPs happen, to then be replaced with our default gateway setting??

Is there any place the whole vanished blackhole list is kept, so I can find it in my back-up file?

Any advice on this very gratefully received...
Elijah-777
 
Posts: 5
Joined: Mar 27 12 11:04 pm
Location: Hong Kong

Re: All blackhole entries gone today

Postby adrien » Apr 26 13 10:45 pm

Hi

The blackhole entries are stored in the Windows registry, along with all WinGate settings.

32-bit Windows: HKEY_LOCAL_MACHINE\Software\Qbik Software\WinGate
64-bit Windows: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Qbik Software\WinGate

The sub-key containing black hole entries is:

Components\WinGate Network Driver\IP Ban Table

I don't know how the table would have been altered, it is normally only altered as a result of user action in the user interface. You can export/import this registry key in order to back up / restore the values.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
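
Added example, not part of the post above and not Qbik's code: a PowerShell script that exports the IP Ban Table key named in the reply to a dated .reg file and warns when it differs from the previous export. The backup folder and file naming are assumptions.

```powershell
# Added example: back up WinGate's IP Ban Table and flag unexpected changes.
# Key paths are the ones quoted in the reply above.
$BackupDir = 'C:\WinGateBackups'   # assumption: any folder the task account can write to

$sub = 'Components\WinGate Network Driver\IP Ban Table'
$candidates = @(
    "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Qbik Software\WinGate\$sub",  # 64-bit Windows
    "HKEY_LOCAL_MACHINE\Software\Qbik Software\WinGate\$sub"               # 32-bit Windows
)

# Use the first of the two paths that exists on this machine.
$key = $candidates | Where-Object { Test-Path "Registry::$_" } | Select-Object -First 1
if (-not $key) { throw 'WinGate IP Ban Table key not found' }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$new = Join-Path $BackupDir ("IPBanTable-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# reg.exe export captures values and subkeys without needing to know their format.
& reg.exe export $key $new /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Find the most recent earlier export (timestamped names sort chronologically).
$prev = Get-ChildItem $BackupDir -Filter 'IPBanTable-*.reg' |
    Where-Object { $_.FullName -ne $new } |
    Sort-Object Name | Select-Object -Last 1

if ($prev -and (Get-FileHash $prev.FullName).Hash -eq (Get-FileHash $new).Hash) {
    Remove-Item $new               # unchanged: keep only the older copy
    'IP Ban Table unchanged'
} elseif ($prev) {
    Write-Warning "IP Ban Table changed since $($prev.Name); review $new"
} else {
    "First backup written to $new"
}
```

A saved file can be restored with `reg import <file>`, which merges the saved values into the key and does not delete entries that were added afterwards.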

Re: All blackhole entries gone today

Postby Elijah-777 » Apr 27 13 3:44 pm

Thanks Adrien - God Bless you In JESUS Alive - Amen

Yes - this is why I think that somehow the user interface got hacked <???>

I certainly DID NOT delete the very large blackhole ban list... and would NEVER have added the default gateway - just plain dumb, right?

Any other idea on how such an event would occur, aside from hacking?

Could new software have done this?

Installed a new keyboard - Cyborg V7 - (for the night keyboard illumination functions) - with the software package the day before from here :

http://www.cyborggaming.com/download.htm

You might want to test this and check it, in case it has either a weird conflict or a deliberate anti-firewall function <???>

No other changes were made, but the wicked port scanners ARE intense and regularly try and login as unwelcome guests, hence the manual blackholing routine.

You might want to write a simple function that AUTOMATICALLY blackholes unauthorised guest login attempts - this would be very cool, whereby the WinGate Firewall user can choose to switch this function on or off, depending on evil scanning activity.

Thanks again...

Re: All blackhole entries gone today

Postby adrien » Apr 29 13 9:39 pm

Hi

I think it's unlikely that someone would hack your system and know enough to edit the black hole list. I think it's more likely something else caused the problem, perhaps even registry corruption? Have you checked the disk lately? Might pay to run chkdisk on it.

We've thought about auto-blackholing before, but usually it's of limited value. Most abusers don't hit you from the same IP every time, they go through open proxies etc, and what happens is you fill up your black hole list with IPs that either don't contact you again, or are later used by bona-fide people who then can't access your system.

I guess we could add a function in script to allow adding an IP/mask to the blackhole list though, then you could hook the auth failed events to it.

Adrien

Re: All blackhole entries gone today

Postby Elijah-777 » Apr 29 13 10:02 pm

Thanks Adrien - successfully loaded the Hive from the last back-up of the Registry and then extracted and re-entered the IP Ban Table - so all is back as before. The IP Ban Table, as a loadable separate file, would be much easier. Don't quite see how any corruption would specifically hit the Ban Table and then block the default gateway. Weird. Anyhow, thanks - will run chkdisk - Blessings - Elijah