Hello everyone! Due to popular demand, I have uploaded the code to Github which can be found in the video's description now.
In all of my backend servers, no matter what type of project, I implemented my rate limiter system in a way that it redirects any suspicious requests and/or brute force attacks to Never Gonna Give You Up music video on RUclips
Absolute madlad. Respec.
Mine just puts them in ye olde honey pot
loool
ooooh I'm gonna do that with my APIs 404s lol. Right now I just tell them to GET OFF MY LAWN
Telegram's Deleted Account profile picture gives me enough info about what you are up to
You are the type of teacher who is loved by everyone and whose classes no one would ever skip.
@unknownboi9084 thanks dude! I really appreciate that
Such a good video, a holistic overview plus diving into specific details is what's missing so much on RUclips now, this type of explanation shows you're a true Web native
@@GnarCoding it really is a great video and explanation well done m8
I've been looking for this kind of RUclips channel for a while now. Glad I found it, and thank you for the lesson
From here, I noticed how a firewall works. Before this I was just learning how to attack without knowing what happened on the other side of it. This is so helpful for me. Nice job sir
This was a pretty interesting video and I learnt some neat stuff from it. I'll definitely be experimenting with my own implementations of your script. Good work man
Due to popular demand, I've uploaded the code to github which can now be found in the video description
@GnarCoding awesome. Thank you!
You have a very good video format. Easy to understand.
Nice video! A clear voice and clear explanations! Love it. Keep them coming!
My father-in-law had all sorts of issues with his VOIP. I got rid of his off-the-shelf Netgear router and replaced it with a better open source firewall with more horsepower that can drop a lot of requests a lot faster than the slow junk sold on the shelf like his Netgear. Nothing but smooth VOIP calls now because the router isn't getting bogged down with so many scan packets it can't deal with.
This is exactly how I list my skills on LinkedIn. You could have just said you bought a new router for your gramps 😭
@@gamehacks5814 damn
@@gamehacks5814 I didn't want to say what brand of firewall software I was using because it starts a flame war. So no, it wasn't meant to sound like I was overselling myself on a resume or LinkedIn.
Which model
@@gamehacks5814 😂😂😂
Thanks for the video. you made the whole thing so easy to digest, even dissecting command flags. keep up the good work!
I rarely comment on youtube videos, but this video is done great! you have a nice tempo when you speak and you explained the concepts with ease. props!
I got hit by a stinky bad actor on Christmas Eve and have been picking up after this a$$hole all week; now my uni PC is not in good shape. I may be down at the shallow end with a lot of this stuff, but at least I could follow it, and it gave me some direction on where to go next to keep stacking up the knowledge. I like the fact that I actually heard the word defender today; I think I needed to hear it. Great content, thank you.
Amazing video. I learned a lot. Thank you so much and please keep the content coming.
Love this, just waste their time and make fun of them like always! 🤣
One could just hold the connections, and reverse flood brute force attempts. Back when amplification attacks were more effective one could also use automated responses to rate limiting triggers. In theory.
what a great video, this is exactly what I'm studying at the moment, and having it visualized like this is insane. Keep coding gnar, codin crazy
It's not about being easily distracted, it's about feeling the child-like excitement of cybersecurity to me. A lost art. Liked and subscribed in hopes of learning a lot🙂 I always wanted to have a "home lab"... but I don't even know what that means. I think what you did here might be part of what it means? Let's build!!!
I really like the way you explain
good work soldier. over and out 😤
I loved the video! It was very instructive. It gave me ideas to improve my personal server security. Thanks bro!
Honestly I loved this video as I've been looking forward to learning how to detect and block nmap scans, thx. :)
wish I could've had vids like this about 4-5 years ago lol, great job dude... this is hilarious but imo I wouldn't use it on any server I had anything serious on, bc you know this just tempts the hacker mindset like WHOA lol
New subscriber. You explain things very well!!!
Great, thorough explanation. I learned a lot, am super into this, and look forward to more videos like it!
Thank you for your videos i hope you will make more. Your videos help me to better understand networking concepts.
Very good video bro, I learned a lot
Thank you! This is gold.
This was very entertaining, interesting and informative. Do you have any low level tutorials on how to setup the basic firewall that comes in Windows 10/11 or a video with hints and tips on how to harden it? Thanks!
The IP that kept trying on port 25 is probably because DigitalOcean reuses previously used IP addresses. It might not be malicious. There might've been an email server on your IP address previously that they were using.
@Badeand this is very possible! Great observation. I do think a packet every 2 seconds for 20 minutes straight is a bit excessive for me to believe that this is the case though. However you may be right! False positives will always exist. I appreciate your insight! 🙏
Amazing, very educational. I learned a lot
good job so far, keep it up and you'll be popular
Wow your channel is quite impressive even content aside. Already almost 1000 subs including me and it’s only been a couple months. You explained very well and I’ll be implementing this very soon! Looking forward to more security tips
@@adissonbuchanan1731 thank you!
Wow, subscribed right away! The way you describe things is very understandable and I loved the high level overview of things at the start :)
However, i have a question. How do all these other attackers know the IP address of your newly rented server? 🤔
thank you! there's a lot of bots out there constantly scanning
@@GnarCoding I see, they can just scan some IP ranges and for some cloud providers these are known publicly
Let's say the attacker has a VM that allows modifying the IP header; he can just spoof the source IP. What can we do against that?
@lStaline If someone spoofs their IP address in the packet header, any response to that packet would be sent to the spoofed IP address, not the attacker’s actual IP address. This is because the spoofed IP is what the server believes is the source of the request.
You can think of it like the mail system
You can put whatever address you want in the From section, but the receiver will just respond to that From address
@@GnarCoding yes, but will this fail to block it? If it fails because it tries to block the wrong address, couldn't your server even become a DoS amplifier for the real target if the attacker sends a ton of requests? You're blocking incoming but not outgoing and you send 2 packets for every one incoming, so I'd think so.
@@cinderwolf32 Correct! This is why I show that even though the firewall is in place, the initial packet with the SYN flag still passes through the system (15:25). This is why you are not allowed to scan someone else's machine without their consent.
Well, yes, but I'm happy to assume the attacker doesn't care and will leverage whatever I deploy anyway, if possible.
Nice, please make a video about how you create the network maps
Great video. Really well explained
If you tell the hacker to "try harder", you can't sue them. Since you "asked" them do it.
Same goes for welcoming messages.
Wow great content. I'm subscribing!
Wouldn't that use a lot of resources, such as CPU and bandwidth? Most server hostings have limited bandwidth, and sending back a response each time might be both CPU and bandwidth intensive, right? Great video though, it really explains a lot of stuff to newbies
Great point! Sending a response for every scan could use up some resources. For production systems, it’s definitely better to block directly without responding to conserve bandwidth and CPU. The 'try harder' message was more of a fun twist for the video. Glad you enjoyed the video!
Wow that's a nice presentation i had in the end of 2024 ❤❤
Loved the video, please DO continue! I'm eager to learn more about cybersecurity!
Couldn't you just use two docker containers on different IPs and networks to simulate this instead of paying for the servers?
thank you! you most def can do so as mentioned at 07:49. You can do everything from your own private network.
@@GnarCoding True, I skipped the networks part (nonetheless it is important for the video context) straight into the fun stuff 😆
I found a youtube goldmine. This channel better blow up xD
Hi! I understand that your goal is to encourage learning through independent coding, but I’m still curious: do you happen to have your version of the script available as a reference? Everyone learns differently, after all. Thanks for sharing this video!
thanks for your understanding - for real! here is a chatgpt prompt to get you started:
"Hey chatgpt write a python script that will check packets for syn flags and then if the ip address exceeds 5, then add the ip to a block list using iptables. For added bonus, for the first five scans, push out a packet with a syn/ack flag and another packet containing a raw payload of "try harder". Be sure to unblock ips after 10 minutes and check to make sure you don't add the ip to the block list if it is already on the list"
you got dis
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
Awesome stuff!
Nice video, you got a new sub!
Good tip, but it would be better if you shared the python script too.
@@danielfigueredo6761 you can do it! I believe in you ❤️
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
incredible video, thanks a lot.
Always send the homie a syn packet
only true homies send that ack back tho
Should this be added to some kind of auto-run?
Yes you could use a cron job to make this run on boot or like every 5 mins, you could also do the automation in .bashrc file or just create a daemon for this process but that's just overkill lol
To be fair a TCP syn is not indicative of a scan, but the initialization of the TCP handshake.
correct. (2:00 3:07 18:00)
Is using fail2ban not more secure against attacks?
@2008spoonman fail2ban works! Just used python here to show more in depth on packets and 3 way handshake
Is this an incident response job, or who does this on a blue team?
Blue team activity exists in a variety of fields. The great thing about cybersecurity is that it's necessary everywhere in tech. I'm not a career expert tho, so maybe ask chatgpt. Cheers!
does the -Pn option bypass this?
just finished watching the video 😭😭🙏🙏
thanks for watching! The -Pn option simply skips the first stage of checking if the machine's online - so no, the scan still follows the same protocol. (15:04)
@@GnarCoding yes! I learnt that after finishing the video, thank you :3
Maybe I’m off my rocker, but couldn’t an attacker use scans to overload a vulnerable router. In that it causes slowness for the user which prompts them to upgrade the router or increase speed plan. The attacker being an ISP?
scans can def cause a DoS which is why you need permission before scanning anyone else's machine. the ISP stuff sounds pretty intense conspiracy like so i cant comment on that haha - but def not off your rocker in theory!
@ Appreciate it man! Conspiracy sure but hey you never know today.
Sensei😊
Does it help when the attacker is using a proxy? To avoid the firewall, I mean, to avoid triggering the firewall so that he gets dropped?
it doesn't necessarily help bc the proxy's IP will still get blocked. The attacker still needs to receive traffic from the proxy, which means their actions (even through a proxy) are bound by the same principles of network communication.
u see the problem here? people think they are "better" bc they try to mock evil actors, but in reality evil actors are always winning and they never say a single word when they do
For the love of God post more cyber security type of videos
The script you wrote, in github?
I encourage you to write your own code
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
* tcpdump can show ALL traffic, not just TCP or UDP
when using a popular cloud provider with one of their ip blocks, not all of those requests have to be malicious though. they could be, but they could also just be something looking for a machine that used to be there with the same IP you just got right?
correct. False positives will always exist. you can also reference the ip on whatsmyipaddress website to see if it has been blacklisted
Writing a firewall hook in python is... certainly a decision.
Wait why was he being scanned one minute into the video?
@tyulik bc they're zombies bro.
@@GnarCoding like a botnet?
What about after recon has been established, the bad actor has your commonly used DNS requests via DNS spoofing and also a CA certificate to mitigate TLS encryption in the browser, well what then?
A rogue CA cert installed on the machine would mean the machine was already compromised and likely already under C2 (command and control). There are layers of defense that are needed to avoid the attacker getting to this stage. Recon is stage 1 - so this scenario you describe assumes all other stages were completed.
nice imma try that
Where can we find the python script? You should make a github and drop the stuff from videos in it.
@@alanwparkerap I highly encourage you to write your own scripts. AI makes it easier than ever. It'll never work the first try, but that's the point. Cheers! Thanks for watching!
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
wouldn't the try harder response go back to someone legit who's trying to connect as well?
This is a good point! You could modify the python script to only send it before the block.
Can you make a video about how to evade these firewalls and how to conduct a stealth penetration test with advanced enumeration?
really like this video and very easy to understand Im grateful good luck🔥
If these walls could talk...
Ohh
Wait...
Some do
code
I highly encourage you to write your own scripts. AI makes it easier than ever. Here is a prompt to help get you started:
"Hey chatgpt write a python script that will check packets for syn flags and then if the ip address exceeds 5, then add the ip to a block list using iptables. For added bonus, for the first five scans, push out a packet with a syn/ack flag and another packet containing a raw payload of "try harder". Be sure to unblock ips after 10 minutes and check to make sure you don't add the ip to the block list if it is already on the list"
you got dis
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
Funny that 117 is flagged on VirusTotal url scan xD
I'm 9 minutes in... What about the UDP protocol?
tcpdump tool can also show udp traffic which is another popular protocol typically used in streaming services.
@@GnarCoding Alright, that's not what i'm getting at however. There is no handshake in udp. That means no syn. No syn=no sus traffic. How do you block those udp attacks without knowing which ip to block?
@CreativeWerxGFX ah I see. Suspicious activity can be defined a variety of ways (06:20). You would simply add some logic to look out for a multitude of udp packets going to a variety of ports. Those packets still pass through the NIC to be processed. Good question!
@@GnarCoding I see. That's slightly discouraging. quic protocol has not replaced tcp entirely just yet, I'm afraid if it becomes the standard, using firewall script to block traffic may cause too many false positives to make its primary daily use any worth while.
@CreativeWerxGFX generally IDS is preferred over IPS due to this concern
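As an added example (not the video author's script and not the code linked in the video description), here is the logic the ChatGPT prompt in this thread describes, extended with the UDP idea from the reply just above: count SYNs per source and ban with iptables after more than 5, keep the ban for 10 minutes, never add a duplicate rule, and for UDP, where there is no SYN, count distinct destination ports hit inside a window instead. One change from the prompt, taken from the reply about legit clients seeing the banner: the "try harder" reply is flagged only on the last probe before the ban, not on every one of the first five. Everything here is assumed for illustration: the Packet record is filled by hand (a sniffer would fill it from the wire), the 203.0.113.x addresses are RFC 5737 documentation addresses, and iptables commands are only recorded as strings unless execute=True is passed.

```python
"""Added example: SYN-count / UDP port-sweep tracker with timed iptables bans."""
import subprocess
from collections import defaultdict, deque
from dataclasses import dataclass

SYN_THRESHOLD = 5       # the thread's threshold: ban once a source exceeds 5 SYNs
UDP_PORT_SPREAD = 10    # distinct UDP destination ports in the window treated as a sweep
WINDOW = 60.0           # seconds of per-source history the counters look back over
BAN_SECONDS = 600.0     # unblock after 10 minutes (also limits damage from reused cloud IPs)


@dataclass
class Packet:
    """Minimal view of one packet; constructed by hand in this example."""
    src: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    ts: float           # arrival time in seconds
    flags: str = ""     # "S" for a bare SYN (no ACK)


class ScanTracker:
    def __init__(self, execute: bool = False):
        self.execute = execute                   # False: dry run, commands are only recorded
        self.syn_seen = defaultdict(deque)       # src -> deque[(ts, dst_port)]
        self.udp_seen = defaultdict(deque)       # src -> deque[(ts, dst_port)]
        self.banned = {}                         # src -> expiry timestamp
        self.commands = []                       # iptables invocations, in order

    def _iptables(self, *args: str) -> None:
        cmd = ["iptables", *args]
        self.commands.append(" ".join(cmd))
        if self.execute:                          # needs root and a real iptables binary
            subprocess.run(cmd, check=True)

    @staticmethod
    def _prune(history: deque, ts: float) -> None:
        # Drop entries older than WINDOW so counts are per sliding window, not lifetime.
        while history and ts - history[0][0] > WINDOW:
            history.popleft()

    def expire_bans(self, ts: float) -> None:
        for src, until in list(self.banned.items()):
            if ts >= until:
                self._iptables("-D", "INPUT", "-s", src, "-j", "DROP")
                del self.banned[src]

    def ban(self, src: str, ts: float) -> bool:
        """Insert a DROP rule once; a second call for an already banned source is a no-op."""
        if src in self.banned:
            return False
        self._iptables("-I", "INPUT", "-s", src, "-j", "DROP")
        self.banned[src] = ts + BAN_SECONDS
        return True

    def observe(self, pkt: Packet) -> str:
        """Classify one packet as 'ignore', 'banner', 'ban' or 'banned'."""
        self.expire_bans(pkt.ts)
        if pkt.src in self.banned:
            return "banned"
        if pkt.proto == "tcp" and pkt.flags == "S":
            hist = self.syn_seen[pkt.src]
            hist.append((pkt.ts, pkt.dst_port))
            self._prune(hist, pkt.ts)
            if len(hist) > SYN_THRESHOLD:
                self.ban(pkt.src, pkt.ts)
                return "ban"
            # Flag the "try harder" SYN/ACK only on the last probe before the ban,
            # so a legitimate client opening a couple of connections never sees it.
            return "banner" if len(hist) == SYN_THRESHOLD else "ignore"
        if pkt.proto == "udp":
            # No handshake in UDP, so count distinct destination ports instead of SYNs:
            # one source touching many ports inside the window looks like a sweep.
            hist = self.udp_seen[pkt.src]
            hist.append((pkt.ts, pkt.dst_port))
            self._prune(hist, pkt.ts)
            if len({port for _, port in hist}) >= UDP_PORT_SPREAD:
                self.ban(pkt.src, pkt.ts)
                return "ban"
        return "ignore"


if __name__ == "__main__":
    # Constructed sample traffic: a TCP scanner, a UDP sweep, then the scanner after expiry.
    tracker = ScanTracker()
    for i, port in enumerate([22, 25, 80, 443, 8080, 3306, 5432]):
        print("tcp", port, tracker.observe(Packet("203.0.113.5", port, "tcp", float(i), "S")))
    for i, port in enumerate([53, 123, 161, 500, 1900, 5060, 11211, 137, 138, 69]):
        print("udp", port, tracker.observe(Packet("203.0.113.9", port, "udp", float(i))))
    print("tcp after expiry", tracker.observe(Packet("203.0.113.5", 22, "tcp", 700.0, "S")))
    print("\n".join(tracker.commands))
```

The "banner" result is only a classification here; actually sending a SYN/ACK to an unverified source is what the spoofing discussion earlier in the thread warns about, and as the author says, a production box should drop silently. Running this against real traffic needs a sniffer feeding Packet records and execute=True under root.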
getting scanned by shodan has nothing to do with getting "hacked"
Wrong. Recon is first stage of attack lifecycle. Also shodan wouldn't be trying to connect to the smtp port for 20 minutes straight.
Hey, can you please send me these codes? I wish to create a project using your code for my college project. Thank you
@Astroisback01 this should give you a good start:
"Hey chatgpt write a python script that will check packets for syn flags and then if the ip address exceeds 5, then add the ip to a block list using iptables. For added bonus, for the first five scans, push out a packet with a syn/ack flag and another packet containing a raw payload of "try harder". Be sure to unblock ips after 10 minutes and check to make sure you don't add the ip to the block list if it is already on the list"
due to popular demand, i have uploaded the code to github which can be found in the video's description now.
@@GnarCoding Thank you so much for keeping my comment in mind and notifying me bud much appreciated
how about fail2ban?
that works too! wouldn't have been as fun a video tho. thanks for watching!
tells the Bots to Try Harder*
why not just use the ufw firewall? It takes less time and the commands are easier to navigate and remember
this works too! thanks to the subprocess in python - you can replace the command with whatever you prefer - the process stays the same. thanks for watching!
thanks the hacker deleted all my files and locked me out
Hey mate hope you're joking. Otherwise please take note of first 5 seconds of video that says to use a test server
so its not free
you can simulate the whole process on VMs in a private network for free.
sounds like I'm OK since I use pubkey auth + pwd + CIDR range restriction via ipset/iptables on my commercial boxes. Also fail2ban :D. I just assume my VPS and DNS providers will handle/absorb DDoSing I guess. this is going on Watch Later :)
hilarious
I'm new to Computer Communications and I have no clue what I just watched 😂😂😂
@@EchoesofEgypt haa! It is a fine line from boring to chaos. Thanks for watching
😂😂😂😂
Oh dear, ai thumbnails are already plaguing RUclips... 😔
that's photoshop my dude, thank you though!
F2B
"Build a Firewall that tells Hackers to Try Harder" ?!
Uh, that's fornicatingly unintelligent.
Build a Firewall that tells Hackers You're a boring POS with nothing of interest.
Duh.
hmm let me try with my proxychains btw with --mtu 8
Use fail2ban
nmap -Pn $ip