• Block admin and root access attempts

    From nightcrawler@VERT/DARKSANC to All on Sat Oct 25 00:08:25 2014
    Hey guys.

    Can someone tell me something I can add to my login script that will
    automatically add IPs to the IP.can file that try to log in as root or admin.
    It is becoming a full time job adding all the hack attempt IPs manually. There
    was some discussion on the Facebook group about this, but wasn't given a
    definitive answer. Also, I figured it would be more helpful to other Sysops if
    it was asked and answered on here.

    Thanks

    ... Anyone who lives within his means suffers from a lack of imagination.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
     ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Mro@VERT/BBSESINF to nightcrawler on Sat Oct 25 18:54:41 2014
    Re: Block admin and root access attempts
     By: nightcrawler to All on Sat Oct 25 2014 12:08 am

     > Can someone tell me something I can add to my login script that will
     > automatically add IPs to the IP.can file that try to log in as root or
     > admin. It is becoming a full time job adding all the hack attempt IPs
     > manually. There was some discussion on the Facebook group about this, but
     > wasn't given a definitive answer. Also, I figured it would be more helpful

    since you are a server on the internet, all your services have brute force
    attacks.

    adding something to your logon script will just block people who try to telnet
    in. what about ftp, email, ssh, rlogin, nntp, etc?

    get peerblock and just block china.
    that way it's blocked before it even hits your bbs.

    i have that bbs captcha thing and it's not stopping new ones from hitting me
    every day. it's a losing battle.
    ---
     ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From nightcrawler@VERT/DARKSANC to Mro on Sun Oct 26 16:26:29 2014
    Re: Block admin and root access attempts
     By: Mro to nightcrawler on Sat Oct 25 2014 06:54 pm

     Mr> Re: Block admin and root access attempts
     Mr> By: nightcrawler to All on Sat Oct 25 2014 12:08 am

     >> Can someone tell me something I can add to my login script that will
     >> automatically add IPs to the IP.can file that try to log in as root
     >> or admin. It is becoming a full time job adding all the hack attempt
     >> IPs manually. There was some discussion on the Facebook group about
     >> this, but wasn't given a definitive answer. Also, I figured it would
     >> be more helpful

     Mr> since you are a server on the internet, all your services have brute force
     Mr> attacks.

     Mr> adding something to your logon script will just block people who try to
     Mr> telnet in. what about ftp, email, ssh, rlogin, nntp, etc?

     Mr> get peerblock and just block china.
     Mr> that way it's blocked before it even hits your bbs.

     Mr> i have that bbs captcha thing and it's not stopping new ones from hitting
     Mr> me every day. it's a losing battle.

    I've never really had a problem with ftp, rlogin, etc. All the attempts seem to
    be localized to SSH connections, trying either admin or root. Recently I
    noticed a single IP will attempt simultaneous connections, taking all my nodes
    down.

    I've tried peerblock with very little success. Seems it doesn't cut down on
    attempts at all.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
     ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Mro@VERT/BBSESINF to nightcrawler on Sun Oct 26 21:40:18 2014
    Re: Block admin and root access attempts
     By: nightcrawler to Mro on Sun Oct 26 2014 04:26 pm

     > I've never really had a problem with ftp, rlogin, etc. All the attempts
     > seem to be localized to SSH connections, trying either admin or root.
     > Recently I noticed a single IP will attempt simultaneous connections,
     > taking all my nodes down.

    change your ssh port.

     > I've tried peerblock with very little success. Seems it doesn't cut down on
     > attempts at all.

    you have to use a custom block script and add ip ranges. you just cant run it
    and use it to block attackers.

    i put it all on facebook, take a look at it.

    nothing is better than a watchful eye. block the attackers.
    block entire ranges in your ip.can if you dont want to use peerblock.
    make a honeypot. use spambait.cfg

    with synchronet you are running a ton of servers on the internet. you will
    always have a lot of attack attempts.
    ---
     ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to nightcrawler on Mon Oct 27 16:38:00 2014
    Re: Block admin and root access attempts
     By: nightcrawler to All on Sat Oct 25 2014 12:08 am

     > Hey guys.
     >
     > Can someone tell me something I can add to my login script that will
     > automatically add IPs to the IP.can file that try to log in as root or
     > admin. It is becoming a full time job adding all the hack attempt IPs
     > manually. There was some discussion on the Facebook group about this, but
     > wasn't given a definitive answer. Also, I figured it would be more helpful
     > to other Sysops if it was asked and answered on here.

    There's an auto-filtering capability built into Synchronet. See
    "LoginAttemptFilterThreshold" at
    http://wiki.synchro.net/config:sbbs.ini for details.

     digital man

    Synchronet "Real Fact" #11:
    Synchronet was the first BBS software to ship with built-in RIPscrip support.
    Norco, CA WX: 73.6°F, 56.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs
    ---
     ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From nightcrawler@VERT/DARKSANC to Mro on Tue Oct 28 20:59:45 2014
    Re: Block admin and root access attempts
     By: Mro to nightcrawler on Sun Oct 26 2014 09:40 pm

     >> attempts seem to be localized to SSH connections, trying either admin
     >> or root. Recently I noticed a single IP will attempt simultaneous
     >> connections, taking all my nodes down.

     Mr> change your ssh port.

    Not a bad idea.

     >> I've tried peerblock with very little success. Seems it doesn't cut
     >> down on attempts at all.

     Mr> you have to use a custom block script and add ip ranges. you just cant
     Mr> run it and use it to block attackers.

    I used the block list you provided. It has:

    hank billings:96.36.1.1-96.36.255.255
    hong kong:123.0.0.0-123.255.255.255
    dragon networks:209.124.1.0-209.255.255.255
    china mobile:120.192.0.0-120.255.255.255
    attacker:176.0.0.0-176.255.255.255
    taiwan:125.227.0.0-125.227.255.255
    attacker:187.147.0.0-187.147.255.255
    banjkok:61.19.0.0-61.255.255.255

    It blocks a few, but most attacks still seem to get through.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
     ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From nightcrawler@VERT/DARKSANC to Digital Man on Tue Oct 28 21:04:35 2014
    Re: Block admin and root access attempts
     By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm

     DM> Re: Block admin and root access attempts
     DM> By: nightcrawler to All on Sat Oct 25 2014 12:08 am

     >> Hey guys.

     >> Can someone tell me something I can add to my login script that will
     >> automatically add IPs to the IP.can file that try to log in as root
     >> or admin. It is becoming a full time job adding all the hack attempt
     >> IPs manually. There was some discussion on the Facebook group about
     >> this, but wasn't given a definitive answer. Also, I figured it would
     >> be more helpful to other Sysops if it was asked and answered on here.

     DM> There's an auto-filtering capability built into Synchronet. See
     DM> "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini
     DM> for details.

     DM> digital man

    Thanks.

    I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any
    effect. I've noticed a dozen or more attempts from an IP and it isn't being
    added to the ip.can. Do you have any idea what I am doing wrong?

    This is what I have:

    LoginAttemptDelay=5000
    LoginAttemptThrottle=1000
    LoginAttemptHackThreshold=3
    LoginAttemptFilterThreshold=3
    TempDirectory=
    HostName=
    Interface=0.0.0.0
    LogLevel=Debugging
    BindRetryCount=2
    BindRetryDelay=15

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
     ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Digital Man@VERT to nightcrawler on Tue Oct 28 17:37:49 2014
    Re: Block admin and root access attempts
     By: nightcrawler to Digital Man on Tue Oct 28 2014 09:04 pm

     > Re: Block admin and root access attempts
     > By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm
     >
     > DM> Re: Block admin and root access attempts
     > DM> By: nightcrawler to All on Sat Oct 25 2014 12:08 am
     >
     > >> Hey guys.
     >
     > >> Can someone tell me something I can add to my login script that will
     > >> automatically add IPs to the IP.can file that try to log in as root
     > >> or admin. It is becoming a full time job adding all the hack attempt
     > >> IPs manually. There was some discussion on the Facebook group about
     > >> this, but wasn't given a definitive answer. Also, I figured it would
     > >> be more helpful to other Sysops if it was asked and answered on here.
     >
     > DM> There's an auto-filtering capability built into Synchronet. See
     > DM> "LoginAttemptFilterThreshold" at
     > DM> http://wiki.synchro.net/config:sbbs.ini for details.
     >
     > DM> digital man
     >
     > Thanks.
     >
     > I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having
     > any effect. I've noticed a dozen or more attempts from an IP and it isn't
     > being added to the ip.can. Do you have any idea what I am doing wrong?
     >
     > This is what I have:
     >
     > LoginAttemptDelay=5000
     > LoginAttemptThrottle=1000
     > LoginAttemptHackThreshold=3
     > LoginAttemptFilterThreshold=3

    That looks fine. Are you getting entries in your data/hack.log for these 3+
    consecutive login failures from the same IP?

    The failed login attempts have to be from the same IP address and consecutive
    without the BBS being restarted/recycled.

     digital man

    Synchronet "Real Fact" #24:
    The Digital Dynamics company ceased day-to-day operations in late 1995.
    Norco, CA WX: 77.0°F, 48.0% humidity, 6 mph SE wind, 0.00 inches rain/24hrs
    ---
     ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Mro@VERT/BBSESINF to nightcrawler on Tue Oct 28 20:56:24 2014
    Re: Block admin and root access attempts
     By: nightcrawler to Mro on Tue Oct 28 2014 08:59 pm

     > Mr> run it and use it to block attackers.

     > I used the block list you provided. It has:

     > hank billings:96.36.1.1-96.36.255.255
     > hong kong:123.0.0.0-123.255.255.255
     > dragon networks:209.124.1.0-209.255.255.255
     > china mobile:120.192.0.0-120.255.255.255
     > attacker:176.0.0.0-176.255.255.255
     > taiwan:125.227.0.0-125.227.255.255
     > attacker:187.147.0.0-187.147.255.255
     > banjkok:61.19.0.0-61.255.255.255

    yeah i just added that to show you the syntax of the blocklist format.
    you have to add your own ranges.

    btw, i hate that dragon networks guy! attacks me all day even after i changed
    my ip address. he owns several servers and attacks people. i reported him to
    his provider and they wanted to know my exact ip address so they can tell him
    to stop attacking me. i dont think that would benefit me.
    ---
     ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From nightcrawler@VERT/DARKSANC to Digital Man on Tue Oct 28 23:41:04 2014
    Re: Block admin and root access attempts
     By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

     DM> That looks fine. Are you getting entries in your data/hack.log for these
     DM> 3+ consecutive login failures from the same IP?

    No there doesn't appear to be any.

     DM> The failed login attempts have to be from the same IP address and
     DM> consecutive without the BBS being restarted/recycled.

    So do you mean consecutive as in the calls have to be concurrent, or can they
    be staggered throughout the day?

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
     ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Digital Man@VERT to nightcrawler on Tue Oct 28 22:33:19 2014
    Re: Block admin and root access attempts
     By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm

     > Re: Block admin and root access attempts
     > By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm
     >
     > DM> That looks fine. Are you getting entries in your data/hack.log for
     > DM> these 3+ consecutive login failures from the same IP?
     >
     > No there doesn't appear to be any.

    What protocol are they attacking with?

     > DM> The failed login attempts have to be from the same IP address and
     > DM> consecutive without the BBS being restarted/recycled.
     >
     > So do you mean consecutive as in the calls have to be concurrent, or can
     > they be staggered throughout the day?

    They can be staggered throughout days/weeks/whatever, so long as the server
    (the BBS) is not recycled or restarted during that time.

    If you're using the Synchronet Control Panel (for Windows), you can view the
    failed login attempts with the View->Login Attempts menu option. It'll show you
    which login attempts from what IPs using what protocols with what username and
    password, etc. This list is cleared when the control panel is restarted. The
    "Unique" column shows the number that is compared against the thresholds we
    discussed for logging in the hack.log and filtering via ip.can.

    If you're using 'sbbs', the console program (e.g. for Linux) instead, then the
    'a' command from the console prompt ("[Threads: x Sockets: x Clients: x
    Served: x Errors: x] (?=Help):" will show the same information (list of failed
    login attempts). This list is cleared when the sbbs program is restarted.

     digital man

    Synchronet "Real Fact" #57:
    The last version of Synchronet to run on MS-DOS and OS/2 was v2.30c (1999).
    Norco, CA WX: 66.6°F, 73.0% humidity, 0 mph NW wind, 0.00 inches rain/24hrs
    ---
     ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to nightcrawler on Wed Oct 29 00:00:17 2014
    Re: Block admin and root access attempts
     By: Digital Man to nightcrawler on Tue Oct 28 2014 10:33 pm

     > Re: Block admin and root access attempts
     > By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm
     >
     > > Re: Block admin and root access attempts
     > > By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm
     > >
     > > DM> That looks fine. Are you getting entries in your data/hack.log for
     > > DM> these 3+ consecutive login failures from the same IP?
     > >
     > > No there doesn't appear to be any.
     >
     > What protocol are they attacking with?
     >
     > > DM> The failed login attempts have to be from the same IP address and
     > > DM> consecutive without the BBS being restarted/recycled.
     > >
     > > So do you mean consecutive as in the calls have to be concurrent, or can
     > > they be staggered throughout the day?
     >
     > They can be staggered throughout days/weeks/whatever, so long as the server
     > (the BBS) is not recycled or restarted during that time.
     >
     > If you're using the Synchronet Control Panel (for Windows), you can view
     > the failed login attempts with the View->Login Attempts menu option. It'll
     > show you which login attempts from what IPs using what protocols with what
     > username and password, etc. This list is cleared when the control panel is
     > restarted. The "Unique" column shows the number that is compared against
     > the thresholds we discussed for logging in the hack.log and filtering via
     > ip.can.
     >
     > If you're using 'sbbs', the console program (e.g. for Linux) instead, then
     > the 'a' command from the console prompt ("[Threads: x Sockets: x Clients:
     > x Served: x Errors: x] (?=Help):" will show the same information (list of
     > failed login attempts). This list is cleared when the sbbs program is
     > restarted.

    BTW, if the attacks were using SSH or RLogin protocols, then I suspect this is
    due to a bug I *just* fixed where failed login attempts using either of those
    protocols would *not* be added to the 'failed login attempt' list if the
    username attempted was not a valid username (not in your userbase). Either get
    the latest from CVS and rebuild (if you build from source) or grab tomorrow
    morning's daily development build to get the fixed version.

    Thanks for the heads up!

     digital man

    Synchronet "Real Fact" #53:
    The Synchronet source code consists of over 500,000 lines of C and C++.
    Norco, CA WX: 65.1°F, 78.0% humidity, 1 mph NNW wind, 0.00 inches rain/24hrs
    ---
     ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
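
The counting behaviour described in the last two replies, as an added stand-alone model in JavaScript (not Synchronet source code and not posted by anyone in the thread): it shows why thresholds of 3 never fired for SSH root/admin attempts before the fix, and why a restart resets the count. Assumptions: the `USERBASE` contents, the `>=` comparison, a successful login clearing the count, and the 203.0.113.7 sample address are all constructed for illustration; the "Unique" column's exact counting is not modelled.

```javascript
// Added illustration: a stand-alone model, not Synchronet source code.
// Threshold names and values are the sbbs.ini keys quoted in the thread.
const cfg = { LoginAttemptHackThreshold: 3, LoginAttemptFilterThreshold: 3 };

// Hypothetical userbase; "root" and "admin" are not valid accounts here.
const USERBASE = new Set(["nightcrawler", "guest"]);

function makeServer(cfg, { preFixBug }) {
  const failed = new Map(); // IP -> failed-attempt count; lost on restart/recycle
  const hackLog = [];       // stands in for data/hack.log
  const ipCan = new Set();  // stands in for ip.can
  return {
    hackLog, ipCan,
    restart() { failed.clear(); },
    login({ ip, protocol, user, ok }) {
      if (ipCan.has(ip)) return "filtered";
      if (ok) { failed.delete(ip); return "ok"; } // assumption: success ends the run
      // The bug described above: SSH/RLogin failures with a username that is
      // not in the userbase were never added to the failed-login list.
      const skipped = preFixBug && !USERBASE.has(user) &&
        (protocol === "ssh" || protocol === "rlogin");
      if (skipped) return "failed (not counted)";
      const count = (failed.get(ip) || 0) + 1;
      failed.set(ip, count);
      if (count >= cfg.LoginAttemptHackThreshold) {
        hackLog.push(`${ip} ${protocol} ${user} x${count}`);
      }
      if (count >= cfg.LoginAttemptFilterThreshold) ipCan.add(ip);
      return "failed";
    },
  };
}

// Constructed sample: one documentation-range IP trying root/admin over SSH.
function replay(server, restartAfter = -1) {
  const ip = "203.0.113.7";
  ["root", "admin", "root", "admin"].forEach((user, i) => {
    server.login({ ip, protocol: "ssh", user, ok: false });
    if (i === restartAfter) server.restart();
  });
  return { filtered: server.ipCan.has(ip), hackLogLines: server.hackLog.length };
}

const buggy = replay(makeServer(cfg, { preFixBug: true }));
const fixed = replay(makeServer(cfg, { preFixBug: false }));
const recycled = replay(makeServer(cfg, { preFixBug: false }), 1);
console.log({ buggy, fixed, recycled });
```
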