Hey guys.

Can someone tell me something I can add to my login script that will automatically add Ip's to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IP's manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful to other Sysops if it was asked and answered on here.

Thanks

... Anyone who lives within his means suffers from a lack of imagination.

Nightcrawler +o Dark Sanctuary
darksanctuary.darktech.org

---
þ Synchronet þ Dark Sanctuary darksanctuary.darktech.org

Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am

Can someone tell me something I can add to my login script that will automatically add Ip's to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IP's manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful

since you are a server on the internet, all your services have brute force attacks.

adding something to your logon script will just block people who try to telnet in. what about ftp, email, ssh, rlogin, nntp, etc?

get peerblock and just block china.
that way it's blocked before it even hits your bbs.

i have that bbs capcha thing and it's not stopping new ones from hitting me every day. it's a losing battle.
---
þ Synchronet þ ::: BBSES.info - free BBS services :::

Re: Block admin and root access attempts
By: Mro to nightcrawler on Sat Oct 25 2014 06:54 pm

Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am

Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful

since you are a server on the internet, all your services have brute force attacks.

adding something to your logon script will just block people who try to telnet in. what about ftp, email, ssh, rlogin, nntp, etc?

get peerblock and just block china.
that way it's blocked before it even hits your bbs.

i have that bbs capcha thing and it's not stopping new ones from hitting me every day. it's a losing battle.

I've never really had a problem with ftp, rlogin, etc. All the attempts seem to be localized to SSH connections, trying either admin or root. Recently I noticed a single IP will attempt simultanious connections, taking all my nodes down.

I've tried peerblock with very little success. Seems it doesn't cut down on attempts at all.

Nightcrawler +o Dark Sanctuary
darksanctuary.darktech.org

---
þ Synchronet þ Dark Sanctuary darksanctuary.darktech.org

Re: Block admin and root access attempts
By: nightcrawler to Mro on Sun Oct 26 2014 04:26 pm

I've never really had a problem with ftp, rlogin, etc. All the attempts
seem to be localized to SSH connections, trying either admin or root. Recently I noticed a single IP will attempt simultanious connections,
taking all my nodes down.

change your ssh port.

I've tried peerblock with very little success. Seems it doesn't cut down on attempts at all.

you have to use a custom block script and add ip ranges. you just cant run it and use it to block attackers.

i put it all on facebook, take a look at it.

nothing is better than a watchful eye. block the attackers.
block entire ranges in your ip.can if you dont want to use peerblock.
make a honeypot. use spambait.cfg

with synchronet you are running a ton of servers on the internet. you will always have a lot of attack attempts.
---
þ Synchronet þ ::: BBSES.info - free BBS services :::

Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am

Hey guys.

Can someone tell me something I can add to my login script that will automatically add Ip's to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IP's manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful to other Sysops if it was asked and answered on here.

There's an auto-filtering capability built-into Synchronet. See "LoginAttemptFilterThreshold" at
http://wiki.synchro.net/config:sbbs.ini for details.

digital man

Synchronet "Real Fact" #11:
Synchronet was the first BBS software to ship with built-in RIPscrip support. Norco, CA WX: 73.6øF, 56.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: Block admin and root access attempts
By: Mro to nightcrawler on Sun Oct 26 2014 09:40 pm

attempts seem to be localized to SSH connections, trying either admin
or root. Recently I noticed a single IP will attempt simultanious
connections, taking all my nodes down.

change your ssh port.

Not a bad idea.

I've tried peerblock with very little success. Seems it doesn't cut
down on attempts at all.

you have to use a custom block script and add ip ranges. you just cant
run it and use it to block attackers.

I used the block list you provided. It has:

hank billings:96.36.1.1-96.36.255.255
hong kong:123.0.0.0-123.255.255.255
dragon networks:209.124.1.0-209.255.255.255
china mobile:120.192.0.0-120.255.255.255
attacker:176.0.0.0-176.255.255.255
taiwan:125.227.0.0-125.227.255.255
attacker:187.147.0.0-187.147.255.255
banjkok:61.19.0.0-61.255.255.255

It blocks a few, but most attacks still seem to get through.

Nightcrawler +o Dark Sanctuary
darksanctuary.darktech.org

---
þ Synchronet þ Dark Sanctuary darksanctuary.darktech.org

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm

Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am

Hey guys.

Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful to other Sysops if it was asked and answered on here.

There's an auto-filtering capability built-into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.

digital man

Thanks.

I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any effect.I've noticed a dozen or more attempts from an IP and it isn't being added to the ip.can. Do you have any idea what I am doing wrong?

This is what I have:

LoginAttemptDelay=5000
LoginAttemptThrottle=1000
LoginAttemptHackThreshold=3
LoginAttemptFilterThreshold=3
TempDirectory=
HostName=
Interface=0.0.0.0
LogLevel=Debugging
BindRetryCount=2
BindRetryDelay=15

Nightcrawler +o Dark Sanctuary
darksanctuary.darktech.org

---
þ Synchronet þ Dark Sanctuary darksanctuary.darktech.org

Re: Block admin and root access attempts
By: nightcrawler to Digital Man on Tue Oct 28 2014 09:04 pm

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm

Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am

Hey guys.

Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful to other Sysops if it was asked and answered on here.

There's an auto-filtering capability built-into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.

digital man

Thanks.

I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any effect.I've noticed a dozen or more attempts from an IP and it isn't being added to the ip.can. Do you have any idea what I am doing wrong?

This is what I have:

LoginAttemptDelay=5000
LoginAttemptThrottle=1000
LoginAttemptHackThreshold=3
LoginAttemptFilterThreshold=3

That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

digital man

Synchronet "Real Fact" #24:
The Digital Dynamics company ceased day-to-day opperations in late 1995.
Norco, CA WX: 77.0øF, 48.0% humidity, 6 mph SE wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: Block admin and root access attempts
By: nightcrawler to Mro on Tue Oct 28 2014 08:59 pm

run it and use it to block attackers.

I used the block list you provided. It has:

hank billings:96.36.1.1-96.36.255.255
hong kong:123.0.0.0-123.255.255.255
dragon networks:209.124.1.0-209.255.255.255
china mobile:120.192.0.0-120.255.255.255
attacker:176.0.0.0-176.255.255.255
taiwan:125.227.0.0-125.227.255.255
attacker:187.147.0.0-187.147.255.255
banjkok:61.19.0.0-61.255.255.255

yeah i just added that to show you the syntax of the blocklist format.
you have to add your own ranges.

btw, i hate that dragon networks guy! attacks me all day even after i changed my ip address. he owns several servers and attacks people. i reported him to his provider and they wanted to know my exact ip address so they can tell him to stop attacking me. i dont think that would benefit me.
---
þ Synchronet þ ::: BBSES.info - free BBS services :::

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

No there doesn't appear to be any.

The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

So do you mean consecutive as in the calls have to be concurrent, or can they be staggerd throughout the day?

Nightcrawler +o Dark Sanctuary
darksanctuary.darktech.org

---
þ Synchronet þ Dark Sanctuary darksanctuary.darktech.org

Re: Block admin and root access attempts
By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

No there doesn't appear to be any.

What protocol are they attacking with?

The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

So do you mean consecutive as in the calls have to be concurrent, or can they be staggerd throughout the day?

They can be staggered throughout days/weeks/whatever, so long as the server (the BBS) is not recycled or restarted during that time.

If you're using the Synchronet Control Panel (for Windows), you can view the failed login attempts with the View->Login Attempts menu option. It'll show you
which login attempts from what IPs using what protocols with what username and password, etc. This list is cleared when the control panel is restarted. The "Unique" column shows the number that is compared against the thresholds we discussed for logging in the hack.log and filtering via ip.can.

If you're using 'sbbs', the console program (e.g. for Linux) instead, then the 'a' command from the console prompt ("[Threads: x Sockets: x Clients: x Served: x Errors: x] (?=Help):" will show the same information (list of failed login attempts). This list is cleared when the sbbs program is restated.

digital man

Synchronet "Real Fact" #57:
The last version of Synchronet to run on MS-DOS and OS/2 was v2.30c (1999). Norco, CA WX: 66.6øF, 73.0% humidity, 0 mph NW wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 10:33 pm

Re: Block admin and root access attempts
By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm

Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

No there doesn't appear to be any.

What protocol are they attacking with?

The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

So do you mean consecutive as in the calls have to be concurrent, or can they be staggerd throughout the day?

They can be staggered throughout days/weeks/whatever, so long as the server (the BBS) is not recycled or restarted during that time.

If you're using the Synchronet Control Panel (for Windows), you can view
the failed login attempts with the View->Login Attempts menu option. It'll show you which login attempts from what IPs using what protocols with what username and password, etc. This list is cleared when the control panel is restarted. The "Unique" column shows the number that is compared against
the thresholds we discussed for logging in the hack.log and filtering via ip.can.

If you're using 'sbbs', the console program (e.g. for Linux) instead, then the 'a' command from the console prompt ("[Threads: x Sockets: x Clients: x Served: x Errors: x] (?=Help):" will show the same information (list of failed login attempts). This list is cleared when the sbbs program is restated.

BTW, if the attacks were using SSH or RLogin protocols, then I suspect this is due to a bug I *just* fixed where failed login attemps using either of those protocols would *not* be added to the 'failed login attempt' list if the username attempted was not a valid username (not in your userbase). Either get the latest from CVS and rebuild (if you build from source) or grab tomorrow morning's daily development build to get the fixed version.

Thanks for the head's up!

digital man

Synchronet "Real Fact" #53:
The Synchronet source code consists of over 500,000 lines of C and C++.
Norco, CA WX: 65.1øF, 78.0% humidity, 1 mph NNW wind, 0.00 inches rain/24hrs

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net