• Hacker making all Mystic nodes "BUSY"

    From Gandalf@21:4/153 to ALL on Monday, February 13, 2023 21:15:24
    Greetings and Salutations! I am having an issue with a hacker who trys to crack my system password eventually making all of my nodes busy so that users cannot login. When I periodically check Nodespy, all three of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to keep this from happening? (Linux Mint - Mystic 1.12 A48)

    ... Never laugh at live dragons.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From paulie420@21:2/150 to Gandalf on Monday, February 13, 2023 19:08:56
    Greetings and Salutations! I am having an issue with a hacker who trys
    to crack my system password eventually making all of my nodes busy so
    that users cannot login. When I periodically check Nodespy, all three
    of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
    node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to
    keep this from happening? (Linux Mint - Mystic 1.12 A48)

    Check out two Mystic mods that might help you with bots. Mystic is good at kicking them after multiple attempts, but here are two options - you can even install both if you like. Actually, I know of THREE:

    ThreatSentry; check geo-location per the rules you set in the .ini's...

    BotChecker; this is where you have to press ESC 2x to even start the Mystic bbs

    MAPTCHA; A 'captcha-like' mod that requires you to enter some text prior to being let in

    They can all be found on 2oFB @ 20ForBeers.com:1337; search the File Menu. (And other BBSes/fsxNet File Areas)



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From esc@21:4/173 to Gandalf on Monday, February 13, 2023 22:55:53
    Greetings and Salutations! I am having an issue with a hacker who trys
    to crack my system password eventually making all of my nodes busy so
    that users cannot login. When I periodically check Nodespy, all three
    of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
    node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to
    keep this from happening? (Linux Mint - Mystic 1.12 A48)

    That sounds like a botnet :) My advice would be to do some country blocking. I believe if you looked at each of the IP addresses attempting this you'd find they come from specific places.

    Also, I have the "botcheck" mod from phenom. It requires someone to press the escape key twice to proceed to the system password screen. This one confounds botnets pretty well.

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: m O N T E R E Y b B S . c O M (21:4/173)
  • From Warpslide@21:3/110 to Gandalf on Tuesday, February 14, 2023 03:18:53
    On 13 Feb 2023, Gandalf said the following...

    Greetings and Salutations! I am having an issue with a hacker who trys
    to crack my system password eventually making all of my nodes busy so
    that users cannot login.

    something I can do other than removing the system password prompt to
    keep this from happening?

    Check out botcheck.mps in your mystic/themes/default/scripts directory:

    [ begin quote botcheck.mps ]
    BOTCHECK.MPS: Example script to force users to immediately press ESCAPE
    twice upon connection within 15 seconds or else their
    connection will be closed.

    To install: Copy this as "connect.mps" in your theme's script directory
    and then use MPLC to compile it (mplc -T will compile all theme scripts)
    [ end quote botcheck.mps ]

    You may want to paste this in right after "Begin" in the script:
    If ACS('OS') Then break

    This will skip asking people to press ESC twice if they connect via SSH as they'd already be authenticated.


    I have this in place along with blocking a bunch of countries with iptables:

    ipset create block4 hash:net
    ipset create block6 hash:net family inet6
    iptables -A INPUT -m set --match-set block4 src -j DROP
    iptables -A OUTPUT -m set --match-set block4 dst -j DROP
    ip6tables -A INPUT -m set --match-set block6 src -j DROP
    ip6tables -A OUTPUT -m set --match-set block6 dst -j DROP


    [ begin geoip.sh ]
    #!/bin/bash
    tmpdir=`mktemp -d`
    cd $tmpdir

    countries=("ru" "ua" "by" "bg" "br" "cn" "hk" "kr" "kp" "ir")

    for i in ${countries[@]}; do
    curl -f -s -k https://www.ipdeny.com/ipblocks/data/aggregated/$i-aggregated.zone >> block4.zone
    curl -f -s -k https://www.ipdeny.com/ipv6/ipaddresses/aggregated/$i-aggregated.zone >> block6.zone
    done

    ipset flush
    for i in $( cat block4.zone ); do ipset -A block4 $i; done
    for i in $( cat block6.zone ); do ipset -A block6 $i; done

    ipset save > /etc/iptables/ipsets

    rm -f $tmpdir/*
    rmdir $tmpdir
    [ end geoip.sh ]


    Jay

    ... When cheese gets its picture taken, what does it say?

    --- Mystic BBS v1.12 A49 2023/01/27 (Linux/64)
    * Origin: Northern Realms | bbs.nrbbs.net | 289-424-5180 (21:3/110)
  • From Alonzo@21:1/130 to Gandalf on Tuesday, February 14, 2023 10:29:21
    Greetings and Salutations! I am having an issue with a hacker who trys
    to crack my system password eventually making all of my nodes busy so
    that users cannot login. When I periodically check Nodespy, all three
    of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
    node 2 or three times until it autobans the IP address. Is there

    I have the same problem, but not with the the screen getting hung up. 24 hours a day, every ten minutes or so, someone is trying to hack my board. I don't want people to automatically get to my login screen, and I want to slow these morons down a bit so this is what I did. I set up the board so that it is ANSI-only. Then I edited the prompt that usually asks if you want ANSI or ASCII to this menu:

    It says...
    PLEASE READ CAREFULLY - This is a menu, not a command line. Typing random sh*t will do nothing. Slapping your ENTER key will do nothing. Your bots will do nothing. See that number 1 on your keyboard? Poke it! Go ahead, poke it! What are you waiting for? You have four chances to get this right.

    [1} Yes, I want to use this BBS
    [0} No,disconnect

    This slows them down a bit.

    ... I know a good tagline when I steal one!

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/64)
    * Origin: The Unmarked Van (21:1/130)
  • From Gandalf@21:4/153 to paulie420 on Tuesday, February 14, 2023 13:20:21
    Thank you @paulie420, I have ThreatSentry v1.1 installed. I will check out the other two you mentioned. Thanks again for your reply.

    ... Deeds will not be less valiant because they are unpraised.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From Gandalf@21:4/153 to esc on Tuesday, February 14, 2023 13:23:47
    Thank you @esc I will check out BotChecker that sounds like it would work for me. I appreciate it.

    ... Short cuts make long delays.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From Gandalf@21:4/153 to Warpslide on Tuesday, February 14, 2023 13:26:51
    Thank you @Warpslide, BotCheck is definately the suggested fix for my issue. I thank you for the time and effort to provide configuration and installation instruction. I will work on it now. I appreciate it.

    ... Faithless is he that says farewell when the road darkens.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From Gandalf@21:4/153 to Alonzo on Tuesday, February 14, 2023 13:29:10
    @Alonzo LOL Awesome! Thank you! I appreciate it.

    ... I will not walk backward in life.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From Gandalf@21:4/153 to ALL on Tuesday, February 14, 2023 15:06:25
    Botcheck1_2 installed. However, using the standard install instructions where you modify the theme prompt "|TE detected" to "!botcheck1_2 |TE detected", the botcheck works, but is displayed after the system password so it does not help at that point of the login process. I tried editing the system password prompt line where in my case it is: "|CR|14Speak friend and enter: |XX" to "!botcheck1_2 |CR|14Speak friend and enter: |XX", which the botcheck runs in ASCII (no color) then when you hit ESC twice, it does not prompt the text before the input prompt. I can type the system password at that point, which allows me to continue but that does not let the user know that there is a system password prompt waiting for input. I tried adding |CR carriage return and |CL clear screen codes at different points but cannot find a config that works. Is there another prompt line I should be using or something I can add to the script? Looks like the only option is to turn off the system password. I like that feature. I use it as an initial user qualification puzzle. If you know what ARDA is and that it is related to LOTR then you will understand the prompt and enter the correct password. If you don't, then it is a challenge and maybe using a LOTR themed BBS is not for you anyway. It would be nice to figure out a solution that allows this puzzle to remain. Thank you, I appreciate your input and help!

    ... In a hole in the ground there lived a hobbit.

    --- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
    * Origin: ARDA-BBS (21:4/153)
  • From Geri Atricks@21:4/102 to Gandalf on Monday, February 13, 2023 23:22:31
    Greetings and Salutations! I am having an issue with a hacker who trys
    to crack my system password eventually making all of my nodes busy so
    that users cannot login. When I periodically check Nodespy, all three

    Limit the number of connections your board will allow from the same IP. I think I have mine set to like 2 if I remember correctly, and only THAT high so that I can be logged into my sysop account and my test account at the some time when making changes remotely.

    --- Mystic BBS v1.12 A48 (Windows/64)
    * Origin: Legends of Yesteryear (furmenservices.net:23322) (21:4/102)
  • From Tracker1@21:3/149 to Geri Atricks on Tuesday, April 25, 2023 19:21:47
    Limit the number of connections your board will allow from the same IP. I think I have mine set to like 2 if I remember correctly, and only THAT high so that I can be logged into my sysop account and my test account at the some time when making changes remotely.

    If you are supporting HTTP(S), you should allow 6-10 connections as browsers make multiple connections to download supporting files in parallel (js, css, images etc).


    --
    Michael J. Ryan
    +o roughneckbbs.com
    tracker1@roughneckbbs.com
    --- SBBSecho 3.15-Linux
    * Origin: Roughneck BBS - roughneckbbs.com (21:3/149)