• Block admin and root access attempts

    From nightcrawler@DARKSANC to All on Saturday, October 25, 2014 00:08:25
    Hey guys.

    Can someone tell me something I can add to my login script that will automatically add IPs to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IPs manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful to other Sysops if it was asked and answered on here.

    Thanks

    ... Anyone who lives within his means suffers from a lack of imagination.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
    ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Mro@BBSESINF to nightcrawler on Saturday, October 25, 2014 18:54:41
    Re: Block admin and root access attempts
    By: nightcrawler to All on Sat Oct 25 2014 12:08 am

    Can someone tell me something I can add to my login script that will automatically add IPs to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IPs manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful


    since you are a server on the internet, all your services have brute force attacks.

    adding something to your logon script will just block people who try to telnet in. what about ftp, email, ssh, rlogin, nntp, etc?

    get peerblock and just block china.
    that way it's blocked before it even hits your bbs.

    i have that bbs captcha thing and it's not stopping new ones from hitting me every day. it's a losing battle.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From nightcrawler@DARKSANC to Mro on Sunday, October 26, 2014 16:26:29
    Re: Block admin and root access attempts
    By: Mro to nightcrawler on Sat Oct 25 2014 06:54 pm

    Re: Block admin and root access attempts
    By: nightcrawler to All on Sat Oct 25 2014 12:08 am

    Can someone tell me something I can add to my login script that will
    automatically add IPs to the IP.can file that try to log in as root
    or admin. It is becoming a full time job adding all the hack attempt
    IP's manually. There was some discussion on the Facebook group about
    this, but wasn't given a definitive answer. Also, I figured it would
    be more helpful


    since you are a server on the internet, all your services have brute force attacks.

    adding something to your logon script will just block people who try to telnet in. what about ftp, email, ssh, rlogin, nntp, etc?

    get peerblock and just block china.
    that way it's blocked before it even hits your bbs.

    i have that bbs capcha thing and it's not stopping new ones from hitting me every day. it's a losing battle.

    I've never really had a problem with ftp, rlogin, etc. All the attempts seem to be localized to SSH connections, trying either admin or root. Recently I noticed a single IP will attempt simultaneous connections, taking all my nodes down.

    I've tried peerblock with very little success. Seems it doesn't cut down on attempts at all.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
    ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Mro@BBSESINF to nightcrawler on Sunday, October 26, 2014 21:40:18
    Re: Block admin and root access attempts
    By: nightcrawler to Mro on Sun Oct 26 2014 04:26 pm

    I've never really had a problem with ftp, rlogin, etc. All the attempts
    seem to be localized to SSH connections, trying either admin or root. Recently I noticed a single IP will attempt simultaneous connections,
    taking all my nodes down.

    change your ssh port.

    I've tried peerblock with very little success. Seems it doesn't cut down on attempts at all.

    you have to use a custom block script and add ip ranges. you just can't run it and use it to block attackers.

    i put it all on facebook, take a look at it.

    nothing is better than a watchful eye. block the attackers.
    block entire ranges in your ip.can if you don't want to use peerblock.
    make a honeypot. use spambait.cfg

    with synchronet you are running a ton of servers on the internet. you will always have a lot of attack attempts.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man to nightcrawler on Monday, October 27, 2014 16:38:00
    Re: Block admin and root access attempts
    By: nightcrawler to All on Sat Oct 25 2014 12:08 am

    Hey guys.

    Can someone tell me something I can add to my login script that will automatically add IPs to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IPs manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful to other Sysops if it was asked and answered on here.

    There's an auto-filtering capability built into Synchronet. See "LoginAttemptFilterThreshold" at
    http://wiki.synchro.net/config:sbbs.ini for details.

    digital man

    Synchronet "Real Fact" #11:
    Synchronet was the first BBS software to ship with built-in RIPscrip support.
    Norco, CA WX: 73.6°F, 56.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs
  • From nightcrawler@DARKSANC to Mro on Tuesday, October 28, 2014 20:59:45
    Re: Block admin and root access attempts
    By: Mro to nightcrawler on Sun Oct 26 2014 09:40 pm

    attempts seem to be localized to SSH connections, trying either admin
    or root. Recently I noticed a single IP will attempt simultaneous
    connections, taking all my nodes down.

    change your ssh port.

    Not a bad idea.
    I've tried peerblock with very little success. Seems it doesn't cut
    down on attempts at all.

    you have to use a custom block script and add ip ranges. you just can't
    run it and use it to block attackers.

    I used the block list you provided. It has:

    hank billings:96.36.1.1-96.36.255.255
    hong kong:123.0.0.0-123.255.255.255
    dragon networks:209.124.1.0-209.255.255.255
    china mobile:120.192.0.0-120.255.255.255
    attacker:176.0.0.0-176.255.255.255
    taiwan:125.227.0.0-125.227.255.255
    attacker:187.147.0.0-187.147.255.255
    banjkok:61.19.0.0-61.255.255.255

    It blocks a few, but most attacks still seem to get through.

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
    ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From nightcrawler@DARKSANC to Digital Man on Tuesday, October 28, 2014 21:04:35
    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm

    Re: Block admin and root access attempts
    By: nightcrawler to All on Sat Oct 25 2014 12:08 am

    Hey guys.

    Can someone tell me something I can add to my login script that will
    automatically add IPs to the IP.can file that try to log in as root
    or admin. It is becoming a full time job adding all the hack attempt
    IP's manually. There was some discussion on the Facebook group about
    this, but wasn't given a definitive answer. Also, I figured it would
    be more helpful to other Sysops if it was asked and answered on here.

    There's an auto-filtering capability built into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.

    digital man

    Thanks.

    I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any effect. I've noticed a dozen or more attempts from an IP and it isn't being added to the ip.can. Do you have any idea what I am doing wrong?

    This is what I have:

    LoginAttemptDelay=5000
    LoginAttemptThrottle=1000
    LoginAttemptHackThreshold=3
    LoginAttemptFilterThreshold=3
    TempDirectory=
    HostName=
    Interface=0.0.0.0
    LogLevel=Debugging
    BindRetryCount=2
    BindRetryDelay=15

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
    ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Digital Man to nightcrawler on Tuesday, October 28, 2014 17:37:49
    Re: Block admin and root access attempts
    By: nightcrawler to Digital Man on Tue Oct 28 2014 09:04 pm

    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm

    Re: Block admin and root access attempts
    By: nightcrawler to All on Sat Oct 25 2014 12:08 am

    Hey guys.

    Can someone tell me something I can add to my login script that will
    automatically add IPs to the IP.can file that try to log in as root
    or admin. It is becoming a full time job adding all the hack attempt
    IP's manually. There was some discussion on the Facebook group about
    this, but wasn't given a definitive answer. Also, I figured it would
    be more helpful to other Sysops if it was asked and answered on here.

    There's an auto-filtering capability built into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.

    digital man

    Thanks.

    I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any effect. I've noticed a dozen or more attempts from an IP and it isn't being added to the ip.can. Do you have any idea what I am doing wrong?

    This is what I have:

    LoginAttemptDelay=5000
    LoginAttemptThrottle=1000
    LoginAttemptHackThreshold=3
    LoginAttemptFilterThreshold=3

    That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

    The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

    digital man

    Synchronet "Real Fact" #24:
    The Digital Dynamics company ceased day-to-day operations in late 1995.
    Norco, CA WX: 77.0°F, 48.0% humidity, 6 mph SE wind, 0.00 inches rain/24hrs
  • From Mro@BBSESINF to nightcrawler on Tuesday, October 28, 2014 20:56:24
    Re: Block admin and root access attempts
    By: nightcrawler to Mro on Tue Oct 28 2014 08:59 pm

    run it and use it to block attackers.

    I used the block list you provided. It has:

    hank billings:96.36.1.1-96.36.255.255
    hong kong:123.0.0.0-123.255.255.255
    dragon networks:209.124.1.0-209.255.255.255
    china mobile:120.192.0.0-120.255.255.255
    attacker:176.0.0.0-176.255.255.255
    taiwan:125.227.0.0-125.227.255.255
    attacker:187.147.0.0-187.147.255.255
    banjkok:61.19.0.0-61.255.255.255


    yeah i just added that to show you the syntax of the blocklist format.
    you have to add your own ranges.

    btw, i hate that dragon networks guy! attacks me all day even after i changed my ip address. he owns several servers and attacks people. i reported him to his provider and they wanted to know my exact ip address so they can tell him to stop attacking me. i don't think that would benefit me.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
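The range list quoted above uses a plain `label:first-last` line format. As an added example (not code from the thread or from PeerBlock), the following parses exactly those eight lines, converts each bound to a 32-bit integer, and checks source addresses against them, so a sysop can see which addresses a list actually covers and which would reach the BBS untouched. The sample source addresses are constructed (documentation ranges plus one address just below a listed lower bound); the function names are my own.

```javascript
// Added example, not code from the thread or from PeerBlock: a parser and
// matcher for the "label:first-last" range list quoted above. The sample
// source addresses below are constructed.

// The eight lines exactly as posted in the thread.
const BLOCKLIST_TEXT = `
hank billings:96.36.1.1-96.36.255.255
hong kong:123.0.0.0-123.255.255.255
dragon networks:209.124.1.0-209.255.255.255
china mobile:120.192.0.0-120.255.255.255
attacker:176.0.0.0-176.255.255.255
taiwan:125.227.0.0-125.227.255.255
attacker:187.147.0.0-187.147.255.255
banjkok:61.19.0.0-61.255.255.255
`;

// Dotted-quad IPv4 -> unsigned 32-bit integer, rejecting malformed input so a
// typo in a range never silently blocks (or unblocks) the wrong addresses.
function ipToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// Parse "label:first-last" lines into { label, lo, hi } records.
// Blank lines are skipped; labels may contain spaces ("hank billings").
function parseBlocklist(text) {
  const ranges = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const sep = line.lastIndexOf(':');
    if (sep < 0) throw new Error(`missing ':' between label and range: ${line}`);
    const label = line.slice(0, sep);
    const bounds = line.slice(sep + 1).split('-');
    if (bounds.length !== 2) throw new Error(`range must be first-last: ${line}`);
    const lo = ipToInt(bounds[0]);
    const hi = ipToInt(bounds[1]);
    if (lo > hi) throw new Error(`inverted range: ${line}`);
    ranges.push({ label, lo, hi });
  }
  return ranges;
}

// Label of the first range containing `ip`, or null when the list does not
// cover the address at all.
function matchBlocklist(ranges, ip) {
  const n = ipToInt(ip);
  const hit = ranges.find((r) => n >= r.lo && n <= r.hi);
  return hit ? hit.label : null;
}

// Run a batch of connection sources through the list and keep the ones that
// would still reach the BBS: everything outside the listed ranges.
function unblockedSources(ranges, ips) {
  return ips.filter((ip) => matchBlocklist(ranges, ip) === null);
}

const RANGES = parseBlocklist(BLOCKLIST_TEXT);

// Constructed sample of connection sources: two inside listed ranges, one just
// below the "hank billings" lower bound, two from documentation ranges.
const SAMPLE_SOURCES = ['123.45.67.89', '61.19.0.0', '96.36.0.5', '198.51.100.7', '203.0.113.9'];

if (typeof module !== 'undefined' && require.main === module) {
  for (const ip of SAMPLE_SOURCES) {
    console.log(ip.padEnd(16), matchBlocklist(RANGES, ip) || 'not in list');
  }
}
```

Note that `96.36.0.5` is not matched even though it sits in the same /16 as the "hank billings" entry, because that range starts at `96.36.1.1`; range lists only do what their bounds say, which is why Mro tells the original poster to add his own ranges rather than rely on the sample.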
  • From nightcrawler@DARKSANC to Digital Man on Tuesday, October 28, 2014 23:41:04
    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

    That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

    No there doesn't appear to be any.

    The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

    So do you mean consecutive as in the calls have to be concurrent, or can they be staggered throughout the day?

    Nightcrawler +o Dark Sanctuary
    darksanctuary.darktech.org

    ---
    ■ Synchronet ■ Dark Sanctuary darksanctuary.darktech.org
  • From Digital Man to nightcrawler on Tuesday, October 28, 2014 22:33:19
    Re: Block admin and root access attempts
    By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm

    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

    That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

    No there doesn't appear to be any.

    What protocol are they attacking with?

    The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

    So do you mean consecutive as in the calls have to be concurrent, or can they be staggered throughout the day?

    They can be staggered throughout days/weeks/whatever, so long as the server (the BBS) is not recycled or restarted during that time.

    If you're using the Synchronet Control Panel (for Windows), you can view the failed login attempts with the View->Login Attempts menu option. It'll show you
    which login attempts from what IPs using what protocols with what username and password, etc. This list is cleared when the control panel is restarted. The "Unique" column shows the number that is compared against the thresholds we discussed for logging in the hack.log and filtering via ip.can.

    If you're using 'sbbs', the console program (e.g. for Linux) instead, then the 'a' command from the console prompt ("[Threads: x Sockets: x Clients: x Served: x Errors: x] (?=Help):") will show the same information (list of failed login attempts). This list is cleared when the sbbs program is restarted.

    digital man

    Synchronet "Real Fact" #57:
    The last version of Synchronet to run on MS-DOS and OS/2 was v2.30c (1999).
    Norco, CA WX: 66.6°F, 73.0% humidity, 0 mph NW wind, 0.00 inches rain/24hrs
  • From Digital Man to nightcrawler on Wednesday, October 29, 2014 00:00:17
    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Tue Oct 28 2014 10:33 pm

    Re: Block admin and root access attempts
    By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm

    Re: Block admin and root access attempts
    By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm

    That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?

    No there doesn't appear to be any.

    What protocol are they attacking with?

    The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.

    So do you mean consecutive as in the calls have to be concurrent, or can they be staggered throughout the day?

    They can be staggered throughout days/weeks/whatever, so long as the server (the BBS) is not recycled or restarted during that time.

    If you're using the Synchronet Control Panel (for Windows), you can view
    the failed login attempts with the View->Login Attempts menu option. It'll show you which login attempts from what IPs using what protocols with what username and password, etc. This list is cleared when the control panel is restarted. The "Unique" column shows the number that is compared against
    the thresholds we discussed for logging in the hack.log and filtering via ip.can.

    If you're using 'sbbs', the console program (e.g. for Linux) instead, then the 'a' command from the console prompt ("[Threads: x Sockets: x Clients: x Served: x Errors: x] (?=Help):") will show the same information (list of failed login attempts). This list is cleared when the sbbs program is restarted.

    BTW, if the attacks were using SSH or RLogin protocols, then I suspect this is due to a bug I *just* fixed where failed login attempts using either of those protocols would *not* be added to the 'failed login attempt' list if the username attempted was not a valid username (not in your userbase). Either get the latest from CVS and rebuild (if you build from source) or grab tomorrow morning's daily development build to get the fixed version.

    Thanks for the heads-up!

    digital man

    Synchronet "Real Fact" #53:
    The Synchronet source code consists of over 500,000 lines of C and C++.
    Norco, CA WX: 65.1°F, 78.0% humidity, 1 mph NNW wind, 0.00 inches rain/24hrs
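The filtering mechanism Digital Man describes across the last three replies works like this: failed logins from one IP are counted in an in-memory list, the count keeps growing even when attempts are staggered over days, the list is emptied only when the BBS is recycled or restarted, and once the count reaches LoginAttemptHackThreshold / LoginAttemptFilterThreshold the attempt is written to data/hack.log and the IP is added to ip.can. The final reply also explains why the original poster saw nothing: SSH/RLogin failures for usernames not in the userbase were never added to the list. The following is an added model of that behaviour, not Synchronet's code: the class, method names, log-line format and `skipUnknownUsers` switch are assumptions for illustration, the sample failures are constructed, and only the sbbs.ini keys and the threshold of 3 come from the thread.

```javascript
// Added example, not Synchronet's code: an in-memory model of the
// consecutive-failed-login filtering explained in this thread. Class and
// method names and the log-line format are assumptions; the sbbs.ini keys and
// thresholds are the ones quoted in the thread.

const CONFIG = {
  LoginAttemptHackThreshold: 3,   // consecutive failures before a hack.log entry
  LoginAttemptFilterThreshold: 3, // consecutive failures before the IP is added to ip.can
};

class LoginAttemptTracker {
  // `skipUnknownUsers` reproduces the bug described at the end of the thread:
  // SSH/RLogin failures for usernames not in the userbase were never recorded,
  // so an address hammering "root" or "admin" never reached the threshold.
  constructor(config, { skipUnknownUsers = false } = {}) {
    this.cfg = config;
    this.skipUnknownUsers = skipUnknownUsers;
    this.restart();
  }

  // The attempt list exists only in memory. Recycling or restarting the BBS
  // empties it; otherwise attempts staggered over days still accumulate.
  restart() {
    this.attempts = new Map(); // ip -> { count, prots: Set, user, pass }
    this.hackLog = [];         // simulated data/hack.log lines
    this.ipCan = [];           // simulated ip.can additions
  }

  // Record one failed login and return the IP's running failure count.
  // `userExists` says whether the attempted username is a real account.
  recordFailure({ ip, prot, user, pass, userExists }) {
    const sshOrRlogin = prot === 'SSH' || prot === 'RLogin';
    if (this.skipUnknownUsers && sshOrRlogin && !userExists) {
      const existing = this.attempts.get(ip);
      return existing ? existing.count : 0; // buggy path: nothing recorded
    }
    let entry = this.attempts.get(ip);
    if (!entry) {
      entry = { count: 0, prots: new Set() };
      this.attempts.set(ip, entry);
    }
    entry.count += 1;
    entry.prots.add(prot);
    entry.user = user;
    entry.pass = pass;
    if (entry.count === this.cfg.LoginAttemptHackThreshold) {
      this.hackLog.push(`${prot} login from ${ip}: ${entry.count} consecutive failures, last tried ${user}:${pass}`);
    }
    if (entry.count === this.cfg.LoginAttemptFilterThreshold && !this.ipCan.includes(ip)) {
      this.ipCan.push(ip);
    }
    return entry.count;
  }

  // A successful login from an address ends its run of consecutive failures
  // (assumed reading of "consecutive"; the thread does not spell this out).
  recordSuccess(ip) {
    this.attempts.delete(ip);
  }

  isFiltered(ip) {
    return this.ipCan.includes(ip);
  }
}

// Constructed sample: one address tries root/admin over SSH four times (neither
// is an account on this hypothetical board) and a real account once via Telnet.
const ATTACKER = '198.51.100.7';
const SAMPLE_FAILURES = [
  { ip: ATTACKER, prot: 'SSH',    user: 'root',  pass: 'toor',     userExists: false },
  { ip: ATTACKER, prot: 'SSH',    user: 'admin', pass: 'admin',    userExists: false },
  { ip: ATTACKER, prot: 'SSH',    user: 'root',  pass: 'password', userExists: false },
  { ip: ATTACKER, prot: 'SSH',    user: 'admin', pass: '123456',   userExists: false },
  { ip: ATTACKER, prot: 'Telnet', user: 'sysop', pass: 'guess',    userExists: true  },
];

// Feed the sample through a tracker with or without the bug and report the outcome.
function runScenario(skipUnknownUsers) {
  const tracker = new LoginAttemptTracker(CONFIG, { skipUnknownUsers });
  let count = 0;
  for (const f of SAMPLE_FAILURES) count = tracker.recordFailure(f);
  return { count, filtered: tracker.isFiltered(ATTACKER), hackLogLines: tracker.hackLog.length };
}

// Two failures, a recycle, one more failure: the restart resets the count,
// so the third failure does not trip a threshold of 3.
function runRestartScenario() {
  const tracker = new LoginAttemptTracker(CONFIG);
  tracker.recordFailure(SAMPLE_FAILURES[0]);
  tracker.recordFailure(SAMPLE_FAILURES[1]);
  tracker.restart();
  const count = tracker.recordFailure(SAMPLE_FAILURES[2]);
  return { count, filtered: tracker.isFiltered(ATTACKER) };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('fixed build :', runScenario(false));
  console.log('buggy build :', runScenario(true));
  console.log('after recycle:', runRestartScenario());
}
```

With the fixed behaviour the third SSH failure writes the hack.log line and adds the address to ip.can; with the bug only the Telnet failure is counted, so the same dozen attempts never reach 3, which matches the empty hack.log the original poster reported. The restart scenario shows why "consecutive" means uninterrupted by a recycle rather than concurrent.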