• Attacks

    From DesotoFireflite@VERT to All on Sat Feb 15 04:43:15 2014
    May be a stupid question, but is there a program that will add an IP address to the silent filter automatically if say one address repeatedly tries to log in unsuccessfully in a given amount of time. I'm tired of manually having to add these hack attempts myself. It gets so bad at times, it ties up all 5 lines of the bbs. As always, thanks

    - Don't eat the yellow snow!

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


    ---
    ■ Synchronet ■ Valhalla Home Services ■ USA ■ http://valhalla.synchro.net
  • From Digital Man@VERT to DesotoFireflite on Sat Feb 15 16:26:41 2014
    Re: Attacks
    By: DesotoFireflite to All on Sat Feb 15 2014 04:43 am

    May be a stupid question, but is there a program that will add an IP address to the silent filter automatically if say one address repeatedly tries to log
    in unsuccessfully in a given amount of time.

    Yes (well, the ip.can, not the silent filter): in the [Global] section of your ctrl/sbbs.ini file, set LoginAttemptFilterThreshold to a non-zero value.

    This value defaults to 0 for a good reason however. If you're going to use a non-zero value, I would set it to something high (like 20 or 30 attempts).

    See http://wiki.synchro.net/config:sbbs.ini for details.

    digital man

    Synchronet "Real Fact" #66:
    SEXYZ is a 32-bit replacement for [F]DSZ, CE-XYZ and other protocol drivers.
    Norco, CA WX: 77.1°F, 23.0% humidity, 4 mph SE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Bill McGarrity@VERT to Digital Man on Sun Feb 16 00:46:00 2014
    Digital Man wrote to DesotoFireflite <=-


    May be a stupid question, but is there a program that will add an IP address to the silent filter automatically if say one address repeatedly tries to log
    in unsuccessfully in a given amount of time.

    Yes (well, the ip.can, not the silent filter): in the [Global] section
    of your ctrl/sbbs.ini file, set LoginAttemptFilterThreshold to a
    non-zero value.

    This value defaults to 0 for a good reason however. If you're going to
    use a non-zero value, I would set it to something high (like 20 or 30 attempts).

    See http://wiki.synchro.net/config:sbbs.ini for details.

    Thank you!!


    Bill

    Telnet: tequilamockingbirdonline.net
    IRC: irc.tequilamockingbirdonline.net Ports: 6661-6670 SSL: +6697
    Radio: radio.tequilamockingbirdonline.net:8010/live


    ... Motorcycles are everywhere... Look twice, save a life!!
    --- MultiMail/Win32 v0.50
    ■ Synchronet ■ TequilaMockingbird Online - TELNET: tequilamockingbirdonline.ne
  • From DesotoFireflite@VERT to Digital Man on Sun Feb 16 04:14:51 2014
    Re: Attacks
    By: Digital Man to DesotoFireflite on Sat Feb 15 2014 04:26 pm

    Yes (well, the ip.can, not the silent filter): in the [Global] section
    of your ctrl/sbbs.ini file, set LoginAttemptFilterThreshold to a
    non-zero value.

    Thanks, that's what I wanted. As always, you have the answer:)

    - CAT (n.), Furry keyboard cover.

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


    ---
    ■ Synch
  • From Android8675@VERT to DesotoFireflite on Sun Feb 16 10:26:18 2014
    Re: Attacks
    By: DesotoFireflite to All on Sat Feb 15 2014 04:43 am

    May be a stupid question, but is there a program that will add an IP address to the silent filter automatically if say one address repeatedly tries to log in unsuccessfully in a given amount of time. I'm tired of manually having to add these hack attempts myself. It gets so bad at times, it ties up all 5 lines of the bbs. As always, thanks

    Out of curiosity, are these "hack attempts" actually trying to login to your board, or just randomly trying to connect to your various services to no avail?

    I guess I'm trying to say, are they actually doing any harm to your system or just continually trying to connect?

    Do they cause your normal users to not be able to login?

    I mean if your answer is no, why bother trying to block all of them, just ignore it as spam traffic.

    blocking an IP won't stop anyone that's actively trying to get into your system, it just stops some random script from completing whatever it's trying to do, which doesn't sound like much.

    Again, apologies if they are actually gaining access to your system. Maybe you're running your board on some pentagon system that houses national secrets or something.

    Best of luck,
    -A.


  • From DesotoFireflite@VERT to Android8675 on Mon Feb 17 04:23:32 2014
    Re: Attacks
    By: Android8675 to DesotoFireflite on Sun Feb 16 2014 10:26 am

    Out of curiosity, are these "hack attempts" actually trying to login to your board, or just randomly trying to connect to your various services to

    I get about 3 attempts a day trying to gain access. In the old days, I would call it war dialing. If I manually put the address into the can, it stops, till another random address comes along to start it all over again. over a weeks times, I can quite a few addresses.. None never make it in, but it's still a pain.

    - CAT (n.), Furry keyboard cover.

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


    ---
    ■ Synchronet ■ Va
  • From Chris Trainor@VERT to Android8675 on Wed Feb 19 15:15:50 2014
    Re: Attacks
    By: Android8675 to DesotoFireflite on Sun Feb 16 2014 10:26:18

    The hacks I see look like they're general hack scripts that are just
    running against open telnet servers. Looking for a way in, hoping it's
    a misconfigured router, server, switch, etc. If you look thru the
    username/pw combo lists they try they're not looking to get into the
    'BBS'.... just an auto script that found an open telnet port and trying
    a pile of common admin logins.

    That being said, it's annoying because it ties up ports/nodes and
    occasionally appears to crash the BBS.

    Tho in my case, that could've been due to me running 18mo old code. :)
    Just updated today.. hopefully the crashing stops.


    --Chris


    ------------------------------------------
    | Chris Trainor - FleetHQ BBS
    | telnet://bbs.fleethq.org
    | http://www.facebook.com/FleetHQ
    | +1-401-949-0465 (V.34/HST/CrankyAtTimes)
    ------------------------------------------

    ---
    ■ Synchronet ■ FleetHQ BBS - Greenville, RI
  • From mark lewis@VERT to Chris Trainor on Wed Feb 19 18:41:47 2014
    On Wed, 19 Feb 2014, Chris Trainor wrote to Android8675:

    The hacks I see look like they're general hack scripts that are
    just running against open telnet servers. Looking for a way in,
    hoping it's a misconfigured router, server, switch, etc.

    exactly... otherwise known as scriptkiddies... the question, then, is if the attack is coming from a zombie machine... in most cases that i've researched,
    they are zombie machines in a botnet...

    If you look thru the username/pw combo lists they try they're not looking to get into the 'BBS'.... just an auto script that found
    an open telnet port and trying a pile of common admin logins.

    yup! this is one of the reasons why anyone running servers of any type should take the time to learn about the mess that is going on out there and what they can do to protect themselves... i see way too many blaming individuals and blocking IPs that are transient... a temp block at the perimeter to stop the attack for some period of time is the best response... drop the packets into the bitbucket and let the violating system have to wait on the timeout to take effect... this slows them down a bit and is better than sending a reject which tells them that there is something there and doesn't tie them up waiting on the
    timeout...

    That being said, it's annoying because it ties up ports/nodes and occasionally appears to crash the BBS.

    true...

    Tho in my case, that could've been due to me running 18mo old code.
    :) Just updated today.. hopefully the crashing stops.

    :)

    )\/(ark

    One of the great tragedies of life is the murder of a beautiful theory by a gang of brutal facts. --Benjamin Franklin

    --- FMail/Win32 1.60
    * Origin: (1:
  • From Gryphon@VERT to mark lewis on Wed Feb 19 22:16:00 2014
    On 02-19-14, mark lewis said the following...

    If you look thru the username/pw combo lists they try they're not looking to get into the 'BBS'.... just an auto script that found
    an open telnet port and trying a pile of common admin logins.

    yup! this is one of the reasons why anyone running servers of any type should take the time to learn about the mess that is going on out there and what they can do to protect themselves... i see way too many blaming individuals and blocking IPs that are transient... a temp block at the perimeter to stop the attack for some period of time is the best response... drop the packets into the bitbucket and let the violating system have to wait on the timeout to take effect... this slows them
    down a bit and is better than sending a reject which tells them that
    there is something there and doesn't tie them up waiting on the

    I run a script every 3 minutes that grabs all the aborted knocks at the door.
    I then count the number of hits from that IP for the day, and if they are more than 5 in one day, I add them to the block file for that country. I have a block file for separate countries. My script differentiates between actual bbs callers, and those who are just portscanning. If the port scanner's IP comes from some specific countries, I will just add them to the block file no
    matter how many times they attempt to connect. My BBS has been ping'd by
    these port scanners as many as 100 times a day, mostly from different IP's,
    and mostly from China.

    I then take the contents of the block file and add them to my IPTABLES.


    That being said, it's annoying because it ties up ports/nodes and occasionally appears to crash the BBS.

    On mine, it just inflates the calls per day count.

    --- Mystic BBS v1.10 A38 (Linux)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | K
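
The counting approach in the post above, combined with mark lewis's earlier point that a temporary block which drops packets beats a permanent or rejecting one, as an added example (not Gryphon's script). The log format, the 24-hour block length and all function names are assumptions; the addresses are constructed documentation addresses.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not a real Mystic or
# Synchronet log): "<ISO timestamp> <ABORTED|LOGIN_OK> <source address>"
LINE_RE = re.compile(r"^(\S+) (ABORTED|LOGIN_OK) (\S+)$")

THRESHOLD = 5                    # block once an address exceeds 5 aborted connects in a day
BLOCK_FOR = timedelta(hours=24)  # assumed length of the temporary block

# Constructed sample input.
SAMPLE_LOG = "\n".join(
    [f"2014-02-19T08:00:{s:02d} ABORTED 203.0.113.7" for s in range(6)]
    + [f"2014-02-19T09:10:{s:02d} ABORTED 198.51.100.20" for s in range(6)]
    + [
        "2014-02-19T09:11:00 LOGIN_OK 198.51.100.20",      # real caller who fumbled
        "2014-02-19T10:00:00 ABORTED 192.0.2.55",
        "2014-02-19T10:00:05 ABORTED 192.0.2.55",           # under the threshold
        "2014-02-19T11:00:00 ABORTED 203.0.113.9;reboot",   # not a valid address
        "garbage line",
    ]
)


def parse_events(text):
    """Return (timestamp, event, ip) tuples, skipping anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
            # Validate before the value can ever reach a firewall command.
            ip = str(ipaddress.ip_address(m.group(3)))
        except ValueError:
            continue
        events.append((when, m.group(2), ip))
    return events


def offenders(events, day):
    """Addresses with more than THRESHOLD aborted connects on `day`.

    An address that also completed a login that day is treated as a real
    caller and left alone.
    """
    aborted = Counter()
    callers = set()
    for when, event, ip in events:
        if when.date() != day:
            continue
        if event == "LOGIN_OK":
            callers.add(ip)
        else:
            aborted[ip] += 1
    return {ip: n for ip, n in aborted.items() if n > THRESHOLD and ip not in callers}


def update_blocks(blocks, bad, now):
    """Expire old blocks and add new ones; `blocks` maps ip -> expiry time.

    Returns (added, expired) so only the rules that changed are touched.
    """
    expired = sorted(ip for ip, until in blocks.items() if until <= now)
    for ip in expired:
        del blocks[ip]
    added = sorted(ip for ip in bad if ip not in blocks)
    for ip in added:
        blocks[ip] = now + BLOCK_FOR
    return added, expired


def iptables_commands(added, expired):
    """Render the rule changes. DROP discards silently; REJECT would answer."""
    cmds = [f"iptables -I INPUT -s {ip} -j DROP" for ip in added]
    cmds += [f"iptables -D INPUT -s {ip} -j DROP" for ip in expired]
    return cmds


if __name__ == "__main__":
    now = datetime(2014, 2, 19, 12, 0)
    blocks = {}
    added, expired = update_blocks(blocks, offenders(parse_events(SAMPLE_LOG), now.date()), now)
    print("\n".join(iptables_commands(added, expired)))
```

The script only prints the rule changes; persisting `blocks` between runs and applying the commands is left to the scheduler that calls it.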
  • From Android8675@VERT to DesotoFireflite on Wed Feb 19 21:06:16 2014
    Re: Attacks
    By: DesotoFireflite to Android8675 on Mon Feb 17 2014 04:23 am

    Out of curiosity, are these "hack attempts" actually trying to
    login to your board, or just randomly trying to connect to your
    various services to

    I get about 3 attempts a day trying to gain access. In the old days, I would call it war dialing. If I manually put the address into the can, it stops, till another random address comes along to start it all over again. over a weeks times, I can quite a few addresses.. None never make it in, but it's still a pain.

    3? like 3 attempts to connect or 3 different times where thousands of connect attempts just bombard your system bringing it to a crushing halt and crushing any hopes of your users being able to connect, forcing you to literally rip your network connection out of the wall or face a full blown system crash?

    If it's 3... like just 3 random connects from some IP address, do an IP lookup, it's probably just someone running some random script that pokes around the net for systems and tries to figure out what they are.

    I mean come on my throw me a bone, are you watching someone running some crazy password hacking script, or is it just some bot trying to relay spam emails through your SMTP service?

    From what you've described it doesn't sound like much of a pain.


    ---
    ■ Synchronet ■ Shodan's Core - shodan.synchro.net:23 & :2323
  • From Android8675@VERT to Chris Trainor on Wed Feb 19 21:16:46 2014
    Re: Attacks
    By: Chris Trainor to Android8675 on Wed Feb 19 2014 03:15 pm

    The hacks I see look like they're general hack scripts that are just running against open telnet servers. Looking for a way in, hoping it's
    a misconfigured router, server, switch, etc. If you look thru the username/pw combo lists they try they're not looking to get into the 'BBS'.... just an auto script that found an open telnet port and trying
    a pile of common admin logins.

    I get those all the time, they never completely occupy available nodes and they are on just long enough to be annoying. I only have SBBS running as a 6 node system, and I've never had someone not be able to connect because someone was trying to "hack" my board, though more likely it's some botnet probing my IP for security issues.

    That being said, it's annoying because it ties up ports/nodes and occasionally appears to crash the BBS.

    Annoying, sure, and if it's crashing your BBS... well maybe you should compile the debug build of SBBS, take some crash dumps and post them to dovenet. Maybe someone can help resolve that issue.

    I used to get crashes until I fixed some minor issues and setup my board to restart if (heaven forbid) it were to shut down.

    Tho in my case, that could've been due to me running 18mo old code. :) Just updated today.. hopefully the crashing stops.

    *facepalm*

    I think half the fun is watching "people" try to connect. Your board is connected to a "fairly" large network, assuming you've chosen to make your board accessible to "THE INTERNET"... (<DrEvil>"Lasers"</DrEvil>) Shit's gonna happen, enjoy it, back up your files, and plug your security holes when they come up.


    ---
    ■ Synchronet ■ Shod
  • From DesotoFireflite@VERT to Android8675 on Thu Feb 20 08:17:42 2014
    Re: Attacks
    By: Android8675 to DesotoFireflite on Wed Feb 19 2014 09:06 pm

    3? like 3 attempts to connect or 3 different times where thousands of connect attempts just bombard your system bringing it to a crushing halt

    I meant 3 times a day, I get pinged about 100 times each, sometimes more. It just ties the system up so real callers sometimes can't get in. That is about 300 hack attempts a day, which at times, they come so fast, it takes down all 5 nodes. They clear by themselves, but like I said, it's a pain. They never get in to the bbs, just tie it up.

    - CAT (n.), Furry keyboard cover.

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


  • From First Officer@VERT to DesotoFireflite on Thu Feb 20 10:17:30 2014
    Re: Attacks
    By: DesotoFireflite to Android8675 on Thu Feb 20 2014 08:17 am

    3? like 3 attempts to connect or 3 different times where thousands of connect attempts just bombard your system bringing it to a crushing halt

    I meant 3 times a day, I get pinged about 100 times each, sometimes more.
    It just ties the system up so real callers sometimes can't get in. That is about 300 hack attempts a day, which at times, they come so fast, it takes down all 5 nodes. They clear by themselves, but like I said, it's a pain. They never get in to the bbs, just tie it up.

    Just a 2 cents worth. I once had my cable go down and was out a few days. When I came back up, my IP address changed to one that was so wonderfully listed as a proxy server. So many hits per minute, it just shut my system down. I finally
    had to change the ip address and that did the trick. That was a drastic attack.
    The current ones going on are not anywhere near as bad, but if it really starts
    killing your bbs, maybe You could think about changing the IP address. Depending on what kind You have of course.

    Have a good One!
    Mike



    ---
    ■ Synchronet ■ The Holodeck BBS
  • From Chris Trainor@VERT to Android8675 on Thu Feb 20 15:08:44 2014
    Re: Attacks
    By: Android8675 to Chris Trainor on Wed Feb 19 2014 21:16:46

    I get those all the time, they never completely occupy available nodes and t are on just long enough to be annoying. I only have SBBS running as a 6 node system, and I've never had someone not be able to connect because someone wa trying to "hack" my board, though more likely it's some botnet probing my IP for security issues.

    Oh it's obvious it's not someone trying to hack my BBS. I've got 10 nodes configured and they never filled all the nodes, but the eventual crash did cause some annoyance.

    Annoying, sure, and if it's crashing your BBS... well maybe you should compi the debug build of SBBS, take some crash dumps and post them to dovenet. May someone can help resolve that issue.

    I figured since I had left this thing alone for so long I should update to the latest code before doing something like that and hassling Rob/etc over stuff that was fixed ages ago. :)


    I think half the fun is watching "people" try to connect. Your board is connected to a "fairly" large network, assuming you've chosen to make your board accessible to "THE INTERNET"... (<DrEvil>"Lasers"</DrEvil>) Shit's gon


    yeah that was kind of the whole point. :) No sense running a BBS that only I can get to via localhost. :) Tho I do provide a dialup... still makes me wonder why anyone uses it. (I get like 5 - 15 calls/week on it!).

    --Chris

    ------------------------------------------
    | Chris Trainor - FleetHQ BBS
    | telnet://bbs.fleethq.org
    | http://www.facebook.com/FleetHQ
    | +1-401-949-0465 (V.34/HST/CrankyAtTimes)
    ------------------------------------------

    ---
    ■ Synchronet ■ FleetHQ BBS - Greenville, RI
  • From mark lewis@VERT to Android8675 on Thu Feb 20 14:46:06 2014
    On Wed, 19 Feb 2014, Android8675 wrote to DesotoFireflite:

    3? like 3 attempts to connect or 3 different times where thousands
    of connect attempts just bombard your system bringing it to a
    crushing halt and crushing any hopes of your users being able to
    connect, forcing you to literally rip your network connection out of
    the wall or face a full blown system crash?

    unless i'm mistaken, that's called a (D)DOS... DDOS if all of the hits are from
    a lot of different IPs at the same time... is your system being targeted specifically for some reason?

    If it's 3... like just 3 random connects from some IP address, do an
    IP lookup, it's probably just someone running some random script
    that pokes around the net for systems and tries to figure out what
    they are.

    I mean come on my throw me a bone, are you watching someone running
    some crazy password hacking script,

    that would be noticeable... especially if it were using brute force or possibly a list from publicized breaches...

    or is it just some bot trying to relay spam emails through your
    SMTP service?

    that's slightly different than BBS logins, isn't it?

    From what you've described it doesn't sound like much of a pain.

    hehe... that's why my IDS rules take into account so many attempts within a certain period of time before they alert and the automatic response system deals with it ;) my trashcans and similar are virtually empty but my perimeter
    firewall, on the other hand, averages ~200-~300 IPs that are blocked and managed :)

    )\/(ark


    * Origin: (1:3634/12)
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From mark lewis@VERT to Android8675 on Thu Feb 20 14:51:59 2014
    On Wed, 19 Feb 2014, Android8675 wrote to Chris Trainor:

    I think half the fun is watching "people" try to connect.

    absolutely! you should see some of the stuff that my FrontDoor mailer records as "caller id" data because it arrives after the second "ring"... i get folks trying to login there before the bbs has even been brought online to handle the
    connection ;)

    Your board is connected to a "fairly" large network, assuming
    you've chosen to make your board accessible to "THE INTERNET"... (<DrEvil>"Lasers"</DrEvil>) Shit's gonna happen, enjoy it, back up
    your files, and plug your security holes when they come up.

    exactly :)

    )\/(ark


    * Origin: (1:3634/12)
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet
  • From Android8675@VERT to DesotoFireflite on Thu Feb 20 22:16:02 2014
    Re: Attacks
    By: DesotoFireflite to Android8675 on Thu Feb 20 2014 08:17 am

    3? like 3 attempts to connect or 3 different times where thousands
    of connect attempts just bombard your system bringing it to a
    crushing halt

    I meant 3 times a day, I get pinged about 100 times each, sometimes more. It just ties the system up so real callers sometimes can't get in. That is about 300 hack attempts a day, which at times, they come so fast, it takes down all 5 nodes. They clear by themselves, but like I said, it's a pain. They never get in to the bbs, just tie it up.

    That seems excessive, how is your system setup on the net? Cable/DSL? Provider? Are you behind a router with port forwarding or are you "exposed"? Using a synchro.net DynDNS or some other DNS setup? Got your own domain? Who's your host?

    What also shocks me is that you have callers trying to get in at the same time as these hack attempts and they've contacted you to let you know that they can't get online. Wish I could get that kind of traffic.

    -A.


    ---
    ■ Synchronet ■ Shodan's Core - shodan.synchro.net:23 & :2323
  • From Android8675@VERT to Chris Trainor on Thu Feb 20 22:22:44 2014
    Re: Attacks
    By: Chris Trainor to Android8675 on Thu Feb 20 2014 03:08 pm

    yeah that was kind of the whole point. :) No sense running a BBS that only I can get to via localhost. :) Tho I do provide a dialup... still makes me wonder why anyone uses it. (I get like 5 - 15 calls/week on it!).

    It's a combination of "Nostalgia" and the fact that the US is still (guessing) about 40% dial-up only. You should run with that, buy up all the USRs off eBay and start a dial-in service again. You'd have the hottest board...


    ---
    ■ Synchronet ■ Shodan's Core - shodan.synchro.net:23 & :2323
  • From Android8675@VERT to mark lewis on Thu Feb 20 22:24:15 2014
    Re: Attacks
    By: mark lewis to Android8675 on Thu Feb 20 2014 02:46 pm

    I mean come on my throw me a bone, are you watching someone running
    some crazy password hacking script,

    that would be noticeable... especially if it were using brute force or possibly a list from publicized breaches...

    or is it just some bot trying to relay spam emails through your
    SMTP service?

    that's slightly different than BBS logins, isn't it?

    He didn't really specify what kind of connections they were, I was thinking maybe they were SMTP connection attempts. It's not out of the realm of possibility.


    ---
    ■ Synchronet ■ Shodan's Core - shodan.synchro.net:23 & :2323
  • From DesotoFireflite@VERT to First Officer on Fri Feb 21 04:29:27 2014
    Re: Attacks
    By: First Officer to DesotoFireflite on Thu Feb 20 2014 10:17 am

    Just a 2 cents worth. I once had my cable go down and was out a few days. When I came back up, my IP address changed to one that was so wonderfully listed as a proxy server. So many hits per minute, it just shut my system down. I finally had to change the ip address and that did the trick. That was a drastic attack. The current ones going on are not anywhere near as bad, but if it really starts killing your bbs, maybe You could think about changing the IP address. Depending on what kind You have of course.

    That's doable, if it gets too bad, I'll give it a go. Sometimes we forget the obvious. Thanks

    - CAT (n.), Furry keyboard cover.

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


    ---
    ■ Synchronet ■ Valhalla Home Services ■ USA ■ http://valhalla.synchro.net
  • From DesotoFireflite@VERT to Android8675 on Fri Feb 21 04:33:59 2014
    Re: Attacks
    By: Android8675 to DesotoFireflite on Thu Feb 20 2014 10:16 pm

    That seems excessive, how is your system setup on the net? Cable/DSL? Provider? Are you behind a router with port forwarding or are you "exposed"? Using a synchro.net DynDNS or some other DNS setup? Got your own domain? Who's your host?

    I'm behind a router, with ports forwarded, using syncs DynDNS.

    What also shocks me is that you have callers trying to get in at the same time as these hack attempts and they've contacted you to let you know that they can't get online. Wish I could get that kind of traffic.

    LOL, wish I did have that kind of traffic. Let me rephrase... I assume it's blocking inbound bbs calls, as the bot activity is tying up all 5 nodes at times.

    - CAT (n.), Furry keyboard cover.

    - C.G. Learn
    - Valhalla Home Services! - Telnet://valhalla.synchro.net
    - A Gamers Paradise - Over 100 Registered Online Game Doors!


    ---
    ■ Synchronet ■ Valhalla Home Ser
  • From Joe Delahaye@VERT to DesotoFireflite on Mon Feb 24 08:35:52 2014
    Re: Attacks
    By: DesotoFireflite to Android8675 on Fri Feb 21 2014 04:33:59

    LOL, wish I did have that kind of traffic. Let me rephrase... I assume it's blocking inbound bbs calls, as the bot activity is tying up all 5 nodes at times.


    I get that at times, and looking at the control screen it shows all 5 nodes as At Logon Prompt, for several seconds and then it goes away again. one at the time

    In the meantime nobody can get in
    --- SBBSecho 2.26-Win32
    * Origin: The Lions
  • From KF5QEO@VERT to Chris Trainor on Thu Feb 27 23:58:21 2014
    Re: Attacks
    By: Chris Trainor to Android8675 on Thu Feb 20 2014 15:08:44

    yeah that was kind of the whole point. :) No sense running a BBS that only
    I can get to via localhost. :) Tho I do provide a dialup... still makes
    me wonder why anyone uses it. (I get like 5 - 15 calls/week on it!).

    I used to play around with some cool stuff using Winserver. Was neat (Probably could do similar using synchronet, don't see why not...) I'd run a BBS on one computer, another BBS on another computer, totally different software, totally different users, menus, message areas, files, etc. And when you connect via telnet to winserver, it'd allow you to telnet out to the other BBS's via a telnet command to the local IP address that was only visible via inside the network. All BBS's were set up on port 23, but could only be accessed from the winserver setup (which was the only computer open on the router).

    ---
    ■ Synchronet ■ Roach Guts -- kingcoder.net
  • From mro@VERT to Chris Trainor on Sat Mar 1 14:39:27 2014
    From Newsgroup: alt.bbs.synchronet

    To: Chris Trainor
    .,: This is something about Attacks,
    Chris Trainor said it to Android8675 on Wed Feb 19 2014 03:15 pm
    --──────────────────────-────---───────────────---─────────--────────
    The hacks I see look like they're general hack scripts that are just
    running against open telnet servers. Looking for a way in, hoping it's
    a misconfigured router, server, switch, etc. If you look thru the username/pw combo lists they try they're not looking to get into the 'BBS'.... just an auto script that found an open telnet port and trying
    a pile of common admin logins.



    they're not 'hack's; they're attacks.

    it's all part of running a server on the internet.
    you're going to be attacked all freaking day and all night by these losers.


    ---
    This email is free from viruses and malware because avast! Antivirus protection is active.
    http://www.avast.com

    --- Synchronet 3.16a-Win32 NewsLink 1.102
    ■ Synchronet ■ Vertrauen ■ Home of Syn
  • From mro@VERT to Android8675 on Sat Mar 1 14:43:06 2014
    From Newsgroup: alt.bbs.synchronet

    To: Android8675
    .,: This is something about Attacks,
    Android8675 said it to DesotoFireflite on Wed Feb 19 2014 09:06 pm
    --──────────────────────-────---───────────────---─────────--────────

    I get about 3 attempts a day trying to gain access. In the old days, I would call it war dialing. If I manually put the address into the can,

    3? like 3 attempts to connect or 3 different times where thousands of connec attempts just bombard your system bringing it to a crushing halt and crushin any hopes of your users being able to connect, forcing you to literally rip


    i would give my left nut for 3 attack attempts. i get like 3 million per day.

    From what you've described it doesn't sound like much of a pain.

    maybe this guy's best bet is security through obscurity. make it harder for some script to login and try to attack. he could even have a type of telnet captcha which catches a login and tells them to type a code to login to the real system.... or be blocked.

    with bbstorrents i added something simple to my scripts and stopped script attacks and fake accounts by 90%


  • From mro@VERT to DesotoFireflite on Sat Mar 1 14:44:10 2014
    From Newsgroup: alt.bbs.synchronet

    To: DesotoFireflite
    .,: This is something about Attacks,
    DesotoFireflite said it to Android8675 on Thu Feb 20 2014 08:17 am
    --──────────────────────-────---───────────────---─────────--────────

    I meant 3 times a day, I get pinged about 100 times each, sometimes more. It just ties the system up so real callers sometimes can't get in. That is abou


    look into using peerblock if you are on windows and if your router doesn't
    give you many options for blocking.



    --- Synchronet 3.16a-Win32 NewsLink 1.102
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Dribble@VERT to All on Tue Oct 25 14:35:04 2016
    So just curious,

    due to the mass DDoS attacks, what does everyone have their throttle and delay set at, mine are both 5000 with perm filter at 3 but it doesn't appear to be filtering anyone, so I thought it might have to do with the delay/throttle.

    % Dribble [ACiDiC/nRk]

    ---
    ■ Synchronet ■ Lunatic Fringe - lunatic.zapto.org
  • From Digital Man@VERT to Dribble on Tue Oct 25 16:47:42 2016
    Re: Attacks
    By: Dribble to All on Tue Oct 25 2016 02:35 pm

    So just curious,

    due to the mass DDoS attacks, what does everyone have their throttle and delay set at, mine are both 5000 with perm filter at 3 but it doesn't appear to be filtering anyone, so I thought it might have to do with the delay/throttle.

    Are the attacks actually attempting login?

    Look at your logs (e.g. data/hack.log) to see the permanent filtering activity.

    digital man

    Synchronet/BBS Terminology Definition #40:
    UART = Universal Asynchronous Receiver/Transmitter
    Norco, CA WX: 75.2°F, 54.0% humidity, 4 mph E wind, 0.06 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://v
  • From Dribble@VERT to Digital Man on Tue Oct 25 19:24:36 2016
    Re: Attacks
    By: Digital Man to Dribble on Tue Oct 25 2016 04:47 pm

    Are the attacks actually attempting login?
    Look at your logs (e.g. data/hack.log to see the permanent filtering

    Apparently hack.log is not being created, and they are trying to login - they try account names such as root, echo, and other randoms, but it happens so quickly it has to be a script of some sort.

    % Dribble [ACiDiC/nRk]

    ---
    ■ Synchronet ■ Lunatic Fringe - lunatic.zapto.org
  • From Digital Man@VERT to Dribble on Tue Oct 25 23:38:19 2016
    Re: Attacks
    By: Dribble to Digital Man on Tue Oct 25 2016 07:24 pm

    Re: Attacks
    By: Digital Man to Dribble on Tue Oct 25 2016 04:47 pm

    Are the attacks actually attempting login?
    Look at your logs (e.g. data/hack.log to see the permanent filtering

    Apparently hack.log is not being created, and they are trying to login - they try account names such as root, echo, and other randoms, but it happens so quickly it has to be a script of some sort.

    What version of Synchronet are you running?

    What do you have LoginAttemptHackThreshold set to in your ctrl/sbbs.ini file?

    If you put those account names (they're not random) in your text/name.can file, those attackers will be automatically temp-banned.
    See http://cvs.synchro.net/cgi-bin/viewcvs.cgi/*checkout*/text/name.can
    and http://wiki.synchro.net/howto:block-hackers for details.

    digital man

    Synchronet/BBS Terminology Definition #9:
    CR = Carriage Return (ASCII 13, Ctrl-M)
    Norco, CA WX: 63.2°F, 76.0% humidity, 0 mph SSE wind, 0.01 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From mark lewis@VERT to Dribble on Wed Oct 26 07:12:04 2016
    25 Oct 16 19:24, you wrote to Digital Man:

    Are the attacks actually attempting login? Look at your logs (e.g.
    data/hack.log to see the permanent filtering

    Apparently hack.log is not being created, and they are trying to login
    - they try account names such as root, echo, and other randoms, but it happens so quickly it has to be a script of some sort.

    dribble,

    where have you been these last weeks?? have you not heard of MIRAI? ;)

    FWIW1: it is not a script but we like to think that those running these things are nothing more than script kiddies... MIRAI and its friends are actually compiled binaries... i think GoLang but a lot of what i see looks to be C... at least it reads like C...

    FWIW2: your seeing the "echo" string comes from the bot attempting to determine if the ""device"" it has connected to has been infested by itself... "echo" is not actually a user name or password but one of the commands it uses... your system just happened to catch it when it was waiting for the remote to emit their user name... you might even see the four most common commands "enable", "system", "shell" and "sh" in that order... they are then followed by "the/path/to/busybox" with the command "MIRAI", "ECCHI", "IHCCE" or "VDOSS"...

    FWIW3: MIRAI has 63 pairs of user names and passwords... of those, 60 are unique pairs... there's only 15 unique user names and only 42 unique passwords with 2 entries not having any password at all...

    FWIW4: here's the list of user names and passwords... we just added them to the .can files so that folks can't use them to sign in with...

    unique user names
    =================
    666666
    888888
    admin
    admin1
    administrator
    Administrator
    guest
    mother
    root
    service
    supervisor
    support
    tech
    ubnt
    user


    unique passwords
    ================
    00000000
    1111
    1111111
    1234
    12345
    123456
    54321
    666666
    7ujMko0admin
    7ujMko0vizxv
    888888
    admin
    admin1234
    anko
    default
    dreambox
    fucker
    guest
    hi3518
    ikwb
    juantech
    jvbzd
    klv123
    klv1234
    meinsm
    pass
    password
    realtek
    root
    service
    smcadmin
    supervisor
    support
    system
    tech
    ubnt
    user
    vizxv
    xc3511
    xmhdipc
    zlxx.
    Zte521


    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Desperate times call for cheap shots.
    ---
    * Origin: (1:3634/12.73)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
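An added example, not part of any post in this thread and not Synchronet code: classifying source addresses by the login names they tried, using the user names and the probe-command order given in the post above. The `(ip, name)` record shape, the function names, the verdict labels and the threshold of three listed names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# User names listed in the post above (Mirai's built-in list).
MIRAI_USER_NAMES = {
    "666666", "888888", "admin", "admin1", "administrator", "Administrator",
    "guest", "mother", "root", "service", "supervisor", "support", "tech",
    "ubnt", "user",
}
# Shell commands the post says the bot sends, in this order, after connecting.
MIRAI_PROBE_COMMANDS = ("enable", "system", "shell", "sh")


def contains_in_order(names, pattern):
    """True if every item of pattern occurs in names, in the same order."""
    remaining = iter(names)  # shared iterator: each match resumes after the last
    return all(any(name == wanted for name in remaining) for wanted in pattern)


def classify_sources(attempts, min_listed_names=3):
    """Map each source IP to a verdict based on the login names it tried.

    attempts: iterable of (ip, attempted_name) tuples in arrival order
    (a hypothetical record shape, not a Synchronet log format).
    """
    names_by_ip = defaultdict(list)
    for ip, name in attempts:
        names_by_ip[ip].append(name.strip())

    verdicts = {}
    for ip, names in names_by_ip.items():
        listed = {n for n in names if n in MIRAI_USER_NAMES}
        if contains_in_order(names, MIRAI_PROBE_COMMANDS):
            verdicts[ip] = "mirai-probe-commands"
        elif len(listed) >= min_listed_names:
            verdicts[ip] = "listed-name-guessing"
        else:
            verdicts[ip] = "unclassified"
    return verdicts


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", "root"), ("192.0.2.10", "enable"), ("192.0.2.10", "system"),
    ("192.0.2.10", "shell"), ("192.0.2.10", "sh"),
    ("198.51.100.7", "admin"), ("198.51.100.7", "ubnt"), ("198.51.100.7", "support"),
    ("203.0.113.5", "sysop"), ("203.0.113.5", "guest"),
]

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_ATTEMPTS).items():
        print(ip, verdict)
```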
  • From Accession@VERT to Digital Man on Wed Oct 26 11:23:23 2016
    Hello Digital,

    On 25 Oct 16 16:47, Digital Man wrote to Dribble:

    due to the mass DDoS attacks, what does everyone have their
    throttle and delay set at, mine are both 5000 with perm filter at 3
    but it doesn't appear to be filtering anyone, so I thought it might
    have to do with the delay/throttle.

    Are the attacks actually attempting login?

    Look at your logs (e.g. data/hack.log) to see the permanent filtering activity.

    Honestly, I haven't really understood this from the get-go so I may as well ask some questions here too.

    What you're saying is that the only way it will ban is from login attempts? So if the same IP address connects 30x in one minute, it won't ban them for taking up all your nodes, idling there for a couple minutes, then disconnecting - leaving your system unreachable to others until you manually add that IP to your ip.can?

    Regards,
    Nick

    ... "If at first you don't succeed, destroy all evidence that you tried."
    --- GoldED+/LNX 1.1.5-b20
  • From Digital Man@VERT to Accession on Wed Oct 26 13:38:06 2016
    Re: Re: Attacks
    By: Accession to Digital Man on Wed Oct 26 2016 11:23 am

    Honestly, I haven't really understood this from the get-go so I may as well ask some questions here too.

    What you're saying is that the only way it will ban is from login attempts? So if the same IP address connects 30x in one minute, it won't ban them for taking up all your nodes, idling there for a couple minutes, then disconnecting - leaving your system unreachable to others until you manually add that IP to your ip.can?

    That is correct. There is no method currently for banning or filtering just based on connection activity.

    digital man

    Synchronet/BBS Terminology Definition #21:
    FSP = FidoNet Standards Proposal
    Norco, CA WX: 76.8°F, 50.0% humidity, 2 mph ESE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
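An added example, not part of any post in this thread and not a Synchronet feature: a sliding-window counter that finds the case described above, where one address opens 30 connections within a minute without logging in, so an operator can review those addresses for ip.can. The log line format, the function names and the defaults are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_FORMAT = "%Y-%m-%d %H:%M:%S"  # hypothetical log timestamp format


def parse_connection(line):
    """Parse a constructed '<date> <time> connect <ip>' line into (time, ip)."""
    date, time, event, ip = line.split()
    if event != "connect":
        raise ValueError(f"unexpected event: {event!r}")
    return datetime.strptime(f"{date} {time}", LINE_FORMAT), ip


def find_connection_floods(lines, max_connections=30, window=timedelta(minutes=1)):
    """Return {ip: time the limit was first reached} for flooding sources.

    A source is flagged once it has opened max_connections connections
    inside any sliding window of the given length.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for when, ip in sorted(parse_connection(l) for l in lines if l.strip()):
        stamps = recent[ip]
        stamps.append(when)
        while stamps[0] <= when - window:  # drop connections older than window
            stamps.popleft()
        if len(stamps) >= max_connections:
            flagged.setdefault(ip, when)
    return flagged


def build_sample_log():
    """Constructed sample: one fast source, one slow source (RFC 5737 addresses)."""
    start = datetime(2016, 10, 26, 11, 0, 0)
    lines = []
    for i in range(30):
        fast = (start + timedelta(seconds=2 * i)).strftime(LINE_FORMAT)
        slow = (start + timedelta(seconds=5 * i)).strftime(LINE_FORMAT)
        lines.append(f"{fast} connect 192.0.2.10")    # 30 connections in 58 s
        lines.append(f"{slow} connect 198.51.100.7")  # 30 connections in 145 s
    return lines


if __name__ == "__main__":
    for ip, when in find_connection_floods(build_sample_log()).items():
        print(f"{ip} reached the limit at {when}; candidate for ip.can")
```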