• hackers

    From Danny Weeds@VERT to All on Mon Dec 19 12:24:26 2016
    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing so well.
    any way as to limit those. i have looked thru the docs and done everything there..
    they are clogging things up for sure..
    --- SBBSecho 2.27-Win32
    * Origin: winsomehaven.com 1:153/758 (1:153/758)
    Synchronet Vertrauen Home of Synchronet
  • From kk4qbn@VERT/KK4QBN to Danny Weeds on Mon Dec 19 17:31:48 2016
    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing so well.

    Mirai Bots, Mark lewis will fill you in, these are not hackers, they are SLAVE computers taken over by a master server that commands them to do its dirty work at intervals.. nothing for you to worry about except the mess of tying your nodes up. Update to version 3.17 if you can and set up all the auto filtering/ banning stuff..

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    Synchronet KK4QBN
  • From Digital Man@VERT to Danny Weeds on Mon Dec 19 15:26:48 2016
    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing so well.
    any way as to limit those. i have looked thru the docs and done everything there..
    they are clogging things up for sure..

    Read this: http://wiki.synchro.net/howto:block-hackers

    digital man

    Synchronet "Real Fact" #14:
    SBBSecho was originally written by Allen Christiansen (King Drafus) in 1994. Norco, CA WX: 64.1F, 12.0% humidity, 15 mph W wind, 0.00 inches rain/24hrs
    ---
    Synchronet Vertrauen Home of Synchronet telnet://vert.synchro.net
  • From Ragnarok@docksud.com.ar to kk4qbn on Mon Dec 19 21:19:21 2016
    On 19/12/16 at 19:31, kk4qbn wrote:
    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing
    so well.

    Mirai Bots, Mark lewis will fill you in, these are not hackers, they are SLAVE
    computers taken over by a master server that commands them to do its dirty work at intervals.. nothing for you to worry about except the mess of tying your nodes up. Update to version 3.17 if you can and set up all the auto filtering/ banning stuff..

    --
    you can use fail2ban filters based on sbbs log files.

    i will put this info on the wiki asap
  • From Lobo@VERT/DALISCAT to Danny Weeds on Mon Dec 19 17:45:19 2016
    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing

    One excellent addition in prevention of these probes to dilly dally around
    your nodes is the latest 'login.js' update, grab it from cvs if it's not the
    latest you have already (login.js,v 1.14 2016/12/06 09:23:32).

    What it does is to detect probings without terminal (most of them are) and
    immediately cut their 'inactivity' to X amount of sec (70 by default, you can
    change it whatever, mine is 30) and remove them once the time is up.
    Funny thing is that most of them will immediately fire up some common login
    (root or such) which in turn, being likely in your ban list will get them
    disconnected. The nice part about it is that it all lasts about..a second?
    This update helped me reduce the flow of hogging pest so much, I almost don't
    see the attempts anymore or they last 1 sec which is not bad at all. :)


    ,.-''Dali's Cat - "I love it" - Andre Breton, 1925 ''-., daliscat.synchro.net

    ---
    Synchronet Dali's Cat
  • From mark lewis@VERT to Danny Weeds on Mon Dec 19 19:12:00 2016
    19 Dec 16 12:24, you wrote to All:

    ok so i just put the bbs back up and now i'm getting a lot of unknown
    login attempts and they are nothing and saying connecting on port whatever.. as its all different ones i'm guessing that someone's trying to
    brute force their way in and not doing so well. any way as to limit
    those. i have looked thru the docs and done everything there.. they are clogging things up for sure..

    your system is the victim of the MIRAI and variants IoT infestation botnet mess...

    1. get off of port 23 and/or 2323

    that one rule will eliminate 99.99% of these troubles... if you feel that you must stay there then either enable the steps detailed in the wiki's hackers section or install an intrusion detection system with autoblocking capabilities on your perimeter firewall to catch and block these connections... my IDS autoblocking solution has over 7000 IPs world wide blocked and managed specifically due to MIRAI and its variants... plus i have another double fist full manually added to my manually managed ipblock list... trust me, as a network security guy that has been dealing with MIRAI since before it was known to the public, rule 1 above is the best thing to do to prevent them from mucking with your system... they can't do anything anyway as they are looking to break into IOT devices but still...


    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Grandparents and grandchildren get on, as they have a common enemy.
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet telnet://vert.synchro.net
  • From Dribble@VERT/LUNATIC to Danny Weeds on Mon Dec 19 16:29:44 2016
    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing

    had this issue too, but Rob just put an IP limit in SBBS.INI, so I suggest you download 3.17 and set the maximum connections to 1, at least that will keep your nodes from filling up.

    % Dribble [ACiDiC/nRk]

    ---
    Synchronet Lunatic Fringe - lunatic.synchro.net
  • From kk4qbn@VERT/KK4QBN to Ragnarok on Mon Dec 19 21:29:36 2016
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 09:19 pm


    you can use fail2ban filters based on sbbs log files.

    i will put this info on the wiki asap

    Cool, but why? 3.17 has this plus more. all built in...

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    Synchronet KK4QBN BBS - (706)422-9538 - kk4qbn.synchro.net, Chatsworth GA US
  • From kk4qbn@VERT/KK4QBN to mark lewis on Mon Dec 19 21:32:06 2016
    Re: hackers
    By: mark lewis to Danny Weeds on Mon Dec 19 2016 07:12 pm

    1. get off of port 23 and/or 2323

    I disagree.


    I upgraded to 3.17,

    Have my connection throttling, temp banning, and ip filters set up perfect and keep my nodes clear 99% of the time.. sometimes I'll get 2-3 hits from the same i- at once but now sbbs does the job intended,

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    Synchronet KK4QBN BBS - (706)422-9538 - kk4qbn.synchro.net, Chatsworth GA US
  • From Danny Weeds@VERT to Digital Man on Mon Dec 19 17:07:42 2016
    Re: hackers
    By: Digital Man to Danny Weeds on Mon Dec 19 2016 15:26:48

    Re: hackers
    By: Danny Weeds to All on Mon Dec 19 2016 12:24 pm

    ok so i just put the bbs back up
    and now i'm getting a lot of unknown login attempts and they are nothing and saying connecting on port whatever.. as its all different ones
    i'm guessing that someone's trying to brute force their way in and not doing so well.
    any way as to limit those. i have looked thru the docs and done everything there..
    they are clogging things up for sure..

    Read this: http://wiki.synchro.net/howto:block-hackers

    yeah i did read that one and went thru it
    so far still popping in


    digital man

    Synchronet "Real Fact" #14:
    SBBSecho was originally written by Allen Christiansen (King Drafus) in 1994. Norco, CA WX: 64.1F, 12.0% humidity, 15 mph W wind, 0.00 inches rain/24hrs
    --- SBBSecho 2.27-Win32
    * Origin:
  • From Danny Weeds@VERT to Ragnarok on Mon Dec 19 17:20:33 2016
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 21:19:21

    cool i'll look for it thanks
    --- SBBSecho 2.27-Win32
    * Origin: winsomehaven.com 1:153/758 (1:153/758)
    Synchronet Vertrauen Home of Synchronet telnet://vert.synchro.net
  • From Danny Weeds@VERT to Dribble on Mon Dec 19 19:07:16 2016
    Re: hackers
    By: Dribble to Danny Weeds on Mon Dec 19 2016 16:29:44

    thanks... did that i'll configure it on the weekend when i'm back home
    --- SBBSecho 2.27-Win32
    * Origin: winsomehaven.com 1:153/758 (1:153/758)
    Synchronet Vertrauen Home
  • From Ragnarok@docksud.com.ar to kk4qbn on Tue Dec 20 12:24:57 2016
    On 19/12/16 at 23:29, kk4qbn wrote:
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 09:19 pm


    you can use fail2ban filters based on sbbs log files.

    i will put this info on the wiki asap

    Cool, but why? 3.17 has this plus more. all built in...

    sbbs can block, but at process level. (cpu load, open process, check etc..)
    when filters are applied to iptables, it blocks at kernel level and the sbbs
    process never gets nodes busy, the load is down etc..

    just only (and possibly not visible) optimization of server. =)
  • From Ragnarok@docksud.com.ar to Danny Weeds on Tue Dec 20 12:38:15 2016
    On 19/12/16 at 22:20, Danny Weeds wrote:
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 21:19:21

    cool i'll look for it thanks

    simple you can create a filter file in /etc/fail2ban/filter.d/sbbs.conf

    ---- cut --------
    [INCLUDES]
    before = common.conf

    [Definition]

    failregex = Bad password from: <HOST>
                Throttling suspicious connection from: <HOST>

    -------- cut ---------

    and add another failregex string based on the sbbs log file, with these
    two are fine for me for now. But i think that it is possible to add another
    based on the POP/SMTP services too

    then, append this to the /etc/fail2ban/jail.conf

    [sbbs-iptables]
    enabled = true
    filter = sbbs
    action = iptables-allports[name=SBBS, protocol=all]
    logpath = /var/log/daemon.log
    maxretry = 3
    findtime = 21600
    bantime = 21600

    Note: at my system i use syslog and send the log to the daemon.log file

    then you can test fail2ban


    $ fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/sbbs.conf

    Running tests
    =============

    Use failregex file : sbbs.conf
    Use log file : /var/log/daemon.log


    Results
    =======

    Failregex: 3566 total
    |- #) [# of hits] regular expression
    | 1) [3043] Bad password from: <HOST>
    | 2) [523] Throttling suspicious connection from: <HOST>
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [145289] MONTH Day Hour:Minute:Second
    `-

    Lines: 145289 lines, 0 ignored, 3566 matched, 141723 missed
    Missed line(s): too many to print. Use --print-all-missed to print all
    141723 lines
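
An added example, not part of Ragnarok's post and not code from Synchronet or fail2ban: a small Python simulation of the jail above, applying the two failregex lines with maxretry = 3 and findtime = 21600 to constructed log lines to show which hosts would be banned. The syslog prefix of the sample lines and the IPv4-only stand-in for <HOST> are assumptions; only the matched text comes from the filter in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two failregex lines and the jail values, as given in the post.
FAILREGEX = [
    r"Bad password from: <HOST>",
    r"Throttling suspicious connection from: <HOST>",
]
MAXRETRY = 3
FINDTIME = 21600  # seconds (6 hours)

# Assumption: an IPv4-only stand-in for fail2ban's <HOST> placeholder,
# which in fail2ban itself also covers IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# "MONTH Day Hour:Minute:Second", the date template reported by
# fail2ban-regex in the post. Syslog omits the year, so one is assumed.
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample lines: the hostname/program prefix is made up and
# the addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "Dec 19 12:24:26 bbs synchronet: term Node 1 Bad password from: 192.0.2.10",
    "Dec 19 12:24:31 bbs synchronet: term Node 2 Throttling suspicious connection from: 192.0.2.10",
    "Dec 19 12:25:02 bbs synchronet: term Node 1 Bad password from: 198.51.100.7",
    "Dec 19 12:26:40 bbs synchronet: term Node 3 Bad password from: 192.0.2.10",
    "Dec 19 13:00:00 bbs synchronet: term Node 1 Logon: regular user",
    "Dec 19 19:30:00 bbs synchronet: term Node 1 Bad password from: 198.51.100.7",
    "Dec 20 02:00:00 bbs synchronet: term Node 1 Bad password from: 198.51.100.7",
]


def parse_line(line, year=2016):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
            return when, m.group("host")
    return None


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time of ban} for hosts with maxretry failures in findtime."""
    recent = defaultdict(deque)  # host -> failure times still inside the window
    banned = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        when, host = hit
        if host in banned:
            continue  # once banned, iptables drops the host's traffic
        window = recent[host]
        window.append(when)
        # Failures older than findtime no longer count toward maxretry.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when
    return banned


if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {when}")
```

In the sample, 192.0.2.10 is banned on its third failure, while 198.51.100.7 is not, because its three failures lie more than findtime apart.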
  • From mark lewis@VERT to kk4qbn on Tue Dec 20 07:50:06 2016
    19 Dec 16 21:32, you wrote to me:

    1. get off of port 23 and/or 2323

    I disagree.

    you're entitled to do that ;)

    I upgraded to 3.17,

    Have my connection throttling, temp banning, and ip filters set up
    perfect and keep my nodes clear 99% of the time.. sometimes I'll get 2-3
    hits from the same i- at once but now sbbs does the job intended,

    my FD/RA system (on port 23) doesn't have these capabilities... it is traditional old school DOS stuff... however the IDS running on my perimeter firewall has rules in place to detect these intrusions... the alerts it creates
    trigger blocking of the offending IP in the firewall so the server (aka BBS) software is not flooded with them and ignoring them... the server/BBS can still
    be DDOSed by IPs being ignored... ignoring them requires some processing to make the decision to block or not... blocking at the perimeter firewall takes the strain off the servers and their software plus the firewall is designed to handle this stuff...

    when i say i am seeing 500+ hits a day, i'm being serious and a bit lenient...
    it is actually more than that but who expects 500 connections a day in this day
    in time??

    i have eight nodes on my FD/RA system and sometimes they are all full of probes
    and infestation attempts from different IPs all hitting at the same time... i've seen the SBBS system i host (on port 2323) have all 10 of its nodes filled
    with similar probes and infestation attempts... that SBBS system is configured in the same manner as yours but the probes and attempts still get through until
    expressly detected and blocked...

    there are only 1440 minutes in a day... at 500+ attempts, that's one attempt about every three minutes on average and that's with only one node taking the connections... multiply that by the number of nodes available and you have your
    potential daily count... heck, if each attempt takes 60 seconds, there could easily be 1440 attempts a day per node...

    the probes and infestation attempts are getting worse, too... they come in bunches and there are numerous bot herders fighting amongst themselves so each is trying to beat the other to have the largest bot net... plus someone has taken MIRAI and taught it to look on other ports (5555, 7xxx i can't recall right now, and a new one 6789)... i won't even mention about it being taught TR-064 and how it can now also infest routers and other devices using TR-064...

    seriously, if one wants to run their BBS and not have to deal with these probes
    and infestation attempts, the absolute best thing to do is to get off the ports being worked over... that is a fact that cannot be denied...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Do what comes naturally now. Seethe and fume and throw a tantrum.
    ---
    * Origin: (1:3634/12.73)
    Synchronet Vertrauen Home of Synchronet telnet://vert.synchro.net
  • From Tony Langdon@VERT to kk4qbn on Wed Dec 21 08:30:00 2016
    kk4qbn wrote to Danny Weeds <=-

    Mirai Bots, Mark lewis will fill you in, these are not hackers, they
    are SLAVE computers taken over by a master server that commands them to
    do its dirty work at intervals.. nothing for you to worry about except the mess of tying your nodes up. Update to version 3.17 if you can and set up all the auto filtering/ banning stuff..

    In short: annoying, but not harmful (to BBSs).


    ... Useless Invention: Reduced calorie water.
    --- Mult
  • From kk4qbn@VERT/KK4QBN to mark lewis on Thu Dec 22 22:15:25 2016
    Re: hackers
    By: mark lewis to kk4qbn on Tue Dec 20 2016 07:50 am

    the probes and infestation attempts are getting worse, too... they come in bunches and there are numerous bot herders fighting amongst themselves so each is trying to beat the other to have the largest bot net... plus someone has taken MIRAI and taught it to look on other ports (5555, 7xxx i can't recall right now, and a new one 6789)... i won't even mention about it being taught TR-064 and how it can now also infest routers and other

    <SNIP>

    Yes, it takes a tiny bit of resources to deny an ip once it gets filtered, and they are getting worse because idiots and their unprotected devices, but the ip filter works fine if strictly configured, I get close to 4000 (YES 4000) attempts a day, and never get any node past node 5 filled all at once with the new ip filtering. I see no need whatsoever to use a non standard port in Synchronet. why even run a bbs if a person out in wwwland downloads some regular mtelnet type app, and has no idea about ports, but knows your hostname.. that person will NEVER see your BBS, there are BBSes that have been up for years and can advertise months ahead of time that they are changing ports, when the change comes, that BBS just lost 85% of their users.. thats just how it is.. people dont like change.. or are too lazy to change a freaking port number..

    What we need to do is find a way to allow these Mirai systems on and find an exploit of our own to shut them down. I believe it was you that was talking about that before, but what would be cool is to send something like an ANSI bomb (hell something) in place of the IP filter message that would render their bot useless..

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    Synchronet KK4QBN BBS - (706)422-9538 - kk4qbn.synchro.net, Chatsworth GA US
  • From Mro@VERT/BBSESINF to Ragnarok on Sat Dec 24 21:30:58 2016
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Tue Dec 20 2016 12:24 pm

    On 19/12/16 at 23:29, kk4qbn wrote:
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 09:19 pm


    you can use fail2ban filters based on sbbs log files.

    i will put this info on the wiki asap

    Cool, but why? 3.17 has this plus more. all built in...

    sbbs can block, but at process level. (cpu load, open process, check etc..) when filters are applied to iptables, it blocks at kernel level and the sbbs process never gets nodes busy, the load is down etc..

    just only (and possibly not visible) optimization of server. =)



    you're very right. there's no load for the bbs to take and iptables is a better solution.
  • From Jeff Friend@VERT/MORDOR to Ragnarok on Mon Dec 26 10:49:19 2016
    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 09:19 pm

    Mirai Bots, Mark lewis will fill you in, these are not hackers, they are S computers taken over by a master server that commands them to do its dirt work at intervals.. nothing for you to worry about except the mess of tyin your nodes up. Update to version 3.17 if you can and set up all the auto filtering/ banning stuff..

    3.17??? Where is this available? synchro.net only shows 3.16c as the latest version..

    I get hammered most of the time by these bots too. But since I only have 1 account on my BBS, mine, I am not bothered by it. But I would be interested in stopping them anyway, just because I can..

    Jeff in Australia.

    ---
    Synchronet
  • From Mro@VERT/BBSESINF to Jeff Friend on Mon Dec 26 00:27:14 2016
    Re: Re: hackers
    By: Jeff Friend to Ragnarok on Mon Dec 26 2016 10:49 am


    3.17??? Where is this available? synchro.net only shows 3.16c as the latest version..

    I get hammered most of the time by these bots too. But since I only have 1 account on my BBS, mine, I am not bothered by it. But I would be interested in stopping them anyway, just because I can..


    compiled binaries for windows?
    you can get them from ftp://vert.synchro.net/Synchronet/
    sort them by date
    they have sbbs_run and sbbs_dev

    then check out cvs.synchro.net and grab a tarball if you need anything else that doesnt require compiling

    i am running 3.17 and the new stuff hasnt really helped lessen attackers.
    i tweaked the settings, still getting them tying up nodes.

    i think the best way to do it is via your hardware or
    software firewall and block specific countries and repeat offenders.
    ---
    Synchronet ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to Jeff Friend on Mon Dec 26 15:15:56 2016
    Re: Re: hackers
    By: Jeff Friend to Ragnarok on Mon Dec 26 2016 10:49 am

    Re: Re: hackers
    By: Ragnarok to kk4qbn on Mon Dec 19 2016 09:19 pm

    Mirai Bots, Mark lewis will fill you in, these are not hackers, they are S computers taken over by a master server that commands them to do its dirt work at intervals.. nothing for you to worry about except the mess of tyin your nodes up. Update to version 3.17 if you can and set up all the auto filtering/ banning stuff..

    3.17???

    3.17 is currently under development.

    Where is this available?

    ftp://vert.synchro.net/Synchronet

    synchro.net only shows 3.16c as the latest version..

    That is the latest release still.

    digital man

    Synchronet "Real Fact" #6:
    Synchronet version 3 for Linux and FreeBSD development began in 2001.
    Norco, CA WX: 69.9F, 16.0% humidity, 4 mph WSW wind, 0.00 inches rain/24hrs
    ---
    Synchronet Vertrauen
  • From Digital Man@VERT to Mro on Mon Dec 26 15:17:15 2016
    Re: Re: hackers
    By: Mro to Jeff Friend on Mon Dec 26 2016 12:27 am

    i am running 3.17 and the new stuff hasnt really helped lessen attackers.
    i tweaked the settings, still getting them tying up nodes.

    Care to elaborate? What settings? How did you tweak them? Define "tying up nodes"? Thanks,

    digital man

    Synchronet "Real Fact" #79:
    172 Synchronet Match Maker registrations were sold (@$69) between 1995 and 1996.
    Norco, CA WX: 69.9F, 16.0% humidity, 4 mph WSW wind, 0.00 inches rain/24hrs
    ---
    Synchronet Vertrauen Home of Synchronet telnet://vert.synchro.net
  • From Mro@VERT/BBSESINF to Digital Man on Mon Dec 26 21:50:53 2016
    Re: Re: hackers
    By: Digital Man to Mro on Mon Dec 26 2016 03:17 pm

    Re: Re: hackers
    By: Mro to Jeff Friend on Mon Dec 26 2016 12:27 am

    i am running 3.17 and the new stuff hasnt really helped lessen attackers. i tweaked the settings, still getting them tying up nodes.

    Care to elaborate? What settings? How did you tweak them? Define "tying up nodes"? Thanks,



    Settings in control panel properties > security
    ---
    Synchronet ::: BBSES.info - free BBS serv
  • From Digital Man@VERT to Mro on Tue Dec 27 00:54:57 2016
    Re: Re: hackers
    By: Mro to Digital Man on Mon Dec 26 2016 09:50 pm

    Re: Re: hackers
    By: Digital Man to Mro on Mon Dec 26 2016 03:17 pm

    Re: Re: hackers
    By: Mro to Jeff Friend on Mon Dec 26 2016 12:27 am

    i am running 3.17 and the new stuff hasnt really helped lessen attackers. i tweaked the settings, still getting them tying up nodes.

    Care to elaborate? What settings? How did you tweak them? Define "tying up nodes"? Thanks,



    Settings in control panel properties > security

    Not all of the settings are exposed there yet, for example, MaxConcurrentConnections. See http://wiki.synchro.net/config:sbbs.ini for all the relevant available settings.

    digital man

    Synchronet/BBS Terminology Definition #57:
    XPDEV = Cross-platform Development
    Norco, CA WX: 69.9F, 16.0% humidity, 4 mph WSW wind, 0.00 inches rain/24hrs
    ---
    Synchronet Vertrauen Home of Synchronet
  • From Accession@VERT/PHARCYDE to Jeff Friend on Sun Dec 25 23:16:26 2016
    Hello Jeff,

    On Mon Dec 26 2016 10:49:18, Jeff Friend wrote to Ragnarok:

    3.17??? Where is this available? synchro.net only shows 3.16c as the latest version..

    3.16c is the latest downloadable full version. You can download nightly builds and run the latest and greatest if you wish, albeit they're not "stable" versions. However, the developers are here and take every bit of criticism you can throw at them - and will help you fix any issues you may have.

    My opinion (which doesn't matter much): well worth it. :)

    Regards,
    Nick

    ... "I don't know. I only work here."
    --- GoldED+/LNX 1.1.5-b20161221
    * Origin: thePharcyde_ distribution system (Wisconsin) (723:1/1)
    Synchronet thePharcyde_ telnet:/