• SSH

    From Denn Gray@VERT/OUTWEST to All on Thu Mar 23 08:51:58 2017
    Recently I blocked the SSH port 22 and turned it off in Synchronet control panel since I log in either through my home network or Telnet only.
    Most of the unwanted port sniffing bot traffic is now gone or rejected.
    I use two firewalls on my Synchronet PC, the Windows firewall and my router firewall.
    Seems like the snifbots are assuming I run on a Linux machine as they are trying to access my root directory. This weekend I plan to do a country IP block on certain countries like China. Even if they were able to gain control of my Synchronet PC they would not get any useful information.
    /s

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
  • From Nightfox@VERT/DIGDIST to Denn Gray on Thu Mar 23 09:16:07 2017
    Seems like the snifbots are assuming I run on a Linux machine as they are trying to access my root directory

    For that reason, I'm not sure if they're really harmful for Synchronet systems. I doubt they can gain access to your system through the Synchronet SSH server, and if they try to log in as 'root' etc., they're not going to get in, unless you happen to have a BBS user named 'root' (which is unlikely).

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Ennev@VERT/MTLGEEK to Nightfox on Thu Mar 23 15:27:25 2017
    For that reason, I'm not sure if they're really harmful for Synchronet systems. I doubt they can gain access to your system through the Synchronet SSH server, and if they try to log in as 'root' etc., they're not going to get in, unless you happen to have a BBS user named 'root' (which is unlikely).

    I guess the only real annoyance is the nodes they are taking and the logs they are filling :-)

    ---
    ■ Synchronet ■ MtlGeek - Geeks in Montreal - http://mtlgeek.com/ -
  • From Nightfox@VERT/DIGDIST to Ennev on Thu Mar 23 13:18:01 2017
    I guess the only real annoyance is the nodes they are taking and the logs they are filling :-)

    That's true.. For a while I started blocking IPs in my router so that they wouldn't even hit my BBS machine..

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From KK4QBN@VERT/KK4QBN to Nightfox on Thu Mar 23 19:49:28 2017
    Re: SSH
    By: Nightfox to Denn Gray on Thu Mar 23 2017 09:16 am

    For that reason, I'm not sure if they're really harmful for Synchronet systems. I doubt they can gain access to your system through the Synchronet SSH server, and if they try to log in as 'root' etc., they're not going to get in, unless you happen to have a BBS user named 'root' (which is unlikely).

    Actually had one get in on my guest account the other day, I logged in the BBS and the caller list popped up and it showed a Guest login with location of /bin/busybox Mirai.

    That is the furthest I've ever seen one get.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    ■ Synchronet ■ KK4QBN + (706)-422-9538 + kk4qbn.synchro.net + 24/7/365
  • From Denn Gray@VERT/OUTWEST to Ennev on Thu Mar 23 22:27:00 2017
    Re: Re: SSH
    By: Ennev to Nightfox on Thu Mar 23 2017 03:27 pm

    I guess the only real annoyance is the nodes they are taking and the logs they are filling :-)

    I have 10 nodes and only the first two nodes are affected.
    If I had a Linux box I could run a cron job to delete the logs every so often, not sure if Windows has something similar.
    /a

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
  • From Ennev@VERT/MTLGEEK to Denn Gray on Fri Mar 24 07:48:17 2017
    I have 10 nodes and only the first two nodes are affected.
    If I had a Linux box I could run a cron job to delete the logs every so often, not sure if Windows has something similar.
    /a

    Someone could call a scheduled task calling a script that would do that.

    I guess it's all about the volume, some are getting hit hard sometimes.

    It could be hard to cope with a DDOS, since even if the firewall or router would block the packet they would still saturate the traffic.

    I remember a couple of years ago when the Google bots were logging in to my FTP service every second to try to enter anonymously. In HTTP you have a robot.txt but I had no way to make them stop. It was Google. Nice.

    ---
    ■ Synchronet ■ MtlGeek - Geeks in Montreal - http://mtlgeek.com/ -
  • From Denn Gray@VERT/OUTWEST to KK4QBN on Fri Mar 24 08:20:18 2017
    Re: SSH
    By: KK4QBN to Nightfox on Thu Mar 23 2017 07:49 pm

    Actually had one get in on my guest account the other day, I logged in the BBS and the caller list popped up and it showed a Guest login with location of /bin/busybox Mirai.

    I was getting that a lot, now I get User unknown 'ROOT'

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
  • From KenDB3@VERT/KD3NET to KK4QBN on Fri Mar 24 13:24:46 2017
    Re: SSH
    By: KK4QBN to Nightfox on Thu Mar 23 2017 07:49 pm

    For that reason, I'm not sure if they're really harmful for
    Synchronet systems. I doubt they can gain access to your system
    through the Synchronet SSH server, and if they try to log in as
    'root' etc., they're not going to get in, unless you happen to have
    a BBS user named 'root' (which is unlikely).

    Actually had one get in on my guest account the other day, I logged in the BBS and the caller list popped up and it showed a Guest login with location of /bin/busybox Mirai.

    That is the furthest I've ever seen one get.

    I have caught a few stuck there after logging in. The Bot doesn't know what to do once it gets into the guest account. It's kind of funny.

    I have actually done a Node Spy on them at that point, and since it is just sitting there, I hit enter a couple of times so the Bot gets to the Weather Door, and I can see what country the IP is from. They come from all over, including the US.

    I get hits like that every day now. They used to show up with the same location you saw: "/bin/busybox Mirai", but more often now I see just "Shell" or "Sh".

    Mostly just annoying since I have the Guest account locked down fairly well. The bot could play Oregon Trail or Star Trek if it really wanted :-P

    ~KenDB3

    ---
    ■ Synchronet ■ KD3net-Rhode Island's only BBS about nothing. http://bbs.kd3.us
  • From KenDB3@VERT/KD3NET to Denn Gray on Fri Mar 24 13:27:35 2017
    Re: Re: SSH
    By: Denn Gray to Ennev on Thu Mar 23 2017 10:27 pm

    I guess the only real annoyance is the nodes they are taking and
    the logs they are filling :-)

    I have 10 nodes and only the first two nodes are affected.
    If I had a Linux box I could run a cron job to delete the logs every so often, not sure if Windows has something similar.

    I see it fill up about 4 to 6 nodes sometimes, but I am not sure if that is Mirai or not. I get the occasional bot/script that fills up 10 or even 20 nodes, but that is really rare. I used to grab the IP, do a whois, and send an abuse ticket to the ISP that controls the IP. But, the volume is so much these days that it is useless and a complete waste of my time.

    ~KenDB3

    ---
    ■ Synchronet ■ KD3net-Rhode Island's only BBS about nothing. http://bbs.kd3.us
  • From KK4QBN@VERT/KK4QBN to Denn Gray on Fri Mar 24 13:56:06 2017
    Re: SSH
    By: Denn Gray to KK4QBN on Fri Mar 24 2017 08:20 am

    location of /bin/busybox Mirai.

    I was getting that a lot, now I get User unknown 'ROOT'

    Check your username filter and make sure root and all the other popular admin names are put in.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    ■ Synchronet ■ KK4QBN + (706)-422-9538 + kk4qbn.synchro.net + 24/7/365
  • From Ennev@VERT/MTLGEEK to KenDB3 on Fri Mar 24 16:49:36 2017
    I have caught a few stuck there after logging in. The Bot doesn't know what to do once it gets into the guest account. It's kind of funny.

    These bots don't expect a BBS but just an unprotected bash shell. So the
    script they made will just do the pre-established steps and that's it, no brain behind it.

    Still, it's annoying. Sorry, my BBS is not Hudson Bay Company with a non-encrypted CSV file of all the credit card data they processed.

    ---
    ■ Synchronet ■ MtlGeek - Geeks in Montreal - http://mtlgeek.com/ -
  • From Denn Gray@VERT/OUTWEST to KenDB3 on Fri Mar 24 23:29:15 2017
    Re: SSH
    By: KenDB3 to KK4QBN on Fri Mar 24 2017 01:24 pm

    Actually had one get in on my guest account the other day, I logged in the BBS and the caller list popped up and it showed a Guest login with location of /bin/busybox Mirai.

    I have had several successful logins by bots to my Guest account.
    I just added a password so that should stop the bots there.
    I also get the /bin/busybox Mirai
    as well as Unknown User "ROOT" "SHELL" "SSH" etc....
    Looks like the measures I've taken have reduced the bot traffic by a significant amount.

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
  • From Denn Gray@VERT/OUTWEST to KenDB3 on Fri Mar 24 23:35:12 2017
    Re: Re: SSH
    By: KenDB3 to Denn Gray on Fri Mar 24 2017 01:27 pm

    I see it fill up about 4 to 6 nodes sometimes, but I am not sure if that is Mirai or not. I get the occasional bot/script that fills up 10 or even 20 nodes, but that is really rare. I used to grab the IP, do a whois, and send an abuse ticket to the ISP that controls the IP. But, the volume is so much these days that it is useless and a complete waste of my time.

    A couple of years ago I had DDOS'ers attacking my game servers. Since I run those servers on Linux Ubuntu I just enabled UFW and just opened the ports needed to run the game server and that ended the DDOS attacks.

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
  • From Denn Gray@VERT/OUTWEST to KK4QBN on Fri Mar 24 23:36:17 2017
    Re: SSH
    By: KK4QBN to Denn Gray on Fri Mar 24 2017 01:56 pm

    Check your username filter and make sure root and all the other popular admin names are put in.

    OK, will do. Thanks for the tip.

    ---
    ■ Synchronet ■ The Outwest BBS - outwestbbs.com - DOORS - Files -Dove-Net
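
An added example, not part of any post in this thread and not Synchronet code: a triage script for the two patterns the posters describe, repeated "unknown user" attempts that point at names worth adding to the username filter, and Guest sessions whose location reads like a shell command ("/bin/busybox Mirai", "Shell", "Sh"). The record layout, result values and sample records are constructed for illustration; adapt the parsing to whatever your own logs contain.

```python
import re
from collections import Counter

# Constructed sample records, NOT real Synchronet log output. Assumed layout:
# timestamp|node|source IP|login name|result|location given at login
SAMPLE = """\
2017-03-24 08:01:12|1|192.0.2.10|root|unknown_user|
2017-03-24 08:01:15|2|192.0.2.10|shell|unknown_user|
2017-03-24 08:02:40|1|198.51.100.7|Guest|login|/bin/busybox Mirai
2017-03-24 09:15:03|1|203.0.113.5|Guest|login|Sh
2017-03-24 09:30:44|3|203.0.113.80|Guest|login|Providence, RI
2017-03-24 10:12:09|1|192.0.2.44|ROOT|unknown_user|
2017-03-24 10:12:30|2|192.0.2.44|kendb|unknown_user|
garbage line without separators
"""

# Location strings the thread reports for bot logins on the Guest account.
BOT_LOCATION = re.compile(r"^(/bin/busybox\b.*|shell|sh)$", re.IGNORECASE)


def triage(text, existing_users=(), min_attempts=2):
    """Return (names worth adding to the username filter,
    source IPs of Guest sessions whose location looks like a shell command)."""
    existing = {u.lower() for u in existing_users}
    unknown, guest_bot_ips = Counter(), set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            continue  # malformed record: skip rather than guess
        _ts, _node, ip, name, result, location = fields
        if result == "unknown_user":
            unknown[name.lower()] += 1
        elif (result == "login" and name.lower() == "guest"
              and BOT_LOCATION.match(location)):
            guest_bot_ips.add(ip)
    # A single miss may be a caller's typo; repeated misses are scanner names.
    # Never suggest filtering a name that belongs to a real account.
    names = sorted(n for n, c in unknown.items()
                   if c >= min_attempts and n not in existing)
    return names, sorted(guest_bot_ips)


if __name__ == "__main__":
    print(triage(SAMPLE, existing_users=["KenDB3"]))
```

The `min_attempts` threshold keeps a single mistyped login (the constructed "kendb" record) out of the suggested filter list, and the Guest IP list is the input for the router-level blocking mentioned earlier in the thread.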