Looking at the logs I sometimes see "Unknown User 'Root'",
"Unknown User 'Sh'" and "Unknown User '/bin/busybox;echo =E \14'"
next to certain IP addresses, which seem to be different every day.
I realise that these are machines attempting to break into the
server's telnet port and they are hardly likely to get anywhere
because of the way Synchronet works and I shouldn't worry about it
too much. But is there a way for Synchronet to work with Fail2ban to
block these addresses anyway?
block them at your perimeter firewall and keep the traffic off the network completely... understand, too, that those are likely proxy or dynamic addresses... if they are dynamic, then you will be blocking individuals who didn't do this when the addresses change...
I am having the same thing here. Been going on a couple of weeks,
using many different addresses, so it probably would be a big
hassle to try and block in firewall. Obviously what they are doing
isn't working, but it is a pain to the effect they connect about
20 times a day.
Could be worse ;)
as for synchronet working with fail2ban, shouldn't that be the other
way around? doesn't fail2ban scan the logs to do its work? if this is
how i remember it being, that means that either fail2ban could be
altered to read synchronet's log format OR possibly synchronet might
be able to output a log format more like a *nix /var/log/messages
log... maybe as an addon?
On 14 Feb 14 15:01, mark lewis wrote to DrNick:
as for synchronet working with fail2ban, shouldn't that be the
other way around? doesn't fail2ban scan the logs to do its work?
if this is how i remember it being, that means that either
fail2ban could be altered to read synchronet's log format OR
possibly synchronet might be able to output a log format more like
a *nix /var/log/messages log... maybe as an addon?
Synchronet already logs to /var/log/messages, so this may be
easier than one thinks right off the get-go.
you can send the log to syslog and create sbbs.log in /var/log,
then create new filter in fail2ban and add it to jail.conf
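
The matching and counting that a fail2ban filter and jail would do on such a log, sketched as an added example (not code from this thread, Synchronet or fail2ban). The log line layout is an assumption, only the "Unknown User" text comes from the posts above, and `maxretry` and `findtime` mirror the fail2ban jail options of the same names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The layout (syslog prefix, "sbbs:" tag, "Node N",
# address in brackets) is an ASSUMPTION; only "Unknown User '...'" is from the thread.
SAMPLE_LOG = """\
Feb 14 15:01:02 bbs sbbs: Node 1 [203.0.113.7] Unknown User 'Root'
Feb 14 15:01:09 bbs sbbs: Node 1 [203.0.113.7] Unknown User 'Sh'
Feb 14 15:01:15 bbs sbbs: Node 2 [198.51.100.23] Unknown User 'Root'
Feb 14 15:01:20 bbs sbbs: Node 1 [203.0.113.7] Unknown User '[192.0.2.50] Unknown User 'x'
Feb 14 15:02:00 bbs sbbs: Node 3 [192.0.2.50] Logon 'Sysop'
Feb 14 18:30:00 bbs sbbs: Node 2 [198.51.100.23] Unknown User 'Sh'
Feb 14 18:45:00 bbs sbbs: Node 2 [198.51.100.23] Unknown User 'Root'
"""

# Anchored at line start with no wildcard before the address: the user name is
# typed by the remote side, so a loose pattern could be fed a fake "[ip]"
# (fourth sample line) and count failures against an innocent address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sbbs: Node \d+ "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] Unknown User '"
)

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2014):
    """Map each address that hit maxretry failures inside findtime to the
    time of the failure that crossed the threshold."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged.setdefault(m["ip"], when)
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when}")
```

With a ten-minute window the address that retries only a few times a day is never flagged, so slow scanners need a wider `findtime`. A finite ban time keeps a reassigned dynamic address from staying blocked, the concern raised earlier in the thread.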