• intruder detect without invalid password attempt

    From Ragnarok@VERT/DOCKSUD to DOVE-Net.Synchronet_Discussion on Thursday, January 11, 2018 23:00:38
    Hi Digital Man!

    I usually use the internal Synchronet ban filter plus fail2ban to block hack attempts. It works very well when the "attack" is "invalid password".

    But a few days ago, I detected that the attack connects (via telnet) and disconnects without any other action or operation. Sometimes it puts the
    "Guest" user at the prompt, but does not try to send the password and
    immediately disconnects.

    This behavior is not currently detected by the sync detector system.
    I think it can be detected as a "possible bot scanning attempt",
    since it occurs many times in a short period of time, at least 2
    or 3 attempts.

    I think it would be great if you could implement this rule too; you could
    save many CPU cycles and server load and make sync more eco-friendly

    =)

    This is an example session:

    Jan 11 22:35:52 localhost synchronet: term 0071 Telnet connection
    accepted from: 75.141.230.84 port 48222
    Jan 11 22:35:52 localhost synchronet: evnt Node 2 constructor using
    socket 71 (settings=40100)
    Jan 11 22:35:52 localhost synchronet: term Node 2 temporary file
    directory: /sbbs/nodes/node2/temp/
    Jan 11 22:35:52 localhost synchronet: term Node 2 attached to local
    interface 152.169.166.33 port 23
    Jan 11 22:35:52 localhost synchronet: term Node 2 thread started
    Jan 11 22:35:52 localhost synchronet: term Node 2 JavaScript: Creating
    runtime: 8388608 bytes
    Jan 11 22:35:52 localhost synchronet: term Node 2 input thread started
    Jan 11 22:35:52 localhost synchronet: term Node 2 JavaScript:
    Initializing context (stack: 16384 bytes)
    Jan 11 22:35:52 localhost synchronet: term Node 2 output thread started
    Jan 11 22:35:52 localhost synchronet: term Node 2 22:35 Thu Jan 11
    2018 Node 2
    Jan 11 22:35:52 localhost synchronet: term Node 2 Telnet <no name> [75.141.230.84]
    Jan 11 22:35:52 localhost synchronet: term Node 3 received telnet window
    size: 80x24
    Jan 11 22:35:53 localhost synchronet: term Node 1 output thread
    terminated (sent 1513 bytes in 5 blocks, 302 average, 0 short)
    Jan 11 22:35:53 localhost synchronet: term Node 1 thread terminated (2
    node threads remain, 332 clients served)
    Jan 11 22:35:53 localhost synchronet: term Node 1 destructor begin
    Jan 11 22:35:53 localhost synchronet: term Node 1 JavaScript: Destroying context
    Jan 11 22:35:53 localhost synchronet: term Node 1 JavaScript: Destroying runtime
    Jan 11 22:35:53 localhost synchronet: term Node 1 destructor end
    Jan 11 22:36:12 localhost synchronet: term Node 2 disconnected
    Jan 11 22:36:12 localhost synchronet: term Node 2 input thread
    terminated (received 42 bytes in 5 blocks)
    Jan 11 22:36:12 localhost synchronet: term 0068 Telnet connection
    accepted from: 75.141.230.84 port 48303
    Jan 11 22:36:12 localhost synchronet: evnt Node 1 constructor using
    socket 68 (settings=40100)
    Jan 11 22:36:12 localhost synchronet: term Node 1 temporary file
    directory: /sbbs/node1/temp/
    Jan 11 22:36:12 localhost synchronet: term Node 1 attached to local
    interface 152.169.166.33 port 23
    Jan 11 22:36:12 localhost synchronet: term Node 1 thread started
    Jan 11 22:36:12 localhost synchronet: term Node 1 JavaScript: Creating
    runtime: 8388608 bytes
    Jan 11 22:36:12 localhost synchronet: term Node 1 input thread started
    Jan 11 22:36:12 localhost synchronet: term Node 1 JavaScript:
    Initializing context (stack: 16384 bytes)
    Jan 11 22:36:12 localhost synchronet: term Node 1 output thread started
    Jan 11 22:36:12 localhost synchronet: term Node 1 22:36 Thu Jan 11
    2018 Node 1
    Jan 11 22:36:12 localhost synchronet: term Node 1 Telnet <no name> [75.141.230.84]
    Jan 11 22:36:13 localhost synchronet: term Node 2 output thread
    terminated (sent 1531 bytes in 6 blocks, 255 average, 0 short)
    Jan 11 22:36:13 localhost synchronet: term Node 2 thread terminated (2
    node threads remain, 333 clients served)
    Jan 11 22:36:13 localhost synchronet: term Node 2 destructor begin
    Jan 11 22:36:13 localhost synchronet: term Node 2 JavaScript: Destroying context
    Jan 11 22:36:13 localhost synchronet: term Node 2 JavaScript: Destroying runtime
    Jan 11 22:36:13 localhost synchronet: term Node 2 destructor end
    Jan 11 22:36:33 localhost synchronet: term Node 1 disconnected
    Jan 11 22:36:33 localhost synchronet: term Node 1 input thread
    terminated (received 42 bytes in 5 blocks)
    Jan 11 22:36:33 localhost synchronet: term 0071 Telnet connection
    accepted from: 75.141.230.84 port 48387
    Jan 11 22:36:33 localhost synchronet: evnt Node 2 constructor using
    socket 71 (settings=40100)
    Jan 11 22:36:33 localhost synchronet: term Node 2 temporary file
    directory: /sbbs/nodes/node2/temp/
    Jan 11 22:36:33 localhost synchronet: term Node 2 attached to local
    interface 152.169.166.33 port 23
    Jan 11 22:36:33 localhost synchronet: term Node 2 output thread started
    Jan 11 22:36:33 localhost synchronet: term Node 2 thread started
    Jan 11 22:36:33 localhost synchronet: term Node 2 JavaScript: Creating
    runtime: 8388608 bytes
    Jan 11 22:36:33 localhost synchronet: term Node 2 input thread started
    Jan 11 22:36:33 localhost synchronet: term Node 2 JavaScript:
    Initializing context (stack: 16384 bytes)
    Jan 11 22:36:33 localhost synchronet: term Node 2 22:36 Thu Jan 11
    2018 Node 2
    Jan 11 22:36:33 localhost synchronet: term Node 2 Telnet <no name> [75.141.230.84]
    Jan 11 22:36:33 localhost synchronet: term Node 3 received telnet window
    size: 80x24
    Jan 11 22:36:33 localhost synchronet: term Node 3 received telnet
    terminal type: ANSI
    Jan 11 22:36:33 localhost synchronet: term Node 3 received telnet window
    size: 80x24
    Jan 11 22:36:34 localhost synchronet: term Node 1 output thread
    terminated (sent 1531 bytes in 6 blocks, 255 average, 0 short)
    Jan 11 22:36:34 localhost synchronet: term Node 1 thread terminated (2
    node threads remain, 334 clients served)
    Jan 11 22:36:34 localhost synchronet: term Node 1 destructor begin
    Jan 11 22:36:34 localhost synchronet: term Node 1 JavaScript: Destroying context
    Jan 11 22:36:34 localhost synchronet: term Node 1 JavaScript: Destroying runtime
    Jan 11 22:36:34 localhost synchronet: term Node 1 destructor end
    Jan 11 22:36:53 localhost synchronet: term Node 2 disconnected
    Jan 11 22:36:53 localhost synchronet: term Node 2 input thread
    terminated (received 45 bytes in 5 blocks)
    Jan 11 22:36:53 localhost synchronet: term 0068 Telnet connection
    accepted from: 75.141.230.84 port 48472
    Jan 11 22:36:53 localhost synchronet: evnt Node 1 constructor using
    socket 68 (settings=40100)
    Jan 11 22:36:53 localhost synchronet: term Node 1 temporary file
    directory: /sbbs/node1/temp/
    Jan 11 22:36:53 localhost synchronet: term Node 1 attached to local
    interface 152.169.166.33 port 23
    Jan 11 22:36:53 localhost synchronet: term Node 1 input thread started
    Jan 11 22:36:53 localhost synchronet: term Node 1 thread started
    Jan 11 22:36:53 localhost synchronet: term Node 1 JavaScript: Creating
    runtime: 8388608 bytes
    Jan 11 22:36:53 localhost synchronet: term Node 1 JavaScript:
    Initializing context (stack: 16384 bytes)
    Jan 11 22:36:53 localhost synchronet: term Node 1 output thread started
    Jan 11 22:36:53 localhost synchronet: term Node 1 22:36 Thu Jan 11
    2018 Node 1
    Jan 11 22:36:53 localhost synchronet: term Node 1 Telnet <no name> [75.141.230.84]
    Jan 11 22:36:54 localhost synchronet: term Node 2 output thread
    terminated (sent 1531 bytes in 7 blocks, 218 average, 0 short)
    Jan 11 22:36:54 localhost synchronet: term Node 2 thread terminated (2
    node threads remain, 335 clients served)

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - http://www.docksud.com.ar - telnet://bbs.docksud.com.ar
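
The rule proposed in the post above, sketched as an added example (not code from the post or from the Synchronet project): it flags an IP whose sessions repeatedly end with almost no input received. The thresholds (`max_bytes`, `min_hits`, `window`) and the `year` argument are assumptions to tune, and the sample lines are constructed in the format of the quoted session, using documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns follow the log lines quoted in the post, unwrapped to one line each.
START = re.compile(r"term Node (\d+) Telnet <no name> \[([\d.]+)\]")
ENDED = re.compile(r"term Node (\d+) input thread terminated \(received (\d+) bytes")

def parse_time(line, year):
    # Syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_scanners(lines, year=2018, max_bytes=64, min_hits=3,
                  window=timedelta(minutes=2)):
    """Return IPs with min_hits sessions of <= max_bytes input within window."""
    node_ip = {}               # node number -> IP of the session on that node
    hits = defaultdict(deque)  # IP -> end times of its recent low-input sessions
    flagged = set()
    for line in lines:
        if m := START.search(line):
            node_ip[m.group(1)] = m.group(2)
        elif m := ENDED.search(line):
            ip = node_ip.pop(m.group(1), None)
            if ip is None or int(m.group(2)) > max_bytes:
                continue       # unknown node, or the client sent real input
            now = parse_time(line, year)
            recent = hits[ip]
            recent.append(now)
            while now - recent[0] > window:
                recent.popleft()   # drop hits that fell out of the window
            if len(recent) >= min_hits:
                flagged.add(ip)
    return flagged

# Constructed sample (documentation IPs), in the format of the session above.
SAMPLE = """\
Jan 11 22:35:52 localhost synchronet: term Node 2 Telnet <no name> [203.0.113.7]
Jan 11 22:36:12 localhost synchronet: term Node 2 input thread terminated (received 42 bytes in 5 blocks)
Jan 11 22:36:12 localhost synchronet: term Node 1 Telnet <no name> [203.0.113.7]
Jan 11 22:36:20 localhost synchronet: term Node 3 Telnet <no name> [198.51.100.20]
Jan 11 22:36:33 localhost synchronet: term Node 1 input thread terminated (received 42 bytes in 5 blocks)
Jan 11 22:36:33 localhost synchronet: term Node 2 Telnet <no name> [203.0.113.7]
Jan 11 22:36:53 localhost synchronet: term Node 2 input thread terminated (received 45 bytes in 5 blocks)
Jan 11 22:41:02 localhost synchronet: term Node 3 input thread terminated (received 2310 bytes in 140 blocks)
""".splitlines()

if __name__ == "__main__":
    for ip in sorted(find_scanners(SAMPLE)):
        print(f"possible bot scan: {ip}")
```

A line printed per flagged address can be written to its own log file and matched by a fail2ban filter, so the existing ban action is reused.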