Can someone tell me something I can add to my login script that will automatically add Ip's to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IP's manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful
Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am
Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful
since you are a server on the internet, all your services have brute force attacks.
adding something to your logon script will just block people who try to telnet in. what about ftp, email, ssh, rlogin, nntp, etc?
get peerblock and just block china.
that way it's blocked before it even hits your bbs.
i have that bbs capcha thing and it's not stopping new ones from hitting me every day. it's a losing battle.
I've never really had a problem with ftp, rlogin, etc. All the attempts
seem to be localized to SSH connections, trying either admin or root. Recently I noticed a single IP will attempt simultanious connections,
taking all my nodes down.
I've tried peerblock with very little success. Seems it doesn't cut down on attempts at all.
Hey guys.
Can someone tell me something I can add to my login script that will automatically add Ip's to the IP.can file that try to log in as root or admin. It is becoming a full time job adding all the hack attempt IP's manually. There was some discussion on the Facebook group about this, but wasn't given a definitive answer. Also, I figured it would be more helpful to other Sysops if it was asked and answered on here.
attempts seem to be localized to SSH connections, trying either admin
or root. Recently I noticed a single IP will attempt simultanious
connections, taking all my nodes down.
change your ssh port.
I've tried peerblock with very little success. Seems it doesn't cut
down on attempts at all.
you have to use a custom block script and add ip ranges. you just cant
run it and use it to block attackers.
Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am
Hey guys.
Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful to other Sysops if it was asked and answered on here.
There's an auto-filtering capability built-into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.
digital man
Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Mon Oct 27 2014 04:38 pm
Re: Block admin and root access attempts
By: nightcrawler to All on Sat Oct 25 2014 12:08 am
Hey guys.
Can someone tell me something I can add to my login script that will
automatically add Ip's to the IP.can file that try to log in as root
or admin. It is becoming a full time job adding all the hack attempt
IP's manually. There was some discussion on the Facebook group about
this, but wasn't given a definitive answer. Also, I figured it would
be more helpful to other Sysops if it was asked and answered on here.
There's an auto-filtering capability built-into Synchronet. See "LoginAttemptFilterThreshold" at http://wiki.synchro.net/config:sbbs.ini for details.
digital man
Thanks.
I set the LoginAttemptFilterThreshold to 3, but doesn't seem to be having any effect.I've noticed a dozen or more attempts from an IP and it isn't being added to the ip.can. Do you have any idea what I am doing wrong?
This is what I have:
LoginAttemptDelay=5000
LoginAttemptThrottle=1000
LoginAttemptHackThreshold=3
LoginAttemptFilterThreshold=3
run it and use it to block attackers.
I used the block list you provided. It has:
hank billings:96.36.1.1-96.36.255.255
hong kong:123.0.0.0-123.255.255.255
dragon networks:209.124.1.0-209.255.255.255
china mobile:120.192.0.0-120.255.255.255
attacker:176.0.0.0-176.255.255.255
taiwan:125.227.0.0-125.227.255.255
attacker:187.147.0.0-187.147.255.255
banjkok:61.19.0.0-61.255.255.255
That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?
The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.
Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm
That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?
No there doesn't appear to be any.
The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.
So do you mean consecutive as in the calls have to be concurrent, or can they be staggerd throughout the day?
Re: Block admin and root access attempts
By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm
Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm
That looks fine. Are you getting entries in your data/hack.log for these 3+ consecutive login failures from the same IP?
No there doesn't appear to be any.
What protocol are they attacking with?
The failed login attempts have to be from the same IP address and consecutive without the BBS being restarted/recycled.
So do you mean consecutive as in the calls have to be concurrent, or can they be staggerd throughout the day?
They can be staggered throughout days/weeks/whatever, so long as the server (the BBS) is not recycled or restarted during that time.
If you're using the Synchronet Control Panel (for Windows), you can view
the failed login attempts with the View->Login Attempts menu option. It'll show you which login attempts from what IPs using what protocols with what username and password, etc. This list is cleared when the control panel is restarted. The "Unique" column shows the number that is compared against
the thresholds we discussed for logging in the hack.log and filtering via ip.can.
If you're using 'sbbs', the console program (e.g. for Linux) instead, then the 'a' command from the console prompt ("[Threads: x Sockets: x Clients: x Served: x Errors: x] (?=Help):" will show the same information (list of failed login attempts). This list is cleared when the sbbs program is restated.
Sysop: | MCMLXXIX |
---|---|
Location: | Prospect, CT |
Users: | 333 |
Nodes: | 10 (0 / 10) |
Uptime: | 16:55:36 |
Calls: | 574 |
Calls today: | 1 |
Messages: | 235855 |