Subj : Getting hammered!
To : Sniper
From : Bill McGarrity
Date : Fri Mar 17 2017 17:44:00

 -=> Sniper wrote to All on 03-16-17 22:53 <=-

 Sn> So, it's been a long time... My BBS has been running on auto-pilot.
 Sn> With daily observation, just not participating. Anyway, over the last
 Sn> few months, it seems that my IP address, host name, or something has
 Sn> been given to the hackers of the world. My system is constantly being
 Sn> connected to and they are trying to log in with unknown users. I've
 Sn> checked on the system and 2 or 3 nodes are scrolling off the screen as
 Sn> someone is attempting to brute force the Guest account. (Doesn't
 Sn> exist, but that doesn't seem to stop them). They try to brute force
 Sn> the "root" and "admin" as well. The large majority of these are coming
 Sn> from overseas. .jp, .ru, .au, etc. So I was attempting to block them
 Sn> by IP, but, as soon as I block one, 50 more show up. Now all this is
 Sn> occurring on a little 18 meg Uverse setup. It's getting a little out of
 Sn> hand! So today, I did a Google search for a list of all the world
 Sn> domains. And I found a wiki listing them. So I dropped the list into
 Sn> the filter/hostname. I'm still getting attacked... but now it's
 Sn> scrolling off the screen:
 Sn> 3/16 10:33:30p 1284 Telnet connection accepted from: 14.175.124.99
 Sn> port 34238
 Sn> 3/16 10:33:30p 1284 Hostname: static.vnpt.vn
 Sn> 3/16 10:33:31p 1284 !CLIENT BLOCKED in host.can: static.vnpt.vn
 Sn> So that list is helping, but, I could seriously use a "Silent" mode,
 Sn> like the IP block (Silence).
 Sn> But that's only about 1/2 of the constant hammering I'm getting. The
 Sn> rest are "No Name":
 Sn> 3/16 10:42:50p Node 2 10:42p Thu Mar 16 2017 Node 2
 Sn> 3/16 10:42:50p Node 2 Telnet [45.114.83.11]
 Sn> 3/16 10:42:50p 1260 Telnet connection accepted from:
 Sn> 123.168.185.171 port 43422
 Sn> 3/16 10:42:50p Terminal Server connection reset by peer on send
 Sn> 3/16 10:40:33p Node 2 connection reset by peer on receive
 Sn> 3/16 10:40:33p Node 2 10:40p Thu Mar 16 2017 Node 2
 Sn> 3/16 10:40:33p Node 2 Telnet [27.54.54.208]
 Sn> 3/16 10:40:39p Node 2 thread terminated (1 node threads remain, 110
 Sn> clients served)
 Sn> Usually, you'll see them connect, then shortly after a second
 Sn> connect... the first one drops off then the second one starts sending
 Sn> commands:
 Sn> 3/16 10:21:30p Node 1 Unknown User 'Root'
 Sn> 3/16 10:21:31p Node 1 Unknown User 'Nable'
 Sn> 3/16 10:21:31p Node 1 Unknown User 'Ystem'
 Sn> 3/16 10:21:32p Node 1 Unknown User 'Bin/busybox Mirai'
 Sn> 3/16 10:21:34p Node 1 socket closed by peer on input
 Sn> I'm at my wits' end over this. Can we enter IPs for entire domains?
 Sn> 1.1.1.1/32 ?? Because one at a time is just not feasible anymore!
 Sn> Anyone have a good comprehensive list they might send me?

Why not add those user names to your name.can file in the ../sbbs/text
folder and adjust your LoginAttemptTempBanDuration in sbbs.ini to 20 or 30
minutes. Also think about getting 'PeerBlock' if you can't work with your
router in banning said IPs.

-- Bill

Telnet: tequilamockingbirdonline.net
Web: bbs.tequilamockingbirdonline.net:81
FTP: ftp.tequilamockingbirdonline.net:2121
IRC: irc.tequilamockingbirdonline.net Ports: 6661-6670 SSL: +6697
Radio: radio.tequilamockingbirdonline.net:8010/live

.... Look Twice... Save a Life!!! Motorcycles are Everywhere!!!
--- MultiMail/Win32 v0.50
 ■ Synchronet ■ TequilaMockingbird Online - Toms River, NJ
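
Added example (not part of the original messages and not Synchronet code): a small Python summarizer for log lines like the ones quoted above. It collects the attempted login names as candidates for the name.can file mentioned in the reply and groups source addresses by network to show how widely spread they are. The function name, the /16 grouping and the one-name-per-line output layout are assumptions; the sample lines are copied from the post, with wrapped lines rejoined.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: log lines taken from the excerpts quoted in the post.
SAMPLE_LOG = """\
3/16 10:33:30p 1284 Telnet connection accepted from: 14.175.124.99 port 34238
3/16 10:33:30p 1284 Hostname: static.vnpt.vn
3/16 10:33:31p 1284 !CLIENT BLOCKED in host.can: static.vnpt.vn
3/16 10:42:50p Node 2 Telnet [45.114.83.11]
3/16 10:42:50p 1260 Telnet connection accepted from: 123.168.185.171 port 43422
3/16 10:40:33p Node 2 Telnet [27.54.54.208]
3/16 10:21:30p Node 1 Unknown User 'Root'
3/16 10:21:31p Node 1 Unknown User 'Nable'
3/16 10:21:31p Node 1 Unknown User 'Ystem'
3/16 10:21:32p Node 1 Unknown User 'Bin/busybox Mirai'
"""

ACCEPT_RE = re.compile(r"connection accepted from: (\d+\.\d+\.\d+\.\d+)")
NODE_RE = re.compile(r"Telnet \[(\d+\.\d+\.\d+\.\d+)\]")
USER_RE = re.compile(r"Unknown User '([^']*)'")
BLOCKED_RE = re.compile(r"!CLIENT BLOCKED in (\S+): (\S+)")

def summarize(log_text, prefix_len=16):
    """Return (attempted names, connections per network, filter hits)."""
    names, nets, blocked = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m and m.group(1) not in names:
            names.append(m.group(1))      # keep first-seen order, no duplicates
        for rx in (ACCEPT_RE, NODE_RE):
            m = rx.search(line)
            if m:                         # collapse the address to its network
                net = ipaddress.ip_network(f"{m.group(1)}/{prefix_len}", strict=False)
                nets[str(net)] += 1
        m = BLOCKED_RE.search(line)
        if m:
            blocked[m.group(2)] += 1      # hostname already caught by a filter file
    return names, nets, blocked

if __name__ == "__main__":
    names, nets, blocked = summarize(SAMPLE_LOG)
    print("candidate name.can entries:", *names, sep="\n  ")
    print("source networks:", dict(nets))
    print("hosts already filtered:", dict(blocked))
```

On the sample, the four connections come from four different /16 networks, which is why blocking one address at a time does not keep up.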