Subj : Block admin and root access attempts
To : nightcrawler
From : Digital Man
Date : Wed Oct 29 2014 12:00 am
Re: Block admin and root access attempts
By: Digital Man to nightcrawler on Tue Oct 28 2014 10:33 pm
> Re: Block admin and root access attempts
> By: nightcrawler to Digital Man on Tue Oct 28 2014 11:41 pm
>
> > Re: Block admin and root access attempts
> > By: Digital Man to nightcrawler on Tue Oct 28 2014 05:37 pm
> >
> > DM> That looks fine. Are you getting entries in your data/hack.log for
> > DM> these 3+ consecutive login failures from the same IP?
> >
> > No there doesn't appear to be any.
>
> What protocol are they attacking with?
>
> > DM> The failed login attempts have to be from the same IP address and
> > DM> consecutive without the BBS being restarted/recycled.
> >
> > So do you mean consecutive as in the calls have to be concurrent, or can
> > they be staggered throughout the day?
>
> They can be staggered throughout days/weeks/whatever, so long as the server
> (the BBS) is not recycled or restarted during that time.
>
> If you're using the Synchronet Control Panel (for Windows), you can view
> the failed login attempts with the View->Login Attempts menu option. It'll
> show you which login attempts from what IPs using what protocols with what
> username and password, etc. This list is cleared when the control panel is
> restarted. The "Unique" column shows the number that is compared against
> the thresholds we discussed for logging in the hack.log and filtering via
> ip.can.
>
> If you're using 'sbbs', the console program (e.g. for Linux) instead, then
> the 'a' command from the console prompt ("[Threads: x Sockets: x Clients:
> x Served: x Errors: x] (?=Help):") will show the same information (list of
> failed login attempts). This list is cleared when the sbbs program is
> restarted.

BTW, if the attacks were using SSH or RLogin protocols, then I suspect this is
due to a bug I *just* fixed where failed login attempts using either of those
protocols would *not* be added to the 'failed login attempt' list if the
username attempted was not a valid username (not in your userbase). Either get
the latest from CVS and rebuild (if you build from source) or grab tomorrow
morning's daily development build to get the fixed version.
Thanks for the heads up!
digital man
Synchronet "Real Fact" #53:
The Synchronet source code consists of over 500,000 lines of C and C++.
Norco, CA WX: 65.1°F, 78.0% humidity, 1 mph NNW wind, 0.00 inches rain/24hrs
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net