Subj : Unwanted connections to port 23.
To   : j b l
From : Joe Bruchis
Date : Mon Jun 12 2017 09:59 am

j b l wrote in a message to mark lewis:

 jbl>  Re: Unwanted connections to port 23.
 jbl>  By: mark lewis to Ignatius on Mon Jun 12 2017 04:35 am


 ML> intrusion detection systems are the only things i've seen that
 ML> come close
 ML> but the connection and attempted login still has to take place... the
 ML> *ONLY* other option is to get off of port 23 and the other few
 ML> that MIRAI
 ML> specifically targets... that includes the default SSH port as well...

 jbl> I've just come across a utility, called "PSAD", it is a port
 jbl> scanning utility.. if the "danger level" meets a certain
 jbl> threshold, it will automatically block the offending IP address.
 jbl> Pretty cool. I'm still testing it out at the moment, but this may
 jbl> be what i've been looking for.

I have minimized these attempts with the following entries in sbbs.ini:

LoginAttemptDelay = 50000
LoginAttemptThrottle = 50000
LoginAttemptHackThreshold = 3
LoginAttemptBanThreshold = 3

Assume a bot attempts a login as Root. Root does not exist in the user files. 
The 50000 value will pause the next login prompt 45 seconds before another 
login name can be entered. This is usually enough time for the bot to move on 
to its next victim. The downside is, if a real user accidentally places a typo 
in their login name, they will have to wait 45 seconds before they are prompted 
for their login name again. That can be remedied with a warning screen prior to 
the login prompt, letting your users know that because of automated hacking 
bots, failed login attempts will be paused 45 seconds before the next login 
attempt will be accepted.

It works well here.

Regards,

 Joe 
--- timEd/386 1.10+
 * Origin: Fire on the Bayou BBS - bayouflames.ddns.net (1:3828/12)

.