Script Kiddie Minimisation
From Spectre@21:3/101 to Anybody on Monday, January 20, 2020 11:34:00
Hmm seeing as I run on port 23 I get all sorts of spurious script kiddies trying to log in, expecting they're trying to log into a router or something similar, not realising they're attempting to hack a DOS implementation.
So, I went through a few phases trying to sort them out.. I've ended up with.
- Add everything possible that they seem to use to the bad usernames file, ultimately this included the GUEST account as it's a regular for attempts by kiddies.
- Your banned name response can be anything, when I first started I used the SuperBBS manual to make it look like they found something :) Then I swapped to the middle finger image, and ban threats. This does seem to slow some of them down a little.
- I have HAPROXY installed on the Linux box to send the telnet requests to my DOS BBS. Any Linux service ought to be able to manage something similar. I have set up fail2ban so that it'll ban anyone connecting to HAPROXY more than 3 times in one minute. Which the scripts tend to do, and real users don't.
- fail2ban is presently only banning specific IPs for 1 year at the moment. I have had it ban for 10 minutes, 1 hour, 1 day, forever, but 1 year seems to have the most effect. I have also set it in the past to ban class C networks based on the offending IP. I'm not sure about this one, it seems to slow things down a treat, but there's some consternation that this net is a bit wide and you might ban a lot of innocent addresses. And it was such a pain to set up a second time after losing it, I couldn't be bothered.
None of this is really new information, but it is I think the first time I've put it together in one place, and it might be of value to anyone whose BBS is Linux based, or has a Linux passthrough component, and the bad user list could work for anyone. I'll pop the bad names list up through the bot echo with the subject badnames
Spec
--- SuperBBS v1.17-3 (Eval)
* Origin: < Scrawled in blood at The Lower Planes > (21:3/101)
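
The ban rule described in the post (more than 3 connections in one minute), replayed offline over proxy logs so the threshold and the per-IP versus class C trade-off can be checked before a ban goes live. This is an added example, not part of the original post or the poster's setup; the log lines are constructed in HAProxy's tcplog format, and the host, frontend and backend names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: HAProxy "option tcplog" syslog lines. Host, frontend
# (telnet_in) and backend (bbs/dos1) names are hypothetical.
_FMT = ("Jan 20 {t} gw haproxy[812]: {ip}:40112 [20/Jan/2020:{t}.120] "
        "telnet_in bbs/dos1 1/0/2210 96 -- 1/1/1/1/0 0/0")
_EVENTS = [
    ("11:30:01", "198.51.100.23"), ("11:30:03", "198.51.100.23"),  # script:
    ("11:30:05", "198.51.100.23"), ("11:30:08", "198.51.100.23"),  # 4 in 7 s
    ("11:31:10", "192.0.2.10"), ("11:31:20", "192.0.2.77"),  # two callers
    ("11:31:30", "192.0.2.10"), ("11:31:40", "192.0.2.77"),  # sharing a /24
    ("11:32:00", "203.0.113.7"), ("11:40:00", "203.0.113.7"),  # slow redial
]
SAMPLE_LOG = "\n".join(_FMT.format(t=t, ip=ip) for t, ip in _EVENTS)

LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\]")

def find_bans(log_text, max_conns=3, window=60, prefix=32):
    """Map each ban target (CIDR string) to the time of the connection that
    pushed it over max_conns connections within `window` seconds."""
    recent = defaultdict(deque)   # ban key -> timestamps still inside window
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # not a connection log line
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
        # prefix=32 bans the single address; prefix=24 bans its whole /24.
        key = str(ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False))
        if key in bans:
            continue              # already banned, nothing more to count
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()           # drop connections older than the window
        if len(q) > max_conns:    # "more than 3 times in one minute"
            bans[key] = when
    return bans

if __name__ == "__main__":
    print("per-IP bans:", sorted(find_bans(SAMPLE_LOG)))
    print("/24 bans:   ", sorted(find_bans(SAMPLE_LOG, prefix=24)))
```

With per-address keys only the rapid reconnector is banned; with /24 keys the two callers who happen to share a network are banned as well, which is the collateral effect the post is unsure about.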