Anyone familiar with having a blog or web site can tell you that spam and getting hacked are a constant thing. Hell, I had to completely redo my web site late last year after getting hacked.

Well, apparently hacking BBSes is still a thing. For the most part, the IP addresses involved seem to be from eastern countries: China, Korea, etc.

Terminal Server Window

There are a couple of simple things you can do to cut down on the traffic and false logins and there are several reasons to do so.

First and foremost, if your router is able to block specific incoming addresses, that’s the route to take because it will cut down on traffic on your internal network. Not going to go into that here because until I load DD-WRT on my router I don’t have that capability.

There are several settings in Synchronet that will help cut down on the number of folks attempting to log in.

  1. In the Synchronet Control Panel go to File – Properties. That will open the Control Panel Properties window. Open the Security tab. There are 4 options here:
     - Delay (milliseconds) is where you can set the time between failed login attempts before a specific IP is locked out.
     - Throttle (milliseconds) is how long to delay successive logins after a failed attempt.
     - Hack Log Threshold is how many failed login attempts from a specific IP before it’s marked as a hack attempt. I keep this set at 3.
     - IP Filter Threshold is how many failed attempts from a specific IP are allowed before it’s marked as a hack. That’s also set at 3 here.

     These options are all good if you want to automate the process. It’s still going to allow a certain number through and a small amount of network traffic, but it’s damn sure better than nothing.
  2. You can also manually block folks. In the /sbbs/text directory there are a few pertinent files to look for. One I use constantly is ip.can. It’s a list of IP addresses, wild cards accepted. Mine is currently up to 175 lines. If you use this and block top-level IPs, be aware you can block prospective users as well.
  3. name.can is a list of user names that are blocked or not allowed to be used by new users. Sysop, user*, system*, config* are all good names to be in here.
  4. password.can and phone.can should be looked at as well.
  5. hosts.can is basically the same as ip.can except that it takes host names. It’s not as good as ip.can because the host isn’t always reported, BUT it can block multiple IPs that use the same host.
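
The warning in item 2 about blocking whole ranges can be checked before a pattern goes into ip.can. The sketch below is an added example, not Synchronet code: it assumes plain string matching with a trailing `*`, treats `;` lines as comments, and uses constructed documentation addresses; `parse_can`, `coverage` and `audit` are hypothetical helper names.

```python
import fnmatch

# Constructed sample (documentation address ranges only). One pattern per line
# with "*" wildcards as the post describes; ";" comment lines are an assumption.
SAMPLE_IP_CAN = """\
; constructed entries
203.0.113.45
198.51.100.*
192.0.*
2*
"""

def parse_can(text):
    """Return the non-blank, non-comment patterns from ip.can-style text."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith(";")]

def coverage(pattern):
    """Count IPv4 addresses matched by a literal or trailing-"*" pattern."""
    if "*" not in pattern:
        return 1
    prefix = pattern.rstrip("*")
    if "*" in prefix or prefix.count(".") > 3:
        raise ValueError("only a trailing * on an IPv4 prefix is handled: " + pattern)
    done, _, partial = prefix.rpartition(".")  # full octets, partial octet
    fixed = len(done.split(".")) if done else 0
    # Values of the first wildcarded octet that start with the partial digits.
    first = sum(1 for v in range(256) if str(v).startswith(partial))
    return first * 256 ** (3 - fixed)

def audit(text, known_good, max_addresses=256):
    """Return (pattern, size, blocked_known_good) for entries worth a second look."""
    findings = []
    for pat in parse_can(text):
        size = coverage(pat)
        hits = [ip for ip in known_good if fnmatch.fnmatchcase(ip, pat)]
        if size > max_addresses or hits:
            findings.append((pat, size, hits))
    return findings

if __name__ == "__main__":
    # Constructed addresses standing in for callers you want to keep.
    for pat, size, hits in audit(SAMPLE_IP_CAN, ["192.0.2.10", "198.51.100.7"]):
        print(f"{pat:<16} covers {size:>13,} addresses; blocks known-good: {hits}")
```

A short pattern such as `2*` is the "top-level" case from item 2: under these assumptions it covers every address whose first octet starts with the digit 2.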

Obviously this isn’t foolproof but it’s a big help. As you can see from the picture above, several have been blocked this morning. More than several, actually. If you view Failed Login Attempts, this will give you a list of failed logins so you don’t have to scroll through the terminal server window. Here’s a small part of the several hundred from this morning I haven’t blocked yet (although now it’s done). I try and go through this when I have time so I can add them to my ip.can.

Failed Login Attempts Window

Hopefully this has been a little helpful for someone out there.
