• smtp attack

    From Ragnarok@1:229/2 to All on Tuesday, March 31, 2020 16:09:17
    From: ragnarok@DOCKSUD.remove-k7c-this

    To: DOVE-Net.Synchronet_Discussion
    can you detect this attack? to throttle the smtp connection, or log the error
    + remote ip address to help add a fail2ban rule?

    thanks!



    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Session thread started
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60809
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Session ID=14cf8023962f051dee29521
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session thread terminated (8 threads remain, 3817 clients served)
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: AUTH LOGIN
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session thread started
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Connection accepted on port 25 from: 45.143.223.164 port 52049
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Session ID=14cfb25cfd1eba1dee30b55
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP Socket closed by peer on receive
    Mar 31 16:07:16 scarlet synchronet: mail 0188 SMTP Session thread terminated (8 threads remain, 3818 clients served)
    Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP RX: AUTH LOGIN
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP Socket closed by peer on receive
    Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP !missing AUTH LOGIN username argument
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Session thread started
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60259
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP DNSBL Query: 164.223.143.45.sbl.spamhaus.org resolved to: 127.0.0.3
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP BLACKLISTED SERVER on sbl.spamhaus.org (see http://www.spamhaus.org/): <no name> [45.143.223.164] = 127.0.0.3
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP Session ID=14cfbc1e13a4761dee3a7f0
    Mar 31 16:07:17 scarlet synchronet: mail 0188 SMTP RX: EHLO ylmf-pc
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP !ERROR 32 sending on socket
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP Socket closed by peer on receive
    Mar 31 16:07:18 scarlet synchronet: mail 0130 SMTP Session thread terminated (8 threads remain, 3819 clients served)
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP RX: AUTH LOGIN
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP Socket closed by peer on receive
    Mar 31 16:07:18 scarlet synchronet: mail 0188 SMTP !missing AUTH LOGIN username argument

    ---
    þ Synchronet þ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
    --- Synchronet 3.17c-Win32 NewsLink 1.111
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net

    --- SoupGate-Win32 v1.05
    * Origin: www.darkrealms.ca (1:229/2)
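One way to get the remote address next to each SMTP AUTH failure in a log like the one above, as an added example (not Synchronet's code and not from anyone in the thread): the `!missing AUTH LOGIN username argument` line names only the session number (`mail 0128`), so it has to be joined to the `Connection accepted ... from:` line carrying the same number before fail2ban can match an IP. The sample lines are constructed in the quoted syslog format with the wrapping undone; session 0199 from 192.0.2.10 is made up.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted above (lines unwrapped);
# session 0199 from 192.0.2.10 is made up to show a session with no failure.
SAMPLE_LOG = """\
Mar 31 16:07:15 scarlet synchronet: mail 0128 SMTP Connection accepted on port 25 from: 45.143.223.164 port 60809
Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP RX: AUTH LOGIN
Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
Mar 31 16:07:16 scarlet synchronet: mail 0178 SMTP Connection accepted on port 25 from: 45.143.223.164 port 52049
Mar 31 16:07:17 scarlet synchronet: mail 0178 SMTP !missing AUTH LOGIN username argument
Mar 31 16:07:20 scarlet synchronet: mail 0199 SMTP Connection accepted on port 25 from: 192.0.2.10 port 41000
Mar 31 16:07:21 scarlet synchronet: mail 0199 SMTP RX: EHLO legit.example
"""

ACCEPT_RE = re.compile(
    r"synchronet: mail (\d+) SMTP Connection accepted on port \d+ from: (\S+) port \d+")
FAIL_RE = re.compile(r"synchronet: mail (\d+) SMTP !missing AUTH LOGIN username argument")

def auth_failures(log_text):
    """Yield (timestamp, ip) for each AUTH LOGIN failure.

    The failure line carries only the session number, so it is joined to the
    'Connection accepted' line with the same number. Session numbers are
    reused once a thread terminates, so the most recent mapping wins.
    """
    session_ip = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            session_ip[m.group(1)] = m.group(2)
            continue
        m = FAIL_RE.search(line)
        if m and m.group(1) in session_ip:
            yield line[:15], session_ip[m.group(1)]  # "Mar 31 16:07:16"

def count_auth_failures(log_text):
    """Failures per remote IP, the input for a throttle or ban decision."""
    return dict(Counter(ip for _, ip in auth_failures(log_text)))

def fail2ban_lines(log_text):
    """Re-emit each failure as one line that contains the IP, so a simple
    fail2ban failregex such as 'SMTP AUTH LOGIN failure from <HOST>' matches."""
    return [f"{ts} SMTP AUTH LOGIN failure from {ip}" for ts, ip in auth_failures(log_text)]

if __name__ == "__main__":
    for ip, n in count_auth_failures(SAMPLE_LOG).items():
        print(f"{ip}: {n} AUTH LOGIN failures")
```

Writing the `fail2ban_lines` output to its own file and pointing a fail2ban jail at that file avoids having to express the session join in a failregex.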
  • From Digital Man@1:229/2 to All on Tuesday, March 31, 2020 13:03:11
    From: digital.man@vert.synchro.net.remove-log-this

    To: Ragnarok
    Re: smtp attack
    By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm

    > can you detect this attack? to throttle the smtp connection, or log the error
    > + remote ip address to help add a fail2ban rule?

    I think you're referring to this:

    Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument

    These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.

    So... I'm not sure what you're asking for.

    digital man

    This Is Spinal Tap quote #38:
    Artie Fufkin: I'm not asking, I'm telling with this. Kick my ass.
    Norco, CA WX: 73.7°F, 34.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs
  • From Ragnarok@1:229/2 to All on Tuesday, March 31, 2020 17:51:39
    From: ragnarok@DOCKSUD.remove-e6n-this

    To: Digital Man
    On 3/31/20 at 17:03, Digital Man wrote:
    > Re: smtp attack
    > By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm
    >
    > > can you detect this attack? to throttle the smtp connection, or log the error
    > > + remote ip address to help add a fail2ban rule?
    >
    > I think you're referring to this:
    >
    > Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
    >
    > These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.
    >
    > So... I'm not sure what you're asking for.
    >
    > digital man
    Yes, but I do not see the !TEMPORARY BAN or Throttling as with TELNET (just
    these 3 lines in the whole log)


    Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious connection from: 190.19.114.20 (5 login attempts)
    Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious connection from: 190.19.114.20 (7 login attempts)
    Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of 45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
    Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
    Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56


    you can see the SMTP part of the log here:

    http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt

    my sbbs.ini settings are the default:

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 10
    LoginAttemptFilterThreshold = 0
    LoginAttemptTempBanThreshold = 20
    LoginAttemptTempBanDuration = 600

    I guess that the login fail counter is not working over the smtp
    service. The hack.log and spam.log files are empty.

  • From Rampage@1:229/2 to All on Tuesday, March 31, 2020 18:26:13
    From: rampage@SESTAR.remove-f72-this

    To: Ragnarok
    Re: Re: smtp attack
    By: Ragnarok to Digital Man on Tue Mar 31 2020 17:51:39


    Ragnarok> my sbbs.ini setting are the dafault:
    Ragnarok> LoginAttemptDelay = 5000
    Ragnarok> LoginAttemptThrottle = 1000
    Ragnarok> LoginAttemptHackThreshold = 10
    Ragnarok> LoginAttemptFilterThreshold = 0
    Ragnarok> LoginAttemptTempBanThreshold = 20
    Ragnarok> LoginAttemptTempBanDuration = 600

    i'm using the following...

    LoginAttemptDelay = 5000
    LoginAttemptThrottle = 1000
    LoginAttemptHackThreshold = 2
    LoginAttemptFilterThreshold = 3
    LoginAttemptTempBanThreshold = 3
    LoginAttemptTempBanDuration = 10M

    and they're banned to ip.can pretty quickly as are the telnet and ssh bots...

    why let them beat on your machine for such a long time? block'em and be done with'em real quick... no need to subject your machine to beatings like that ;)


    )\/(ark

    ---
    þ Synchronet þ The SouthEast Star Mail HUB - SESTAR
  • From Digital Man@1:229/2 to All on Tuesday, March 31, 2020 16:25:10
    From: digital.man@vert.synchro.net.remove-it0-this

    To: Ragnarok
    Re: Re: smtp attack
    By: Ragnarok to Digital Man on Tue Mar 31 2020 05:51 pm

    > On 3/31/20 at 17:03, Digital Man wrote:
    > > Re: smtp attack
    > > By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm
    > >
    > > > can you detect this attack? to throttle the smtp connection, or log the error
    > > > + remote ip address to help add a fail2ban rule?
    > >
    > > I think you're referring to this:
    > >
    > > Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN username argument
    > >
    > > These are counted as a login failure and the loginAttempt settings apply (hack-logging, auto-filtering). And the login attempt delay is applicable here as well, if configured.
    > >
    > > So... I'm not sure what you're asking for.
    > >
    > > digital man
    >
    > Yes, but I do not see the !TEMPORARY BAN or Throttling as with TELNET (just
    > these 3 lines in the whole log)
    >
    > Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious connection from: 190.19.114.20 (5 login attempts)
    > Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious connection from: 190.19.114.20 (7 login attempts)
    > Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of 45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
    > Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
    > Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of 181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56
    >
    > you can see the SMTP part of the log here:
    >
    > http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt
    >
    > my sbbs.ini settings are the default:
    >
    > LoginAttemptDelay = 5000
    > LoginAttemptThrottle = 1000
    > LoginAttemptHackThreshold = 10
    > LoginAttemptFilterThreshold = 0
    > LoginAttemptTempBanThreshold = 20
    > LoginAttemptTempBanDuration = 600

    In which section(s) of the .ini file are those values? Each section (e.g. [mail]) can have over-rides of the defaults specified in the [global] section.

    > I guess that the login fail counter is not working over the smtp
    > service. The hack.log and spam.log files are empty.

    It's certainly working for me:
    $ grep -c SMTP /sbbs/data/hack.log
    51184

    $ grep -c SMTP /sbbs/data/spam.log
    190513

    But the spam.log has nothing to do with LoginAttempts.

    digital man

    This Is Spinal Tap quote #1:
    Nigel Tufnel: These go to eleven.
    Norco, CA WX: 73.3°F, 43.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs
  • From Digital Man@1:229/2 to All on Tuesday, March 31, 2020 16:27:49
    From: digital.man@vert.synchro.net.remove-p53-this

    To: Rampage
    Re: Re: smtp attack
    By: Rampage to Ragnarok on Tue Mar 31 2020 06:26 pm

    > i'm using the following...
    >
    > LoginAttemptDelay = 5000
    > LoginAttemptThrottle = 1000
    > LoginAttemptHackThreshold = 2
    > LoginAttemptFilterThreshold = 3
    > LoginAttemptTempBanThreshold = 3
    > LoginAttemptTempBanDuration = 10M

    When your FilterThreshold is <= your TempBanThreshold, you're effectively disabling the temp-ban feature (and just going straight to permanent filtering). Just an FYI.

    digital man

    This Is Spinal Tap quote #11:
    Nigel Tufnel: No. no. That's it, you've seen enough of that one.
    Norco, CA WX: 73.3°F, 43.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs
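A sanity check for the threshold ordering Digital Man points out, as an added example (a simplified model written for this thread, not Synchronet's logic): it walks an IP's failure count through the LoginAttempt* thresholds from both configurations in the thread and reports which action fires first. Assumed: a threshold of 0 disables that action, a permanently filtered IP never comes back to be temp-banned, and Rampage's `10M` duration is taken as 600 seconds.

```python
# Simplified model of the LoginAttempt* thresholds from sbbs.ini, written for
# this thread (not Synchronet's code). Assumptions: 0 disables a threshold, and
# an IP already added to ip.can never reconnects, so a later temp ban is moot.
RAGNAROK_DEFAULTS = {"HackThreshold": 10, "FilterThreshold": 0,
                     "TempBanThreshold": 20, "TempBanDuration": 600}
RAMPAGE = {"HackThreshold": 2, "FilterThreshold": 3,
           "TempBanThreshold": 3, "TempBanDuration": 600}  # 10M taken as 600 s

def actions_after(attempts, cfg):
    """Actions in force once one IP has reached this many failed attempts."""
    acts = []
    if cfg["HackThreshold"] and attempts >= cfg["HackThreshold"]:
        acts.append("hack.log")
    if cfg["FilterThreshold"] and attempts >= cfg["FilterThreshold"]:
        acts.append("permanent filter (ip.can)")
    elif cfg["TempBanThreshold"] and attempts >= cfg["TempBanThreshold"]:
        acts.append(f"temp ban {cfg['TempBanDuration']}s")
    return acts

def first_attempt_for(action, cfg, limit=1000):
    """Attempt count at which an action (matched by prefix) first fires, or None."""
    for n in range(1, limit + 1):
        if any(a.startswith(action) for a in actions_after(n, cfg)):
            return n
    return None

def config_warnings(cfg):
    """The check from the thread: filtering at or before the temp-ban
    threshold means the temp ban never fires."""
    f, t = cfg["FilterThreshold"], cfg["TempBanThreshold"]
    if f and t and f <= t:
        return [f"FilterThreshold ({f}) <= TempBanThreshold ({t}): "
                "temp ban never fires, offenders go straight to ip.can"]
    return []

if __name__ == "__main__":
    for name, cfg in (("defaults", RAGNAROK_DEFAULTS), ("Rampage", RAMPAGE)):
        for action in ("hack.log", "temp ban", "permanent"):
            print(f"{name}: {action} first at attempt {first_attempt_for(action, cfg)}")
        print(f"{name}: warnings {config_warnings(cfg)}")
```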
  • From Rampage@1:229/2 to All on Tuesday, March 31, 2020 19:56:13
    From: rampage@SESTAR.remove-lud-this

    To: Digital Man
    Re: Re: smtp attack
    By: Digital Man to Rampage on Tue Mar 31 2020 16:27:49


    > When your FilterThreshold is <= your TempBanThreshold, you're
    > effectively disabling the temp-ban feature (and just going
    > straight to permanent filtering). Just an FYI.

    yeah, i forgot to mention that ;)

    it works quite well, too... and i've even crafted IDS rules to catch the messages from sbbs going back to the offending IP and initiate a block of said IP almost instantly... the net result is they fail, sbbs tells them, and my IP effectively disappears from the internet for them as all their traffic is dropped directly into the bitbucket at my perimeter firewall and sbbs doesn't have to mess with them any more :LOL:


    )\/(ark
