Non SGA connections and general hack nonsense

Discussion on running your own board and editing MajorMUD.
Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm


Post by Larsen1906 »

Does anyone have a way of blocking IPs based on invalid login attempts or suspended accounts?

I regularly have connections trying to log in as admin/root/shell etc etc....

I have created accounts for all the usual suspects and suspended them so now they get rejected instead of clogging my lines with endless login attempts. I'd rather not use NAT translation and alternate ports.

I don't see a way to deny non SGA (seems like most if not all connections not supporting SGA are not legitimate users).

My firewall supports GeoIP but the license is expensive so it is not an option.

Ideally a way to auto add IPs to the blocklist.txt based on login attempts would be good. Just looking for alternative options.


telnet tdrbbs.ddns.net
syntax
Site Admin
Posts: 517
Joined: Tue Jun 02, 2009 10:02 am

Re: Non SGA connections and general hack nonsense

Post by syntax »

I believe what people typically do to solve this issue is move their listening IP off of port 23.


Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

syntax wrote: I believe what people typically do to solve this issue is move their listening IP off of port 23.

I was trying to avoid that if possible.


BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

What I did at first is parse the audit log and when someone hit it more than twice it would add it to my VM server iptables to block. But this just became a waste of time 'cause every day the IPs would change. So I kinda let it go and forgot about it. I have a very active board and get about 2 lines taken all the time from these bots.

At the end of the day it only fills up your log files. But if it bugs you and you by chance have a Linux box controlling the network you can build a script that parses the log file for multiple attempts from the same IP to add them to the iptables to deny traffic.


Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

BearFather wrote: What I did at first is parse the audit log and when someone hit it more than twice it would add it to my VM server iptables to block. But this just became a waste of time 'cause every day the IPs would change. So I kinda let it go and forgot about it. I have a very active board and get about 2 lines taken all the time from these bots.

At the end of the day it only fills up your log files. But if it bugs you and you by chance have a Linux box controlling the network you can build a script that parses the log file for multiple attempts from the same IP to add them to the iptables to deny traffic.

That is pretty much what I'm looking for. I'm on a Windows box though. Maybe PowerShell or VB and just add it to the block file for WG directly. Thanks.


BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

I have no clue about Windows PowerShell or VB scripting, I work with Unix at work. As far as WG goes, not sure it has built-in IP blocking, but think dialglo has IP stuff in it. But then you need to figure out how it stores blocked IPs and can you edit that on the fly.


MiOw
Posts: 113
Joined: Tue Nov 15, 2016 7:40 pm

Re: Non SGA connections and general hack nonsense

Post by MiOw »

BearFather wrote: I have no clue about Windows PowerShell or VB scripting, I work with Unix at work. As far as WG goes, not sure it has built-in IP blocking, but think dialglo has IP stuff in it. But then you need to figure out how it stores blocked IPs and can you edit that on the fly.

There is a spot in the telnet server general settings to reference a file for IPs to block.


ClassicMUD... lightly seasoned with no dupes!
www.mudinfo.net/viewtopic.php?f=64&t=2357
Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

MiOw wrote:
BearFather wrote: I have no clue about Windows PowerShell or VB scripting, I work with Unix at work. As far as WG goes, not sure it has built-in IP blocking, but think dialglo has IP stuff in it. But then you need to figure out how it stores blocked IPs and can you edit that on the fly.
There is a spot in the telnet server general settings to reference a file for IPs to block.

That's what I want to use, but needed an automated way to add IPs.


BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

So try adding an IP to the file while the board is running and see if it begins to block the IPs, or does it take a restart to take it on.

If it works then you can just write a script that looks at the last, say, 50 lines of the agsaudit.adt file and logs the IPs and the attempts. Have it look for "INVALID PASSWORD ATTEMPT Chan 06 177.40.???.???:23 attempt on", parse out the IP, and then if that IP shows more than once, "echo ???.???.???.??? >> c:\wgserv\banfile.txt".
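
The script described in the post above, written out in PowerShell as an added example (it is not code posted by anyone in this thread and not part of Worldgroup). Assumptions: audit lines follow the one fragment quoted above, the audit file can be read as text, and the ban file takes one IPv4 address per line; the function names, the allow list and the sample lines are made up for the illustration.

```powershell
# Assumptions: audit lines look like the fragment quoted in the thread, the audit
# file is readable as text, and the ban file holds one IPv4 address per line.
function Get-RepeatOffender {
    param(
        [string[]]$Line,             # audit log lines to scan
        [int]$Threshold = 2,         # failed logins from one IP before it is listed
        [string[]]$AllowList = @()   # addresses that must never be banned
    )
    $pattern = 'INVALID PASSWORD ATTEMPT\s+Chan\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+'
    $count = @{}
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $parsed = $null
            # Drop strings the regex accepts but that are not addresses (999.1.1.1).
            if ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$parsed)) {
                $count[$parsed.ToString()] += 1
            }
        }
    }
    $count.Keys | Sort-Object |
        Where-Object { $count[$_] -ge $Threshold -and $_ -notin $AllowList }
}

function Add-BanEntry {
    param([string[]]$Ip, [string]$BanFile)
    $known = @()
    if (Test-Path -LiteralPath $BanFile) { $known = @(Get-Content -LiteralPath $BanFile) }
    # Append only addresses not already listed, so repeated runs do not grow the file.
    $new = @($Ip | Where-Object { $_ -and $_ -notin $known })
    if ($new.Count -gt 0) { Add-Content -LiteralPath $BanFile -Value $new -Encoding Ascii }
    $new
}

# Constructed sample lines (documentation-range IPs). Everything after
# "attempt on" is made up; the thread's fragment stops there.
$sample = @(
    'INVALID PASSWORD ATTEMPT Chan 06 203.0.113.45:23 attempt on admin',
    'INVALID PASSWORD ATTEMPT Chan 07 203.0.113.45:23 attempt on root',
    'INVALID PASSWORD ATTEMPT Chan 02 198.51.100.7:23 attempt on shell',
    'INVALID PASSWORD ATTEMPT Chan 03 192.0.2.10:23 attempt on sysop',
    'INVALID PASSWORD ATTEMPT Chan 03 192.0.2.10:23 attempt on sysop'
)
$banFile = Join-Path ([System.IO.Path]::GetTempPath()) 'banfile-demo.txt'
$offenders = Get-RepeatOffender -Line $sample -AllowList '192.0.2.10'
Add-BanEntry -Ip $offenders -BanFile $banFile

# On the board (audit path is a placeholder; the ban file path is the thread's):
# $recent = Get-Content 'C:\path\to\agsaudit.adt' -Tail 50
# Add-BanEntry -Ip (Get-RepeatOffender -Line $recent) -BanFile 'c:\wgserv\banfile.txt'
```

The allow list is there so that a mistyped password from your own address or a regular caller's does not end up in the ban file.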


syntax
Site Admin
Posts: 517
Joined: Tue Jun 02, 2009 10:02 am

Re: Non SGA connections and general hack nonsense

Post by syntax »

Can you post a sample of the audit log and IP blocking file format? I like writing scripts :)

