Non SGA connections and general hack nonsense

Discussion on running your own board and editing MajorMUD.
BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

Well I quoted the line you need to look for...

INVALID PASSWORD ATTEMPT Chan 06 177.40.???.???:23 attempt on

As far as the block IP, no clue, never used the settings.


syntax
Site Admin
Posts: 517
Joined: Tue Jun 02, 2009 10:02 am

Re: Non SGA connections and general hack nonsense

Post by syntax »

Nah I'd need to see the whole thing in order to write a good script.


BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

20161106 214154 USER LOGON VIA TELNET Chan 0E User-ID: Dopechylde, from ???????
20161106 214156 USER LOGON VIA TELNET Chan 0C User-ID: Dolemite, from ???????
20161106 214158 USER LOGON VIA TELNET Chan 10 User-ID: Huggy Bear, from ?????????
20161106 214206 USER LOGON VIA TELNET Chan 11 User-ID: Ideal Confusion, from ????????
20161106 220122 INVALID PASSWORD ATTEMPT Chan 0D 177.67.34.???:??? attempt on "User"
20161106 221836 INVALID PASSWORD ATTEMPT Chan 0D 200.237.114.???:??? attempt on "User"
20161106 222624 TELNET SERVER - NON-SGA CLIENT Chan 0D Client at ????????? does not support SGA
20161106 222934 TELNET SERVER - NON-SGA CLIENT Chan 12 Client at ????????? does not support SGA
20161106 224130 INVALID PASSWORD ATTEMPT Chan 0F ???????? attempt on "User"


?'s are IPs.


MiOw
Posts: 113
Joined: Tue Nov 15, 2016 7:40 pm

Re: Non SGA connections and general hack nonsense

Post by MiOw »

The lines with the "NON-SGA CLIENT" will show up in the log regardless of what other settings one has; connections, disconnects, rejections, etc... otherwise can all be set to not log so any script might be best to look for that NON-SGA line for its data.

EDIT: at least if the intent is to solely screen out/block out these sniffers/non-SGA clients.

Thanks!


ClassicMUD... lightly seasoned with no dupes!
www.mudinfo.net/viewtopic.php?f=64&t=2357
BearFather
Posts: 652
Joined: Sun Feb 09, 2014 6:27 pm
Location: Portland, OR

Re: Non SGA connections and general hack nonsense

Post by BearFather »

The non-SGA actually can come from other clients than mega. Like Windows default telnet triggers this. Also my gosbot does the same thing. So blocking just non-SGA would block more than bots.


MiOw
Posts: 113
Joined: Tue Nov 15, 2016 7:40 pm

Re: Non SGA connections and general hack nonsense

Post by MiOw »

BearFather wrote: The non-SGA actually can come from other clients than mega. Like Windows default telnet triggers this. Also my gosbot does the same thing. So blocking just non-SGA would block more than bots.
Good call, something to test but I don't recall seeing it logged that way when I connect in from my Windows 10 or MacOS machines on a local test board. I was the only session, but then I wasn't watching specifically for it :/


ClassicMUD... lightly seasoned with no dupes!
www.mudinfo.net/viewtopic.php?f=64&t=2357
syntax
Site Admin
Posts: 517
Joined: Tue Jun 02, 2009 10:02 am

Re: Non SGA connections and general hack nonsense

Post by syntax »

If you want me to write a script for you I need actual files. A sample audit trail file and sample (working) IP blocking file. When scraping text in files everything matters. Line feeds, character spacing, etc. I can't go by a few redacted lines pasted to a forum. PM me if you're paranoid about publicizing people's IPs.


Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

BearFather wrote: So try adding an IP to the file while the board is running and see if it begins to block the IPs, or does it take a restart to take it on.

If it works then you can just write a script that looks at the last say 50 lines of agsaudit.adt file and log the IPs and the attempts. Have it look for "INVALID PASSWORD ATTEMPT Chan 06 177.40.???.???:23 attempt on" parse out the IP and then if that IP shows more than once "echo "???.???.???.??? > c:\wgserv\banfile.txt".
Yeah, I'll post it. It's a blocklist.txt file and the restriction takes effect immediately and the file is checked per connection. I'll grab the log.


telnet tdrbbs.ddns.net
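
The approach discussed in this thread (scan the tail of the audit trail for failed logons and add repeat offenders to the block file), sketched as an added example; it is not code from any poster or from the board software. It assumes the line layout of the redacted lines pasted above and a block file with one IP per line; the function names and sample addresses are constructed for illustration. NON-SGA notices are deliberately not counted, since the thread notes that ordinary clients trigger them too.

```python
import ipaddress
import re
from collections import Counter

# Layout assumed from the redacted lines pasted in this thread:
#   YYYYMMDD HHMMSS INVALID PASSWORD ATTEMPT Chan XX <ip>[:<port>] attempt on "<user>"
# Anchored at line start so text typed into the User-ID field cannot forge a match.
FAILED = re.compile(
    r'^\d{8} \d{6} INVALID PASSWORD ATTEMPT Chan [0-9A-F]{2} '
    r'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? attempt on "'
)

def repeat_offenders(lines, tail=50, threshold=2, allow=(), blocked=()):
    """Return sorted IPs with >= threshold failed logons in the last `tail` lines."""
    hits = Counter()
    for line in lines[-tail:]:
        m = FAILED.match(line.rstrip("\r\n"))
        if not m:
            continue  # logons, NON-SGA notices and malformed lines are not counted
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 never reaches the block file
        hits[ip] += 1
    skip = set(allow) | set(blocked)  # known players and IPs already listed
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in skip)

def append_blocklist(path, ips):
    """Append (never overwrite) one IP per line; the file format is an assumption."""
    with open(path, "a", encoding="ascii", newline="\r\n") as fh:
        for ip in ips:
            fh.write(ip + "\n")

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    '20161106 214154 USER LOGON VIA TELNET Chan 0E User-ID: Example, from 192.0.2.10',
    '20161106 220122 INVALID PASSWORD ATTEMPT Chan 0D 198.51.100.7:51234 attempt on "User"',
    '20161106 221836 INVALID PASSWORD ATTEMPT Chan 0D 198.51.100.7:51301 attempt on "User"',
    '20161106 222624 TELNET SERVER - NON-SGA CLIENT Chan 0D Client at 203.0.113.5 does not support SGA',
    '20161106 224130 INVALID PASSWORD ATTEMPT Chan 0F 203.0.113.5 attempt on "User"',
    '20161106 224200 INVALID PASSWORD ATTEMPT Chan 0F 192.0.2.10:40000 attempt on "User"',
    '20161106 224210 INVALID PASSWORD ATTEMPT Chan 0F 192.0.2.10:40001 attempt on "User"',
]
```

Passing the addresses of regular players in `allow` keeps a mistyped password from locking them out, and passing the current block file contents in `blocked` avoids duplicate entries.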
Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

MiOw wrote:
BearFather wrote: The non-SGA actually can come from other clients than mega. Like Windows default telnet triggers this. Also my gosbot does the same thing. So blocking just non-SGA would block more than bots.
Good call, something to test but I don't recall seeing it logged that way when I connect in from my Windows 10 or MacOS machines on a local test board. I was the only session, but then I wasn't watching specifically for it :/
Yeah, but anyone that will be playing regularly will most likely be using megamud. I can always remove the IP if there is an issue.


telnet tdrbbs.ddns.net
Larsen1906
Posts: 37
Joined: Fri Apr 19, 2013 3:04 pm

Re: Non SGA connections and general hack nonsense

Post by Larsen1906 »

syntax wrote: If you want me to write a script for you I need actual files. A sample audit trail file and sample (working) IP blocking file. When scraping text in files everything matters. Line feeds, character spacing, etc. I can't go by a few redacted lines pasted to a forum. PM me if you're paranoid about publicizing people's IPs.
PM sent.


telnet tdrbbs.ddns.net