Greetings and Salutations! I am having an issue with a hacker who trys to crack my system password eventually making all of my nodes busy so that users cannot login. When I periodically check Nodespy, all three of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to keep this from happening? (Linux Mint - Mystic 1.12 A48)

... Never laugh at live dragons.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

Greetings and Salutations! I am having an issue with a hacker who trys
to crack my system password eventually making all of my nodes busy so
that users cannot login. When I periodically check Nodespy, all three
of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to
keep this from happening? (Linux Mint - Mystic 1.12 A48)

Check out two Mystic mods that might help you with bots. Mystic is good at kicking them after multiple attempts, but here are two options - you can even install both if you like. Actually, I know of THREE:

ThreatSentry; check geo-location per the rules you set in the .ini's...

BotChecker; this is where you have to press ESC 2x to even start the Mystic bbs

MAPTCHA; A 'captcha-like' mod that requires you to enter some text prior to being let in

They can all be found on 2oFB @ 20ForBeers.com:1337; search the File Menu. (And other BBSes/fsxNet File Areas)



|07p|15AULIE|1142|07o
|08.........

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)

Greetings and Salutations! I am having an issue with a hacker who trys
to crack my system password eventually making all of my nodes busy so
that users cannot login. When I periodically check Nodespy, all three
of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
node 2 or three times until it autobans the IP address. Is there something I can do other than removing the system password prompt to
keep this from happening? (Linux Mint - Mystic 1.12 A48)

That sounds like a botnet :) My advice would be to do some country blocking. I believe if you looked at each of the IP addresses attempting this you'd find they come from specific places.

Also, I have the "botcheck" mod from phenom. It requires someone to press the escape key twice to proceed to the system password screen. This one confounds botnets pretty well.

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: m O N T E R E Y b B S . c O M (21:4/173)

On 13 Feb 2023, Gandalf said the following...

Greetings and Salutations! I am having an issue with a hacker who trys
to crack my system password eventually making all of my nodes busy so
that users cannot login.

something I can do other than removing the system password prompt to
keep this from happening?

Check out botcheck.mps in your mystic/themes/default/scripts directory:

[ begin quote botcheck.mps ]
BOTCHECK.MPS: Example script to force users to immediately press ESCAPE
twice upon connection within 15 seconds or else their
connection will be closed.

To install: Copy this as "connect.mps" in your theme's script directory
and then use MPLC to compile it (mplc -T will compile all theme scripts)
[ end quote botcheck.mps ]

You may want to paste this in right after "Begin" in the script:
If ACS('OS') Then break

This will skip asking people to press ESC twice if they connect via SSH as they'd already be authenticated.


I have this in place along with blocking a bunch of countries with iptables:

ipset create block4 hash:net
ipset create block6 hash:net family inet6
iptables -A INPUT -m set --match-set block4 src -j DROP
iptables -A OUTPUT -m set --match-set block4 dst -j DROP
ip6tables -A INPUT -m set --match-set block6 src -j DROP
ip6tables -A OUTPUT -m set --match-set block6 dst -j DROP


[ begin geoip.sh ]
#!/bin/bash
tmpdir=`mktemp -d`
cd $tmpdir

countries=("ru" "ua" "by" "bg" "br" "cn" "hk" "kr" "kp" "ir")

for i in ${countries[@]}; do
curl -f -s -k https://www.ipdeny.com/ipblocks/data/aggregated/$i-aggregated.zone >> block4.zone
curl -f -s -k https://www.ipdeny.com/ipv6/ipaddresses/aggregated/$i-aggregated.zone >> block6.zone
done

ipset flush
for i in $( cat block4.zone ); do ipset -A block4 $i; done
for i in $( cat block6.zone ); do ipset -A block6 $i; done

ipset save > /etc/iptables/ipsets

rm -f $tmpdir/*
rmdir $tmpdir
[ end geoip.sh ]


Jay

... When cheese gets its picture taken, what does it say?

--- Mystic BBS v1.12 A49 2023/01/27 (Linux/64)
* Origin: Northern Realms | bbs.nrbbs.net | 289-424-5180 (21:3/110)

Greetings and Salutations! I am having an issue with a hacker who trys
to crack my system password eventually making all of my nodes busy so
that users cannot login. When I periodically check Nodespy, all three
of my nodes show a couple of system password attempts (in asterisk form) and a third prompt and the screen is hung. I have to Alt(K)ick each
node 2 or three times until it autobans the IP address. Is there

I have the same problem, but not with the the screen getting hung up. 24 hours a day, every ten minutes or so, someone is trying to hack my board. I don't want people to automatically get to my login screen, and I want to slow these morons down a bit so this is what I did. I set up the board so that it is ANSI-only. Then I edited the prompt that usually asks if you want ANSI or ASCII to this menu:

It says...
PLEASE READ CAREFULLY - This is a menu, not a command line. Typing random sh*t will do nothing. Slapping your ENTER key will do nothing. Your bots will do nothing. See that number 1 on your keyboard? Poke it! Go ahead, poke it! What are you waiting for? You have four chances to get this right.

[1} Yes, I want to use this BBS
[0} No,disconnect

This slows them down a bit.

... I know a good tagline when I steal one!

--- Mystic BBS v1.12 A47 2021/12/25 (Windows/64)
* Origin: The Unmarked Van (21:1/130)

Thank you @paulie420, I have ThreatSentry v1.1 installed. I will check out the other two you mentioned. Thanks again for your reply.

... Deeds will not be less valiant because they are unpraised.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

Thank you @esc I will check out BotChecker that sounds like it would work for me. I appreciate it.

... Short cuts make long delays.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

Thank you @Warpslide, BotCheck is definately the suggested fix for my issue. I thank you for the time and effort to provide configuration and installation instruction. I will work on it now. I appreciate it.

... Faithless is he that says farewell when the road darkens.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

@Alonzo LOL Awesome! Thank you! I appreciate it.

... I will not walk backward in life.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

Botcheck1_2 installed. However, using the standard install instructions where you modify the theme prompt "|TE detected" to "!botcheck1_2 |TE detected", the botcheck works, but is displayed after the system password so it does not help at that point of the login process. I tried editing the system password prompt line where in my case it is: "|CR|14Speak friend and enter: |XX" to "!botcheck1_2 |CR|14Speak friend and enter: |XX", which the botcheck runs in ASCII (no color) then when you hit ESC twice, it does not prompt the text before the input prompt. I can type the system password at that point, which allows me to continue but that does not let the user know that there is a system password prompt waiting for input. I tried adding |CR carriage return and |CL clear screen codes at different points but cannot find a config that works. Is there another prompt line I should be using or something I can add to the script? Looks like the only option is to turn off the system password. I like that feature. I use it as an initial user qualification puzzle. If you know what ARDA is and that it is related to LOTR then you will understand the prompt and enter the correct password. If you don't, then it is a challenge and maybe using a LOTR themed BBS is not for you anyway. It would be nice to figure out a solution that allows this puzzle to remain. Thank you, I appreciate your input and help!

... In a hole in the ground there lived a hobbit.

--- Mystic BBS v1.12 A48 2022/04/03 (Linux/64)
* Origin: ARDA-BBS (21:4/153)

Greetings and Salutations! I am having an issue with a hacker who trys
to crack my system password eventually making all of my nodes busy so
that users cannot login. When I periodically check Nodespy, all three

Limit the number of connections your board will allow from the same IP. I think I have mine set to like 2 if I remember correctly, and only THAT high so that I can be logged into my sysop account and my test account at the some time when making changes remotely.

--- Mystic BBS v1.12 A48 (Windows/64)
* Origin: Legends of Yesteryear (furmenservices.net:23322) (21:4/102)

Limit the number of connections your board will allow from the same IP. I think I have mine set to like 2 if I remember correctly, and only THAT high so that I can be logged into my sysop account and my test account at the some time when making changes remotely.

If you are supporting HTTP(S), you should allow 6-10 connections as browsers make multiple connections to download supporting files in parallel (js, css, images etc).


--
Michael J. Ryan
+o roughneckbbs.com
tracker1@roughneckbbs.com
--- SBBSecho 3.15-Linux
* Origin: Roughneck BBS - roughneckbbs.com (21:3/149)