El 31/3/20 a las 17:03, Digital Man escribió:
> Re: smtp attack
> By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm
>
> > can you detect this attack? for throtle the smtp connection or log error
> > + remote ip address to help to add a fail2ban rule ?
>
> I think you're referring to this:
>
> > Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN
> > username argument
>
> These are counted as a login failure and the loginAttempt settings apply
> (hack-logging, auto-filtering). And the login attempt delay is applicable
here as well, if configured.
>
> So... I'm not sure what you're asking for.
>
> digital man
Yes, but i do not see the !TEMPORARY BAN or Throttling as TELNET (just
this 3 lines at all log)
Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious
connection from: 190.19.114.20 (5 login attempts)
Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious
connection from: 190.19.114.20 (7 login attempts)
Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of
45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56
you can see the smtp parts log here:
http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt
my sbbs.ini setting are the dafault:
LoginAttemptDelay = 5000
LoginAttemptThrottle = 1000
LoginAttemptHackThreshold = 10
LoginAttemptFilterThreshold = 0
LoginAttemptTempBanThreshold = 20
LoginAttemptTempBanDuration = 600
I guess that the login fail counter is not working over the smtp
service. The hack.log and spam.log file are empty.
---
■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
|