El 31/3/20 a las 17:03, Digital Man escribió:
>   Re: smtp attack
>   By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09 pm
> 
>  > can you detect this attack? for throtle the smtp connection or log error
>  > + remote ip address to help to add a fail2ban rule ?
> 
> I think you're referring to this:
> 
>  > Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN
>  > username argument
> 
> These are counted as a login failure and the loginAttempt settings apply
> (hack-logging, auto-filtering). And the login attempt delay is applicable
here as well, if configured.
> 
> So... I'm not sure what you're asking for.
> 
>                                             digital man
Yes, but i do not see the !TEMPORARY BAN or Throttling as TELNET (just
this 3 lines at all log)


Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious
connection from: 190.19.114.20 (5 login attempts)
Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious
connection from: 190.19.114.20 (7 login attempts)
Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of
45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56


you can see the smtp parts log here:

http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt

my sbbs.ini setting are the dafault:

    LoginAttemptDelay = 5000


    LoginAttemptThrottle = 1000


    LoginAttemptHackThreshold = 10


    LoginAttemptFilterThreshold = 0


    LoginAttemptTempBanThreshold = 20


    LoginAttemptTempBanDuration = 600

I guess that the login fail counter is not working over the smtp
service. The hack.log and spam.log file are empty.

---
 ￭ Synchronet ￭ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar