echo: synchronet
to: RAGNAROK
from: DIGITAL MAN
date: 2020-03-31 16:32:00
subject: Re: smtp attack

  Re: Re: smtp attack
  By: Ragnarok to Digital Man on Tue Mar 31 2020 05:51 pm

 > On 31/3/20 at 17:03, Digital Man wrote:
 > >   Re: smtp attack
 > >   By: Ragnarok to DOVE-Net.Synchronet_Discussion on Tue Mar 31 2020 04:09
 > > pm
 >
 > >  > can you detect this attack? for throttle the smtp connection or log
 > >  > error
 > >  > + remote ip address to help to add a fail2ban rule ?
 >
 > > I think you're referring to this:
 >
 > >  > Mar 31 16:07:16 scarlet synchronet: mail 0128 SMTP !missing AUTH LOGIN
 > >  > username argument
 >
 > > These are counted as a login failure and the loginAttempt settings apply
 > > (hack-logging, auto-filtering). And the login attempt delay is applicable
 > > here as well, if configured.
 >
 > > So... I'm not sure what you're asking for.
 >
 > >                                             digital man
 > Yes, but I do not see the !TEMPORARY BAN or Throttling as TELNET (just
 > these 3 lines at all log)
 >
 >
 > Mar 31 07:47:32 scarlet synchronet: term Node 1 Throttling suspicious
 > connection from: 190.19.114.20 (5 login attempts)
 > Mar 31 07:47:53 scarlet synchronet: term Node 2 Throttling suspicious
 > connection from: 190.19.114.20 (7 login attempts)
 > Mar 31 08:59:40 scarlet synchronet: term 0093 Telnet !TEMPORARY BAN of
 > 45.224.41.9 (2 login attempts, last: Root) - remaining: 9:55
 > Mar 31 13:45:09 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
 > 59.29.152.201 (2 login attempts, last: Root) - remaining: 9:56
 > Mar 31 15:01:58 scarlet synchronet: term 0096 Telnet !TEMPORARY BAN of
 > 181.210.88.2 (3 login attempts, last: Root) - remaining: 9:56
 >
 >
 > you can see the smtp parts log here:
 >
 > http://test.bbs.docksud.com.ar/tmp/sbbs-smtp.txt
 >
 > my sbbs.ini settings are the default:
 >
 >     LoginAttemptDelay = 5000
 >     LoginAttemptThrottle = 1000
 >     LoginAttemptHackThreshold = 10
 >     LoginAttemptFilterThreshold = 0
 >     LoginAttemptTempBanThreshold = 20
 >     LoginAttemptTempBanDuration = 600

In which section(s) of the .ini file are those values? Each section (e.g.
[mail]) can have over-rides of the defaults specified in the [global] section.

 > I guess that the login fail counter is not working over the smtp
 > service. The hack.log and spam.log file are empty.

It's certainly working for me:
$ grep -c SMTP /sbbs/data/hack.log
51184

$ grep -c SMTP /sbbs/data/spam.log
190513

But the spam.log has nothing to do with LoginAttempt's.

                                            digital man

This Is Spinal Tap quote #1:
Nigel Tufnel: These go to eleven.
Norco, CA WX: 73.3°F, 43.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs
--- SBBSecho 3.10-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

SOURCE: echomail via QWK@docsplace.org
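
Added example (not part of the original message and not Synchronet code): one way to answer the "which section?" question above is to resolve the LoginAttempt* values a given section actually sees, with [global] as the fallback. The sample .ini text is constructed; the [Mail] override value and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample, not the poster's real file: [Global] carries the values
# quoted in the thread, [Mail] overrides one of them (value is hypothetical).
SAMPLE_INI = """
[Global]
LoginAttemptDelay = 5000
LoginAttemptThrottle = 1000
LoginAttemptHackThreshold = 10
LoginAttemptFilterThreshold = 0
LoginAttemptTempBanThreshold = 20
LoginAttemptTempBanDuration = 600

[Mail]
LoginAttemptTempBanThreshold = 100
"""

GLOBAL = "global"


def effective_login_settings(ini_text, section):
    """Return {key: (value, source_section)} for LoginAttempt* keys as seen
    by `section`, falling back to [Global] where the section has no override."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    # Match section names case-insensitively ([mail] vs [Mail]).
    names = {name.lower(): name for name in cp.sections()}
    result = {}
    for wanted in (GLOBAL, section.lower()):  # the later entry overrides
        real = names.get(wanted)
        if real is None:
            continue
        for key, value in cp.items(real):     # configparser lower-cases keys
            if key.startswith("loginattempt"):
                result[key] = (value.strip(), real)
    return result


def report(ini_text, section):
    """One line per setting, marking values that come from an override."""
    lines = []
    settings = effective_login_settings(ini_text, section)
    for key, (value, src) in sorted(settings.items()):
        mark = "default" if src.lower() == GLOBAL else "override"
        lines.append(f"{key} = {value}  [{src}] ({mark})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INI, "mail")))
```

Running it against a real sbbs.ini (read the file and pass its text in) shows at a glance whether the mail server is using different thresholds than the terminal server.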
