echo: linux_bbs
to: j b l
from: Joe Bruchis
date: 2017-06-12 09:59:30
subject: Unwanted connections to port 23.

j b l wrote in a message to mark lewis:

 jbl>  Re: Unwanted connections to port 23.
 jbl>  By: mark lewis to Ignatius on Mon Jun 12 2017 04:35 am


 ML> intrusion detection systems are the only things i've seen that come close
 ML> but the connection and attempted login still has to take place... the
 ML> *ONLY* other option is to get off of port 23 and the other few that MIRAI
 ML> specifically targets... that includes the default SSH port as well...

 jbl> I've just come across a utility, called "PSAD", it is a port
 jbl> scanning utility.. if the "danger level" meets a certain
 jbl> threshold, it will automatically block the offending IP address.
 jbl> Pretty cool. I'm still testing it out at the moment, but this may
 jbl> be what I've been looking for.

I have minimized these attempts with the following entries in sbbs.ini:

LoginAttemptDelay = 50000
LoginAttemptThrottle = 50000
LoginAttemptHackThreshold = 3
LoginAttemptBanThreshold = 3

Assume a bot attempts a login as Root. Root does not exist in the user
files. The 50000 value will pause the next login prompt 45 seconds before
another login name can be entered. This is usually enough time for the bot
to move on to its next victim. The downside is, if a real user accidentally
places a typo in their login name, they will have to wait 45 seconds before
they are prompted for their login name again. That can be remedied with a
warning screen prior to the login prompt, letting your users know that
because of automated hacking bots, failed login attempts will be paused 45
seconds before the next login attempt will be accepted.

It works well here.

Regards,

 Joe 
--- timEd/386 1.10+
* Origin: Fire on the Bayou BBS - bayouflames.ddns.net (1:3828/12)

SOURCE: echomail via fidonet.ozzmosis.com
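
Added example, not part of the message above and not Synchronet code: a small Python model of the pause-then-ban login policy the post describes, replayed over constructed traffic. It takes the 45-second pause and the threshold of 3 from the post; the class and function names, the addresses, and the reading of the ban threshold as a per-address failure count are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class LoginGate:
    """Toy model of a pause-then-ban login policy (not Synchronet's code)."""
    delay_s: float = 45.0   # pause after a failed login, as reported in the post
    ban_after: int = 3      # failures per address before refusal (assumed meaning)
    failures: dict = field(default_factory=dict)
    next_prompt: dict = field(default_factory=dict)
    banned: set = field(default_factory=set)

    def attempt(self, ip, t, name, known_users):
        """Classify one login-name entry from ip at time t (seconds)."""
        if ip in self.banned:
            return "banned"
        if t < self.next_prompt.get(ip, 0.0):
            return "throttled"          # prompt has not been re-issued yet
        if name in known_users:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        self.next_prompt[ip] = t + self.delay_s
        if self.failures[ip] >= self.ban_after:
            self.banned.add(ip)
        return "failed"

def replay(events, gate, known_users):
    """Run (time, ip, name) events through the gate and tally outcomes."""
    return Counter(gate.attempt(ip, t, name, known_users) for t, ip, name in events)

KNOWN = {"joe"}  # constructed user base
# Constructed traffic: a bot submitting "root" every 2 s for 200 s ...
BOT = [(t, "192.0.2.10", "root") for t in range(0, 200, 2)]
# ... and a real user who mistypes once, retries too early, then waits.
USER = [(0, "198.51.100.7", "jeo"), (10, "198.51.100.7", "joe"), (50, "198.51.100.7", "joe")]

def compare():
    """Outcome tallies for the bot with and without the pause, and for the user."""
    with_pause = replay(BOT, LoginGate(), KNOWN)
    no_pause = replay(BOT, LoginGate(delay_s=0, ban_after=10**9), KNOWN)
    user = replay(USER, LoginGate(), KNOWN)
    return with_pause, no_pause, user

if __name__ == "__main__":
    for label, tally in zip(("bot, 45 s pause", "bot, no pause", "real user"), compare()):
        print(f"{label}: {dict(tally)}")
```

In this model the bot gets three names evaluated in 200 seconds instead of one hundred, and the mistyping user is let in on the first retry made after the pause has elapsed.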
