j b l wrote in a message to mark lewis:

 jbl>  Re: Unwanted connections to port 23.
 jbl>  By: mark lewis to Ignatius on Mon Jun 12 2017 04:35 am


 ML> intrusion detection systems are the only things i've seen that
 ML> come close
 ML> but the connection and attempted login still has to take place... the
 ML> *ONLY* other option is to get off of port 23 and the other few
 ML> that MIRAI
 ML> specifically targets... that includes the default SSH port as well...

 jbl> I've just come across a utility, called "PSAD", it is a port
 jbl> scanning utility.. if the "danger level" meets a certain
 jbl> threshold, it will automatically block the offending IP address.
 jbl> Pretty cool. I'm still testing it out at the moment, but this may
 jbl> be what i've been looking for.

I have minimized these attempts with the following entries in sbbs.ini:

LoginAttemptDelay = 50000
LoginAttemptThrottle = 50000
LoginAttemptHackThreshold = 3
LoginAttemptBanThreshold = 3

Assume a bot attempts a login as Root. Root does not exist in the user files.
The 50000 value will pause the next login prompt 45 seconds before another
login name can be entered. This is usually enough time for the bot to move on
to its next victim. The downside is, if a real user accidentally places a typo
in their login name, they will have to wait 45 seconds before they are prompted
for their login name again. That can be remedied with a warning screen prior to
the login prompt, letting your users know that because of automated hacking
bots, failed login attempts will be paused 45 seconds before the next login
attempt will be accepted.

It works well here.

Regards,

 Joe 
--- timEd/386 1.10+