Synchronet now have a built-in support to block incomming connections (see Blocking "Hackers") but it's feature protect SBBS services only (which in most cases is sufficient).
If you running another services/daemons on same server, you can use Fail2Ban and to block at firewall level the ip address from the attacker.
You must config and setup the sbbs log file that are explained here: UNIX
NOTE: These examples where made on Debian GNU/Linux, but you can adjust and apply for another distribution like Ubuntu, Arch, Fedora, etc.
First step, install fail2ban package:
apt-get install fail2ban
Create the file /etc/fail2ban/jail.d/sbbs.conf
[sbbs-main] enabled = true filter = sbbs-main action = iptables-allports[name=SBBS-main, protocol=all] logpath = /var/log/sbbs.log maxretry = 3 findtime = 21600 bantime = 21600 [sbbs-ddos] enabled = true filter = sbbs-ddos action = iptables-allports[name=SBBS-ddos, protocol=all] logpath = /var/log/sbbs.log maxretry = 8 findtime = 600 bantime = 21600 [sbbs-hack] enabled = true filter = sbbs-hack action = iptables-allports[name=SBBS-hack, protocol=all] logpath = /sbbs/data/hack.log maxretry = 3 findtime = 21600 bantime = 21600 [sbbs-smtp] enabled = true filter = sbbs-smtp action = iptables-allports[name=SBBS-smtp, protocol=all] logpath = /var/log/sbbs.log maxretry = 3 findtime = 21600 bantime = 21600 [sbbs-spam] enabled = true filter = sbbs-spam action = iptables-allports[name=SBBS-spam, protocol=all] logpath = /sbbs/data/spam.log maxretry = 3 findtime = 21600 bantime = 21600
Create the filter file /etc/fail2ban/filter.d/sbbs-main.conf
[INCLUDES] before = common.conf [Definition] failregex = Bad password from: <HOST> Throttling suspicious connection from: <HOST> ignoreregex =
Filter for ddos (/etc/fail2ban/filter.d/sbbs-ddos.conf)
[INCLUDES] before = common.conf [Definition] failregex = !Maximum concurrent connections without login (.*) reached from host: <HOST> ignoreregex =
Filter for hack.log (/etc/fail2ban/filter.d/sbbs-hack.conf)
[INCLUDES] before = common.conf [Init] maxlines=6 [Definition] failregex = ^SUSPECTED FTP HACK ATTEMPT from .* on .* \nUsing port .* at .* \[<HOST>\]\nDetails: .* \n ignoreregex =
Filter for smtp (/etc/fail2ban/filter.d/sbbs-smtp.conf)
[INCLUDES] before = common.conf [Definition] failregex = .* !TEMPORARY BAN of .* <HOST> .* SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\] ^.*\[<HOST>\].*\!TEMPORARY BAN.*$ ignoreregex =
Filter for spam (/etc/fail2ban/filter.d/sbbs-spam.conf)
[INCLUDES] before = common.conf [Definition] failregex = SMTP BLACKLISTED SERVER on .* \(.*\)\: .* \[<HOST>\] Host\: .* \[<HOST>\] ignoreregex =
Reload or restart the service and verify if you jail is loaded:
# fail2ban-client status Status |- Number of jail: 7 `- Jail list: asterisk, nginx-botsearch, *sbbs-hack, *sbbs-main, *sbbs-smtp, *sbbs-spam, *sbbs-ddos, sshd
(*) your sbbs active jail's
After some time, you can observe via iptables that severals ip address was blocked
# iptables -L -n Chain fail2ban-SBBS-main (1 references) target prot opt source destination REJECT all -- 49.64.51.116 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 187.161.208.161 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 190.130.22.81 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 94.123.59.80 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 118.175.228.237 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 220.240.252.176 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 71.248.179.3 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 185.29.71.147 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 201.69.90.121 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 78.186.210.14 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 117.247.90.134 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 37.130.109.12 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 189.110.122.99 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 24.70.18.200 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 112.164.94.30 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 37.109.137.13 0.0.0.0/0 reject-with icmp-port-unreachable RETURN all -- 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-SBBS-ddos (1 references) target prot opt source destination REJECT all -- 110.53.221.190 0.0.0.0/0 reject-with icmp-port-unreachable RETURN all -- 0.0.0.0/0 0.0.0.0/0