Synchronet v3.19b-Win32 (install) has been released (Jan-2022).

You can donate to the Synchronet project using PayPal.

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
howto:block-hackers [2016/11/28 23:43] – [The Risk] Added denial of service risk and mitigation description. digital manhowto:block-hackers [2024/05/14 22:11] (current) – [Synchronet's Defense] mention the failed login list sem files digital man
Line 1: Line 1:
 ====== Blocking "Hackers" ====== ====== Blocking "Hackers" ======
 ===== Definition of "Hacker" ===== ===== Definition of "Hacker" =====
-For the purpose of this article, the term "hacker" refers to automated systems which attempt to login to your Synchronet TCP/IP servers and services using common, well-known, or randomly selected credentials (user names and passwords). These "hackers" are usually not humans sitting at keyboards and typing names and passwords but rather automated systems (e.g. scripts) which scan the Internet looking for systems with user accounts with guessable credentials and/or known vulnerabilities in their system software.+For the purpose of this article, the term "hacker" ((Yes, I know there are alternative definitions of Hacker: http://www.mithral.com/~beberg/hacker.html)) refers to automated systems which attempt to login to your Synchronet TCP/IP servers and services using common, well-known, or randomly selected credentials (user names and passwords). These "hackers" are usually not humans sitting at keyboardstyping names and passwordsbut rather automated systems (e.g. scripts, a.k.a "robots") which scan the Internet looking for systems with user accounts with guessable credentials and/or known vulnerabilities in their system software. Sort of like a modern version of "[[wp>Wardialing]]".
  
 ===== The Risk ===== ===== The Risk =====
Line 7: Line 7:
  
 ==== Denial of Service ==== ==== Denial of Service ====
-One thing these attacks can do, though it's usually not their intention, is to tie up your BBS's resources (e.g. Terminal Server nodes for Telnet, RLogin, SSH connections and logins). If you find that your [[server:Terminal]] Server's nodes all are being occupied by "hackers" attempting brute-force logins (or just sitting stupidly idle until disconnected due to inactivity), you can mitigate this problem by setting the ''**MaxConcurrentConnections**'' value in the ''[BBS]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to a non-zero value which is fewer than the number of BBS nodes you have setup in [[util:SCFG]].+One thing these attacks can do, though it's usually not their intention, is to tie up your BBS's resources (e.g. Terminal Server nodes for Telnet, RLogin, SSH connections and logins). If you find that your [[server:Terminal]] Server's nodes all are being occupied by "hackers" attempting brute-force logins (or just sitting stupidly idle until disconnected due to inactivity), you can mitigate this problem by setting the ''**MaxConcurrentConnections**'' value in the ''**[BBS]**'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to a non-zero value which is fewer than the number of BBS nodes you have setup in [[util:SCFG]].
  
-For example, if you have 4 nodes configured in SCFG, then you might want to limit the maximum concurrent connections to 2 (from the same client IP address). IP addresses listed in your ''[[dir:ctrl]]/ipfilter_exempt.cfg'' file are not connection-limited.+For example, if you have 4 nodes configured in SCFG, then you might want to limit the maximum concurrent connections (from the same client IP address) to 2 (e.g. ''**MaxConcurrentConnections=2**''). IP addresses listed in your ''[[dir:ctrl]]/ipfilter_exempt.cfg'' file are not connection-limited. Clients that are successfully logged into your BBS do not count against the concurrent-connections limit, if one is configured. 
 + 
 +The default configuration (in ''[[dir:ctrl]]/[[config:sbbs.ini]]'') contains //no// concurrent-connections limit (i.e. ''**MaxConcurrentConnections=0**'').
  
 This protection mechanism was introduced in Synchronet v3.17 (November, 2016). This protection mechanism was introduced in Synchronet v3.17 (November, 2016).
 +
 +=== Inactivity ===
 +
 +One potential annoyance is when dumb bots connect to your BBS terminal nodes and just sit there idle for a long period of time, tying up that node. A couple of counter measures are available here:
 +  * Set the ''inactive_hangup'' setting in the ''[login]'' section of your ''[[dir:ctrl]]/[[config:modopts.ini]]'' file to terminate such //dumb// connections after just a short amount of inactivity (e.g. 30 seconds)
 +  * Make sure if you're using any "login matrix" or other 3rd party login module, especially those with animated prompts, that they include some kind of user-inactivity timeout and disconnection support((this is a surprisingly common flaw in custom animated pause prompt mods))
 +  * Synchronet v3.20 added a new configuration option to help with this scenario: SCFG->Servers->Terminal Server->Max Login Inactivity (default: 10 minutes), also ''MaxLoginInactivity'' in the ''[BBS]'' section of ''[[config:sbbs.ini]]''
 ===== Synchronet's Defense ===== ===== Synchronet's Defense =====
 Synchronet normally disallows the use of common passwords by users (see the ''[[dir:text]]/password.can'' file) and system operator accounts are protected with a secondary "system password", so there should be little chance of a dictionary-based login attack actually succeeding. You can run ''[[dir:exec]]/badpasswords.js'' (e.g. using [[util:jsexec]]) to check your user database for common passwords if you wish. Synchronet normally disallows the use of common passwords by users (see the ''[[dir:text]]/password.can'' file) and system operator accounts are protected with a secondary "system password", so there should be little chance of a dictionary-based login attack actually succeeding. You can run ''[[dir:exec]]/badpasswords.js'' (e.g. using [[util:jsexec]]) to check your user database for common passwords if you wish.
Line 18: Line 27:
  
 To protect against "brute force" style attacks, that is, where an attacker may iterate through every possible password for a given user, Synchronet: To protect against "brute force" style attacks, that is, where an attacker may iterate through every possible password for a given user, Synchronet:
-  - Will delay a configurable amount of time before responding to failed login attempts (default: 5 seconds) +  - Will delay a configurable amount of time before responding to failed login attempts (default: 5 seconds, see [[config:sbbs.ini|LoginAttemptDelay]]
-  - Will throttle TCP/IP connections from attackers, increasing the configurable delay with each login failure (default: 1 second per failure) +  - Will throttle TCP/IP connections from attackers, increasing the configurable delay with each login failure (default: 1 second per failure, see [[config:sbbs.ini|LoginAttemptThrottle]]
-  - Can create an entry in the ''[[dir:data]]/hack.log'' file to notify the system operator(s) of the suspicious activity (default: after 10 failed login attempts) +  - Can create an entry in the ''[[dir:data]]/hack.log'' file to notify the system operator(s) of the suspicious activity (default: after 10 failed login attempts, see [[config:sbbs.ini|LoginAttemptHackThreshold]]
-  - Can temporarily ban (block connections) from an attacking IP address after a configurable number of failed login attempts (default: after 20 failed login attempts, duration: 10 minutes) +  - Can temporarily ban (block connections) from an attacking IP address after a configurable number of failed login attempts (default: after 20 failed login attempts, duration: 10 minutes, see [[config:sbbs.ini|LoginAttemptTempBanThreshold]] and [[config:sbbs.ini|LoginAttemptTempBanDuration]]
-  - Permanently block all future connections from the attacking IP address by adding an entry to the ''[[dir:text]]/[[config:ip.can]]'' file (default: disabled) +  - Persistently block all future connections from the attacking IP address by adding an entry to the ''[[dir:text]]/[[config:ip.can]]'' file (default: disabled, see [[config:sbbs.ini|LoginAttemptFilterThreshold]]
-  - Limit the number of concurrent connections to the Terminal Server from a common host/client IP address (default: disabled)+  - Limit the number of concurrent connections to the Terminal Server from a common host/client IP address (default: disabled, see [[config:sbbs.ini|MaxConcurrentConnections]])
  
 To do this, Synchronet tracks the source IP address of all failed login attempts. The sysop can list the failed login attempts: To do this, Synchronet tracks the source IP address of all failed login attempts. The sysop can list the failed login attempts:
Line 31: Line 40:
 Note: Note:
   * These IP addresses are only tracked during a single continuous invocation of the Synchronet process (rerunning the BBS clears the list and resets any temporary bans in effect)   * These IP addresses are only tracked during a single continuous invocation of the Synchronet process (rerunning the BBS clears the list and resets any temporary bans in effect)
 +  * Temporary IP address bans can be cleared (without resetting a server) by using [[config:semfiles#clear_failed_login_list_semaphore_files]]
 +  * Consecutive failed login attempts with the //same credentials// (name and password) are counted as a //single// failed login attempt
   * When a client successfully authenticates, its IP address is removed from the failed login list (if it exists there)   * When a client successfully authenticates, its IP address is removed from the failed login list (if it exists there)
  
Line 39: Line 50:
   * or edit your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file and set the ''LoginAttemptTempBanThreshold'' and ''LoginAttemptTempBanDuration'' values...   * or edit your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file and set the ''LoginAttemptTempBanThreshold'' and ''LoginAttemptTempBanDuration'' values...
  
-... to values you are comfortable with. +... to numbers you are comfortable with. 
  
 The default temporary ban Threshold is 20 (failed login attempts) while the default temporary ban duration is 10 minutes. The default temporary ban Threshold is 20 (failed login attempts) while the default temporary ban duration is 10 minutes.
Line 45: Line 56:
 Note: Setting the Temp Ban Threshold to 0 will disable temporary bans based on failed login attempt counters, but a failed login with a blocked name (from ''[[dir:text]]/name.can'') will still result in an immediate temporary ban, regardless of the Temp Ban Threshold value. Note: Setting the Temp Ban Threshold to 0 will disable temporary bans based on failed login attempt counters, but a failed login with a blocked name (from ''[[dir:text]]/name.can'') will still result in an immediate temporary ban, regardless of the Temp Ban Threshold value.
  
-=== Permanent Filtering ===+=== Persistent Filtering ===
  
-To permanently block future connections from an IP address that has performed multiple consecutive failed login attempts: +To persistently block future connections from an IP address that has performed multiple consecutive failed login attempts: 
-  * In the Synchronet Control Panel for Windows, set File->Properties->Security->Failed Login Attempts->Perm Filter Threshold value... (used to be called "IP Filter Threshold")+  * In the Synchronet Control Panel for Windows, set File->Properties->Security->Failed Login Attempts->Auto Filter Threshold value... (used to be called "IP Filter Threshold", then "Perm Filter Threshold")
   * or edit your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file and set the ''LoginAttemptFilterThreshold'' value...   * or edit your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file and set the ''LoginAttemptFilterThreshold'' value...
  
Line 55: Line 66:
 The default Filter Threshold value is 0 (disabled). The default Filter Threshold value is 0 (disabled).
  
-{{:monitor:sbbsctrl:sbbsctrl.security.png|}}+The //duration// of the persistent IP address filters that area automatically creates is also configurable (default: 0/infinite). 
 + 
 +{{:howto:sbbsctrl.3.20.security.png|}}
  
 Note: These ''LoginAttempt'' values may be set in your ''[[config:sbbs.ini]]'' to different values for each Synchronet server/service if you wish, but that's a configuration that most sysops won't need. Note: These ''LoginAttempt'' values may be set in your ''[[config:sbbs.ini]]'' to different values for each Synchronet server/service if you wish, but that's a configuration that most sysops won't need.