• Mystic 100% CPU usage twice in 5 hours

    From Solarbaby@21:1/151 to All on Tuesday, November 01, 2016 07:22:00
    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mystic crashes at
    100% cpu and continues to use 100% cpu indefinitely puzzles me a lot.

    I'm going to have to write a script to keep my device from burning itself up. Did anyone already write something that they would like to share?

    --- Mystic BBS v1.12 A29 (Raspberry Pi)
    * Origin: Solar BBS (21:1/151)
  • From Solarbaby@21:1/151 to all on Tuesday, November 01, 2016 08:41:00
    This can be run from cron. I'll give it a test drive and see how things work out.



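    #!/bin/bash

    # Tries to kill the process with the highest CPU load
    # (if it is part of a specified list of troublemakers).

    TROUBLEMAKERS="mystic mrc"

    sleep 1 # wait a second (just as a precaution)

    # Batch-mode top: drop the 6 summary lines, then take the first process
    # row below the column header (top sorts by %CPU by default).
    TOPPROCESS=$(top -b -n 1 | sed 1,6d | sed -n 2p)
    TOPPID=$(echo "$TOPPROCESS" | awk '{print $1}')
    TOPNAME=$(echo "$TOPPROCESS" | awk '{print $12}')

    # Nothing parsed: an empty name would match the list below and
    # kill would then run without a PID.
    if [[ -z "$TOPPID" || -z "$TOPNAME" ]]
    then
        echo "Could not determine the top process. Exiting..."
        exit 1
    fi

    # Whole-word match, so a process named e.g. "m" does not match "mystic".
    if [[ " $TROUBLEMAKERS " == *" $TOPNAME "* ]]
    then
        echo "Cause of high CPU load: $TOPNAME ($TOPPID)"
        echo "In troublemaker list. Killing..."
        kill -9 "$TOPPID"
    else
        echo "Cause of high CPU load: $TOPNAME ($TOPPID)"
        echo "Not in troublemaker list. Exiting..."
        exit 1
    fi

    exit 0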

    --- Mystic BBS v1.12 A29 (Raspberry Pi)
    * Origin: Solar BBS (21:1/151)
  • From Avon@21:1/101 to Solarbaby on Wednesday, November 02, 2016 12:51:00
    On 11/01/16, Solarbaby pondered and said...

    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mystic crashes at

    They have been crashing MIS at Agency in recent days. Not sure what they are doing when they do manage to down it but I think all nodes may be busy and the blocked activity is running hard.. :(

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Pequito@21:1/126 to Avon on Tuesday, November 01, 2016 20:22:00
    On 11/02/16, Avon said the following...

    On 11/01/16, Solarbaby pondered and said...

    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mystic crashe

    They have been crashing MIS at Agency in recent days. Not sure what they are doing when the do manage to down it but I think all nodes may be
    busy and the blocked activity is running hard.. :(


    They managed to get Cyberia BBS as well, been getting BUSY from his system a lot lately.

    Twinkle BBS | tbbs.homeip.net | tbbs.homeip.net:8080
    Christopher Malo aka Pequito!

    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Twinkle BBS (21:1/126)
  • From Vk3jed@21:1/109 to Avon on Wednesday, November 02, 2016 16:46:00
    Avon wrote to Solarbaby <=-

    They have been crashing MIS at Agency in recent days. Not sure what
    they are doing when the do manage to down it but I think all nodes may
    be busy and the blocked activity is running hard.. :(

    The bots are starting to give my Synchronet system some grief. I think I'm going to have to go down the road of using fail2ban to block the attempts of banned IPs altogether, before they hit the BBS. Let iptables do the dirty work. :)


    ... MultiMail, the new multi-platform, multi-format offline reader!
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Avon@21:1/101 to Pequito on Wednesday, November 02, 2016 18:59:00
    On 11/01/16, Pequito pondered and said...

    They managed to get Cyberia BBS as well, been getting BUSY from his
    system a lot lately.

    fsxNet HUB took a hit today but as it does not run Telnet I can not be sure what caused the outage. I posted the logs over in the general chat echo.. Humm....

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Avon@21:1/101 to Vk3jed on Wednesday, November 02, 2016 19:00:00

    On 11/02/16, Vk3jed pondered and said...

    The bots are starting to give my Synchronet system some grief. I think I'm going to have to go down the road of using fail2ban to block the attempts of banned IPs altogether, before they hit the BBS. Let
    iptables do the dirty work. :)

    I wonder if this is an area for future development for g00r00 as if this sort of stuff keeps up I figure we could all benefit from advances in 'smarts' to help combat it in MIS and MIS2.

    Just a thought.

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Vk3jed@21:1/109 to Avon on Wednesday, November 02, 2016 17:26:00
    Avon wrote to Vk3jed <=-

    I wonder if this is an area for future development for g00r00 as if
    this sort of stuff keeps up I figure we could all benefit from advances
    in 'smarts' to help combat it in MIS and MIS2.

    The issue is such that the block really needs to happen before the connection gets to MIS/MIS2. In Linux, iptables can do the deed. Windows, I don't know (haven't run a Windows server for donkey's years, especially one exposed on the Internet). :)

    Or you might have to have a process that answers incoming requests and quarantines them, and passing those determined to be a real human to MIS/MIS2. Bit like the mailers of old, where you press a key such as ESC to get to the BBS. :) This process would need to be able to handle a gazillion connections, so the bots don't tie it up, but your nodes would be free.

    But for me, I'll be looking into fail2ban for now. I want to offload as much as possible from the BBSs as possible. I have hardly any users, 4 or 5 lines and I can't get on half the time because of ghosts. :(


    ... "42? 7 and a half million years and all you can come up with is 42?!"
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Avon@21:1/101 to Vk3jed on Wednesday, November 02, 2016 20:29:00

    On 11/02/16, Vk3jed pondered and said...

    The issue is such that the block really needs to happen before the connection gets to MIS/MIS2. In Linux, iptables can do the deed.

    But for me, I'll be looking into fail2ban for now. I want to offload as much as possible from the BBSs as possible. I have hardly any users, 4
    or 5 lines and I can't get on half the time because of ghosts. :(

    Is this a Linux only tool I suspect. I'll need to find a Windows equivalent methinks.

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Vk3jed@21:1/109 to Avon on Wednesday, November 02, 2016 18:38:00
    Avon wrote to Vk3jed <=-

    Is this a linux only tool I suspect. I'll need to find a windows equivalent me thinks.

    Yep. :)


    ... Being seven points behind gives you a definite psychological advantage.
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Avon@21:1/101 to Vk3jed on Wednesday, November 02, 2016 20:50:00

    On 11/02/16, Vk3jed pondered and said...

    Avon wrote to Vk3jed <=-

    Is this a linux only tool I suspect. I'll need to find a windows equivalent me thinks.

    Yep. :)


    Perhaps easier said than done... will dig around...

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Tony Langdon@21:1/143 to Avon on Wednesday, November 02, 2016 08:14:00
    Avon wrote to vk3jed <=-

    Perhaps easier said than done... will dig around...

    *hands Paul a Linux CD* :P


    ... Vegetarian (n.), Ancient native word meaning "lousy hunter".
    ___ MultiMail/Win32 v0.49

    --- Mystic BBS/QWK v1.12 A31 (Raspberry Pi)
    * Origin: The Bridge - bridge.vkradio.com (21:1/143)
  • From Pequito@21:1/126 to Avon on Wednesday, November 02, 2016 02:44:00
    On 11/02/16, Avon said the following...

    On 11/01/16, Pequito pondered and said...

    They managed to get Cyberia BBS as well, been getting BUSY from his system a lot lately.

    fsxNet HUB took a hit today but as it does not run Telnet I can not be sure what caused the outage. I posted the logs over in the general chat echo.. Humm....


    Connect/busy/connect/busy/CRASH!


    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Twinkle BBS (21:1/126)
  • From Pequito@21:1/126 to Avon on Wednesday, November 02, 2016 02:44:00
    On 11/02/16, Avon said the following...


    On 11/02/16, Vk3jed pondered and said...

    The bots are starting to give my Synchronet system some grief. I thi I'm going to have to go down the road of using fail2ban to block the attempts of banned IPs altogether, before they hit the BBS. Let iptables do the dirty work. :)

    I wonder if this is an area for future development for g00r00 as if this sort of stuff keeps up I figure we could all benefit from advances in 'smarts' to help combat it in MIS and MIS2.

    Which one are you using and which one is crashing?


    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Twinkle BBS (21:1/126)
  • From Pequito@21:1/126 to Avon on Wednesday, November 02, 2016 02:45:00
    On 11/02/16, Avon said the following...


    On 11/02/16, Vk3jed pondered and said...

    Avon wrote to Vk3jed <=-

    Is this a linux only tool I suspect. I'll need to find a windows equivalent me thinks.

    Yep. :)


    We have IPTables; you, Mr. Windows, have Windows Firewall or your router. Take aim and pick wisely!

    Cheers!
    Pequito


    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Twinkle BBS (21:1/126)
  • From Richard Menedetter@21:1/104 to Tony Langdon on Wednesday, November 02, 2016 09:48:00
    Hi Tony!

    02 Nov 2016 08:14, from Tony Langdon -> Avon:

    Perhaps easier said than done... will dig around...
    *hands Paul a Linux CD* :P

    Tony ... you have beaten me to it.

    But better you do it, postage is so high when sending it from here ;)))

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: The price of greatness is responsibility (21:1/104)
  • From Tiny@21:1/130 to Vk3jed on Wednesday, November 02, 2016 12:18:00
    Quoting Vk3jed to Avon <=-

    The bots are starting to give my Synchronet system some grief. I
    think I'm going to have to go down the road of using fail2ban to block
    the attempts of banned IPs altogether, before they hit the BBS. Let iptables do the dirty work. :)

    I'm thinking there is a way to do that stuff in the router with DD-WRT.
    I'm going to have to get off my ass and look into that one day. ;)
    Especially as I bought the damn router specifically for features like that.

    Shawn

    ... I've pretended to be me for so long that now I am.

    --- EzyBlueWave V3.00 01FB001F
    * Origin: Tiny's BBS - www.tinysbbs.com (21:1/130)
  • From Gryphon@21:1/120 to Pequito on Wednesday, November 02, 2016 08:34:00
    On 11/01/16, Pequito said the following...

    On 11/02/16, Avon said the following...

    On 11/01/16, Solarbaby pondered and said...

    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mystic c

    They have been crashing MIS at Agency in recent days. Not sure what t are doing when the do manage to down it but I think all nodes may be busy and the blocked activity is running hard.. :(


    They managed to get Cyberia BBS as well, been getting BUSY from his
    system a lot lately.

    Yeah, I've noticed that too. I get a busy signal once in a while and I have to SSH in to the command line and clear the nodes. I'm wondering why MIS/Mystic isn't killing the nodes once the timeout has been reached. If Mystic would kill the nodes once timeout was reached, I wouldn't be having this problem.

    "No matter where you go, there you are!" - Buckaroo Bonzai

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX (21:1/120)
  • From Gryphon@21:1/120 to Vk3jed on Wednesday, November 02, 2016 08:39:00
    On 11/02/16, Vk3jed said the following...

    Avon wrote to Vk3jed <=-

    I wonder if this is an area for future development for g00r00 as if this sort of stuff keeps up I figure we could all benefit from advanc in 'smarts' to help combat it in MIS and MIS2.

    The issue is such that the block really needs to happen before the connection gets to MIS/MIS2. In Linux, iptables can do the deed. Windows, I don't know (haven't run a Windows server for donkeys years, especially one exposed on the Internet). :)

    There was a time when I was adding blocked IPs to IPTABLES on a regular basis. What started happening was that IPTABLES would take several minutes to load and refresh because I had so many blocked IPs. It almost became worthless at that point. That's when I stopped adding blocked IPs and just let Mystic do the blocking. The only thing I block is SSH and I leave a hole in it so that I can ssh in from my local network, and from my work network. Beyond that, nobody can connect via ssh.

    "No matter where you go, there you are!" - Buckaroo Bonzai

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX (21:1/120)
  • From Vk3jed@21:1/109 to Richard Menedetter on Thursday, November 03, 2016 07:41:00
    Richard Menedetter wrote to Tony Langdon <=-

    Perhaps easier said than done... will dig around...
    *hands Paul a Linux CD* :P

    Tony ... you have beaten me to it.

    But better you do it, postage is so high when sending it from here ;)))

    Haha, yeah wouldn't cost too much to post from here. International post for small items like that isn't too expensive. :)


    ... The manner in which it is given is worth more than the gift.
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Vk3jed@21:1/109 to Tiny on Thursday, November 03, 2016 07:43:00
    Tiny wrote to Vk3jed <=-

    I'm thinking there is a way to do that stuff in the router with
    DD-WRT. I'm going to have to get off my ass and look into that one day.
    ;) Especialy as I bought the damn router specifically for features like that.

    Hmm, then the router has to be able to tell what is valid and invalid traffic. Or be told by the systems behind it (this would be doable for Linux based routers that you can load your own scripts and software on to).


    ... Help support helpless victims of computer error!
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Vk3jed@21:1/109 to Gryphon on Thursday, November 03, 2016 07:48:00
    Gryphon wrote to Vk3jed <=-

    There was a time when I was adding blocked IPs to IPTABLES on a regular basis. What started happening was that IPTABLES would take several minutes to load and refresh because I had so many blocked IPs. It
    almost became worthless at that point. That when I stopped adding
    blocked IP and just let Mystic do the blocking. The only thing I block
    is SSH and I leave a whole in it so that I can ssh in from my local network, and from my work network. Beyond that, nobody can connect via ssh.

    That is an interesting point. I wonder how many of those IPs in the block list are actively probing at any given time. Some must be dynamic IPs that change from time to time, in which case, temporary bans might reduce the size of the list.

    With the current state of the BBS blocking, having the BBS do it isn't cutting it either, because all available sessions can be easily consumed by bots and ghosts. :(


    ... A life? Where can I download that?
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From karl@21:1/161 to Vk3jed on Wednesday, November 02, 2016 17:55:00
    On 11/03/16, Vk3jed said the following...

    Tiny wrote to Vk3jed <=-

    I'm thinking there is a way to do that stuff in the router with DD-WRT. I'm going to have to get off my ass and look into that one da ;) Especialy as I bought the damn router specifically for features li that.

    Hmm, then the router has to be able to tell what is valid and invalid traffic. Or be told by the systems behind it (this would be doable for Linux based routers that you can load your own scripts and software on to).

    This would be fairly easy to accomplish with fail2ban. I think I looked to see if this could be incorporated into dd-wrt but don't remember what I found. Fail2ban also lets you add rules to the firewall which can automatically be removed after a configurable period of no attacks.

    --
    Karl
    The Search BBS

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: The Search BBS (21:1/161)
  • From Pequito@21:1/126 to Gryphon on Wednesday, November 02, 2016 20:09:00
    On 11/02/16, Gryphon said the following...

    On 11/01/16, Pequito said the following...

    On 11/02/16, Avon said the following...

    On 11/01/16, Solarbaby pondered and said...

    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mys

    They have been crashing MIS at Agency in recent days. Not sure w are doing when the do manage to down it but I think all nodes ma busy and the blocked activity is running hard.. :(


    They managed to get Cyberia BBS as well, been getting BUSY from his system a lot lately.

    Yeah, I've noticed that too. I get a busy signal once in a while and I have to SSH in to the command line and clear the nodes. I'm wondering
    why MIS/Mystic isn't killing the nodes ones the timeout has been
    reached. If Mystic would kill the nodes once timeout was reached, I wouldn't be having this problem.

    Maybe lower the timeout to 2-3 minutes? Should be enough for new users to create a new account and others to login before a timeout is reached.

    Cheers!
    Pequito


    --- Mystic BBS v1.12 A31 (Linux)
    * Origin: Twinkle BBS (21:1/126)
  • From Vk3jed@21:1/109 to karl on Thursday, November 03, 2016 14:58:00
    karl wrote to Vk3jed <=-


    This would be fairly easy to accomplish with fail2ban. I think I
    looked to see if this could be incorporated into dd-wrt but dont
    remember what I found. Fail2ban also lets you add rules to the firewall whic can automatically be removed after a configurable period of no attacks.

    Sounds worth a shot. :)


    ... They couldn't hit an elephant at this dist...
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Tiny@21:1/130 to Vk3jed on Thursday, November 03, 2016 11:10:00
    Quoting Vk3jed to Tiny <=-

    Hmm, then the router has to be able to tell what is valid and invalid traffic. Or be told by the systems behind it (this would be doable for Linux based routers that you can load your own scripts and software on to).

    DD-WRT allows that... it's the most complex thing I've ever used. hahaha.
    I'm going to try to get that working and let you all know how I make out.

    Shawn

    ... Man does not live by coffee alone. Have a danish.

    --- EzyBlueWave V3.00 01FB001F
    * Origin: Tiny's BBS - www.tinysbbs.com (21:1/130)
  • From bcw142@21:1/145 to Solarbaby on Tuesday, November 01, 2016 11:53:00
    On 11/01/16, Solarbaby said the following...
    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Why mystic crashes at 100% cpu and continues to use 100% cpu indefinitely puzzles me a lot.
    I'm going to have to write a script to keep my device from burning
    itself up. Did anyone already write something that they would like to share?
    --- Mystic BBS v1.12 A29 (Raspberry Pi)
    * Origin: Solar BBS (21:1/151)

    Shouldn't be a problem on the Pi. I'm running on a Pi B+, bots attack all the time - they attack both the Pi and an AMD based Ubuntu 14.04 and get nowhere
    on both (do have a huge ban list and a number of countries in badcountry.txt). Have you looked at badip.txt and the log files? mutil.log, server_telnet.log, node1.log? Do they show anything other than Normal Exit (0)?
    Sounds like something else to me (than just the bots). Try Solarbaby's script first to try and kill off possible 'bad' tasks.

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From bcw142@21:1/145 to Avon on Wednesday, November 02, 2016 00:02:00
    On 11/02/16, Avon said the following...
    They have been crashing MIS at Agency in recent days. Not sure what they are doing when the do manage to down it but I think all nodes may be
    busy and the blocked activity is running hard.. :(

    Best, Paul
    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)

    I'd say set the Pi up as a front end like some others have done. Mine isn't really having that much trouble rejecting the bots. Try it as a front end
    like others have done. It might stop the 100% cpu usage and after getting it tweaked to work well would make a good video and wiki entry.

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From bcw142@21:1/145 to Gryphon on Wednesday, November 02, 2016 12:38:00
    On 11/02/16, Gryphon said the following...
    There was a time when I was adding blocked IPs to IPTABLES on a regular basis. What started happening was that IPTABLES would take several minutes to load and refresh because I had so many blocked IPs. It
    almost became worthless at that point. That when I stopped adding
    blocked IP and just let Mystic do the blocking. The only thing I block
    is SSH and I leave a whole in it so that I can ssh in from my local network, and from my work network. Beyond that, nobody can connect via ssh.

    Really don't need to block the ssh, they don't have a way to deal with that.
    I don't block any of mine and never have trouble getting in that way. I did
    add my internal IPs to the goodip.txt so once I'm in there are no issues.
    As for IPTABLES, really need to group bad ones like 41.212.200.* (that is one of them) for IPTABLES to be effective.

    G00r00 had to put that kill ghosts in there for a reason - there must be some type of hangs on the various systems he can't timeout properly. I guess we need to figure out how to detect them and kill the task and put it in a shell run by cron every 15 minutes or so. If we can make that work then g00r00 can do the same in the real code. I think it's the 'detect them' part that no one has solidly figured out yet ;) I see them in 'w' output (Linux), need to see if I can figure out a proper 'detect' for them.

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
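Added example, not part of the thread: one way to avoid the slow-loading iptables list Gryphon describes, combining bcw142's suggestion to group neighbouring addresses with Vk3jed's idea of temporary bans. It collapses a one-address-per-line ban list into /24 networks and prints input for `ipset restore` with a timeout; the set name `bbs_ban`, the 24-hour timeout, the threshold of 3 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the ban list holds one
# IPv4 address per line, as the thread's script appends to badip.txt.

# aggregate_bans FILE [MIN]
# Prints each unique address, except that MIN (default 3) or more
# addresses in the same /24 are replaced by that /24 network.
# Blank lines, "#" comments and anything that is not a dotted quad
# with octets 0-255 are skipped rather than passed to the firewall.
aggregate_bans() {
    awk -v min="${2:-3}" '
        { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }
        /^$/ || /^#/ { next }
        {
            n = split($0, o, ".")
            if (n != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            ip = (o[1] + 0) "." (o[2] + 0) "." (o[3] + 0) "." (o[4] + 0)
            if (ip in seen) next            # count each address once
            seen[ip] = 1
            net = (o[1] + 0) "." (o[2] + 0) "." (o[3] + 0)
            count[net]++
            hosts[net] = hosts[net] " " ip
        }
        END {
            for (net in count) {
                if (count[net] >= min) {
                    print net ".0/24"
                } else {
                    m = split(hosts[net], h, " ")
                    for (j = 1; j <= m; j++) print h[j]
                }
            }
        }
    ' "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# emit_ipset_restore SET TTL
# Reads aggregated entries on stdin and prints "ipset restore" input.
# Entries in a set created with a timeout expire on their own after TTL
# seconds, so the list cannot grow without bound and a /24 that caught
# an innocent neighbour is released again.
emit_ipset_restore() {
    set_name=$1
    ttl=$2
    printf 'create %s hash:net family inet timeout %s\n' "$set_name" "$ttl"
    while IFS= read -r entry; do
        printf 'add %s %s\n' "$set_name" "$entry"
    done
}

# Constructed sample list using documentation address ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.0.2.10
192.0.2.77
192.0.2.200
198.51.100.5
# a comment line
203.0.113.9
EOF

aggregate_bans "$sample" 3 | emit_ipset_restore bbs_ban 86400
rm -f "$sample"

# To apply as root (port 23 is an assumption, use the BBS telnet port):
#   aggregate_bans /path/to/badip.txt | emit_ipset_restore bbs_ban 86400 \
#       | ipset -exist restore
#   iptables -I INPUT -p tcp --dport 23 -m set --match-set bbs_ban src -j DROP
# The single iptables rule does one hash lookup per packet, however many
# entries the set holds, instead of walking one rule per banned address.
```

Grouping into /24 networks also blocks unlisted neighbours in that range, which is why the example pairs it with an expiring set rather than permanent rules.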
  • From Vk3jed@21:1/109 to Tiny on Friday, November 04, 2016 06:29:00
    Tiny wrote to Vk3jed <=-

    DD-WRT allows that... it's the most complex thing I've ever used. hahaha. I'm going to try to get that working and let you all know how I make out.

    Good luck. :)


    ... Jesus turned water into wine....the ultimate party guest!!!!
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Solarbaby@21:1/151 to bcw142 on Thursday, November 03, 2016 15:30:00
    bots). Try Solarbaby's script first to try and kill off possible 'bad' tasks.

    So far that script is working pretty well.

    --- Mystic BBS v1.12 A29 (Raspberry Pi)
    * Origin: Solar BBS (21:1/151)
  • From Avon@21:1/101 to bcw142 on Friday, November 04, 2016 12:43:00
    On 11/02/16, bcw142 pondered and said...


    I'd say set the Pi up as a front end like some others have done. Mine isn't really having that much trouble rejecting the bots. Try it as a front end like others have done. It might stop the 100% cpu usage and after getting it tweaked to work well would make a good video and wiki entry.

    Yes.. but is it really (for want of a better way of describing it) best practice to suggest this to everyone as the 'solution'? I am not sure it is.

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Gryphon@21:1/120 to Vk3jed on Thursday, November 03, 2016 11:13:00
    On 11/03/16, Vk3jed said the following...

    Gryphon wrote to Vk3jed <=-

    There was a time when I was adding blocked IPs to IPTABLES on a regul basis. What started happening was that IPTABLES would take several minutes to load and refresh because I had so many blocked IPs. It almost became worthless at that point. That when I stopped adding blocked IP and just let Mystic do the blocking. The only thing I blo is SSH and I leave a whole in it so that I can ssh in from my local network, and from my work network. Beyond that, nobody can connect vi ssh.

    That is an interesting point. I wonder how many of those IPs in the
    block list are actively probing at any given time. Some must be dynamic IPs that change from time to time, in which case, temporary bans might reduce the size of the list.

    I wonder if they are IPs that keep changing, or if it is just a compromised device that has been zombified to start doing the same attacks that compromised it.

    "No matter where you go, there you are!" - Buckaroo Bonzai

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX (21:1/120)
  • From Gryphon@21:1/120 to Pequito on Thursday, November 03, 2016 11:16:00
    On 11/02/16, Pequito said the following...

    On 11/02/16, Gryphon said the following...

    On 11/01/16, Pequito said the following...

    On 11/02/16, Avon said the following...

    On 11/01/16, Solarbaby pondered and said...

    Bots are crashing mystic. Maybe?
    When it crashes I see a research bot is on a node. Wh

    They have been crashing MIS at Agency in recent days. Not s are doing when the do manage to down it but I think all nod busy and the blocked activity is running hard.. :(


    They managed to get Cyberia BBS as well, been getting BUSY from system a lot lately.

    Yeah, I've noticed that too. I get a busy signal once in a while and have to SSH in to the command line and clear the nodes. I'm wonderin why MIS/Mystic isn't killing the nodes ones the timeout has been reached. If Mystic would kill the nodes once timeout was reached, I wouldn't be having this problem.

    Maybe lower the timeout to 2-3 minutes? Should be enough for new users
    to create a new account and others to login before a timeout is reached.

    I tried that once. The timeout isn't only for the logon process; it's for any inactive timeout. So 2-3 minutes of inactivity and a user gets booted. I had set it to 2 minutes once and I started getting complaints that the bbs would drop people.

    "No matter where you go, there you are!" - Buckaroo Bonzai

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX (21:1/120)
  • From Avon@21:1/101 to Gryphon on Friday, November 04, 2016 16:28:00

    On 11/03/16, Gryphon pondered and said...

    I tried that once. The timeout isn't only for the logon process; it's
    for any inactive timeout. So 2-3 minutes of inactivity and a user gets booted. I had set it to 2 minutes ones and I started getting complaints that the bbs would drop people.

    There is a separate setting for login time vs timeout for inactivity ... or
    am I misunderstanding you? :)

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Vk3jed@21:1/109 to Gryphon on Friday, November 04, 2016 19:19:00
    Gryphon wrote to Vk3jed <=-

    I wonder if they are the are IP's that keep changing, or if it is just
    a compromised device that has been zombified to start doing the same attacks that compromised it.

    Hard to tell either way. :/


    ... I'm working on my master's thesis on Amish road rage.
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (21:1/109)
  • From Gryphon@21:1/120 to Avon on Friday, November 04, 2016 15:45:00
    On 11/04/16, Avon said the following...


    On 11/03/16, Gryphon pondered and said...

    I tried that once. The timeout isn't only for the logon process; it' for any inactive timeout. So 2-3 minutes of inactivity and a user ge booted. I had set it to 2 minutes ones and I started getting complain that the bbs would drop people.

    There is a separate setting for login time vs timeout for inactivity ... or am I misunderstanding you? :)

    Yes, I see now that there is a separate setting for login and inactivity.
    But I'm finding that neither one of them will drop carrier on a node if it hasn't at least hit ENTER on the USERNAME prompt. I've got the login time
    set to 6 minutes, but I find that some nodes have been sitting idle like that for hours.

    To that end, I have written a new script that will kill all duplicate mystic processes if there are more than 2 with the same -IP<IPADDRESS>. It will also check to see if the IP is in the goodip.txt file and if it kills the process, it will add the IP to the badip.txt.

    ============= Begin code =============
    #!/bin/sh

    GOODIP=/home/bbs/data/goodip.txt
    BADIP=/home/bbs/data/badip.txt
    LOGFILE=/home/bbs/logs/dupeIP.log
    THRESHOLD=3

    # One "<count> <ip>" line per client address, taken from the
    # -IP<address> argument of each running mystic node process.
    IPS=$(ps -ef | grep mystic | grep IP | grep HOST | awk '{print $11}' | cut -c 4- | sort | uniq -c)

    if [ -z "${IPS}" ]; then
        exit
    fi

    # Read the list line by line. Looping over the quoted "${IPS}" runs
    # only once, with every count and address lumped together.
    echo "${IPS}" | while read -r COUNT THEIP; do
        if [ -n "${THEIP}" ] && [ "${COUNT}" -ge "${THRESHOLD}" ]; then
            # -F: dots are literal; -w: 1.2.3.4 does not also match 1.2.3.40
            pids=$(ps -ef | grep mystic | grep -Fw -e "-IP${THEIP}" | awk '{print $2}')
            if grep -qFw -e "${THEIP}" "${GOODIP}"; then
                echo "$(date) : The IP ${THEIP} is allowed" >> "${LOGFILE}"
            elif grep -qFw -e "${THEIP}" "${BADIP}"; then
                echo "$(date) : The IP ${THEIP} is not allowed" >> "${LOGFILE}"
            else
                echo "$(date) : Adding IP ${THEIP} to ${BADIP}" >> "${LOGFILE}"
                echo "${THEIP}" >> "${BADIP}"
                # Unquoted on purpose: one argument per PID.
                [ -n "${pids}" ] && kill ${pids}
            fi
        fi
    done
    ============== end code ===============

    "No matter where you go, there you are!" - Buckaroo Bonzai

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX (21:1/120)
  • From Tiny@21:1/130 to Vk3jed on Friday, November 04, 2016 22:02:00
    Quoting Vk3jed to Tiny <=-

    hahaha. I'm going to try to get that working and let you all know how I make out.
    Good luck. :)

    Thanks. Found some interesting websites about it, so I'm quite sure it
    can be done. Just need to find time when I don't have anything else on the
    go to do it.

    Shawn

    ... Ambition is the last refuge of the failure.

    --- EzyBlueWave V3.00 01FB001F
    * Origin: Tiny's BBS - www.tinysbbs.com (21:1/130)
  • From Avon@21:1/101 to Gryphon on Saturday, November 05, 2016 11:23:00
    On 11/04/16, Gryphon pondered and said...

    To that end, I have written a new script that will kill all duplicate mystic processes if there are more than 2 with the same -IP<IPADDRESS>. It will also check to see if the IP is in the goodip.txt file and if it kills the process, it will add the IP to the badip.txt.

    Looks good, thanks for sharing this. Perhaps something to add as an option for Linux systems to use in the Wiki FAQ - would you be OK if I put it there?

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Tony Langdon@21:1/143 to Tiny on Saturday, November 05, 2016 01:13:00
    Tiny wrote to vk3jed <=-

    Thanks. Found some interesting websites about it, so I'm quite sure
    it can be done. Just need to find time when I don't have anything else
    on the go to do it.

    I know that feeling. :-)


    ... Why get even, when you can get odd?
    ___ MultiMail/Win32 v0.49

    --- Mystic BBS/QWK v1.12 A31 (Raspberry Pi)
    * Origin: The Bridge - bridge.vkradio.com (21:1/143)
  • From bcw142@21:1/145 to Avon on Saturday, November 05, 2016 11:17:00
    On 11/04/16, Avon said the following...
    On 11/02/16, bcw142 pondered and said...
    I'd say set the Pi up as a front end like some others have done. Mine

    Yes.. but is it really (for want of a better way of describing it) best practice to suggest this to everyone as the 'solution'? I am not sure it is.

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)

    I doubt there is a 'solution', just various things that help keep the BBS up and running ;( Kind of using the Pi/Mystic as a firewall - of course could
    run a real firewall and maybe some python scripts to help deal with what's being sent and sort out the bots. As the Pi gets more powerful it can do more and more, helping to take on the bots ;)

    ...(A)bort, (R)etry, (P)retend this never happened...

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From Richard Menedetter@21:1/104 to Bcw142 on Wednesday, November 09, 2016 16:59:00
    Hi Bcw142!

    05 Nov 2016 11:17, from bcw142 -> Avon:

    I doubt there is a 'solution', just various things that help keep the
    BBS up and running ;(

    What is the actual problem??

    Any daemon connected to the Internet should be able to cope with scans.
    Or do you guys see massive denial of service attacks with at least multiple megabits of constant traffic coming from wildly distributed IPs?

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Two heads are better than none (21:1/104)
  • From bcw142@21:1/145 to Richard Menedetter on Wednesday, November 09, 2016 11:44:00
    On 11/09/16, Richard Menedetter said the following...
    Hi Bcw142!
    I doubt there is a 'solution', just various things that help keep the BBS up and running ;(

    What is the actual problem??
    The botnets and the massive DDoS attacks. I suspect one took down FSXNet last night, which caused fidopoll to hang on my system. Oddly retronet also
    appeared to be down or there are issues with fidopoll on mystic A31.

    Any daemon connected to the Internet should be able to cope with scans.
    Basic scans I don't even notice.

    Or do you guys see massive denial of service attacks with at least multiple megabits of constant traffic coming from wildly distributed IPs?
    That's It! We need to be able to clean the stuff 'they' infected to cut the attacks or put many firewalls throughout the internet to filter them out.

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From andrew@21:1/140 to Richard Menedetter on Thursday, November 10, 2016 11:46:00


    On Nov 10th 2:06 am Richard Menedetter said...
    Any daemon connected to the Internet should be able to cope with scans.

    It should, but it seems mystic doesn't. Probably the biggest problem with mystic (and Magicka, and probably others) is that they assign node numbers before authentication. That means the nodes get tied up with attackers sitting at the login screen.

    Also, keep in mind that many people running BBSes are doing so on their home connections, which are already limited bandwidth, so it doesn't take so much traffic to soak it all up.

    But yeah, it would seem there are stability problems with Mystic under some circumstances as we have seen with the agency hub crashing. It's not open source and gooroo is away, so no one can fix them, so it's about trying to work
    around it.

    Andrew




    --- ENiGMA 1/2 v0.0.1-alpha (sunos; x64; 4.6.0)
    * Origin: Underland - andrew.homeunix.org:2023 (21:1/140)
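
The pre-authentication problem andrew describes, as an added example (not code from the thread or from Mystic): the decision a front end or watchdog could make over a snapshot of node sessions, using Gryphon's 6-minute login time and more-than-2-per-IP rule from earlier in the thread. The `Session` fields, the function name and the sample addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Session:
    node: int
    ip: str
    connected_at: float          # epoch seconds when the connection was accepted
    authenticated: bool = False  # True once a login has completed

def sessions_to_drop(sessions, now, allow=(), login_deadline=360, per_ip_limit=2):
    """Return {node: reason} for pre-auth sessions that should be disconnected."""
    drop = {}
    pre_auth = defaultdict(list)
    for s in sessions:
        if s.authenticated:
            continue  # logged-in callers are covered by the inactivity timeout
        if now - s.connected_at > login_deadline:
            drop[s.node] = "login deadline"  # never got past the login prompt in time
        pre_auth[s.ip].append(s)
    for ip, group in pre_auth.items():
        if ip in allow:
            continue  # same role as goodip.txt in the script above
        group.sort(key=lambda s: s.connected_at)
        excess = len(group) - per_ip_limit
        for s in group[:max(excess, 0)]:  # drop the oldest extras first
            drop.setdefault(s.node, "per-IP limit")
    return drop

# Constructed sample snapshot (documentation address ranges, not real callers)
NOW = 1_000_000.0
SAMPLE = [
    Session(1, "203.0.113.5", NOW - 7200),   # idle at the prompt for two hours
    Session(2, "203.0.113.5", NOW - 120),
    Session(3, "203.0.113.5", NOW - 60),
    Session(4, "203.0.113.5", NOW - 30),
    Session(5, "198.51.100.7", NOW - 900, authenticated=True),
    Session(6, "192.0.2.10", NOW - 10),
    Session(7, "192.0.2.10", NOW - 9),
    Session(8, "192.0.2.10", NOW - 8),
]

if __name__ == "__main__":
    print(sessions_to_drop(SAMPLE, NOW, allow={"192.0.2.10"}))
```
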
  • From Richard Menedetter@21:1/104 to Bcw142 on Monday, November 14, 2016 10:47:00
    Hi Bcw142!

    09 Nov 2016 11:44, from bcw142 -> Richard Menedetter:

    Or do you guys see massive denial of service attacks with at
    least multiple megabits of constant traffic coming from wildly
    distributed IPs?
    That's It! We need to be able to clean the stuff 'they' infected to
    cut the attacks or put many firewalls throughout the internet to
    filter them out.

    The problem is that the mirai source is now on github.
    Prepare for even more attacks :(

    I had a look, and it is really easy to set up an instance of mirai :(

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: What youth deemed crystal, age finds was dew (21:1/104)
  • From Richard Menedetter@21:1/104 to Andrew on Monday, November 14, 2016 10:52:00
    Hi Andrew!

    10 Nov 2016 11:46, from andrew -> Richard Menedetter:

    Any daemon connected to the Internet should be able to cope with
    scans.
    It should, but it seems mystic doesn't.

    Yes ... that is what I assumed.
    There are also many, many SSH connections where they try to guess user/password
    pairs.
    Still I never noticed except by the rapidly growing log files ;)

    Probably the biggest problem with mystic (and Magicka, and probably others) is that they assign node numbers before authentication.

    If they do not adapt to the realities of today's Internet, then those SW packages will no longer be usable.

    Also, keep in mind that many people running BBSes are doing so on
    their home connections, which are already limited bandwidth, so it
    doesn't take so much traffic to soak it all up.

    The traffic used is really minimal.
    The goal is to scan as quickly and efficiently as possible.
    So they do everything NOT to delay trying by sending more than necessary.

    But yeah, it would seem there are stability problems with Mystic under some circumstances as we have seen with the agency hub crashing. It's
    not open source and gooroo is away, so no one can fix them, so it's
    about trying to work around it.

    Yes ... sadly.
    Same is true with QWK where Mystic (at least the recent beta) generates duplicate MSGIDs.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: How can I be over the hill when I never got to the top? (21:1/104)
  • From andrew@21:1/140 to Richard Menedetter on Monday, November 14, 2016 20:41:00


    On Nov 14th 8:01 pm Richard Menedetter said...
    Same is true with QWK where Mystic (at least the recent beta) generates duplicate MSGIDs.

    It's not just QWK, the bot posts are generating duplicate msgids. Enigma throws out the duplicates, and I've noticed particularly when necromaster posts his necronomicon and retronet ads, the retronet one gets tossed out because it's the same as the necronomicon one. Same with idbbs and pinet ads.

    My theory (I'm not sure if I said before) is it uses timestamps to generate MSGIDs, so when more than one message is generated in a second, it shares message ids.

    Anyway. I hope it gets fixed some time..

    Andrew

    --- ENiGMA 1/2 v0.0.1-alpha (linux; x64; 4.6.2)
    * Origin: Underland - andrew.homeunix.org:2023 (21:1/140)
  • From Richard Menedetter@21:1/104 to Andrew on Monday, November 14, 2016 11:59:00
    Hi Andrew!

    14 Nov 2016 20:41, from andrew -> Richard Menedetter:

    It's not just QWK, the bot posts are generating duplicate msgids.
    Enigma throws out the duplicates, and I've noticed particularly when necromaster posts his necronomicon and retronet ads

    Anyway. I hope it gets fixed some time..

    Same here for both passages ;)

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: The universe is laughing behind your back (21:1/104)
  • From Avon@21:1/101 to andrew on Tuesday, November 15, 2016 12:31:00
    On 11/14/16, andrew pondered and said...

    It's not just QWK, the bot posts are generating duplicate msgids. Enigma throws out the duplicates, and I've noticed particularly when
    necromaster posts his necronomicon and retronet ads, the retronet one gets tossed out because it's the same as the necronomicon one. Same with idbbs and pinet ads.

    My theory (I'm not sure if I said before) is it uses timestamps to generate MSGIDs, so when more than one message is generated in a second, it shares message ids.

    I can confirm that if you use MUTIL function to post a text file to multiple message bases it generates the post to each base using the same message ID. I solve this for the posts I publish using this tool for file hatch
    announcements by calling MUTIL separately for each announcement post I make
    and running them 3-5 seconds apart to ensure unique message IDs are created :)

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Night Stalker@21:1/178 to andrew on Saturday, November 19, 2016 21:17:00

    It's not just QWK, the bot posts are generating duplicate msgids. Enigma throws out the duplicates, and I've noticed particularly when
    necromaster posts his necronomicon and retronet ads, the retronet one gets tossed out because it's the same as the necronomicon one. Same with idbbs and pinet ads.

    Hmmm.. interesting.. I've never experienced that before.. I'll have to pay closer attention to the kludge lines and see if anything really is getting double tossed

    --- Mystic BBS v1.12 A31 (Raspberry Pi)
    * Origin: internal dimension ÷ idbbs.dlinkddns.com ÷ port 59 (21:1/178)
  • From Apam@21:1/125.1 to Night Stalker on Sunday, November 20, 2016 13:43:00
    Hmmm.. interesting.. I've never experienced that before.. I'll have to pay closer attention to the kludge lines and see if anything really is getting double tossed

    I believe that Mystic has additional Dupe detection methods than
    other BBS packages, in that it checks more than just the MSGID, so you shouldn't see the "dupes" in Mystic.

    Andrew

    --- Ezycom V3.00 01FA002E
    * Origin: Serpent's Shrine (21:1/125.1)
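
The MSGID discussion above (andrew's timestamp theory, Avon's MUTIL observation and Apam's note on dupe detection), as an added example that is not from the thread and not Mystic's or ENiGMA's code. It models a serial taken from the clock in whole seconds, a tosser that checks only the MSGID, one that also checks content, and a counter-based serial; the origin address, the fields in the wider dupe key and the sample messages are constructed assumptions.

```python
import zlib

ADDR = "21:1/999"  # constructed origin address, not a node from the thread

def clock_msgid(t):
    """MSGID whose 8-hex-digit serial is the clock in whole seconds (the theory above)."""
    return f"{ADDR} {int(t) & 0xFFFFFFFF:08x}"

def make_counter_msgid():
    """Clock-seeded serial bumped past the last value issued, so a burst never repeats."""
    last = -1
    def next_id(t):
        nonlocal last
        last = max(int(t), last + 1) & 0xFFFFFFFF
        return f"{ADDR} {last:08x}"
    return next_id

def build_feed(make_id):
    """Two different ads written in the same second, then a true duplicate of the first."""
    ad_a = {"msgid": make_id(1479100000.2), "subject": "Ad A", "body": "first ad text"}
    ad_b = {"msgid": make_id(1479100000.7), "subject": "Ad B", "body": "second ad text"}
    return [ad_a, ad_b, dict(ad_a)]  # dict(ad_a): same message arriving by a second path

def toss(feed, key):
    """Keep the first message seen for each dupe key; return (kept, dropped) subjects."""
    seen, kept, dropped = set(), [], []
    for msg in feed:
        k = key(msg)
        (dropped if k in seen else kept).append(msg["subject"])
        seen.add(k)
    return kept, dropped

def msgid_only(msg):
    return msg["msgid"]

def msgid_plus_content(msg):
    # Assumed wider key: MSGID plus subject and a CRC of the body
    return (msg["msgid"], msg["subject"], zlib.crc32(msg["body"].encode()))

if __name__ == "__main__":
    for name, gen in (("clock", clock_msgid), ("counter", make_counter_msgid())):
        for check in (msgid_only, msgid_plus_content):
            print(name, check.__name__, toss(build_feed(gen), check))
```

With the clock serial, the MSGID-only check drops "Ad B" as a false duplicate; either the wider dupe key or the counter serial keeps both ads while still discarding the real duplicate.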