You can do two types of blocks with fail2ban:
1) Attempts to login with supervisor, support, root, etc., as shown below, can be blocked on the first try. I see two repeats of most of the IPs in that short time window. So blocking after the first one should slow down things by at least half.
2) Perhaps there are more repeats in the log outside of that short 3 minute window. If so, then 3 x "bad login" fails should slow things down even more and catch any login names you didn't think of in the first list. Once you start blocking enough of the IPs, you may break the botnet's ability to continue.
Use NAT so that port 23 is not available outside your site network. That's not a panacea since port scanners can eventually find a port ... if they bother to look long enough and if you allow them to look long enough. But most attackers go for the easy targets and folks who haven't even used NAT are easy targets.
Use your firewall or iptables and fail2ban to detect and block port scanning.
As Brian suggested, restrict logins by pre-defined IP address range. Or, if your firewall has the feature, use Geo-based IP blocking. Again, not perfect. But a combination of traps will usually get the job done.
Michael N6MEF
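Michael's two rules replayed over the log Pedro posted, as an added example that is not from either message: the failregex is written in fail2ban's <HOST> notation (the JNOS log format is assumed from the quoted lines) and the ban loop imitates fail2ban's maxretry/findtime window; the rule 1 name list is an assumption drawn from the names in the log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style failregex for the JNOS MBOX lines quoted in the thread (format assumed); <HOST> is swapped by hand below.
FAILREGEX = r"^\s*(?P<time>\d{2}:\d{2}:\d{2}) <HOST>:\d+ - MBOX \((?P<user>[^)]+)\) bad login"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
# Rule 1 names (assumed from the thread): one attempt is enough to ban.
INSTANT_BAN_USERS = frozenset({"supervisor", "support", "root", "administrator", "sh"})
# Bad-login lines from Pedro's message (JNOS timestamps carry no date).
SAMPLE_LOG = """\
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
""".splitlines()

def evaluate(lines, instant_users=INSTANT_BAN_USERS, maxretry=3, findtime=600):
    """Replay the log with both rules. Returns (banned, refused): banned maps each
    banned IP to the rule that caught it; refused counts attempts that arrived after
    their IP was already banned, i.e. connections JNOS would no longer have to serve."""
    banned, refused = {}, 0
    window = defaultdict(deque)      # ip -> failure times inside the findtime window
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                    # not a bad-login line, ignore it
            continue
        t = datetime.strptime(m.group("time"), "%H:%M:%S")
        ip, user = m.group("host"), m.group("user")
        if ip in banned:
            refused += 1
            continue
        if user in instant_users:    # rule 1: forbidden name, ban on first sight
            banned[ip] = f"rule1: name {user!r}"
            continue
        q = window[ip]               # rule 2: maxretry failures within findtime seconds
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = f"rule2: {len(q)} bad logins in {findtime}s"
    return banned, refused
```

On Pedro's eleven lines, rule 1 alone bans all seven addresses and refuses four of the eleven attempts; with rule 2 only, maxretry=3 catches nothing in this window, which is why the two rules are meant to be combined.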
-----Original Message-----
From: 44Net [mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On Behalf Of Pedro Converso
Sent: Sunday, June 12, 2016 11:40 AM
To: AMPRNet working group 44net@hamradio.ucsd.edu
Subject: [44net] Help MBOX flood
Hello,
For the last few months my JNOS MBOX has been under attack:
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
None of the users tried has been granted permission.
Installed fail2ban but to no avail. Attacking IPs change continuously; routing to loopback does not help. Due to the heavy load, JNOS eventually hangs.
Is there any way/suggestion to stop this?
Appreciate any help.
73, lu7abf, Pedro Converso
44.153.0.1 or conversoft.com.ar
pconver@gmail.com