One thing I do is that I take the hack.log and pull out the IPI would block them using iptables (or ntf or whatever they're using
Addresses. Then I feed those IP Addresses into a Fail2Ban Jail for
SSH, Telnet, FTP, and RLOGIN (5513). I use a bash script that runs
regularly through cron.
---
Synchronet My Brand-New BBS
nelgin wrote to Jordanjm <=-
I would block them using iptables (or ntf or whatever they're using
these days). I actually use ipsets with a rule to use the set in
iptables. This is incredibility fast and reduces the workload on the system.
ipset create hackers hash:ip
If you plan on blocking and entire network like a /24 then you can use hash:net instead.
You can make a corresponding ipv6
ipset create hackers6 hash:ip family ipv6
Then early in your iptables filter rules you'll want
-A INPUT -m set --match-set hackers src -j DROP
nelgin wrote to Jordanjm <=-
I would block them using iptables (or ntf or whatever they're
using these days). I actually use ipsets with a rule to use the
set in iptables. This is incredibility fast and reduces the
workload on the system.
ipset create hackers hash:ip
If you plan on blocking and entire network like a /24 then you
can use hash:net instead.
Is this a command in a script, or something you add to the iptables
config?
You can make a corresponding ipv6
ipset create hackers6 hash:ip family ipv6
Then early in your iptables filter rules you'll want
-A INPUT -m set --match-set hackers src -j DROP
Thanks!
... Keep your stick on the iceipset is a command. The -A thing is something you put in your iptables.
--- MultiMail/DOS v0.52
Synchronet CAPCITY2 * Capitol City Online
On Sat, 20 Jun 2026 22:56:37 -0600 "Jordanjm" (VERT/JORDANJM) <VERT/JORDANJM!Jordanjm@endofthelinebbs.com> wrote:
One thing I do is that I take the hack.log and pull out the IP Addresses. Then I feed those IP Addresses into a Fail2Ban Jail for SSH, Telnet, FTP, and
RLOGIN (5513). I use a bash script that runs regularly through cron.
---I would block them using iptables (or ntf or whatever they're using these days). I actually use ipsets with a rule to use the set in iptables. This is
þ Synchronet þ My Brand-New BBS
incredibility fast and reduces the workload on the system. ipset create hackers hash:ip If you plan on blocking and entire network like a /24 then you can
use hash:net instead.
You can make a corresponding ipv6 ipset create hackers6 hash:ip family ipv6 Then early in your iptables filter rules you'll want -A INPUT -m set
--match-set hackers src -j DROP If you have a contrack rule for established connections, like this one -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT you'll probably might want to put the hack rule before it so it'll kill off any existing connections. If you're not to worries then put it
afterwards. I have it before in mine but maybe that doesn't make sense. -- End Of The Line BBS - Plano, TX telnet endofthelinebbs.com 23 --- þ
Synchronet þ End Of The Line BBS - endofthelinebbs.com
Standard is now nftables far as a few days ago on where things are going, at least on gentoo.
Re: Re: Protecting from Attacks
By: Darksix to nelgin on Mon Jun 22 2026 15:08:30
Standard is now nftables far as a few days ago on where things are
going, at least on gentoo.
I don't like how nft doesn't use ipset. I end up with a separate
include file with all the blocked networks so I don't mess up my
main table on my Arch system.
ipset is a command. The -A thing is something you put in your iptables.
I don't like how nft doesn't use ipset. I end up with a separate include
file with all the blocked networks so I don't mess up my main table on my
Arch system.
https://imgur.com/wvtIQTx
ipset is a command. The -A thing is something you put in your iptables.
In Ubuntu that's likely /etc/iptables/rules.v4.
You'll also want netfilter-persistent and ipset-persistent packages.
Whenever you create an ipset or add/remove from it, you want to run netfilter-persistent save to make sure it's written back to disk
otherwise it'll be lost on reboot. It'll also ensure they're loaded at
boot time.
ipset create hackers hash:ip
On 22 Jun 2026, nelgin said the following...
ipset is a command. The -A thing is something you put in your iptables.
this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..
-A is add (to the bottom)
-I is insert (on top or wherever)
that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.
ipset is a command. The -A thing is something you put in your iptables.
In Ubuntu that's likely /etc/iptables/rules.v4.
It is here on debian also. I have several rules set to forward inbound ports (like 23 inbound to 2323 local, 80 inbound to 8080 local, etc.) so that the bbs sofware doesn't have to run as root and bind to low ports. I
am guessing I'd want that -A/DROP line to go before those so it covers all traffic.
ipset create hackers hash:ip
I presume you set up some ipset config options that tell it how to detect a potential hacker and add it to "hackers"?
This could be very useful. Thanks!
ipset is a command. The -A thing is something you put in your
iptables. In Ubuntu that's likely /etc/iptables/rules.v4.
It is here on debian also. I have several rules set to forward
inbound ports (like 23 inbound to 2323 local, 80 inbound to 8080
local, etc.) so that the bbs sofware doesn't have to run as root
and bind to low ports. I am guessing I'd want that -A/DROP line to
go before those so it covers all traffic.
Disregard my questions. I got curious and started researching it
myself. iptables automatically put the ipset commands at the top, in
the *filter section, before all the *nat rules.
ipset create hackers hash:ip
I presume you set up some ipset config options that tell it how to
detect a potential hacker and add it to "hackers"?
This could be very useful. Thanks!
This, of course, works with a list of IPAs and nets that you alreadyYou should probably put your IP at the top, if you ssh into your box,
know are bad. I will have to work around some to see about
monitoring and picking up new IPA and nets that need adding.
At any rate, I got ipset (and the -persistent) packages installed and
set up. thanks!
$$
---
Synchronet CAPCITY2 * Capitol City Online
Re: Re: Protecting from Attacks By: Darksix to nelgin on Mon Jun 22 2026 15:08:30
Standard is now nftables far as a few days ago on where things are going, at least on gentoo.
I don't like how nft doesn't use ipset. I end up with a separate include file with all the blocked networks so I don't mess up my main table on my Arch
system.
*nat
-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111
(etc. for other ports)
COMMIT
Are you saying adding the line as an -A *above* the existing first -A
line won't cause it to be first?
-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111
On 22 Jun 2026, nelgin said the following...
ipset is a command. The -A thing is something you put in your iptables.
this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..
-A is add (to the bottom) -I is insert (on top or wherever)
that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.
say you have commands to accept telnet, ftp, binkd, etc then you DROP everything else (all pretty standard)
then you -A something (like dropping one pesky IP address temporarily) .. it goes BELOW the DROP mentioned above, so what happens is:
pesky IP connects, iptables goes down the list and finds YEAH, telnet is accepted, and then sends the connection along as if you had never blocked it.
-I will throw it on the TOP of the chain as the first thing to check (or a line number can be provided for where it should go)
the default examples in Mystic's Event Editor for example are useless because of this.
--- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
On 22 Jun 2026, nelgin said the following...
ipset is a command. The -A thing is something you put in your iptables.
this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..
-A is add (to the bottom) -I is insert (on top or wherever)
that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.
Say I have something like this in my rules.v4:
# Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
[4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat :PREROUTING
ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j
REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025
Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?
You have a badly configured firewall, should not have more than one COMMIT.
fusion wrote to Dumas Walker <=-
now we try:
iptables -I INPUT -s 71.95.196.34 -j DROP
and dump again:
*filter
-A INPUT -s 71.95.196.34 -j DROP
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "badguy: "
--log-level 7 -A INPUT -j REJECT
COMMIT
NOW the badguy gets the boot before we even check if the connection is going to port 23.
-A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111
interestingly, this moves the connection's destination from the INPUT chain to the FORWARD chain because it's an alias for
-j DNAT --to-destination 127.0.0.1:1111
so nothing in INPUT will match it..
-I FORWARD -m set --match-set blacklist src -j DROP
anyways, sorry if this is just rehashing stuff you already know :)
The purpose of thta line is to route all incoming traffic on port 11 to port 1111 (the one that synchronet is set to listen on).
Are you saying the *filter rules above this section will be ignored
unless I set them as "FORWARD" instead of "INPUT," even though these
rules come after the *filter section?
# Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
[4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat :PREROUTING
ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j
REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025
Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?
You have a badly configured firewall, should not have more than one COMMIT.
fusion wrote to Dumas Walker <=-
The purpose of thta line is to route all incoming traffic on port 11 to port 1111 (the one that synchronet is set to listen on).
Are you saying the *filter rules above this section will be ignored
unless I set them as "FORWARD" instead of "INPUT," even though these
rules come after the *filter section?
ah sorry my bad.. looking at it now the nat table will put the packets
to INPUT (or automatically recognize 'localhost', 127.0.0.1, the ipv6 one.. etc) ..
but will move it to FORWARD if, for example, you have a separate BBS machine and IP that you forward (<- heh) the port to.
i guess the point i was trying to get across is it's pretty easy to accidentally put in do-nothing rules
# Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
[4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat
:PREROUTING ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp
--dport 11 -j REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025
Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?
You have a badly configured firewall, should not have more than one COMMIT.
I didn't key that in there. iptables generated it that way. <shrugs>
That's kind of weird that it did COMMIT more than once, and also to the other fella, you can have more than one commit
but it should all be commited fully on one go if using iptables-save
even if this is nftables wrapper. But I guess
still didn't change the fact it wasn't correct you could say besides the commit.
| Sysop: | Eastside75 |
|---|---|
| Location: | Tupelo, MS |
| Users: | 9 |
| Nodes: | 4 (0 / 4) |
| Uptime: | 146:04:02 |
| Calls: | 309 |
| Files: | 1,346 |
| Messages: | 39,813 |