src/sbbs3/ftpsrvr.cpp mailsrvr.cpp main.cpp mqtt.c sbbs_ini.c src/sbbs

BBS:      TELESC.NET.BR
Assunto:  src/sbbs3/ftpsrvr.cpp mailsrvr.cpp main.cpp mqtt.c sbbs_ini.c src/sbbs
De:       Rob Swindell (on Windows 11)
Data:     Sat, 2 May 2026 17:27:15 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/1c591f2b638c7fa7a6b2abc5
Modified Files:
	src/sbbs3/ftpsrvr.cpp mailsrvr.cpp main.cpp mqtt.c sbbs_ini.c src/sbbs3/scfg/scfgsrvr.c src/sbbs3/services.cpp startup.h websrvr.cpp
Log Message:
sbbs3 terminal server: auto-filter IPs hitting max-concurrent limit

When a client repeatedly hits the per-IP max concurrent (unauthenticated)
connection limit, optionally add the IP to text/ip.can for a configurable
duration. Threshold and duration are tunable in SCFG via a new submenu
("Max Concurrent Connections...") and via two new sbbs.ini keys in [BBS]:
MaxConConnFilterThreshold and MaxConConnFilterDuration. A threshold of 0
(the default) disables the auto-filter and preserves prior behavior.

This is a useful mitigation (when enabled by setting the threshold to a
non-zero value) against the recent spate of terminal server bot attacks
(likely looking for CVE-2026-31431: Copy Fail vulnerability on Linux
hosts), which tend to tie up a BBS's terminal server nodes just sitting
at a login prompt, causing a denial-of-service.

The strike counter for an IP is held in memory and is cleared on: a
successful login from that IP, terminal server recycle/restart, the
clear*.term semaphore file, or the new MQTT "clear" topic. Bans are
written to ip.can with the existing e= field, so they expire
naturally without any cleanup pass. A failed filter_ip() call leaves
the strike count in place so we don't reset on transient errors.

Also added: an MQTT "clear" topic (under both  and 
scopes) that signals the corresponding server to clear its login-attempt
list. The polling hook is wired into all five servers (terminal, FTP,
mail, web, services) via a new clear_attempts_now flag in
STARTUP_COMMON_ELEMENTS. The auto-filter on max-concurrent itself is
terminal-only by design, since "nodes" are a scarce resource.

Co-Authored-By: Claude Opus 4.7 (1M context) 
n
---
  mSynchronetn  hgVertrauen n hHome of Synchronet n gh[vert/cvs/bbs].synchro.net

-----------------------------------------------------------
[Voltar]