• Telnet Port 23 Attacks

    From Terry Roati@21:5/101 to All on Tuesday, March 10, 2020 14:03:34

    Does anyone have an effective way to reduce or block Telnet port 23 attacks?

    Thanks.

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From g00r00@21:1/108 to Terry Roati on Tuesday, March 10, 2020 17:05:49
    Does anyone have an effective way to reduce or block Telnet port 23 attacks?

    Something that automatically blocks them after a certain number of attempts if your BBS doesn't do that already. Other than that I don't have ideas. I set my port to 2323 sometimes if I don't want to get hammered constantly.

    --- Mystic BBS v1.12 A46 2020/03/10 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Terry Roati@21:5/101 to G00r00 on Tuesday, March 10, 2020 20:49:46

    On Mar 10, 2020 04:58pm, g00r00 wrote to Terry Roati:

    Something that automatically blocks them after a certain number of
    attempts if your BBS doesn't do that already. Other than that I don't
    have ideas. I set my port to 2323 sometimes if I don't want to get hammered constantly.

    Wildcat does block telnet connections after a certain number of attempts and it works well for me but it seems some sysops do get hammered at times.

    Some sysops I know use PeerBlock which is supposed to be effective.

    If ok can I ask what formula is used in Mystic to block these telnet attacks?

    It seems to be getting worse, most attacks are scripts hitting a few nodes at the same time.

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From g00r00@21:1/108 to Terry Roati on Tuesday, March 10, 2020 19:03:00
    If ok can I ask what formula is used in Mystic to block these telnet attacks?

    Mystic can automatically block IP addresses based on some configurable number of attempts within a time period. It can also block based on origin (country). It can prevent multiple connections from the same IP address. But none of those actually prevent connections in the first place.

    The only thing Mystic can provide to assist with actually preventing a connection entirely is by using an IPBlock event which can add IPs into iptables (or something similar) which will prevent them from ever connecting to your BBS.

    (Although I have heard there can be some long-term performance issues by
    adding thousands of IPs into those types of systems, it does prevent their connections entirely).

    --- Mystic BBS v1.12 A46 2020/03/10 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From Terry Roati@21:5/101 to G00r00 on Tuesday, March 10, 2020 22:39:12

    On Mar 10, 2020 06:56pm, g00r00 wrote to Terry Roati:

    Mystic can automatically block IP addresses based on some configurable number of attempts within a time period. It can also block based on
    origin (country). It can prevent multiple connections from the same IP address. But none of those actually prevent connections in the first
    place.

    I believe Wildcat does the same and GeoIP blocking which gets rid of a lot of them.

    The only thing Mystic can provide to assist with actually preventing a connection entirely is by using an IPBlock event which can add IPs into iptables (or something similar) which will prevent them from ever connecting to your BBS.

    Wildcat only does a temporary block as most of these attacks come from dynamic IPs.

    (Although I have heard there can be some long-term performance issues by adding thousands of IPs into those types of systems, it does prevent
    their connections entirely).

    Wildcat has a blacklist, but it's manual only that I know of.

    Maybe if an IP was repetitive over a certain period, it could be moved from a temporary list to a permanent blacklist, which would then help the above.

    Thanks for the info.


    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From ryan@21:1/168 to g00r00 on Tuesday, March 10, 2020 08:02:40
    Mystic can automatically block IP addresses based on some configurable number of attempts within a time period. It can also block based on origin (country). It can prevent multiple connections from the same IP address. But none of those actually prevent connections in the first place.

    I have had some success with the above, coupled with three mods on my BBS
    (more or less):
    1. The "press <esc> twice to login" one with a 15 second timer
    2. System password (actually a disclaimer where you have to type "yes")
    3. Threat Sentry mod doing additional country lookup stuff

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Don Rolo@21:4/167 to g00r00 on Tuesday, March 10, 2020 12:20:24
    My automatic IP Banned List is growing as we speak.

    None of the attacks that I saw could pass from the LOGIN screen...

    ***
    The Vault BBS!
    Curated content for retro gaming, shareware
    & ansi-ascii art (coming soon).

    --- Mystic BBS v1.12 A45 2020/02/18 (Windows/64)
    * Origin: The Vault BBS (21:4/167)
  • From Havok@21:4/119 to Terry Roati on Tuesday, March 10, 2020 16:45:27
    Hello Terry!

    Peer block v1.2_r693 I have a script that blocks all the countries I want
    that I add to the list manager


    -= Havok =-
    We'll leave the modem on for you!

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: After Hours|The Villages,FL|afterhours-bbs.com (21:4/119)
  • From buanzo@21:2/161 to ryan on Tuesday, March 10, 2020 19:33:43
    On 10 Mar 2020, ryan said the following...
    address. But none of those actually prevent connections in the first place.

    Well, at least under a Unix-like OS such as Linux or *BSD, you can use
    fail2ban for that. As one of the authors I am pretty sure I can make it work with mystic.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: DaRK Game BBS (21:2/161)
  • From Dr. What@21:1/194 to Terry Roati on Tuesday, March 10, 2020 18:40:00
    Terry Roati wrote to All <=-

    Does anyone have an effective way to reduce or block Telnet port 23 attacks?

    I ended up moving my port to some strange number.

    It took them 2 years to bother to scan all the port numbers and start attacking me again.


    ... It was so cold, I almost got married.
    --- MultiMail/Linux v0.52
    * Origin: Diamond Mine Online BBS bbs.dmine.net:24 (21:1/194)
  • From Terry Roati@21:5/101 to Havok on Wednesday, March 11, 2020 09:19:00

    WINS 8 has it built in, SSI has switched telnet ports to 24 which doesn't make sense to me for a business to do that, even if there still is an issue of too many hits even though there is GeoIP and temporary IP blocking.

    On Mar 10, 2020 04:49pm, Havok wrote to Terry Roati:

    Hello Terry!

    Peer block v1.2_r693 I have a script that blocks all the countries I want that I add to the list manager


    -= Havok =-
    We'll leave the modem on for you!

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: After Hours|The Villages,FL|afterhours-bbs.com (21:4/119)

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From Terry Roati@21:5/101 to Dr. What on Wednesday, March 11, 2020 09:27:38

    It is not bad enough to have to do that with the protection I already have,
    just wanted to find out what others do or use for protection.

    Personally I prefer to use standard port numbers.

    On Mar 10, 2020 06:44pm, Dr. What wrote to Terry Roati:

    Terry Roati wrote to All <=-

    Does anyone have an effective way to reduce or block Telnet port 23
    attacks?

    I ended up moving my port to some strange number.

    It took them 2 years to bother to scan all the port numbers and start attacking me again.


    ... It was so cold, I almost got married.
    --- MultiMail/Linux v0.52
    * Origin: Diamond Mine Online BBS bbs.dmine.net:24 (21:1/194)

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From ryan@21:1/168 to buanzo on Tuesday, March 10, 2020 16:41:23
    Well, at least under a Unix-like OS such as Linux or *BSD, you can use fail2ban for that. As one of the authors I am pretty sure I can make it work with mystic.

    I considered using fail2ban myself but never bothered to write the detection scripts.

    Which logfile would you use to inform fail2ban?

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From alter ego@21:2/116 to Terry Roati on Wednesday, March 11, 2020 11:20:49
    Re: RE: Telnet Port 23 Attacks
    By: Terry Roati to Dr. What on Wed Mar 11 2020 09:27 am

    Personally I prefer to use standard port numbers.

    So do I.

    It is not bad enough to have to do that with the protection I already have, just wanted to find out what others do or use for protection.

    So I have port 23 open - but my firewall (opnsense), is country blocking. I noticed I would get lots of connects from China/Russia and a couple of others -
    so they are blocked.
    ...deon


    ... This tagline is SHAREWARE! To register, send me $10
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Spectre@21:3/101 to g00r00 on Wednesday, March 11, 2020 11:20:00
    Something that automatically blocks them after a certain number of

    If the connections have fail logging anywhere and you're in linux you've got fail2ban. It's just a matter of giving it a regex to match to the login failure. And then how many failures in how much time are worth blocking.

    Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: Scrawled in haste at The Lower Planes (21:3/101)
  • From Captain Obvious@21:1/157 to Terry Roati on Tuesday, March 10, 2020 21:49:12
    On 10 Mar 2020, Terry Roati said the following...


    Does anyone have an effective way to reduce or block Telnet port 23 attacks?

    Most of the modern BBS softwares allow for IP blocking. Even with over 10,000 IPs blocked so far I still get hit but nothing is getting hurt. I just leave
    enough nodes open so that it's not an issue.

    -=>Richard Miles<=-
    -=>Captain Obvious<=-
    -=>bbs.shadowscope.com<=-

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: * Shadowscope BBS * (21:1/157)
  • From Spectre@21:3/101 to ryan on Wednesday, March 11, 2020 12:12:00
    Which logfile would you use to inform fail2ban?

    You have choices depending on what's happening. It might be the BBS log, it could also be syslog, or auth.log. They're all points where the detection could be made, but the information in each one tends to be slightly different, so you'd need a custom match for each log.

    Spec


    --- SuperBBS v1.17-3 (Eval)
    * Origin: < Scrawled in blood at The Lower Planes > (21:3/101)
  • From ryan@21:1/168 to Spectre on Tuesday, March 10, 2020 19:43:33
    You have choices depending on what's happening. It might be the BBS log, it could also be syslog, or auth.log. They're all points where the
    detection could be made, but the information in each one tends to be slightly different, so you'd need a custom match for each log.

    I didn't see anything interesting in syslog but the BBS log seems promising. Maybe I'll configure this myself and do a little writeup.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Terry Roati@21:5/101 to Captain Obvious on Wednesday, March 11, 2020 12:45:42

    Same here, was trying to find out if someone found a better solution.

    On Mar 10, 2020 09:53pm, Captain Obvious wrote to Terry Roati:

    On 10 Mar 2020, Terry Roati said the following...


    Does anyone have an effective way to reduce or block Telnet port 23
    attacks?

    Most of the modern BBS softwares allow for IP blocking. Even with over 10,000 IPs blocked so far I still get hit but nothing is getting hurt. I
    just leave enough nodes open so that it's not an issue.

    -=>Richard Miles<=-
    -=>Captain Obvious<=-
    -=>bbs.shadowscope.com<=-

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: * Shadowscope BBS * (21:1/157)

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From dragonmaster@21:1/149 to Terry Roati on Tuesday, March 10, 2020 13:45:39
    Hi Terry,

    the connects you see on your bbs are completely normal.

    Imagine a fence that someone is walking along and testing all of the wooden bars to see if one is loose... that's what you see as the connections.

    A login is nearly impossible because you have to know a username and a password. If your setup only allows strong passwords then you are safe.

    After you know the IP-Address of an "attacker" you can block them.

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: XIONUM-BBS (21:1/149)
  • From Terry Roati@21:5/101 to Dragonmaster on Wednesday, March 11, 2020 17:08:50

    I understand the issue, was just trying to find out if there was a way to reduce the hits from the same IP address. I have 16 nodes so it's very rare that I get hit with more than 10 nodes at one time.

    On Mar 10, 2020 01:44pm, dragonmaster wrote to Terry Roati:

    Hi Terry,

    the connects you see on your bbs are completely normal.

    Imagine a fence that someone is walking along and testing all of the wooden bars to see if one is loose... that's what you see as the connections.

    A login is nearly impossible because you have to know a username and a password. If your setup only allows strong passwords then you are safe.

    After you know the IP-Address of an "attacker" you can block them.

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: XIONUM-BBS (21:1/149)

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From Captain Obvious@21:1/157 to Terry Roati on Wednesday, March 11, 2020 10:22:32
    On 11 Mar 2020, Terry Roati said the following...


    You can use netsh to block at the OS level so that they never get to the BBS, if you use Windows Firewall.

    -=>Richard Miles<=-
    -=>Captain Obvious<=-
    -=>bbs.shadowscope.com<=-

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: * Shadowscope BBS * (21:1/157)
  • From pokeswithastick@21:2/159 to Dr. What on Wednesday, March 11, 2020 14:30:29

    On Mar 10th 11:20 pm Dr. What said...
    Does anyone have an effective way to reduce or block Telnet port 23 attacks?

    fail2ban is one of the better ways in my opinion but you do need a way for it to detect a failed login. You could try a brute force slow down limiting the number of new connections per second for a particular source:

    for SSH for example:

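    # Record the source address of every new connection in the "SSH" list
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    # Log a source that has 3 or more entries within 10 seconds
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 10 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
    # Drop a source that has 4 or more entries within 10 seconds
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 10 --hitcount 4 --rttl --name SSH -j DROP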





    --- ENiGMA 1/2 v0.0.11-beta (linux; arm; 12.16.1)
    * Origin: sbb systems ~ https://bbs.sbbsystems.com (21:2/159)
  • From buanzo@21:2/161 to ryan on Wednesday, March 11, 2020 13:47:29
    On 10 Mar 2020, ryan said the following...
    Which logfile would you use to inform fail2ban?

    mis.log

    Snippet from a recently banned IP as shown in the mis console:

    mis.log:+ 2020.03.11 13:35:43 TELNET 2-Auto banning IP 86.99.43.239

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: DaRK Game BBS (21:2/161)
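
    Added example, not part of any post in this thread and not Mystic's or fail2ban's own code: Terry Roati's idea of promoting repeat offenders from a temporary list to a permanent one, driven by the "Auto banning IP" line quoted from mis.log above. It goes one step further by rendering the result as input for a single hashed ipset, which speaks to the concern about thousands of individual firewall entries. The sample log lines, the threshold and window, the allowlist and the set name bbs_permanent are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line format as quoted from mis.log in the thread:
#   + 2020.03.11 13:35:43 TELNET 2-Auto banning IP 86.99.43.239
# Anchored at both ends so text elsewhere in a line cannot smuggle in an address.
BAN_LINE = re.compile(
    r"^\+ (?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"[A-Z]+ +\d+-Auto banning IP (?P<ip>\S+)\s*$"
)

# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = [
    "+ 2020.03.01 02:10:05 TELNET 1-Auto banning IP 203.0.113.7",
    "+ 2020.03.01 02:10:09 TELNET 2-some other event (constructed)",
    "+ 2020.03.03 11:42:17 TELNET 3-Auto banning IP 203.0.113.7",
    "+ 2020.03.04 23:01:44 TELNET 1-Auto banning IP 198.51.100.20",
    "+ 2020.03.06 05:30:00 TELNET 2-Auto banning IP 203.0.113.7",
    "+ 2020.03.06 05:31:00 TELNET 2-Auto banning IP 999.1.1.1",
    "+ 2020.03.20 09:00:00 TELNET 1-Auto banning IP 198.51.100.20",
    "+ 2020.03.21 09:00:00 TELNET 1-Auto banning IP 192.0.2.10",
    "+ 2020.03.22 09:00:00 TELNET 1-Auto banning IP 192.0.2.10",
    "+ 2020.03.23 09:00:00 TELNET 1-Auto banning IP 192.0.2.10",
]


def parse_ban(line):
    """Return (timestamp, ip) for an auto-ban line, or None for anything else."""
    m = BAN_LINE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), "%Y.%m.%d %H:%M:%S")
    except ValueError:
        return None  # malformed address or date: never pass it to a firewall
    return ts, ip


def repeat_offenders(lines, threshold=3, window=timedelta(days=7), allowlist=()):
    """Map each IP auto-banned `threshold` times within `window` to the time it qualified."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # ip -> ban timestamps still inside the window
    permanent = {}
    for line in lines:           # lines are assumed to be in chronological order
        parsed = parse_ban(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ip in net for net in allowed):
            continue             # never lock out the sysop's own networks
        bans = recent[ip]
        bans.append(ts)
        while ts - bans[0] > window:
            bans.popleft()       # forget bans older than the window
        if len(bans) >= threshold and ip not in permanent:
            permanent[ip] = ts
    return permanent


def ipset_restore_lines(permanent, set_name="bbs_permanent"):
    """Render IPv4 offenders in the line format that `ipset restore` reads."""
    # One hashed set can be referenced from a single iptables rule
    # (-m set --match-set bbs_permanent src) instead of one rule per address.
    v4 = sorted(ip for ip in permanent if ip.version == 4)
    return [f"create {set_name} hash:ip"] + [f"add {set_name} {ip}" for ip in v4]


if __name__ == "__main__":
    offenders = repeat_offenders(SAMPLE_LOG, allowlist=["192.0.2.0/24"])
    print("\n".join(ipset_restore_lines(offenders)))
```
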
  • From buanzo@21:2/161 to ryan on Wednesday, March 11, 2020 13:55:53
    Actually, I just made fail2ban work with mystic bbs. I created a filter file and a jail definition, then ran fail2ban-regex:

    fail2ban-regex /mystic/logs/mis.log /etc/fail2ban/filter.d/mystic.conf

    Skipping output here, but it got 579 IPs to be banned.

    How may I share the config files with you?

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: DaRK Game BBS (21:2/161)
  • From g00r00@21:1/108 to ryan on Thursday, March 12, 2020 02:30:11
    Well, at least under a Unix-like OS such as Linux or *BSD, you can use fail2ban for that. As one of the authors I am pretty sure I can make it work with mystic.

    I considered using fail2ban myself but never bothered to write the detection scripts.

    Which logfile would you use to inform fail2ban?

    If you're talking about Mystic you can set up an event to run whenever it blocks an IP that will give you the IP address. You can have it shell out
    and add the IP to any third party stuff you want without the need to scrape logs.

    There is a default event that puts entries into IPTables which is the same thing fail2ban does.

    --- Mystic BBS v1.12 A46 2020/03/10 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From g00r00@21:1/108 to Spectre on Thursday, March 12, 2020 02:53:20
    Something that automatically blocks them after a certain number of

    If the connections have fail logging anywhere and you're in linux you've got fail2ban. It's just a matter of giving it a regex to match to the login failure. And then how many failures in how much time are worth blocking.

    Mystic already has interfacing with external programs covered for IP blocking without log scraping, which is how it can be used to automate iptables.

    fail2ban just scrapes logs and adds entries into iptables.

    In other words, Mystic can ultimately use the same system fail2ban uses to
    block connections without actually needing to use fail2ban at all. Of course you can still use it, but it's just adding a middle layer that may not really offer anything more to help you.

    --- Mystic BBS v1.12 A46 2020/03/10 (Windows/64)
    * Origin: Sector 7 (21:1/108)
  • From ryan@21:1/168 to buanzo on Wednesday, March 11, 2020 11:26:27
    How may I share the config files with you?

    Nice! Thanks :) Can you throw them on pastebin or something similar and share the links?

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From ryan@21:1/168 to g00r00 on Wednesday, March 11, 2020 11:40:09
    If you're talking about Mystic you can set up an event to run whenever it blocks an IP that will give you the IP address. You can have it shell
    out and add the IP to any third party stuff you want without the need to scrape logs.

    Since I run mystic as a non-root user, this won't work for me. I'm sure I
    could probably add a rule with visudo but my preference would be to use a
    true IPS/IDS service like fail2ban to handle this :)

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From ryan@21:1/168 to g00r00 on Wednesday, March 11, 2020 12:23:50
    In other words, Mystic can ultimately use the same system fail2ban uses to block connections without actually needing to use fail2ban at all. Of course you can still use it, but it's just adding a middle layer that may not really offer anything more to help you.

    The thing I like about fail2ban is that I don't need to run mis as root for fail2ban to make changes to iptables :)

    Plus, I use ufw, and fail2ban can map to ufw rather easily. But I agree that having an event in mis automate the iptables rule changes is slick and otherwise would be ideal.

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Spectre@21:3/101 to g00r00 on Thursday, March 12, 2020 10:31:00
    In other words, Mystic can ultimately use the same system fail2ban
    uses to block connections without actually needing to use fail2ban
    at all. Of course you can still use it, but it's just adding a middle
    layer that may not really offer anything more to help you.


    Woohoo! Good. If anything, depending on the logic, you might stop mystic
    having to check for them at all, or it'll be picking up everything your F2B setup is missing. I've kept F2B chasing down continuous 404's on the web server
    too. :)

    Spec


    --- SuperBBS v1.17-3 (Eval)
    * Origin: < Scrawled in blood at The Lower Planes > (21:3/101)
  • From Terry Roati@21:5/101 to Captain Obvious on Thursday, March 12, 2020 11:03:12

    Thanks, that sounds very interesting.

    On Mar 11, 2020 10:26am, Captain Obvious wrote to Terry Roati:

    On 11 Mar 2020, Terry Roati said the following...


    You can use netsh to block at the OS level so that they never get to
    the BBS, if you use Windows Firewall.

    -=>Richard Miles<=-
    -=>Captain Obvious<=-
    -=>bbs.shadowscope.com<=-

    --- Mystic BBS v1.12 A46 2020/03/07 (Windows/32)
    * Origin: * Shadowscope BBS * (21:1/157)

    Terry Roati

    ... Platinum Xpress & Wildcat!..... Nice!!!!
    --- Platinum Xpress/Win/WINServer v7.0
    * Origin: The File Bank BBS! https://tfb-bbs.org (21:5/101) (21:5/101)
  • From buanzo@21:2/161 to ryan on Thursday, March 12, 2020 16:01:06
    On 11 Mar 2020, ryan said the following...
    How may I share the config files with you?
    Nice! Thanks :) Can you throw them on pastebin or something similar and share the links?

    Absolutely. Go here: http://darkgame.buanzo.org/mystic/

    (no https there now)

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: DaRK Game BBS (21:2/161)
  • From ryan@21:1/168 to buanzo on Thursday, March 12, 2020 13:08:04
    Absolutely. Go here: http://darkgame.buanzo.org/mystic/

    :highfive:

    Thanks!

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From buanzo@21:2/161 to ryan on Thursday, March 12, 2020 19:49:14
    On 12 Mar 2020, ryan said the following...
    Absolutely. Go here: http://darkgame.buanzo.org/mystic/
    Thanks!

    ;) my pleasure. o7!

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: DaRK Game BBS (21:2/161)
  • From efraim@21:4/170 to ryan on Friday, March 13, 2020 08:52:55
    Thanks for this information!

    --- Mystic BBS v1.12 A45 2020/02/18 (Raspberry Pi/32)
    * Origin: Hispania BBS (21:4/170)