• How to handle the port 23 script kiddies

    From Björn Felten@2:203/2 to All on Wed Mar 14 00:41:13 2018
    I really do want to keep my port 23 open, so that my users can telnet to my BBS.

    But as most of you probably know, there's a huge operation going on with hijacked computers trying to connect to other port 23 computers.

    Well, if you like me have Argus setup to answer incoming port 23 calls, you probably know that there's very little double escape character response. So how
    do you handle this?

    In the Doors setup the only nonprintable character available is the escape character (a backslash). If character/return had something like that it would be much easier. But here's how I've done it:

    http://felten.se/ny.jpg

    Originally I was planning on sending a huge response (as in typing a big exe-file) but I abandoned that idea since it meant that my system was hanging after the remote system quickly disconnected.

    But the 'type' command does not compute (you need 'cmd type' to make it work), so the connection swiftly is disconnected.

    As always: RFC... 8-)

    ..

    --- Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1.16) Gecko/20101125
    * Origin: news://eljaco.se (2:203/2)
  • From Tommi Koivula@2:221/0 to Bjrn Felten on Fri Mar 16 10:16:14 2018
    I really do want to keep my port 23 open, so that my users can telnet to my BBS.

    I don't have port 23 open to mailer/bbs anymore but I have a fake prompt
    in Xenia Mailer:

    + Xenia Mailer 1.98.06+ OS/2 (SN:399USBJ14); Node 2:221/360@fidonet - Task
    2
    + COPYRIGHT (C) 1987-1998 by Arjen G. Lentz & LENTZ SOFTWARE-DEVELOPMENT
    + This copy is licensed for use by: Tommi Koivula

    Hit <ESC> twice for BBS.

    OS/2 Login:

    And for login attempts as root, admin, sysop or shit like that the
    mailer just disconnects without loading the bbs.

    'Tommi

    --- Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 SeaMonkey/
    * Origin: SmapiNNTPd/Linux-Pi 1.11 (2:221/0)
  • From mark lewis@1:3634/12.73 to Björn Felten on Fri Mar 16 11:43:38 2018
    On 2018 Mar 14 00:41:12, you wrote to All:

    I really do want to keep my port 23 open, so that my users can telnet
    to my BBS.

    ok... you can do that...

    But as most of you probably know, there's a huge operation going on
    with hijacked computers trying to connect to other port 23 computers.

    "*a* huge operation"?? think again... try "several" or "numerous"... there are quite a few different groups fighting each other... many over farkin games... some are just cheating... in all cases, they are building botnets so they can DDOS other systems and cheat in their games or try to take someone else's botnet bit by bit... or just be a festering boil because they have no proper home training or upbringing... take your pick...

    Well, if you like me have Argus setup to answer incoming port 23
    calls, you probably know that there's very little double escape
    character response. So how do you handle this?

    block'em at the perimeter via IDS/IPS and be done with them... stop screwing around... if you don't have a perimeter firewall, you should get one... yeah, i
    mean replacing that POC in the ISP modem thing... preferably a firewall with an
    IDS/IPS so that you can write your own rules and block these MIRAI variants...

    Originally I was planning on sending a huge response (as in typing a
    big exe-file) but I abandoned that idea since it meant that my system
    was hanging after the remote system quickly disconnected.

    that type of retaliation won't do a damned thing... they won't even see it... just block them and move on... or get off of 23 and 2323 and live a quiet life... i've been writing about this stuff since july or august of MIRAI when i
    first started writing IDS rules to detect the shite and block it... it is exactly what my signature block talks of, too...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... It's lonely at the top, but you eat better.
    ---
    * Origin: (1:3634/12.73)
  • From mark lewis@1:3634/12.73 to Björn Felten on Fri Mar 16 12:22:14 2018
    On 2018 Mar 16 11:43:38, I wrote to you:

    i've been writing about this stuff since july or august of MIRAI when
    i first started writing IDS rules to detect the shite and block it...
    it is exactly what my signature block talks of, too...

    damned lack of c0ffee :(

    "i've been writing about this stuff since july or august of 2016 when i first started writing IDS/IPS rules to detect this MIRAI shite and block it on my perimeter firewall..."

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... I know the answers...as long as you ask the right questions.
    ---
    * Origin: (1:3634/12.73)