• Protection

    From Sam Penwright@1:123/120 to All on Sun Jan 30 10:06:10 2022
    Greetings Everyone!

    I have a question for everyone!
    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc. So I thought I would see what everyone is
    using! So if you would, tell me.
    I'm using a Check Point T110 running pfSense software.
    Thanks for your time.
    Datalus


    Bye for now...
    Sam

    --- Ezycom V3.00 01FB064B
    * Origin: Deep Space Gateway BBS Running EZYCOM V3.0 (1:123/120)
  • From Richard Menedetter@2:310/31 to Sam Penwright on Sun Jan 30 18:46:04 2022
    Hi Sam!

    30 Jan 2022 10:06, from Sam Penwright -> All:

    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc.

    What good is a firewall for that?
    If you open a port for a service, then the port is open in the firewall.
    If there is nothing listening on a port, it makes zero difference.

    I just use fail2ban to block, on demand, IPs that are currently doing too many failed SSH logins.

    CU, Ricsi

    ... The only thing faster than the speed of light is word of mouth.
    --- GoldED+/LNX
    * Origin: 1 + 2 = 3; Therefore, 4 + 5 = 6 (2:310/31)
  • From Daniel Path@2:371/52 to Sam Penwright on Sun Jan 30 22:03:50 2022
    Hello Sam.

    30 Jan 22 10:06, you wrote to All:

    I have a question for everyone!
    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc. So I thought I would see what everyone is
    using! So if you would, tell me.
    I'm using a Check Point T110 running pfSense software.

    I've just switched the BBS port from the default 23 to 1212.

    --
    Daniel

    ... 11:57pm up 17 days, 10:54:47, load: 74 processes, 276 threads.
    --- GoldED+/EMX 1.1.4.7
    * Origin: Roon's BBS - Budapest, HUNGARY (2:371/52)
  • From Chris Hizny@1:218/860 to Sam Penwright on Wed Feb 2 09:11:29 2022
    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc. So I thought I would see what everyone is

    Well, for what it's worth, before I put up my board I was interested in what exactly these were, so using Netcat and a shell script, I made a kind of honeypot which prints a login and password prompt, logs those, then prints a fake shell prompt ($ or # depending on the attempted login).

    Nearly all hits to telnet ports are bots/worms spraying-and-praying across the net, looking for -- so far as I can tell -- cheapo security cameras and other IoT devices with known default logins and passwords. (I could determine this by watching what login/password combinations were being tried, then searching for devices with known defaults of these combinations.)

    Most are webcams - for some reason - with brand names they don't sell in my country. As to your comment, most are from places like China and Russia.

    Once they are "logged in," nearly all of them attempt to run busybox with a payload. Some attempt to wget the payload from an external site although for some reason those have mostly faded away. The busybox command line assumes the payload is already baked into busybox (i.e. the device already has a compromised busybox executable).

    The scripts are rather dumb; they don't check for result text or error text from the commands they run.

    The larger point here is that unless you're running a system with common default logins and passwords, these present no threat to your system. They are nuisances.

    Moving your system off of the default ports completely stops them, since these scripts are looking for low-hanging fruit and targets of opportunity. This isn't really security-through-obscurity so much as it is moving out of the way of an indiscriminately fired machine gun.

    fail2ban and similar techniques are fine as far as they go but there are so many of these coming from so many different IP addresses, it's whack-a-mole. Maybe since it is automated, no big deal.

    There's no real threat here. Not that better security is a bad thing; have at it, but I figured I'd post this just to provide some additional information.

    Of the ports I watch (basically everything in /etc/services), these are the most common hits (note the most hammered port -- hence the issue SysOps have to put up with):

    | Port | Hits  | Description
    |------|-------|---------------------------------------------
    | 23   | 37940 | telnet
    | 22   | 27589 | ssh - SSH Remote Login Protocol
    | 443  | 20170 | https - http protocol over TLS/SSL
    | 80   | 18976 | http www - WorldWideWeb HTTP
    | 123  | 15946 | ntp - Network Time Protocol
    | 389  | 5430  | ldap - Lightweight Directory Access Protocol
    | 111  | 2711  | sunrpc portmapper - RPC 4.0 portmapper
    | 21   | 2465  | ftp
    | 67   | 2448  | bootps
    | 68   | 2291  | bootpc
    | 1194 | 1687  | openvpn
    | 873  | 1132  | rsync

    None of the ports you see in this list are open/provide services on the servers I monitor, so no one should be legitimately hitting them.

    The other traffic you see is from research/scanning IPs - shodan.io is one - which are people mapping the net or searching for vulnerabilities - generally good guys (like Arbor Observatory).

    Anyway, slightly off-topic to your question, but I hope there's something interesting in here of interest to someone.

    --- Mystic BBS v1.12 A47 2021/09/24 (Linux/64)
    * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (1:218/860)
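The Netcat-plus-shell-script honeypot Chris describes above, written out as an added example (this is not Chris's script, which is not in the thread): it prints a login and password prompt, records what is typed, shows a `$` or `#` prompt depending on the attempted login, and records every "command" the client sends without executing any of it. The `HONEYPOT_LOG` path, the `serve` argument and the sample sessions are my own choices; the peer address is taken from `NCAT_REMOTE_ADDR`, which ncat sets for the program it starts with `--sh-exec`.

```sh
#!/bin/sh
# Added example: minimal telnet-style honeypot session handler in POSIX sh,
# modelled on the one described in the post above (not the poster's script).
# Nothing the client types is ever executed; it is only written to the log.
# Assumptions: HONEYPOT_LOG and the "serve" argument are my choices; PEER is
# filled from ncat's NCAT_REMOTE_ADDR when run under --sh-exec.

HONEYPOT_LOG="${HONEYPOT_LOG:-./honeypot.log}"

# Telnet clients send CRLF; drop the CR so logged values compare cleanly.
strip_cr() {
    printf '%s' "$1" | tr -d '\r'
}

# log_event TYPE DETAIL: one tab-separated line: UTC time, peer, type, detail.
log_event() {
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${PEER:-unknown}" "$1" "$2" >> "$HONEYPOT_LOG"
}

# fake_prompt LOGIN: '#' for an attempted root login, '$' for anything else.
fake_prompt() {
    case "$1" in
        root) printf '# ' ;;
        *)    printf '$ ' ;;
    esac
}

# handle_session: talk to one client on stdin/stdout. Returns 0 once a
# login/password pair has been captured, 1 if the client hung up before that.
handle_session() {
    PEER="${PEER:-${NCAT_REMOTE_ADDR:-unknown}}"
    printf 'login: '
    IFS= read -r login || return 1
    login=$(strip_cr "$login")
    printf 'Password: '
    IFS= read -r password || return 1
    password=$(strip_cr "$password")
    log_event LOGIN "user=$login pass=$password"

    prompt=$(fake_prompt "$login")
    n=0
    # Bots rarely check output (as the post notes), so an empty reply keeps
    # them sending the rest of their script, which is exactly what we log.
    while printf '%s' "$prompt"; IFS= read -r cmd; do
        cmd=$(strip_cr "$cmd")
        [ -z "$cmd" ] && continue
        n=$((n + 1))
        log_event CMD "$cmd"
        printf '\n'
        [ "$cmd" = "exit" ] && break
    done
    log_event END "commands=$n"
    return 0
}

# summarize_logins: count each user/pass combination seen, most frequent first.
# This is the "watch which combinations are tried" step from the post.
summarize_logins() {
    awk -F'\t' '$3 == "LOGIN" { print $4 }' "$HONEYPOT_LOG" | sort | uniq -c | sort -rn
}

# Run one handler per connection, e.g.:
#   ncat -l 2323 -k --sh-exec './honeypot.sh serve'
if [ "${1:-}" = "serve" ]; then
    handle_session
fi
```

The log is tab-separated so that `summarize_logins` can treat the whole `user=... pass=...` field as one key even when a password contains spaces. Listening on a high port such as 2323 and forwarding 23 to it with your firewall keeps the listener itself unprivileged.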
  • From Sam Penwright@1:123/120 to Chris Hizny on Wed Feb 2 08:30:28 2022
    Hey Chris,

    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc. So I thought I would see what everyone is
    doing

    Well, for what it's worth, before I put up my board I was interested in what exactly these were, so using Netcat and a shell script, I made a kind of honeypot which prints a login and password prompt

    Anyway, slightly off-topic to your question, but I hope there's something interesting in here of interest to someone.
    Very interesting read, thanks Chris.
    I have an odd-numbered port but I still get a lot of logs showing a lot
    of different countries. This wasn't what I expected, being on a port
    that's not very common.

    I just wanted to see what others do. I have ample protection, so it was
    just for a discussion!
    Thanks, Sam


    Bye for now...
    Sam

    --- Ezycom V3.00 01FB064B
    * Origin: Deep Space Gateway BBS Running EZYCOM V3.0 (1:123/120)
  • From Greg Youngblood@1:123/130 to Sam Penwright on Mon Dec 12 05:26:06 2022
    What are you using to protect your computer and BBS,
    like PeerBlock firewall, pfSense with something like Check Point hardware, or
    any other hardware? I receive a lot of hits from Russia, Korean
    Republic, China etc. So I thought I would see what everyone is

    If you're using pfSense like me, why are you not using the add-on pfBlocker?
    I have NO trouble with any of those countries unless they use a proxy from
    a safe (whitelisted) country!



    -* Havok *-

    ... I'd love to help you out. Which way did you come in?

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: After Hours BBS|ah-bbs.com:2333|SSH:2220 (1:123/130)