Hello Don,
Many thanks for the info.
Unfortunately the BPQ32/FBB gateway user seems to present the sysop's FBB
gateway callsign to JNOS which happens to be the only ftpuser with the sysop
bit set.
Hence if you don't put an mbox password in the autoexec.nos file, free access!
But yes, I have added the mbox password and the outside user does get the
5-digit password.
I do not use the JNOS mbox so that's why I have been caught out.
The real answer of course is never enable the FBB BBS gateway if it has
telnet access and other connections.
I hope this has helped others with a similar setup.
Regards
-----Original Message-----
From: 44net-bounces+vk1kw=netspace.net.au(a)hamradio.ucsd.edu
[mailto:44net-bounces+vk1kw=netspace.net.au@hamradio.ucsd.edu] On Behalf Of
Don Moore
Sent: Sunday, February 01, 2015 12:06 AM
To: AMPRNet working group
Subject: Re: [44net] JNOS2 vulnerable to outside hack
You can set up a password for that.
In your autoexec.nos file, add the following line:
mbox password <newpassword>
This sets a new remote sysop password. A remote sysop is a user
whose entry in the ftpusers file has the SYSOP_CMD bit set. When
a remote sysop enters the '@' command to the Jnos mailbox, and there
is a non-null mbox password established, five random numbers are
displayed. The remote sysop is expected to then transmit the letters
corresponding to these numbers, taken as zero-relative positions in
the password string. Several lines of five letters can be sent, only
one of which need be correct. The last line sent must be empty, i.e.,
just a CR. If the response is correct, the remote sysop is then given
the Jnos command-line prompt, and may issue most Jnos console commands.
Commands which would require creation of a new session are disallowed.
Use the "exit" command to exit from the Jnos command level.
On Sat, Jan 31, 2015 at 7:51 AM, vk1kw <vk1kw(a)netspace.net.au> wrote:
Hello All,
Please be advised that if you run FBB BBS with outside telnet access thru
BPQ32 and have the FBB gateway enabled, someone may connect to JNOS
via the gateway and the internal RS232 ports and execute the '@'
command on the JNOS prompt line. This gives access to Linux
Directories etc.
I have not seen the '@' command mentioned in the JNOS2j documentation
so not sure where it gets compiled in so if you could maybe help me
there please?
It does not seem to be in the DOS options and not the 'ED' definition
as both are undefined.
Also my compile of JNOS2j completes ok with no 'success' indications
and produces a file it seems but suffers from the dreaded crash a few
minutes after it runs - I suspect it is the open port problem but yet
to check that out.
Cheers
Rob
--
cheers,
Don
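
The challenge/response Don describes above, and the null-password case Rob ran into, modelled in Python as an added example (it is not JNOS source and not code from either poster). Assumptions: '#' starts a comment in autoexec.nos, challenge positions may repeat, the comparison is case-sensitive, and the sample password and challenge are constructed.

```python
import secrets

CHALLENGE_LEN = 5  # "five random numbers are displayed"


def has_mbox_password(autoexec_text):
    """True if a non-empty 'mbox password <pw>' line is present ('#' comments assumed)."""
    for raw in autoexec_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["mbox", "password"]:
            return True
    return False


def make_challenge(password):
    """Five zero-relative positions into the password (repeats allowed: assumption)."""
    return [secrets.randbelow(len(password)) for _ in range(CHALLENGE_LEN)]


def expected_response(password, challenge):
    """The letters found at the challenged positions, in the order shown."""
    return "".join(password[i] for i in challenge)


def check_reply(password, challenge, lines):
    """Several lines may be sent; one must match, and an empty line ends the reply."""
    if "" not in lines:
        return False  # no bare CR yet, so the reply is not complete
    want = expected_response(password, challenge).encode()
    sent = lines[:lines.index("")]
    return any(secrets.compare_digest(s.encode(), want) for s in sent)


def at_command(password, reply_lines, challenge=None):
    """Model of '@' for a sysop-bit user. Returns (challenge shown, access granted)."""
    if not password:
        return None, True  # null mbox password: no challenge, prompt is handed over
    challenge = challenge or make_challenge(password)
    return challenge, check_reply(password, challenge, reply_lines)


# Constructed sample input, not taken from the thread.
SAMPLE_PW = "radio-shack"
SAMPLE_CHALLENGE = [3, 0, 10, 5, 1]  # positions of i, r, k, -, a
```

Running has_mbox_password() over the text of autoexec.nos before enabling any gateway that presents a sysop-bit callsign catches the configuration Rob describes.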