29 Sep
2016
29 Sep
'16
3:10 p.m.
As always, the best practice recommendation is to
disable telnet logins
entirely as it represents a security issue because passwords pass over
the connection in clear plaintext.
- Brian
Well, the issue is not really the passwords being in plaintext. The issue is the
availability
of a remote login feature with possibly weak passwords. It affects SSH just as much as
it
affects telnet. The malvolents are scanning the IPv4 space and when they can connect
to a remote logon service (telnet, SSH, RDP, VNC) they try a number of common usernames
and passwords. They are not listening in on your traffic. While it is clear that telnet
is not
the most secure login service, it really doesn't make a difference.
I have a fake telnetd running on one of my systems that simply presents the user with a
login prompt and logs what is being typed, and it shows endless connections trying things
like root/12345 root/password admin/admin etc. They probably get into certain routers
or other systems like that, then install some trojan that does further scanning. This is
also
indicated by certain loggings where they apparently believe they got logged in and then
send a long string like "wget something; chmod a+x something; ./something" or
similar.
Rob
29 Sep
29 Sep
3:17 p.m.
New subject: Security - Telnet (port tcp/23)
Rob, if you wouldn't mind emailing me privately (jim(a)photojim.ca) - unless
discussing it here is OK - I wouldn't mind hearing how you did the fake
telnetd. I think that's a brilliant idea.
Jim VE5EIS
-----Original Message-----
From: 44Net [mailto:44net-bounces+jim=photojim.ca@hamradio.ucsd.edu] On
Behalf Of Rob Janssen
Sent: September-29-16 1:10 PM
To: 44net(a)hamradio.ucsd.edu
Subject: Re: [44net] Security - Telnet (port tcp/23)
I have a fake telnetd running on one of my systems that simply presents the
user with a login prompt and logs what is being typed, and it shows endless
connections trying things like root/12345 root/password admin/admin etc.
They probably get into certain routers or other systems like that, then
install some trojan that does further scanning. This is also indicated by
certain loggings where they apparently believe they got logged in and then
send a long string like "wget something; chmod a+x something; ./something"
or similar.
4:04 p.m.
New subject: Security - Telnet (port tcp/23)
The term to search for is 'honeypot'. There are many such scripts out there
on github and on the web in general.
-----Original Message-----
From: 44Net [mailto:44net-bounces+don=00100100.net@hamradio.ucsd.edu] On
Behalf Of Jim MacKenzie
Sent: Thursday, September 29, 2016 12:17 PM
To: 'AMPRNet working group' <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] Security - Telnet (port tcp/23)
(Please trim inclusions from previous messages)
_______________________________________________
Rob, if you wouldn't mind emailing me privately (jim(a)photojim.ca) - unless
discussing it here is OK - I wouldn't mind hearing how you did the fake
telnetd. I think that's a brilliant idea.
Jim VE5EIS
-----Original Message-----
From: 44Net [mailto:44net-bounces+jim=photojim.ca@hamradio.ucsd.edu] On
Behalf Of Rob Janssen
Sent: September-29-16 1:10 PM
To: 44net(a)hamradio.ucsd.edu
Subject: Re: [44net] Security - Telnet (port tcp/23)
I have a fake telnetd running on one of my systems that simply presents the
user with a login prompt and logs what is being typed, and it shows endless
connections trying things like root/12345 root/password admin/admin etc.
They probably get into certain routers or other systems like that, then
install some trojan that does further scanning. This is also indicated by
certain loggings where they apparently believe they got logged in and then
send a long string like "wget something; chmod a+x something; ./something"
or similar.
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:07 p.m.
New subject: Security - Telnet (port tcp/23)
On 9/29/16 4:04 PM, Don Fanning wrote:
(Please trim inclusions from previous messages)
_______________________________________________
The term to search for is 'honeypot'. There are many such scripts out there
on github and on the web in general.
I have a SIP honey pot that plays a continuous loop of screaming monkeys
to anyone who connects to it.
30 Sep
30 Sep
2:49 a.m.
New subject: Security - Telnet (port tcp/23)
Hi,
Le 29/09/2016 à 21:10, Rob Janssen a écrit :
Well, the issue is not really the passwords being in
plaintext. The
issue is the availability
of a remote login feature with possibly weak passwords. It affects
SSH just as much as it
I usually allow remote access (SSH, RDP, etc...) through VPN only.
When access from Internet is absolutely required (because it's not
possible to have a VPN), then I usually add a firewall rule to allow
access only from a list of known WAN IP addresses.
2974
days inactive
2975
days old
4 comments
5 participants
participants (5)
-
Don Fanning -
James Sharp -
Jim MacKenzie -
Rob Janssen -
Toussaint OTTAVI