As always, the best practice recommendation is to disable telnet logins entirely, as it represents a security issue because passwords pass over the connection in cleartext.
- Brian
Well, the issue is not really the passwords being in plaintext. The issue is the availability of a remote login feature with possibly weak passwords. It affects SSH just as much as it affects telnet. The malevolents are scanning the IPv4 space and when they can connect to a remote logon service (telnet, SSH, RDP, VNC) they try a number of common usernames and passwords. They are not listening in on your traffic. While it is clear that telnet is not the most secure login service, it really doesn't make a difference.
I have a fake telnetd running on one of my systems that simply presents the user with a login prompt and logs what is being typed, and it shows endless connections trying things like root/12345, root/password, admin/admin, etc. They probably get into certain routers or other systems like that, then install some trojan that does further scanning. This is also indicated by certain log entries where they apparently believe they got logged in and then send a long string like "wget something; chmod a+x something; ./something" or similar.
Rob
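The fake telnetd Rob describes can be built in a few dozen lines. The following is an added example written for this thread, not Rob's own code: it answers with a login and password prompt, accepts any credentials (the point is to see what gets typed next), presents a fake shell prompt, and records every line with a timestamp. It also strips telnet IAC option-negotiation bytes that real clients and bots send before the username, and it flags the "wget X; chmod a+x X; ./X" dropper chain mentioned above with a simple regular expression. The port (2323), the prompts and the sample peer address are assumptions; to listen on tcp/23 either run it as root or redirect 23 to 2323 with a firewall rule. Run it only on an isolated host; it never executes anything the attacker types.

```python
import asyncio
import json
import re
import time

# Constructed prompts; any resemblance to a real device banner is incidental.
LOGIN_PROMPT = b"login: "
PASS_PROMPT = b"Password: "
SHELL_PROMPT = b"# "

# Telnet option negotiation: IAC DO/DONT/WILL/WONT <opt> is 3 bytes,
# IAC SB ... IAC SE is variable length, any other IAC <cmd> is 2 bytes.
_IAC_RE = re.compile(rb"\xff(?:[\xfb-\xfe].|\xfa.*?\xff\xf0|.)", re.S)

# Heuristic for the post-login dropper chain seen in the thread:
# fetch a binary, make it executable, run it from the current directory.
DROPPER_RE = re.compile(r"\b(wget|curl|tftp)\b.*?;.*?\bchmod\b.*?;.*?\./")


def strip_telnet(data: bytes) -> bytes:
    """Drop IAC negotiation sequences and the line terminator, keep keystrokes."""
    return _IAC_RE.sub(b"", data).rstrip(b"\r\n\x00")


class Session:
    """State machine for one connection: login -> password -> fake shell.
    Every credential pair and shell command is appended to self.events."""

    def __init__(self, peer: str):
        self.peer = peer
        self.state = "login"
        self.user = None
        self.events = []

    def _log(self, kind: str, **fields) -> None:
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "kind": kind, **fields})

    def feed(self, line: str) -> bytes:
        """Consume one line typed by the client; return the bytes to send back."""
        if self.state == "login":
            self.user = line
            self.state = "password"
            return PASS_PROMPT
        if self.state == "password":
            self._log("login", user=self.user, password=line)
            self.state = "shell"          # accept anything, watch what follows
            return b"\n" + SHELL_PROMPT
        self._log("cmd", user=self.user, cmd=line,
                  dropper=bool(DROPPER_RE.search(line)))
        if line in ("exit", "quit"):
            self.state = "closed"
            return b""
        return SHELL_PROMPT               # pretend the command produced no output


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter):
    host, port = writer.get_extra_info("peername")[:2]
    sess = Session("%s:%d" % (host, port))
    writer.write(LOGIN_PROMPT)
    try:
        while sess.state != "closed":
            # Bots and ordinary clients send CR LF in line mode, so readline() works.
            raw = await asyncio.wait_for(reader.readline(), timeout=30)
            if not raw:
                break
            line = strip_telnet(raw).decode("latin-1")
            writer.write(sess.feed(line))
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()
        for event in sess.events:         # one JSON object per line, easy to grep
            print(json.dumps(event))


async def main(port: int = 2323) -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The session logic is kept separate from the socket handling so it can be exercised offline with a scripted exchange; the server only glues it to asyncio. Because the honeypot never performs real option negotiation, a client that insists on a particular option may display slightly oddly, which does not matter for logging what the scanners type.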
Rob, if you wouldn't mind emailing me privately (jim@photojim.ca) - unless discussing it here is OK - I wouldn't mind hearing how you did the fake telnetd. I think that's a brilliant idea.
Jim VE5EIS
-----Original Message----- From: Rob Janssen Sent: September-29-16 1:10 PM To: 44net@hamradio.ucsd.edu Subject: Re: [44net] Security - Telnet (port tcp/23)
I have a fake telnetd running on one of my systems that simply presents the user with a login prompt and logs what is being typed, and it shows endless connections trying things like root/12345 root/password admin/admin etc. They probably get into certain routers or other systems like that, then install some trojan that does further scanning. This is also indicated by certain loggings where they apparently believe they got logged in and then send a long string like "wget something; chmod a+x something; ./something" or similar.
The term to search for is 'honeypot'. There are many such scripts out there on github and on the web in general.
-----Original Message----- From: Jim MacKenzie Sent: Thursday, September 29, 2016 12:17 PM To: 'AMPRNet working group' 44net@hamradio.ucsd.edu Subject: Re: [44net] Security - Telnet (port tcp/23)
Rob, if you wouldn't mind emailing me privately (jim@photojim.ca) - unless discussing it here is OK - I wouldn't mind hearing how you did the fake telnetd. I think that's a brilliant idea.
Jim VE5EIS
On 9/29/16 4:04 PM, Don Fanning wrote:
The term to search for is 'honeypot'. There are many such scripts out there on github and on the web in general.
I have a SIP honey pot that plays a continuous loop of screaming monkeys to anyone who connects to it.
Hi,
On 29/09/2016 at 21:10, Rob Janssen wrote:
Well, the issue is not really the passwords being in plaintext. The issue is the availability of a remote login feature with possibly weak passwords. It affects SSH just as much as it
I usually allow remote access (SSH, RDP, etc.) through VPN only.
When access from Internet is absolutely required (because it's not possible to have a VPN), then I usually add a firewall rule to allow access only from a list of known WAN IP addresses.