unauthorized Telnet connection
KhashayaR
Posted: Tue Jan 22, 2019 6:21 am    Post subject: unauthorized Telnet connection

Hello Everyone

I wonder if anyone can help me with this. My eggdrop logs indicate that someone or a robot keeps sending telnet requests, please see below. Is there any way I can avoid this? What are they trying to achieve by doing this? Is there any article to read and get more knowledge about this?

Appreciate your help and suggestions.


[13:05:07] Telnet connection: 212.92.115.207/61995
[13:05:07] Telnet connection: 212.92.115.207/61997
[13:05:07] Telnet connection: 212.92.115.207/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Last message repeated 2 time(s).
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61997
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61995
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61998
[13:07:13] Telnet connection: tsn77-247-182-242.dyn.nltelcom.net/54266
[13:07:13] Timeout/EOF ident connection
[13:07:13] Lost telnet connection to telnet@tsn77-247-182-242.dyn.nltelcom.net/54266
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Telnet connection: 212.92.105.217/62365
[13:16:45] Telnet connection: 212.92.105.217/62368
[13:16:45] Timeout/EOF ident connection
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62365
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62368
[13:17:41] Telnet connection: 212.92.124.151/54055
[13:17:41] Timeout/EOF ident connection
[13:17:41] Lost telnet connection to telnet@212.92.124.151/54055
[13:17:50] Telnet connection: worker-18.sfj.corp.censys.io/13702
[13:17:50] Timeout/EOF ident connection
[13:18:54] Telnet connection: 92.53.76.214/60000
[13:19:00] Timeout/EOF ident connection
[13:19:06] Lost telnet connection to telnet@92.53.76.214/60000
[13:19:07] Telnet connection: 212.92.124.151/58225
[13:19:07] Timeout/EOF ident connection
_________________
===
IRC Network: DALnet
Nick: KhashayaR
===

willyw
Posted: Tue Jan 22, 2019 10:05 am    Post subject: Re: unauthorized Telnet connection

KhashayaR wrote:
Hello Everyone

I wonder if anyone can help me with this. My eggdrop logs indicate that someone or a robot keeps sending telnet requests, please see below. Is there any way I can avoid this? What are they trying to achieve by doing this? Is there any article to read and get more knowledge about this?

Appreciate your help and suggestions.


I can tell you that you are not alone .... occasionally I see it in some of my bots, too.

What I do (for simplicity): use .+ignore, and put that address on ignore for about a week. I have found that when the ignore automatically expires then, they have quit trying.

At first I tried by putting the offending address on ignore for shorter periods. Like six hours. Then even up to twenty four hours. Those didn't work. A week works.

It will be interesting to see what other responses you get here.
_________________
For a fun (and popular) Trivia game, visit us at: irc.librairc.net #science-fiction . Over 300K Q & A to play in BogusTrivia !
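
An added example, not part of any post in this thread: a shell function that tallies the "Telnet connection:" lines of the log posted above per source, so the addresses worth an ignore entry or a firewall rule stand out. The function names and the optional prefix-grouping argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an eggdrop log on stdin and prints
# "<count> <source>" for sources with at least MIN "Telnet connection:" lines.
# usage: telnet_sources [MIN] [BITS]   (BITS = 8, 16 or 24 groups IPv4 sources)
telnet_sources() {
    min="${1:-1}"
    bits="${2:-32}"
    awk -v min="$min" -v bits="$bits" '
        # Line format in the posted log: [HH:MM:SS] Telnet connection: <host>/<port>
        /^\[[0-9:]+\] Telnet connection: / {
            src = $4
            sub(/\/[0-9]+$/, "", src)          # drop the source port
            # Literal IPv4 sources can be grouped by prefix; hostnames stay as logged.
            if (bits < 32 && src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                split(src, o, ".")
                for (i = bits / 8 + 1; i <= 4; i++) o[i] = 0
                src = o[1] "." o[2] "." o[3] "." o[4] "/" bits
            }
            seen[src]++
        }
        END { for (s in seen) if (seen[s] >= min) print seen[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Excerpt of the log posted at the top of the thread.
sample_log() {
    cat <<'EOF'
[13:05:07] Telnet connection: 212.92.115.207/61995
[13:05:07] Telnet connection: 212.92.115.207/61997
[13:05:07] Telnet connection: 212.92.115.207/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61997
[13:07:13] Telnet connection: tsn77-247-182-242.dyn.nltelcom.net/54266
[13:16:45] Telnet connection: 212.92.105.217/62365
[13:16:45] Telnet connection: 212.92.105.217/62368
[13:17:41] Telnet connection: 212.92.124.151/54055
[13:17:50] Telnet connection: worker-18.sfj.corp.censys.io/13702
[13:19:07] Telnet connection: 212.92.124.151/58225
EOF
}

sample_log | telnet_sources 2
```

Against a real log, pipe the bot's log file into telnet_sources; a second argument of 24, 16 or 8 shows how many hits a whole range accounts for before a range-wide rule is considered.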

KhashayaR
Posted: Tue Jan 22, 2019 10:46 am    Post subject: unauthorized Telnet connection

Willyw, thanks for your quick response. I have done that, and it seems like they are now giving up. I used to add them to iptables via SSH.
Example:
$ sudo iptables -A INPUT -s 116.10.191.121 -j DROP
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
However, it's very difficult to keep tracking each IP address since I believe they are all proxies. Do you think such an action can harm the eggdrop?

willyw
Posted: Tue Jan 22, 2019 11:07 am    Post subject: Re: unauthorized Telnet connection

KhashayaR wrote:
Willyw, ... I used to add them to iptables via SSH
...



That's probably even better.
Whatever works best / easiest for you.
:)

Quote:

However, it's very difficult to keep tracking each IP address since I believe they are all proxies. Do you think such an action can harm the eggdrop?


Tracking? It's all in the bot's log, isn't it?

As for harm to the bot - not that I know of.

Who knows what they are trying to do ... ? I suppose there could be a lot of different nefarious things....

caesar
Posted: Tue Jan 22, 2019 12:37 pm    Post subject:

I would at first change the telnet port to something else, something not common.

Instead of multiple iptables rules that in time will make the firewall run slower (I've read about this and can't be bothered to look up the article) I would use ipset. For example:
Code:

ipset create eggdrop hash:net
iptables -I INPUT -m set --match-set eggdrop src -j DROP

and add each offending IP to the list with:
Code:

ipset add eggdrop <ip>


Looked up some of the IPs that try to connect to your bot and they are listed for port scanning, brute-force access and so on, on a few abuse websites like AbuseIPDB and Blocklist.de, for example.

I made a Perl script to maintain a list, updated once every 24 hours from Blocklist.de, for example for SSH:
Code:

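#!/usr/bin/perl

use strict;
use warnings;

my $setup = {
        file => 'blacklist.txt',
        filter => 'blacklist',
        url => 'https://lists.blocklist.de/lists/ssh.txt',
};

# Download the list. List-form system() runs wget directly, without a shell.
system('wget', '-q', '-O', $setup->{file}, $setup->{url}) == 0
        or die "Download of $setup->{url} failed\n";

my $file = $setup->{file};
open my $data, '<', $file or die "Could not open $file: $!";

# Empty the set before refilling it.
system('ipset', 'flush', $setup->{filter}) == 0
        or die "Could not flush ipset $setup->{filter}\n";

my $count = 0;
my $total = 0;
while (my $ip = <$data>)  {
        # Accept only lines that are exactly one dotted-quad address and pass
        # the captured address, not the raw downloaded line, to ipset.
        if ($ip =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
                system('ipset', 'add', $setup->{filter}, $1);
                $count = $count + 1;
        }
        $total = $total + 1;
}

close $data;

print "Filtered: $count/$total\n";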

the ipset table and iptables rules for this are:
Code:

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP

and just run that perl script every 24 hours via crontab to keep it updated. :)

Result:
Code:

Filtered: 9012/9012

_________________
I tawt I taw a puddy tat!
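
An added example, not caesar's script: the same daily refresh done by generating input for ipset restore, which fills a scratch set and swaps it in so the live set is never empty mid-update, and which rejects any feed line that is not a bare IPv4 address. It assumes the hash:net set named blacklist from the post; the scratch set name blacklist-new, the function names and the sample feed are constructed for this example.

```shell
#!/bin/sh
# Added example, not the script from the post. Reads an address list on stdin
# and prints "ipset restore" input that fills a scratch set, then swaps it in.
# "blacklist" is the set name from the post; the "-new" scratch name is assumed.
build_restore() {
    set_name="${1:-blacklist}"
    awk -v set="$set_name" -v tmp="${set_name}-new" '
        BEGIN {
            oct = "[0-9][0-9]?[0-9]?"
            re = "^" oct "\\." oct "\\." oct "\\." oct "$"
        }
        {
            sub(/\r$/, "")                       # tolerate CRLF feeds
            # Only a bare dotted quad passes: no spaces, options or extra text.
            if ($0 !~ re) { bad++; next }
            split($0, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] > 255) { bad++; next }
            if (!($0 in seen)) { seen[$0] = 1; addr[++ok] = $0 }
        }
        END {
            printf("accepted=%d rejected=%d\n", ok, bad) > "/dev/stderr"
            if (ok == 0) exit 1    # empty or broken download: keep the live set
            print "create " tmp " hash:net"
            print "flush " tmp
            for (i = 1; i <= ok; i++) print "add " tmp " " addr[i]
            print "swap " tmp " " set
            print "destroy " tmp
        }
    '
}

# Constructed sample feed: documentation addresses plus lines that must be rejected.
sample_feed() {
    printf '%s\n' '192.0.2.10' '198.51.100.7' '192.0.2.10' \
        '203.0.113.999' '192.0.2.5 trailing text' '2001:db8::1' ''
}

# Apply as root with:  build_restore < blacklist.txt | ipset -exist restore
sample_feed | build_restore
```

The -exist option makes ipset ignore a scratch set left over from an interrupted run; the live set and its iptables rule must already exist, as in the post.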

KhashayaR
Posted: Tue Jan 22, 2019 3:46 pm    Post subject:

Caesar, thank you. I guess all I need to do is figure out how to run the code you copied here. I'm not sure if I have to copy it to /script? Or is there another way?

caesar
Posted: Tue Jan 22, 2019 3:54 pm    Post subject:

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.

KhashayaR
Posted: Tue Jan 22, 2019 3:58 pm    Post subject:

caesar wrote:
The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.
Thanks Caesar, yes I do have root access.

caesar
Posted: Wed Jan 23, 2019 2:15 am    Post subject:

Then put the code into a file called for instance badips.pl, then chmod a+x badips.pl and run it with ./badips.pl

Oh, you need to execute these:
Code:

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP

only once to create the rules then can use ./badips.pl on a daily basis.

KhashayaR
Posted: Wed Jan 23, 2019 5:55 am    Post subject:

Caesar, thank you very much :D

KhashayaR
Posted: Wed Jan 23, 2019 6:13 am    Post subject: Can't exec "ipset": No such file or directory at .

Did I do something wrong?

Can't exec "ipset": No such file or directory at ./badips.pl line 23, <$data> line 9261.


caesar
Posted: Wed Jan 23, 2019 6:59 am    Post subject:

You don't have it installed then. What Linux version do you have? On Debian (and all that come from it like Ubuntu and so on) all you have to do is:
Code:

apt install ipset

You didn't run only once the first two commands that are mandatory:
Code:

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP

before running the badips.pl script.

KhashayaR
Posted: Thu Jan 24, 2019 11:27 am    Post subject:

Thank you very much :) it works :D

caesar
Posted: Thu Jan 24, 2019 12:40 pm    Post subject:

The amount of attempts should be narrowed down a notch. Do you have a router before the server that you run the eggdrop from?

KhashayaR
Posted: Wed Feb 27, 2019 3:38 am    Post subject:

Hi Caesar, I hope all is well. I'm still facing the same issue even after running the script. Any idea what I should do? I can forward you the log. Till now it's been harmless, however this will cause the eggdrop to disconnect from the IRC server.
All times are GMT - 4 Hours
Page 1 of 2

 