KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Tue Jan 22, 2019 6:21 am Post subject: unauthorized Telnet connection |
|
|
Hello Everyone
I wonder if anyone can help me with this. My eggdrop logs indicate that someone or a robot keeps sending telnet requests, please see below. Is there any way I can avoid this? What are they trying to achieve by doing this? Is there any article you can read to get more knowledge about this?
I appreciate your help and suggestions.
[13:05:07] Telnet connection: 212.92.115.207/61995
[13:05:07] Telnet connection: 212.92.115.207/61997
[13:05:07] Telnet connection: 212.92.115.207/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Last message repeated 2 time(s).
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61997
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61995
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61998
[13:07:13] Telnet connection: tsn77-247-182-242.dyn.nltelcom.net/54266
[13:07:13] Timeout/EOF ident connection
[13:07:13] Lost telnet connection to telnet@tsn77-247-182-242.dyn.nltelcom.net/54266
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Telnet connection: 212.92.105.217/62365
[13:16:45] Telnet connection: 212.92.105.217/62368
[13:16:45] Timeout/EOF ident connection
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62365
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62368
[13:17:41] Telnet connection: 212.92.124.151/54055
[13:17:41] Timeout/EOF ident connection
[13:17:41] Lost telnet connection to telnet@212.92.124.151/54055
[13:17:50] Telnet connection: worker-18.sfj.corp.censys.io/13702
[13:17:50] Timeout/EOF ident connection
[13:18:54] Telnet connection: 92.53.76.214/60000
[13:19:00] Timeout/EOF ident connection
[13:19:06] Lost telnet connection to telnet@92.53.76.214/60000
[13:19:07] Telnet connection: 212.92.124.151/58225
[13:19:07] Timeout/EOF ident connection _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
willyw Revered One
Joined: 15 Jan 2009 Posts: 1175
|
Posted: Tue Jan 22, 2019 10:05 am Post subject: Re: unauthorized Telnet connection |
|
|
| KhashayaR wrote: | Hello Everyone
I wonder if anyone can help me with this. My eggdrop logs indicate that someone or a robot keeps sending telnet requests, please see below. Is there any way I can avoid this? What are they trying to achieve by doing this? Is there any article you can read to get more knowledge about this?
I appreciate your help and suggestions. |
I can tell you that you are not alone .... occasionally I see it in some of my bots, too.
What I do (for simplicity) : use .+ignore , and put that address on ignore for about a week. I have found that when the ignore automatically expires then, that they have quit trying.
At first I tried by putting the offending address on ignore for shorter periods. Like six hours. Then even up to twenty four hours. Those didn't work. A week works.
It will be interesting to see what other responses you get here. _________________ For a fun (and popular) Trivia game, visit us at: irc.librairc.net #science-fiction . Over 300K Q & A to play in BogusTrivia ! |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Tue Jan 22, 2019 10:46 am Post subject: unauthorized Telnet connection |
|
|
Willyw, thanks for your quick response. I have done that, and it seems like they are now giving up. I used to add them to iptables via SSH.
Example:
$ sudo iptables -A INPUT -s 116.10.191.121 -j DROP
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
However, it’s very difficult to keep tracking each IP address since I believe they are all proxies. Do you think such an action can harm the eggdrop? _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
willyw Revered One
Joined: 15 Jan 2009 Posts: 1175
|
Posted: Tue Jan 22, 2019 11:07 am Post subject: Re: unauthorized Telnet connection |
|
|
| KhashayaR wrote: | Willyw, ... I used to add them to iptables via SSH
...
|
That's probably even better.
Whatever works best / easiest for you.
| Quote: |
However, it’s very difficult to keep tracking each IP address since I believe they are all proxies. Do you think such an action can harm the eggdrop? |
Tracking? It's all in the bot's log, isn't it?
As for harm to the bot - not that I know of.
Who knows what they are trying to do ... ? I suppose there could be a lot of different nefarious things.... _________________ For a fun (and popular) Trivia game, visit us at: irc.librairc.net #science-fiction . Over 300K Q & A to play in BogusTrivia ! |
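Tracking sources from the bot's log, as an added example that is not part of any post in this thread: the function below counts `Telnet connection:` lines per source and can group them by /24 or /16, so scattered addresses from one network show up together. The function name `telnet_sources` and the sample log (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the log format shown in this thread; the addresses
# are from the RFC 5737 documentation ranges, not from the original log.
sample_log() {
cat <<'EOF'
[13:05:07] Telnet connection: 203.0.113.7/61995
[13:05:07] Telnet connection: 203.0.113.7/61997
[13:05:07] Telnet connection: 203.0.113.7/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Lost telnet connection to telnet@203.0.113.7/61997
[13:07:13] Telnet connection: host.example.net/54266
[13:16:45] Telnet connection: 198.51.100.20/62365
[13:16:45] Telnet connection: 198.51.100.20/62368
[13:17:41] Telnet connection: 192.0.2.55/54055
[13:19:07] Telnet connection: 203.0.113.99/58225
EOF
}

# telnet_sources MIN [PREFIXLEN] < eggdrop.log
# Prints "count source" for every source seen at least MIN times.
# PREFIXLEN is 32 (default), 24 or 16 and controls the grouping.
telnet_sources() {
    awk -v min="$1" -v plen="${2:-32}" '
        / Telnet connection: / {
            src = $NF                      # last field is "host/port"
            sub(/\/[0-9]+$/, "", src)      # drop the source port
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                key = src " (hostname)"    # resolved name: review by hand
            } else {
                split(src, o, ".")
                if (plen == 16)      key = o[1] "." o[2] ".0.0/16"
                else if (plen == 24) key = o[1] "." o[2] "." o[3] ".0/24"
                else                 key = src "/32"
            }
            hits[key]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min + 0) printf "%d %s\n", hits[k], k
        }' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | telnet_sources 2 24
```

A wider prefix also drops legitimate traffic from that range, so the grouped counts are a prompt for review rather than a block list.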
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Tue Jan 22, 2019 12:37 pm Post subject: |
|
|
I would at first change the telnet port to something else, something not common.
Instead of multiple iptables rules that in time will make the firewall run slower (I've read about this and can't be bothered to look up the article) I would use ipset. For example:
| Code: |
ipset create eggdrop hash:net
iptables -I INPUT -m set --match-set eggdrop src -j DROP
|
and each offending IP add to the list with:
| Code: |
ipset add eggdrop <ip>
|
Looked up some of the IPs that try to connect to your bot and they are listed for port scanning, brute-force access and so on, on a few abuse websites like AbuseIPDB and Blocklist.de, for example.
I made a Perl script to maintain a list updated once every 24 hours from Blocklist.de, for example for SSH:
| Code: |
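#!/usr/bin/perl
use strict;
use warnings;

my $setup = {
    file   => 'blacklist.txt',
    filter => 'blacklist',
    url    => 'https://lists.blocklist.de/lists/ssh.txt',
};

# Download the list. List-form system() runs the command without a shell.
system('wget', '-q', '-O', $setup->{file}, $setup->{url}) == 0
    or die "Download failed: $?\n";

my $file = $setup->{file};
open my $data, '<', $file or die "Could not open $file: $!";

# Empty the set before reloading it.
system('ipset', 'flush', $setup->{filter}) == 0
    or die "ipset flush failed: $?\n";

my $count = 0;
my $total = 0;
while (my $ip = <$data>) {
    chomp $ip;
    # Accept only lines that are exactly a dotted-quad address, and pass
    # the captured value (not the raw downloaded line) to ipset.
    if ($ip =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) {
        system('ipset', 'add', $setup->{filter}, $1);
        $count = $count + 1;
    }
    $total = $total + 1;
}
close $data;
print "Filtered: $count/$total\n";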
|
the ipset table and iptables rules for this are:
| Code: |
ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
|
and just run that perl script every 24 hours via crontab to keep it updated.
Result:
| Code: |
Filtered: 9012/9012
|
_________________ Once the game is over, the king and the pawn go back in the same box. |
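A variation on the reload step, as an added example that is not caesar's code: flushing the set and then adding entries one by one leaves the set empty while it reloads and starts one ipset process per address. The function below instead prints an `ipset restore` script that fills a temporary set and swaps it in. It assumes the `blacklist` set already exists as created above; the name `build_restore`, the `-new` suffix and the sample list are constructed here.

```shell
#!/bin/sh
# Constructed sample list: valid entries, a duplicate, an out-of-range
# address, a comment and a line with trailing text.
sample_list() {
cat <<'EOF'
203.0.113.7
198.51.100.20
203.0.113.7
999.1.1.1
# comment line
203.0.113.9 trailing-text
EOF
}

# build_restore SETNAME < list
# Prints an "ipset restore" script: fill SETNAME-new, swap it with the
# live set, then destroy the leftover. Nothing is executed here.
build_restore() {
    live=$1
    fresh="${live}-new"
    printf 'create %s hash:net\n' "$fresh"
    awk -v setname="$fresh" '
        {
            sub(/\r$/, "")                         # tolerate CRLF endings
            # The whole line must be a dotted quad, nothing else.
            if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split($0, o, ".")
            for (i = 1; i <= 4; i++)
                if (o[i] + 0 > 255) next           # reject e.g. 999.1.1.1
            # restore stops at the first error, so skip duplicates.
            if (!seen[$0]++) printf "add %s %s\n", setname, $0
        }'
    printf 'swap %s %s\n' "$fresh" "$live"
    printf 'destroy %s\n' "$fresh"
}

# As root: build_restore blacklist < blacklist.txt | ipset restore
sample_list | build_restore blacklist
```

If a temporary set is left over from an interrupted run, the restore fails at its first line and the live set is left untouched.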
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Tue Jan 22, 2019 3:46 pm Post subject: |
|
|
Caesar, thank you. I guess all I need to do is figure out how to run the code you copied here. I’m not sure if I have to copy it to /script? Or is there another way? _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Tue Jan 22, 2019 3:54 pm Post subject: |
|
|
The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access. _________________ Once the game is over, the king and the pawn go back in the same box. |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Tue Jan 22, 2019 3:58 pm Post subject: |
|
|
| caesar wrote: | The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access. |
Thanks Caesar, yes I do have root access. _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Wed Jan 23, 2019 2:15 am Post subject: |
|
|
Then put the code into a file called for instance badips.pl, then chmod a+x badips.pl and run it with ./badips.pl
Oh, you need to execute the:
| Code: |
ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
|
only once to create the rules then can use ./badips.pl on a daily basis. _________________ Once the game is over, the king and the pawn go back in the same box. |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Wed Jan 23, 2019 5:55 am Post subject: |
|
|
Caesar, thank you very much _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Wed Jan 23, 2019 6:13 am Post subject: Can't exec "ipset": No such file or directory at . |
|
|
Did I do something wrong?
Can't exec "ipset": No such file or directory at ./badips.pl line 23, <$data> line 9261.
_________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Wed Jan 23, 2019 6:59 am Post subject: |
|
|
You don't have it installed then. What Linux version do you have? On Debian (and all that come from it like Ubuntu and so on) all you have to do is:
You didn't run only once the first two commands that are mandatory:
| Code: |
ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
|
before running the badips.pl script. _________________ Once the game is over, the king and the pawn go back in the same box. |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Thu Jan 24, 2019 11:27 am Post subject: |
|
|
Thank you very much, it works _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |
caesar Mint Rubber

Joined: 14 Oct 2001 Posts: 3741 Location: Mint Factory
|
Posted: Thu Jan 24, 2019 12:40 pm Post subject: |
|
|
The amount of attempts should be narrowed down a notch. Do you have a router before the server that you run the eggdrop from? _________________ Once the game is over, the king and the pawn go back in the same box. |
KhashayaR Voice

Joined: 19 Jul 2007 Posts: 22 Location: World
|
Posted: Wed Feb 27, 2019 3:38 am Post subject: |
|
|
Hi Caesar, I hope all is well. I'm still facing the same issue even after running the script. Any idea what I should do? I can forward you the log. Till now it's been harmless, however this will cause the eggdrop to disconnect from the IRC server _________________ ===
IRC Network: DALnet
Nick: KhashayaR
=== |