egghelp/eggheads community

unauthorized Telnet connection

2019-03-01T02:40:53-04:00

Thanks alot for your help, i will do as you advise and hopefully no more attack,

Statistics: Posted by KhashayaR — Fri Mar 01, 2019 2:40 am

unauthorized Telnet connection

2019-02-28T10:54:17-04:00

I get a lot of SSH brute-force attack attempts on my server (where authentication is done via a private key anyway), so it's no surprise to me that your server has been port scanned and now your telnet gets a lot of attention.

The best way to end with this pesky issue once and forever is to set the telnet host on your bot to the IP or lis of IP you trust. If you look at *.user (where * is what you set in eggdrop.conf file at set userfile line), for example LamestBot.user (in my case) you should see at the top of your user a line like this:

Code:

--HOSTS -telnet!*@*

that basically translates it will accept a telnet connection from anyone (the * behind @ means everyone). So, if you change that line for example to:

Code:

--HOSTS -telnet!*@1.2.3.4

then it will accept a telnet connection ONLY from 1.2.3.4, and any other IP connection is dropped.

Statistics: Posted by caesar — Thu Feb 28, 2019 10:54 am

unauthorized Telnet connection

2019-02-27T03:38:30-04:00

Hi Caesar, i hope all well, im still facing the same issue even after running the script, any idea what should i do. i can forward you the log , till now its been hramless however this will cuz the eggdrop to disconnect from irc server

Statistics: Posted by KhashayaR — Wed Feb 27, 2019 3:38 am

unauthorized Telnet connection

2019-01-24T12:40:01-04:00

The amount of attempts should be narrowed down a notch. Do you have a router before the server that you run the eggdrop from?

Statistics: Posted by caesar — Thu Jan 24, 2019 12:40 pm

unauthorized Telnet connection

2019-01-24T11:27:59-04:00

Thank you very much it work

Statistics: Posted by KhashayaR — Thu Jan 24, 2019 11:27 am

unauthorized Telnet connection

2019-01-23T06:59:14-04:00

You don't have it installed then. What Linux version do you have? On Debian (and all that come from it like Ubuntu and so on) all you have to do is:

Code:

apt install ipset

You didn't run only once the first two commands that are mandatory:

Code:

ipset create blacklist hash:netiptables -I INPUT -m set --match-set blacklist src -j DROP

before running the badips.pl script.

Statistics: Posted by caesar — Wed Jan 23, 2019 6:59 am

Can't exec "ipset": No such file or directory at .

2019-01-23T06:13:17-04:00

did i do something worng ?

Can't exec "ipset": No such file or directory at ./badips.pl line 23, <$data> li ne 9261.

Statistics: Posted by KhashayaR — Wed Jan 23, 2019 6:13 am

unauthorized Telnet connection

2019-01-23T05:55:38-04:00

Caesar Thanks you very much

Statistics: Posted by KhashayaR — Wed Jan 23, 2019 5:55 am

unauthorized Telnet connection

2019-01-23T02:15:49-04:00

Then put the code into a file called for instance badips.pl, then chmod a+x badips.pl and run it with ./badips.pl

On, you need to execute the:

Code:

ipset create blacklist hash:netiptables -I INPUT -m set --match-set blacklist src -j DROP

only once to create the rules then can use ./badips.pl on a daily basis.

Statistics: Posted by caesar — Wed Jan 23, 2019 2:15 am

unauthorized Telnet connection

2019-01-22T15:58:24-04:00

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.

Thanks Caesar, yes i do have root access.

Statistics: Posted by KhashayaR — Tue Jan 22, 2019 3:58 pm

unauthorized Telnet connection

2019-01-22T15:54:10-04:00

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.

Statistics: Posted by caesar — Tue Jan 22, 2019 3:54 pm

unauthorized Telnet connection

2019-01-22T15:46:14-04:00

Caesar, Thank you, I guess all I need to do is figure out how to run the code you copied here , I’m not sure if I have to copy it on /script? Or there is other way?

Statistics: Posted by KhashayaR — Tue Jan 22, 2019 3:46 pm

unauthorized Telnet connection

2019-01-22T12:37:31-04:00

I would at first change the telnet port to something else, something not common.

Instead of multiple iptables rules that in time will make the firewall run slower (I've read about this and can't be bothered to lookup the article) I would use ipset. For example:

Code:

ipset create eggdrop hash:netiptables -I INPUT -m set --match-set eggdrop src -j DROP

and each offending IP add to the list with:

Code:

ipset add eggdrop

Looked up some of the IP's that try to connect to your bot and they are listed for port scanning, brute-force access and so on on a few abuse websites like AbuseIPDB, Blocklist.de for example.

I made a Perl script to maintain a list updated once 24 hours from Blocklist.de for example for SSH:

Code:

#!/usr/bin/perluse strict;use warnings;my $setup = {        file => 'blacklist.txt',        filter => 'blacklist',        url => 'https://lists.blocklist.de/lists/ssh.txt',};system(`wget -qO- $setup->{url} > $setup->{file}`);my $file = $setup->{file};open my $data, $file or die "Could not open $file: $!";system(`ipset flush $setup->{filter}`);my $count = 0;my $total = 0;while (my $ip = <$data>)  {        if ($ip =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {                `ipset add $setup->{filter} $ip`;                $count = $count + 1;        }        $total = $total + 1;}close $data;print "Filtered: $count/$total\n";

the ipset table and iptables rules for this are:

Code:

ipset create blacklist hash:netiptables -I INPUT -m set --match-set blacklist src -j DROP

and just run that perl script every 24 hours via crontab to keep it updated.

Result:

Code:

Filtered: 9012/9012

Statistics: Posted by caesar — Tue Jan 22, 2019 12:37 pm

Re: unauthorized Telnet connection

2019-01-22T11:07:11-04:00

Willyw, ... I used to add them to iptables via SSH
...

That's probably even better.
Whatever works best / easiest for you.

However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?

Tracking? It's all in the bot's log, isn't it?

As for harm to the bot - not that I know of.

Who knows what they are trying to do ... ? I suppose there could be a lot of different nefarious things....

Statistics: Posted by willyw — Tue Jan 22, 2019 11:07 am

unauthorized Telnet connection

2019-01-22T10:46:43-04:00

Willyw, Thanks for your quick respond, I have done that, and it seems like they are now giving up, I used to add them to iptables via SSH
Exp:
sudo iptables -A INPUT -s 116.10.191. 121 -j DROP
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?

Statistics: Posted by KhashayaR — Tue Jan 22, 2019 10:46 am