Subj : Re: Protection
To   : Sam Penwright
From : Chris Hizny
Date : Wed Feb 02 2022 09:11 am

SP> What are you using to protect your computer and bbs
SP> like peerblock firewall, pfsense- with like a check point hardware or
SP> any other hardware? I receive a lot of hits from Russia, Korean
SP> Republic, China etc. So I thought I would see what everyone is

Well, for what it's worth, before I put up my board I was interested in what exactly these were, so using Netcat and a shell script, I made a kind of honeypot which prints a login and password prompt, logs those, then prints a fake shell prompt ($ or # depending on the attempted login).

Nearly all hits to telnet ports are bots/worms spraying-and-praying across the net, looking for -- so far as I can tell -- cheapo security cameras and other IoT devices with known default logins and passwords. (I could determine this by watching what login/password combinations were being tried, then searching for devices with known defaults of these combinations.) Most are webcams - for some reason - with brand names they don't sell in my country. As to your comment, most are from places like China and Russia.

Once they are "logged in," nearly all of them attempt to run busybox with a payload. Some attempt to wget the payload from an external site, although for some reason those have mostly faded away. The busybox command line assumes the payload is already baked into busybox (i.e. the device already has a compromised busybox executable). The scripts are rather dumb; they don't check for result text or error text from the commands they run.

The larger point here is that unless you're running a system with common default logins and passwords, these present no threat to your system. They are nuisances. Moving your system off of the default ports completely stops them, since these scripts are looking for low-hanging fruit and targets of opportunity.
This isn't really security-through-obscurity so much as it is moving out of the way of an indiscriminately fired machine gun. fail2ban and similar techniques are fine as far as they go, but there are so many of these coming from so many different IP addresses that it's whack-a-mole. Maybe since it is automated, no big deal. There's no real threat here. Not that better security is a bad thing; have at it, but I figured I'd post this just to provide some additional information.

Of the ports I watch (basically everything in /etc/services), these are the most common hits (note the most hammered port -- hence the issue SysOps have to put up with):

| Port | Hits  | Description
| 23   | 37940 | telnet
| 22   | 27589 | ssh - SSH Remote Login Protocol
| 443  | 20170 | https - http protocol over TLS/SSL
| 80   | 18976 | http www - WorldWideWeb HTTP
| 123  | 15946 | ntp - Network Time Protocol
| 389  | 5430  | ldap - Lightweight Directory Access Protocol
| 111  | 2711  | sunrpc portmapper - RPC 4.0 portmapper
| 21   | 2465  | ftp
| 67   | 2448  | bootps
| 68   | 2291  | bootpc
| 1194 | 1687  | openvpn
| 873  | 1132  | rsync

None of the ports you see in this list are open/provide services on the servers I monitor, so no one should be legitimately hitting them. The other traffic you see is from research/scanning IPs - shodan.io is one - which are people mapping the net or searching for vulnerabilities - generally good guys (like Arbor Observatory).

Anyway, slightly off-topic to your question, but I hope there's something in here of interest to someone.

--- Mystic BBS v1.12 A47 2021/09/24 (Linux/64)
 * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (1:218/860)
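The netcat-plus-shell-script honeypot described in the post above, written out as an added example; this is not Chris's script and is not code from Mystic BBS. It assumes a netcat variant that can hand each connection to a program (the `nc -l -p 2323 -e ./honeypot.sh` invocation in the comment is an assumption; flags differ between netcat builds, and ncat sets `NCAT_REMOTE_ADDR` for the handler), and the log path `/tmp/honeypot.log` is a placeholder. The handler prints a login and password prompt, records the pair, shows a `#` or `$` prompt depending on the login name, and logs every command line the client sends without executing anything; a second function tallies the credential pairs, which is the view the post uses to match the bots against devices with known default logins.

```shell
#!/bin/sh
# Added example (not the original poster's script): a telnet-style honeypot
# session handler. Run it as the program netcat hands each connection to,
# for example:   nc -l -p 2323 -e ./honeypot.sh --serve
# (assumed invocation; check your nc/ncat man page). Nothing the client
# sends is executed; it is only logged, tab-separated, to HONEYPOT_LOG.

HONEYPOT_LOG="${HONEYPOT_LOG:-/tmp/honeypot.log}"   # placeholder path

# honeypot_session LOGFILE PEER
#   reads the client's input on stdin, writes prompts to stdout and
#   appends LOGIN and CMD records to LOGFILE.
honeypot_session() {
    logfile=$1
    peer=${2:-unknown}

    printf 'login: '
    IFS= read -r login || return 0
    printf 'Password: '
    IFS= read -r password || return 0

    # Telnet clients send CRLF; drop the CR so the log columns stay clean.
    login=$(printf '%s' "$login" | tr -d '\r')
    password=$(printf '%s' "$password" | tr -d '\r')
    printf '%s\t%s\tLOGIN\t%s\t%s\n' "$(date -u +%FT%TZ)" "$peer" \
        "$login" "$password" >>"$logfile"

    # Fake prompt: '# ' for root, '$ ' for anyone else, as the post describes.
    if [ "$login" = root ]; then prompt='# '; else prompt='$ '; fi

    # Log each command line the bot sends; the loop ends when it disconnects.
    while printf '%s' "$prompt"; IFS= read -r cmd; do
        cmd=$(printf '%s' "$cmd" | tr -d '\r')
        printf '%s\t%s\tCMD\t%s\n' "$(date -u +%FT%TZ)" "$peer" "$cmd" >>"$logfile"
    done
}

# top_credentials LOGFILE [N]
#   prints the N most-attempted login:password pairs, most frequent first.
#   Searching vendor documentation for these pairs is how the poster
#   identified which device families the bots were aimed at.
top_credentials() {
    awk -F'\t' '$3 == "LOGIN" { c[$4 ":" $5]++ }
                END { for (k in c) printf "%d\t%s\n", c[k], k }' "$1" |
        sort -rn | head -n "${2:-10}"
}

# When started by netcat with --serve, handle one connection and exit.
if [ "${1:-}" = "--serve" ]; then
    honeypot_session "$HONEYPOT_LOG" "${NCAT_REMOTE_ADDR:-unknown}"
fi
```

Feeding the handler from a pipe is enough to exercise it offline: `printf 'root\n12345\n' | sh honeypot.sh` would log the pair and stop at end of input. A command containing a tab would break the column layout; if that matters, log commands as a fixed-width hex dump instead.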