This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

unauthorized Telnet connection

General support and discussion of Eggdrop bots.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

unauthorized Telnet connection

Post by KhashayaR »

Hello Everyone

I wonder if anyone can help me with this, my eggdrop logs indication someone or a robot keep sending telnet request please see below, is there any way I can avoid this? what they are trying to achieve by doing this? any article you can read and get more knowledge about this?

appreciate your help and suggestions


[13:05:07] Telnet connection: 212.92.115.207/61995
[13:05:07] Telnet connection: 212.92.115.207/61997
[13:05:07] Telnet connection: 212.92.115.207/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Last message repeated 2 time(s).
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61997
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61995
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61998
[13:07:13] Telnet connection: tsn77-247-182-242.dyn.nltelcom.net/54266
[13:07:13] Timeout/EOF ident connection
[13:07:13] Lost telnet connection to telnet@tsn77-247-182-242.dyn.nltelcom.net/54266
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Telnet connection: 212.92.105.217/62365
[13:16:45] Telnet connection: 212.92.105.217/62368
[13:16:45] Timeout/EOF ident connection
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62365
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62368
[13:17:41] Telnet connection: 212.92.124.151/54055
[13:17:41] Timeout/EOF ident connection
[13:17:41] Lost telnet connection to telnet@212.92.124.151/54055
[13:17:50] Telnet connection: worker-18.sfj.corp.censys.io/13702
[13:17:50] Timeout/EOF ident connection
[13:18:54] Telnet connection: 92.53.76.214/60000
[13:19:00] Timeout/EOF ident connection
[13:19:06] Lost telnet connection to telnet@92.53.76.214/60000
[13:19:07] Telnet connection: 212.92.124.151/58225
[13:19:07] Timeout/EOF ident connection
===
IRC Network: DALnet
Nick: KhashayaR
===
w
willyw
Revered One
Posts: 1203
Joined: Thu Jan 15, 2009 12:55 am

Re: unauthorized Telnet connection

Post by willyw »

KhashayaR wrote:Hello Everyone

I wonder if anyone can help me with this, my eggdrop logs indication someone or a robot keep sending telnet request please see below, is there any way I can avoid this? what they are trying to achieve by doing this? any article you can read and get more knowledge about this?

appreciate your help and suggestions
I can tell you that you are not alone .... occasionally I see it in some of my bots, too.

What I do (for simplicity) : use .+ignore , and put that address on ignore for about a week. I have found that when the ignore automatically expires then, that they have quit trying.

At first I tried by putting the offending address on ignore for shorter periods. Like six hours. Then even up to twenty four hours. Those didn't work. A week works.

It will be interesting to see what other responses you get here.
For a fun (and popular) Trivia game, visit us at: irc.librairc.net #science-fiction . Over 300K Q & A to play in BogusTrivia !
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

unauthorized Telnet connection

Post by KhashayaR »

Willyw, Thanks for your quick respond, I have done that, and it seems like they are now giving up, I used to add them to iptables via SSH
Exp:
sudo iptables -A INPUT -s 116.10.191. 121 -j DROP
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?
===
IRC Network: DALnet
Nick: KhashayaR
===
w
willyw
Revered One
Posts: 1203
Joined: Thu Jan 15, 2009 12:55 am

Re: unauthorized Telnet connection

Post by willyw »

KhashayaR wrote:Willyw, ... I used to add them to iptables via SSH
...
That's probably even better.
Whatever works best / easiest for you.
:)
However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?
Tracking? It's all in the bot's log, isn't it?

As for harm to the bot - not that I know of.

Who knows what they are trying to do ... ? I suppose there could be a lot of different nefarious things....
For a fun (and popular) Trivia game, visit us at: irc.librairc.net #science-fiction . Over 300K Q & A to play in BogusTrivia !
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

I would at first change the telnet port to something else, something not common.

Instead of multiple iptables rules that in time will make the firewall run slower (I've read about this and can't be bothered to lookup the article) I would use ipset. For example:

Code: Select all

ipset create eggdrop hash:net
iptables -I INPUT -m set --match-set eggdrop src -j DROP
and each offending IP add to the list with:

Code: Select all

ipset add eggdrop <ip>
Looked up some of the IP's that try to connect to your bot and they are listed for port scanning, brute-force access and so on on a few abuse websites like AbuseIPDB, Blocklist.de for example.

I made a Perl script to maintain a list updated once 24 hours from Blocklist.de for example for SSH:

Code: Select all

#!/usr/bin/perl

use strict;
use warnings;

my $setup = {
        file => 'blacklist.txt',
        filter => 'blacklist',
        url => 'https://lists.blocklist.de/lists/ssh.txt',
};

system(`wget -qO- $setup->{url} > $setup->{file}`);

my $file = $setup->{file};
open my $data, $file or die "Could not open $file: $!";

system(`ipset flush $setup->{filter}`);

my $count = 0;
my $total = 0;
while (my $ip = <$data>)  {
        if ($ip =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
                `ipset add $setup->{filter} $ip`;
                $count = $count + 1;
        }
        $total = $total + 1;
}

close $data;

print "Filtered: $count/$total\n";
the ipset table and iptables rules for this are:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP
and just run that perl script every 24 hours via crontab to keep it updated. :)

Result:

Code: Select all

Filtered: 9012/9012
Once the game is over, the king and the pawn go back in the same box.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Post by KhashayaR »

Caesar, Thank you, I guess all I need to do is figure out how to run the code you copied here , I’m not sure if I have to copy it on /script? Or there is other way?
===
IRC Network: DALnet
Nick: KhashayaR
===
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.
Once the game is over, the king and the pawn go back in the same box.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Post by KhashayaR »

caesar wrote:The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.
Thanks Caesar, yes i do have root access.
===
IRC Network: DALnet
Nick: KhashayaR
===
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Then put the code into a file called for instance badips.pl, then chmod a+x badips.pl and run it with ./badips.pl

On, you need to execute the:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP 
only once to create the rules then can use ./badips.pl on a daily basis.
Once the game is over, the king and the pawn go back in the same box.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Post by KhashayaR »

Caesar Thanks you very much :D
===
IRC Network: DALnet
Nick: KhashayaR
===
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Can't exec "ipset": No such file or directory at .

Post by KhashayaR »

did i do something worng ?

Can't exec "ipset": No such file or directory at ./badips.pl line 23, <$data> li ne 9261.
===
IRC Network: DALnet
Nick: KhashayaR
===
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

You don't have it installed then. What Linux version do you have? On Debian (and all that come from it like Ubuntu and so on) all you have to do is:

Code: Select all

apt install ipset
You didn't run only once the first two commands that are mandatory:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP 
before running the badips.pl script.
Once the game is over, the king and the pawn go back in the same box.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Post by KhashayaR »

Thank you very much :) it work :D
===
IRC Network: DALnet
Nick: KhashayaR
===
User avatar
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

The amount of attempts should be narrowed down a notch. Do you have a router before the server that you run the eggdrop from?
Once the game is over, the king and the pawn go back in the same box.
User avatar
KhashayaR
Voice
Posts: 22
Joined: Thu Jul 19, 2007 9:34 pm
Location: World
Contact:

Post by KhashayaR »

Hi Caesar, i hope all well, im still facing the same issue even after running the script, :? any idea what should i do. i can forward you the log , till now its been hramless however this will cuz the eggdrop to disconnect from irc server
===
IRC Network: DALnet
Nick: KhashayaR
===
Post Reply