unauthorized Telnet connection

[KhashayaR]

Hello Everyone

I wonder if anyone can help me with this, my eggdrop logs indication someone or a robot keep sending telnet request please see below, is there any way I can avoid this? what they are trying to achieve by doing this? any article you can read and get more knowledge about this?

appreciate your help and suggestions

[13:05:07] Telnet connection: 212.92.115.207/61995
[13:05:07] Telnet connection: 212.92.115.207/61997
[13:05:07] Telnet connection: 212.92.115.207/61998
[13:05:07] Timeout/EOF ident connection
[13:05:07] Last message repeated 2 time(s).
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61997
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61995
[13:05:07] Lost telnet connection to telnet@212.92.115.207/61998
[13:07:13] Telnet connection: tsn77-247-182-242.dyn.nltelcom.net/54266
[13:07:13] Timeout/EOF ident connection
[13:07:13] Lost telnet connection to telnet@tsn77-247-182-242.dyn.nltelcom.net/54266
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Telnet connection: 212.92.105.217/62365
[13:16:45] Telnet connection: 212.92.105.217/62368
[13:16:45] Timeout/EOF ident connection
[13:16:45] Last message repeated 1 time(s).
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62365
[13:16:45] Lost telnet connection to telnet@212.92.105.217/62368
[13:17:41] Telnet connection: 212.92.124.151/54055
[13:17:41] Timeout/EOF ident connection
[13:17:41] Lost telnet connection to telnet@212.92.124.151/54055
[13:17:50] Telnet connection: worker-18.sfj.corp.censys.io/13702
[13:17:50] Timeout/EOF ident connection
[13:18:54] Telnet connection: 92.53.76.214/60000
[13:19:00] Timeout/EOF ident connection
[13:19:06] Lost telnet connection to telnet@92.53.76.214/60000
[13:19:07] Telnet connection: 212.92.124.151/58225
[13:19:07] Timeout/EOF ident connection

[willyw]

Hello Everyone

I wonder if anyone can help me with this, my eggdrop logs indication someone or a robot keep sending telnet request please see below, is there any way I can avoid this? what they are trying to achieve by doing this? any article you can read and get more knowledge about this?

appreciate your help and suggestions

I can tell you that you are not alone .... occasionally I see it in some of my bots, too.

What I do (for simplicity) : use .+ignore , and put that address on ignore for about a week. I have found that when the ignore automatically expires then, that they have quit trying.

At first I tried by putting the offending address on ignore for shorter periods. Like six hours. Then even up to twenty four hours. Those didn't work. A week works.

It will be interesting to see what other responses you get here.

[KhashayaR]

Willyw, Thanks for your quick respond, I have done that, and it seems like they are now giving up, I used to add them to iptables via SSH
Exp:
sudo iptables -A INPUT -s 116.10.191. 121 -j DROP
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?

[willyw]

Willyw, ... I used to add them to iptables via SSH
...

That's probably even better.
Whatever works best / easiest for you.

However, it’s a very difficult to keep tracking each ip address since I believe its they are all proxies, do you think such an action can harm the eggdrop?

Tracking? It's all in the bot's log, isn't it?

As for harm to the bot - not that I know of.

Who knows what they are trying to do ... ? I suppose there could be a lot of different nefarious things....

[caesar]

I would at first change the telnet port to something else, something not common.

Instead of multiple iptables rules that in time will make the firewall run slower (I've read about this and can't be bothered to lookup the article) I would use ipset. For example:

Code: Select all

ipset create eggdrop hash:net
iptables -I INPUT -m set --match-set eggdrop src -j DROP

and each offending IP add to the list with:

Code: Select all

ipset add eggdrop <ip>

Looked up some of the IP's that try to connect to your bot and they are listed for port scanning, brute-force access and so on on a few abuse websites like AbuseIPDB, Blocklist.de for example.

I made a Perl script to maintain a list updated once 24 hours from Blocklist.de for example for SSH:

Code: Select all

#!/usr/bin/perl

use strict;
use warnings;

my $setup = {
        file => 'blacklist.txt',
        filter => 'blacklist',
        url => 'https://lists.blocklist.de/lists/ssh.txt',
};

system(`wget -qO- $setup->{url} > $setup->{file}`);

my $file = $setup->{file};
open my $data, $file or die "Could not open $file: $!";

system(`ipset flush $setup->{filter}`);

my $count = 0;
my $total = 0;
while (my $ip = <$data>)  {
        if ($ip =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
                `ipset add $setup->{filter} $ip`;
                $count = $count + 1;
        }
        $total = $total + 1;
}

close $data;

print "Filtered: $count/$total\n";

the ipset table and iptables rules for this are:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP

and just run that perl script every 24 hours via crontab to keep it updated.

Result:

Code: Select all

Filtered: 9012/9012

[KhashayaR]

Caesar, Thank you, I guess all I need to do is figure out how to run the code you copied here , I’m not sure if I have to copy it on /script? Or there is other way?

[caesar]

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.

[KhashayaR]

The code I posted above is not for eggdrop, but something you would run on the server that is hosting the eggdrop, that is obviously if you have root access.

Thanks Caesar, yes i do have root access.

[caesar]

Then put the code into a file called for instance badips.pl, then chmod a+x badips.pl and run it with ./badips.pl

On, you need to execute the:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP 

only once to create the rules then can use ./badips.pl on a daily basis.

[KhashayaR]

Caesar Thanks you very much

[KhashayaR]

did i do something worng ?

Can't exec "ipset": No such file or directory at ./badips.pl line 23, <$data> li ne 9261.

[caesar]

You don't have it installed then. What Linux version do you have? On Debian (and all that come from it like Ubuntu and so on) all you have to do is:

Code: Select all

apt install ipset

You didn't run only once the first two commands that are mandatory:

Code: Select all

ipset create blacklist hash:net
iptables -I INPUT -m set --match-set blacklist src -j DROP 

before running the badips.pl script.

[KhashayaR]

Thank you very much it work

[caesar]

The amount of attempts should be narrowed down a notch. Do you have a router before the server that you run the eggdrop from?

[KhashayaR]

Hi Caesar, i hope all well, im still facing the same issue even after running the script, any idea what should i do. i can forward you the log , till now its been hramless however this will cuz the eggdrop to disconnect from irc server