• Avoiding Telnet spam

    From Ltning@1:103/705 to All on Mon Mar 11 18:04:00 2024
    Hola!

    So last night I opened the floodgates to my BBS, but soon after I had to close down the access - my nodes kept being hammered by drive-by network scans hitting port 23. Running on an old 386-class machine, this obviously wasn't healthy..

    Other than moving the inbound port to something else than the Telnet default (23), are there any other clever ways of dealing with this? Some kind of proxy which can perform some initial challenge, for example?

    In short, I'd much rather have one extra step prior to login (textmode captcha?) than move the service to a different port.

    Suggestions welcome!

    Thanks,
    - Ltning

    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Gamgee@1:103/705 to Ltning on Mon Mar 11 16:29:00 2024
    Ltning wrote to All <=-

    > So last night I opened the floodgates to my BBS, but soon after I
    > had to close down the access - my nodes kept being hammered by
    > drive-by network scans hitting port 23. Running on an old
    > 386-class machine, this obviously wasn't healthy..
    >
    > Other than moving the inbound port to something else than the
    > Telnet default (23), are there any other clever ways of dealing
    > with this? Some kind of proxy which can perform some initial
    > challenge, for example?
    >
    > In short, I'd much rather have one extra step prior to login
    > (textmode captcha?) than move the service to a different port.
    >
    > Suggestions welcome!

    Well, there is this:
    https://wiki.synchro.net/howto:block-hackers

    It's somewhat useful. Some folks run a "perimeter firewall" or a
    utility like "fail2ban" to block some of it. Both of those are not
    trivial to set up. If your router allows configuring of "Geo IP
    filters", you can use that to block some of the worst offender's
    countries entirely.

    You do what you can, but in the end.... it really isn't something to
    worry about too much. They're just dumb bots/scripts that aren't really harmful.

    > þ Synchronet þ bbs.anduin.net

    This hostname doesn't even resolve, FYI...



    ... All hope abandon, ye who enter messages here.
    --- MultiMail/Linux v0.52
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From deon@1:103/705 to Ltning on Tue Mar 12 22:04:17 2024
    Re: Avoiding Telnet spam
    By: Ltning to All on Mon Mar 11 2024 06:04 pm

    Howdy,

    > Other than moving the inbound port to something else than the Telnet default (23), are there any other clever ways of dealing with this? Some kind of proxy which can perform some initial challenge, for example?

    You could put haproxy in front of SBBS (which is what I do - but mainly because I run SBBS in docker).

    SBBS supports the HAPROXY_PROTO, so it'll still get the source IP address - but you'll need to enable it. IIRC details are in the wiki.

    With haproxy in front, you could "slow down" the spammers (multiple connections from the same address, repeated connections from the same address within a time period, etc) - but it won't stop them. (You don't need to stop them, they're harmless really - but SBBS has additional measures it can enforce as well...)

    You could also white list addresses - so you can always get in for example, while the other nodes get hit.



    ---
    þ Synchronet þ AnsiTEX bringing back videotex but with ANSI
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mike Powell@1:103/705 to DEON on Wed Mar 13 08:22:00 2024
    > With haproxy in front, you could "slow down" the spammers (multiple connections
    > from the same address, repeated connections from the same address within a time
    > period, etc) - but it won't stop them. (You don't need to stop them, they're harmless
    > really - but SBBS has additional measures it can enforce as well...)

    I use haproxy in front of a DOS BBS I have hooked to telnet. I use an ACL (which is
    built from SBBS's ip-silent.can) to cull out some known trouble IPs. Recently, I got
    to looking at other ways that I could slow down traffic. Most of the slow-down and
    prevent logic, like tarpitting, appears to be geared towards HTTP traffic and does
    not have a TCP equivalent.

    What haproxy settings are you using to "slow down" telnet and ssh traffic?

    Thanks!


    * SLMR 2.1a * Brevity is the soul of utter incomprehension.
    ---
    þ Synchronet þ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From deon@1:103/705 to Mike Powell on Thu Mar 14 08:57:10 2024
    Re: Haproxy (was Avoiding Tel
    By: Mike Powell to DEON on Wed Mar 13 2024 08:22 am

    Hey Mike,

    > What haproxy settings are you using to "slow down" telnet and ssh traffic?

    This is how my haproxy is configured (in a frontend definition block):

    # Track the backend state and reject any attempts if it's down
    acl be-telnet-dead nbsrv(be-sbbs-telnet) lt 1
    tcp-request connection reject if be-telnet-dead

    # Stick table keyed by source address (a "type ipv6" table also holds IPv4
    # addresses, as IPv4-mapped IPv6), storing the current connection count and
    # the new-connection rate over 60s
    stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)

    ## Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
    # Only allow one open connection per IP
    tcp-request connection reject if { src_conn_cur ge 1 }
    # Only allow one new connection per IP per 60s
    tcp-request connection reject if { src_conn_rate ge 1 }
    # Start tracking this source last, so the checks above see the table state
    # before this connection itself is counted
    tcp-request connection track-sc1 src



    ---
    þ Synchronet þ AnsiTEX bringing back videotex but with ANSI
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ltning@1:103/705 to Gamgee on Tue Mar 12 11:42:00 2024
    RE: Avoiding Telnet spam
    BY: Gamgee to Ltning on Mon Mar 11 2024 16:29:00

    >> Other than moving the inbound port to something else than the
    >> Telnet default (23), are there any other clever ways of dealing
    >> with this? Some kind of proxy which can perform some initial
    >> challenge, for example?
    > Well, there is this:
    > https://wiki.synchro.net/howto:block-hackers

    This one isn't helpful to SBBS 2.x, since it all assumes SBBS is doing Telnet itself. I'm thinking about some kind of TCP proxy that can output a simple math challenge or similar, and then pass the input and output to a new connection to the actual BBS..

    > This hostname doesn't even resolve, FYI...

    Yeah, I'm not quite ready to post in Advertisements yet - but you can connect to floppy.museum:2323 for now :)

    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ltning@1:103/705 to Ltning on Tue Mar 12 12:04:00 2024
    RE: Avoiding Telnet spam
    BY: Ltning to Gamgee on Tue Mar 12 2024 11:42:57

    > RE: Avoiding Telnet spam
    > BY: Gamgee to Ltning on Mon Mar 11 2024 16:29:00
    >
    >>> Other than moving the inbound port to something else than the
    >>> Telnet default (23), are there any other clever ways of dealing
    >>> with this? Some kind of proxy which can perform some initial challenge, for example?
    >> Well, there is this:
    >> https://wiki.synchro.net/howto:block-hackers
    >
    > This one isn't helpful to SBBS 2.x, since it all assumes SBBS is doing Telnet itself. I'm thinking about some kind of TCP proxy that can output a simple math challenge or similar, and then pass the input and output to a new connection to the actual BBS..
    >
    >> This hostname doesn't even resolve, FYI...
    >
    > Yeah, I'm not quite ready to post in Advertisements yet - but you can connect to floppy.museum:2323 for now :)


    ...I really need to get syncedit to work as an external editor, but for some reason I get COM port conflicts...

    - Ltning


    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ragnarok@1:103/705 to Ltning on Thu Mar 14 01:19:33 2024
    On 11/3/24 at 15:04, Ltning wrote:
    > Hola!
    >
    > So last night I opened the floodgates to my BBS, but soon after I had to close
    > down the access - my nodes kept being hammered by drive-by network scans hitting
    > port 23. Running on an old 386-class machine, this obviously wasn't healthy..
    >
    > Other than moving the inbound port to something else than the Telnet default
    > (23), are there any other clever ways of dealing with this? Some kind of proxy
    > which can perform some initial challenge, for example?
    >
    > In short, I'd much rather have one extra step prior to login (textmode captcha?) than move the service to a different port.
    >
    > Suggestions welcome!
    >
    > Thanks,
    > - Ltning
    >
    > ---
    > þ Synchronet þ bbs.anduin.net

    Alo!
    I recommend fail2ban on linux.
    ---
    þ Synchronet þ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mike Powell@1:103/705 to DEON on Thu Mar 14 09:01:00 2024
    >> What haproxy settings are you using to "slow down" telnet and ssh traffic?
    >
    > This is how my haproxy is configured (in a frontend definition block):

    Nice, thanks for sharing! I was looking at the stick-tables. Most
    examples online referenced using it with http requests and I had yet to
    figure out if it would work with tcp-request. Looks like it does for you
    so I will try that out.


    * SLMR 2.1a * I'm easy to please ... as long as I get my way
    ---
    þ Synchronet þ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ltning@1:103/705 to Ragnarok on Fri Mar 15 19:33:00 2024
    RE: Avoiding Telnet spam
    BY: Ragnarok to Ltning on Thu Mar 14 2024 01:19:00

    > Alo!
    > I recommend fail2ban on linux.

    I found a different solution, which allows me to do this in the "fast" end of the pipe (firewall/proxy), rather than on my old 386 - by which time it already is too late:

    I've built nginx with the openresty stream module: https://github.com/openresty/stream-lua-nginx-module

    Using a stream {} block in nginx, I can use lua code to inject a "greeting" - in my case a tiny math quiz - in plain ASCII before passing the connection to the actual BBS. This doesn't mess with the Telnet protocol at all, and allows the BBS to set up the ANSI colors and all without disturbance.

    And if the math quiz is not answered correctly, I just drop the connection from nginx and the BBS is none the wiser.

    I'll post the code snippet here or wherever it's appropriate, if anyone is interested - once I'm done with the details.

    - Ltning

    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Phigan@1:103/705 to Ltning on Sat Mar 16 02:28:39 2024
    Re: Avoiding Telnet spam
    By: Ltning to Ragnarok on Fri Mar 15 2024 07:33 pm

    > I'll post the code snippet here or wherever it's appropriate, if anyone is interested - once I'm done with the details.

    This sounds nice. Definitely post, please.

    ---
    þ Synchronet þ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ltning@1:103/705 to Phigan on Sat Mar 16 22:22:00 2024
    RE: Avoiding Telnet spam
    BY: Phigan to Ltning on Sat Mar 16 2024 02:28:00

    > Re: Avoiding Telnet spam
    > By: Ltning to Ragnarok on Fri Mar 15 2024 07:33 pm
    >
    >> I'll post the code snippet here or wherever it's appropriate, if anyone is interested - once I'm done with the details.
    >
    > This sounds nice. Definitely post, please.

    So I've dropped a couple sample files on my www:
    https://anduin.net/~ltning/bbs/nginx.conf
    https://anduin.net/~ltning/bbs/bbs_math.lua

    The first is the main config for nginx. The second is the Lua code which is used to present the math "captcha" early in the connection.

    Happy to provide more info, but I think I've added a fair amount of comments - it should be enough to get you started.

    Let me know if anyone uses it! :) And if you try to get this going *right now*, the LUASTREAM module which is needed is in review for inclusion in the FreeBSD port as I write this:
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277719
    I expect it to be merged in the very near future.
    On various Linux distros, I expect this module is available through whichever package manager you're using.

    Take care,
    - Ltning

    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Phigan@1:103/705 to Ltning on Sun Mar 17 04:42:55 2024
    Re: Avoiding Telnet spam
    By: Ltning to Phigan on Sat Mar 16 2024 10:22 pm

    > Happy to provide more info, but I think I've added a fair amount of comments - it should be enough to get you started.

    This is absolutely great. Thanks for putting it together. Yes, it's very well commented.

    Do you think there's a way of displaying a different message if the max_conns is reached? Like a "Busy, try again later" kind of thing?

    ---
    þ Synchronet þ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Ltning@1:103/705 to Phigan on Sun Mar 17 12:40:00 2024
    RE: Avoiding Telnet spam
    BY: Phigan to Ltning on Sun Mar 17 2024 04:42:00

    > Do you think there's a way of displaying a different message if the max_conns is reached? Like a "Busy, try again later" kind of thing?

    That's a good question. I don't think there's an "obvious and easy" way, but I've learned not to dismiss any possibility when it comes to nginx.. It's only a couple of days ago I was convinced *this* wasn't doable.

    I think perhaps with the use of a shared_dict - basically a shared-memory "database" - it might be possible to keep track of active connections. So instead of placing a hard limit on connections to the upstream (BBS), we count how many concurrent ones we have and place a "soft limit" on it. The main problem is that I don't know if I'm able to capture the end of a session cleanly in all cases.

    Not promising I'll get around to that in the very near future (I'm still trying to actually get my BBS "formally" launched..), but it's an interesting thought. :)

    - Ltning

    ---
    þ Synchronet þ bbs.anduin.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
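The gate Ltning describes a few posts up (a TCP proxy that puts a plain-ASCII arithmetic question in front of the Telnet port, drops the caller on a wrong answer, and otherwise splices the connection through to the BBS untouched), together with the soft connection limit and "busy, try again later" message that Phigan asks for and Ltning sketches in the last two posts, as one added example. It is Python with asyncio and is not code from the thread: not Ltning's nginx/Lua configuration and nothing from Synchronet, nginx or haproxy. The BBS address it is given, the default session limit of four, the 20 second answer deadline and the prompt and busy wording are all assumptions, and the self-test at the end talks to a constructed fake BBS on loopback rather than a real board. Per-source rate limiting of the kind in deon's haproxy config is not repeated here.

```python
import asyncio
import random
import re
from contextlib import suppress

IAC = 255                                                      # Telnet "interpret as command"
BUSY = b"\r\nAll lines are busy, please try again later.\r\n"  # assumed wording

def make_challenge():
    a, b = random.randint(2, 9), random.randint(2, 9)
    return f"\r\nBefore you log in, what is {a} + {b}? ", a + b

def check_answer(raw, expected):
    """Compare the trailing run of ASCII digits on the line; whatever precedes it is ignored,
    typically the Telnet option negotiation (IAC sequences) a real client sends on connect."""
    m = re.search(rb"([0-9]+)\s*$", raw)
    return m is not None and int(m.group(1)) == expected

async def read_answer(reader, timeout):
    """One line up to CR (Telnet line mode sends CR LF or CR NUL); b"" if the caller is late,
    hung up, or streams junk past the 64 KiB line limit without ever pressing Enter."""
    try:
        line = await asyncio.wait_for(reader.readuntil(b"\r"), timeout)
    except (asyncio.TimeoutError, asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        return b""
    with suppress(asyncio.TimeoutError):             # swallow the LF or NUL after the CR so it
        await asyncio.wait_for(reader.read(1), 0.2)  # is not forwarded as a stray keystroke
    return line

async def pipe(reader, writer):
    with suppress(ConnectionError):
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()

class Gate:
    """Challenge first, splice second. `active` is a soft session limit answered with BUSY
    and is decremented in `finally`, so every way a session can end is counted."""
    def __init__(self, upstream, max_sessions=4, answer_timeout=20):   # assumed defaults
        self.upstream, self.max_sessions, self.timeout, self.active = upstream, max_sessions, answer_timeout, 0

    async def handle(self, reader, writer):
        try:
            prompt, expected = make_challenge()
            writer.write(prompt.encode("ascii"))
            await writer.drain()
            if not check_answer(await read_answer(reader, self.timeout), expected):
                return                               # wrong, empty or late: the BBS never sees it
            if self.active >= self.max_sessions:
                writer.write(BUSY); await writer.drain()
                return
            self.active += 1
            try:
                up_reader, up_writer = await asyncio.open_connection(*self.upstream)
                legs = [asyncio.ensure_future(pipe(reader, up_writer)),
                        asyncio.ensure_future(pipe(up_reader, writer))]
                await asyncio.wait(legs, return_when=asyncio.FIRST_COMPLETED)  # either side hanging up ends it
                for leg in legs:
                    leg.cancel()
                await asyncio.gather(*legs, return_exceptions=True)
                up_writer.close()
            except OSError:                          # BBS not answering: say so rather than just hang up
                writer.write(BUSY); await writer.drain()
            finally:
                self.active -= 1
        finally:
            writer.close()

async def _demo():
    """Constructed self-test on loopback: a fake BBS that holds the line until the caller hangs
    up, a gate with room for one session, and three callers in a row."""
    async def fake_bbs(r, w):
        w.write(b"Welcome to the BBS\r\nLogin: "); await w.drain(); await r.read(); w.close()
    bbs = await asyncio.start_server(fake_bbs, "127.0.0.1", 0)
    gate = Gate(bbs.sockets[0].getsockname(), max_sessions=1)
    proxy = await asyncio.start_server(gate.handle, "127.0.0.1", 0)
    async def call(offset):                          # offset 0 answers correctly
        r, w = await asyncio.open_connection(*proxy.sockets[0].getsockname())
        a, b = map(int, re.findall(r"\d+", (await r.read(100)).decode()))
        w.write(bytes([IAC, 251, 31]) + f"{a + b + offset}\r\n".encode())   # IAC WILL NAWS, then the answer
        await w.drain()
        return r, w
    r1, w1 = await call(0); first = (await r1.readuntil(b"Login: ")).decode()
    r2, w2 = await call(0); second = (await r2.read()).decode()   # line in use: BUSY, then hang-up
    r3, w3 = await call(1); third = (await r3.read()).decode()    # wrong answer: dropped without a word
    w1.close(); w2.close(); w3.close()
    for _ in range(100):                             # up to 5 s for the first session to wind down
        if not gate.active: break
        await asyncio.sleep(0.05)
    proxy.close(); bbs.close()
    return [first, second, third], gate.active

def demo():
    return asyncio.run(_demo())

if __name__ == "__main__":
    print(demo())
```

To front a real board, build `Gate(("127.0.0.1", 2323))` (or wherever the BBS listens) and hand `gate.handle` to `asyncio.start_server` on the public port, so port 23 stays on the fast end of the pipe and the BBS only ever sees callers that answered. The answer is read up to CR because Telnet clients in line mode send CR LF or CR NUL, and the byte after the CR is swallowed so the BBS does not receive a stray empty line as its first keystroke; a client that only sends a bare LF (nc, most scanners) waits out the deadline and is dropped. Anything a client sends before the digits, usually IAC option negotiation, is ignored, and the BBS renegotiates for itself once the connection is spliced. The session count is decremented in `finally` and either side hanging up ends the session, which is the clean end-of-session capture the last post was unsure about: a half-open bot cannot keep a slot after the BBS has disconnected. A sum of two single digits only stops drive-by scanners, which is the stated goal; it is not a defence against anyone targeting the board.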