• BBS Listing Outbound Telnet

    From Apam@21:1/182 to All on Mon Oct 19 22:44:41 2020
    RE: BBS Listing Outbound Telnet
    BY: All

    Hi

    I've been working on a BBS listing door program, and adding outbound telnet functionality. I've got it working except for BBS ANSI detection (ANSI works fine, it's just Mystic doesn't detect it).

    My telnet part of the door just copies whatever it receives on the telnet socket to the socket handle of the client and vice versa.. so all the telnet IAC handling should be done in the client's terminal yeah?

    Anyway, I then realized I was opening up the possibility for anyone to add any LAN address in the BBS list and telnet to it... I'm no security expert, but I don't really want anyone tunneling through my BBS onto my LAN.

    I suppose I could add checks for LAN IPs in the listings... but seems like more effort than it's worth. Just thought I'd mention it though for anyone using gy-blam on a LAN (I dunno if it checks IPs or not..)

    Andrew


    --- WWIV 5.5.0.development
    * Origin: The Barbed Hook - telnet://barbedhook.ddns.net:2323/ (21:1/182)
  • From Rushfan@21:2/115 to Apam on Mon Oct 19 13:24:41 2020
    BY: Apam(21:1/182)


    I suppose I could add checks for LAN IPs in the listings... but seems like more effort than it's worth. Just thought I'd mention it though for anyone using gy-blam on a LAN (I dunno if it checks IPs or not..)

    Doesn't seem that much code. Here's a simple function to do reasonably well.

    https://stackoverflow.com/questions/14293095

    -rushfan


    --- WWIV 5.6.0.3285
    * Origin: Mystic Rhythms BBS (21:2/115)
  • From Warpslide@21:3/110 to Apam on Mon Oct 19 10:49:14 2020
    On 19 Oct 2020, Apam said the following...

    Anyway, I then realized I was opening up the possibility for anyone to add any LAN address in the BBS list and telnet to it... I'm no security expert, but I don't really want anyone tunneling through my BBS onto my LAN.

    That's a good point. Never thought about using that as a means of moving laterally into the network.

    ...or maybe using your BBS as a jumping point to other areas of the internet, like how the Carna Botnet used weak passwords to log in & exploit ~420,000 telnet hosts:

    https://seclists.org/fulldisclosure/2013/Mar/166


    Jay

    ... I put all my spare cash into an origami business. It folded.

    --- Mystic BBS v1.12 A47 2020/10/13 (Raspberry Pi/32)
    * Origin: Northern Realms (21:3/110)
  • From Apam@21:1/182 to Rushfan on Tue Oct 20 21:11:53 2020
    RE: Re: BBS Listing Outbound Telnet
    BY: Rushfan(21:2/115)


    Doesn't seem that much code. Here's a simple function to do reasonably well.

    Thanks, I incorporated that into the door, and also am blocking loopback addresses.

    Andrew

    --- WWIV 5.5.0.development
    * Origin: The Barbed Hook - telnet://barbedhook.ddns.net:2323/ (21:1/182)
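
Added example, not code from the thread, from Apam's door or from the linked answer: one way to vet a listing entry before dialing out, resolving the name once and refusing it if any resulting address is loopback, LAN or otherwise non-public. The function names are hypothetical, and the ranges beyond LAN and loopback (link-local, carrier-grade NAT, multicast, the IPv6 equivalents) are assumptions about what an operator would also want refused.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* expose getaddrinfo() under strict -std= modes */
#endif
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>

/* 1 if an IPv4 address (host byte order) is loopback, private or non-public. */
static int v4_blocked(uint32_t ip) {
    static const struct { uint32_t net, mask; } n[] = {
        {0x00000000, 0xFF000000},  /* 0.0.0.0/8       "this" network      */
        {0x0A000000, 0xFF000000},  /* 10.0.0.0/8      RFC 1918            */
        {0x64400000, 0xFFC00000},  /* 100.64.0.0/10   carrier-grade NAT   */
        {0x7F000000, 0xFF000000},  /* 127.0.0.0/8     loopback            */
        {0xA9FE0000, 0xFFFF0000},  /* 169.254.0.0/16  link-local          */
        {0xAC100000, 0xFFF00000},  /* 172.16.0.0/12   RFC 1918            */
        {0xC0A80000, 0xFFFF0000},  /* 192.168.0.0/16  RFC 1918            */
        {0xE0000000, 0xE0000000},  /* 224.0.0.0/3     multicast, reserved */
    };
    for (size_t i = 0; i < sizeof n / sizeof n[0]; i++)
        if ((ip & n[i].mask) == n[i].net) return 1;
    return 0;
}

/* 1 if a resolved socket address must not be dialed on a caller's behalf. */
static int addr_blocked(const struct sockaddr *sa) {
    if (sa->sa_family == AF_INET)
        return v4_blocked(ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr));
    if (sa->sa_family != AF_INET6) return 1;        /* unknown family: refuse */
    const uint8_t *b = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
    static const uint8_t zero[12] = {0};
    if (memcmp(b, zero, 10) == 0 && b[10] == 0xFF && b[11] == 0xFF) /* ::ffff:a.b.c.d */
        return v4_blocked((uint32_t)b[12] << 24 | b[13] << 16 | b[14] << 8 | b[15]);
    if (memcmp(b, zero, 12) == 0) return 1;         /* ::, ::1 and ::a.b.c.d  */
    return (b[0] & 0xFE) == 0xFC                    /* fc00::/7  unique local */
        || (b[0] == 0xFE && (b[1] & 0xC0) == 0x80)  /* fe80::/10 link-local   */
        || b[0] == 0xFF;                            /* ff00::/8  multicast    */
}

/* Resolve once; NULL if refused, else the vetted list to connect() to and free. */
struct addrinfo *resolve_listing(const char *host, const char *port) {
    struct addrinfo hints = {0}, *res, *p;
    hints.ai_socktype = SOCK_STREAM;                /* ai_family 0 = AF_UNSPEC */
    if (getaddrinfo(host, port, &hints, &res) != 0) return NULL;
    for (p = res; p; p = p->ai_next)
        if (addr_blocked(p->ai_addr)) { freeaddrinfo(res); return NULL; }
    return res;
}
```

Run the check at dial time rather than only when the entry is added, and connect() to the returned addresses instead of resolving the name a second time, since a hostname in a listing can be repointed at a LAN address after it was accepted.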