• Hack Attempts - Is it normal?

    From cheartsdale@DIGDIST/LINGNET to All on Tue Jul 17 08:17:09 2012
    After several years on backup, I decided to take out my BBS again and turn it on. I left it on overnight and when I woke up in the morning, I noticed on web, terminal and ftp I had numerous hack attempts, trying to get access. They were using usernames like admin and generic passwords. Is that normal for everyone to see those activities showing up?


    ---
    ■ Synchronet ■ Wizards Realm
  • From Chris Trainor@DIGDIST/LINGNET to cheartsdale on Tue Jul 17 13:18:39 2012
    Re: Hack Attempts - Is it normal?
    By: cheartsdale to All on Tue Jul 17 2012 08:17:09

    After several years on backup, I decided to take out my BBS again and turn it on. I left it on overnight and when I woke up in the morning, I noticed on web, terminal and ftp I had numerous hack attempts, trying to get access. They were using usernames like admin and generic passwords. Is that normal for everyone to see those activities showing up?

    Pretty much the norm.... there are piles of automated hackers (bots)
    running around out there... scanning IP addresses all day long looking
    for stuff to pop up and become active. Once an active IP is found they
    port scan it to see what sockets are listening.

    When they see common stuff like 21, 22, 23, etc (ftp,ssh,telnet) running
    they fire off automated login attempts trying common admin user IDs and
    common passwords.

    It's friggen annoying. So all the more reason to make sure you use good
    passwords on stuff. And possibly a firewall that can notice hack
    attempts and block automatically.

    One thing that will keep a bunch of bots away tho is to simply disable
    ICMP echo responses (block ping). Most bots if they can't ping an IP
    will just give up. Now that doesn't work against someone actively trying
    to hack you specifically... just prevents a bunch of the automated stuff
    from hassling you.

    --Chris

    ------------------------------------------
    | Chris Trainor - FleetHQ BBS
    | telnet://bbs.fleethq.org
    | http://www.facebook.com/FleetHQ
    | +1-401-949-0465 (V.34/HST/CrankyAtTimes)
    ------------------------------------------

    ---
    ■ Synchronet ■ FleetHQ BBS - Greenville, RI
  • From Poindexter Fortran@DIGDIST/LINGNET to cheartsdale on Tue Jul 17 10:30:16 2012
    Re: Hack Attempts - Is it normal?
    By: cheartsdale to All on Tue Jul 17 2012 08:17 am

    on. I left it on overnight and when I woke up in the morning, I noticed on web, terminal and ftp I had numerous hack attempts, trying to get access. They were using usernames like admin and generic passwords. Is that normal for everyone to see those activities showing up?

    I see them all the time. Makes me wonder what someone could do with a non-privileged BBS user ID/pass.

    ---
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
  • From echicken@DIGDIST/LINGNET to cheartsdale on Tue Jul 17 18:07:53 2012
    Re: Hack Attempts - Is it normal?
    By: cheartsdale to All on Tue Jul 17 2012 08:17:09

    After several years on backup, I decided to take out my BBS again and turn it on. I left it on overnight and when I woke up in the morning, I noticed on web, terminal and ftp I had numerous hack attempts, trying to get access. They were using usernames like admin and generic passwords. Is that normal for everyone to see those activities showing up?

    Yes, very normal. Kind of a fact of life on the internet today (actually has been for some time, in my experience.) It's generally nothing to worry about, but if one particular address is hammering away at you, you should be able to filter it out (see ip.can.)

    See http://wiki.synchro.net/howto:hardening if you're really concerned. Disallow users from relaying mail through your system. Stuff like that will minimize your risk, such as it is.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-273-7230

    ---
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From Jeff.Clayton@DIGDIST/LINGNET to echicken on Fri Jul 20 12:33:10 2012
    Re: Hack Attempts - Is it normal?
    By: cheartsdale to All on Tue Jul 17 2012 08:17:09

    After several years on backup, I decided to take out my BBS again and turn it on. I left it on overnight and when I woke up in the morning, I noticed on web, terminal and ftp I had numerous hack attempts, trying to get access. They were using usernames like admin and generic passwords. Is that normal for everyone to see those activities showing up?


    I just implemented a web application firewall and proxy server that looks for these kinds of activities. I have noticed several attempts that were put to rest by the WAF. I use Apache2 with ModSecurity and CRS rules.
    Does anybody have any experience with this or good advice on its use in
    actual practice?


    Thanks



    A life devoid of integrity and fairness is no life at all!
    MGH AKA Jeff Clayton

    ---
    ■ Synchronet ■ DOVE.net:SciNet:ILink: Seven Kilns Of Enshiu BBS
  • From Digital Man@DIGDIST/LINGNET to Nightfox on Mon Jul 23 16:00:50 2012
    Re: Hack Attempts - Is it normal?
    By: Nightfox to Poindexter Fortran on Mon Jul 23 2012 12:31 pm

    I see them all the time. Makes me wonder what someone could do with a non-privileged BBS user ID/pass.

    I have wondered the same thing. Not many people these days even know what
    a BBS is (and some might not care anyway), and I wonder what they really expect to do if they were to actually gain access to one of our BBSs.

    Mostly, relay SPAM (using SMTP) and store/share files (FTP).

    digital man

    Synchronet "Real Fact" #12:
    Synchronet was the first BBS software to ship with internal QWK networking.
    Norco, CA WX: 82.2°F, 46.0% humidity, 20 mph WNW wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Mindless Automaton@DIGDIST/LINGNET to Chris Trainor on Tue Jul 24 12:13:40 2012
    On 7/17/2012 1:18 PM, Chris Trainor wrote:
    > Re: Hack Attempts - Is it normal?


    One thing that will keep a bunch of bots away tho is to simply disable
    ICMP echo responses (block ping). Most bots if they can't ping an IP
    will just give up. Now that doesn't work against someone actively trying
    to hack you specifically... just prevents a bunch of the automated stuff
    from hassling you.


    How about something like redirect them back to themselves? :)


    --

    4 Mindless Automaton Artifact Creature - Construct 0/0
    (Artifact Rare)
    Mindless Automaton comes into play with two +1/+1 counters on it. 1,
    Discard a card: Put a +1/+1 counter on Mindless Automaton. Remove two
    +1/+1 counters from Mindless Automaton: Draw a card.
    ---
    ■ Synchronet ■ Eldritch Clockwork BBS - eldritch.darktech.org
  • From Jimmy Mac@DIGDIST/LINGNET to DOVE-Net.DOVE-Net_Sysops on Wed Sep 12 00:00:07 2012
    RE: Hack Attempts - Is it normal?
    BY: "cheartsdale" <cheartsdale@PORTWIZ>

    After several years on backup, I decided to take out my BBS again and
    turn it on. I left it on overnight and when I woke up in the morning, I
    noticed on web, terminal and ftp I had numerous hack attempts, trying to
    get access. They were using usernames like admin and generic passwords.
    Is that normal for everyone to see those activities showing up?

    I see the same thing all the time. Just make sure your system is fairly well locked down and you should be fine. What I actually did on my FTP server was create an account called Administrator with a super easy password and locked it down to a folder which has nothing but read only access to a few text files about the Commodore C64. I think I even changed my FTP banner to show something silly.
    Naturally, the first thing I always do when setting up a server is change the admin account name to something quite random and apply a very (relatively) strong password.



    Origin: Skulls & Crossbones - telnet://skulls.sytes.net

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Phantomrage@DIGDIST/LINGNET to Jimmy Mac on Wed Sep 12 16:59:33 2012
    I see the same thing all the time. Just make sure your system is fairly
    well locked down and you should be fine. What I actually did on my FTP
    server was create an account called Administrator with a super easy
    password and locked it down to a folder which has nothing but read only

    I remove all accounts with admin or administrator and don't even use that login.
    Wrote a script: when the BBS does its maintenance it scans the log files, and if an IP attempts to log in with admin more than 4 times, the IP is placed in
    the ban list.

    Since I don't use the admin user name, no reason anyone should be trying to
    use it.

    PhantomRage Studios BBS!

    ---
    ■ Synchronet ■ PhantomRage Studios: Telnet://phantomrage.org
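
The log-scan-and-ban approach described in the last post, sketched as an added example (not Phantomrage's script and not Synchronet code). The log line format, function names and addresses are constructed assumptions; the returned addresses would be appended to whatever ban list the system uses, such as the ip.can filter mentioned earlier in the thread.

```javascript
// Added example. The log format below is constructed, not Synchronet's own.
const WATCHED_USERS = new Set(["admin", "administrator"]); // names no real account uses
const THRESHOLD = 4; // ban when an address exceeds this many attempts

// Anchored pattern: the address is read only from its fixed position, so text
// a client places in the username field cannot pose as the source address.
const LINE_RE =
  /^\S+ \S+ (?:ftp|telnet|http) (\d{1,3}(?:\.\d{1,3}){3}) LOGIN FAILED user=(.*)$/;

function validIPv4(ip) {
  return ip.split(".").every((octet) => Number(octet) <= 255);
}

// Returns the addresses to add to the ban list. Addresses already banned and
// addresses on the allowlist (e.g. the sysop's own) are never returned.
function findBanCandidates(logText, alreadyBanned = [], allowlist = []) {
  const skip = new Set([...alreadyBanned, ...allowlist]);
  const counts = new Map();
  for (const line of logText.split(/\r?\n/)) {
    const m = LINE_RE.exec(line.trim());
    if (!m || !validIPv4(m[1])) continue;
    if (!WATCHED_USERS.has(m[2].trim().toLowerCase())) continue;
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return [...counts]
    .filter(([ip, n]) => n > THRESHOLD && !skip.has(ip))
    .map(([ip]) => ip)
    .sort();
}

// Constructed sample log (documentation-range addresses).
function sampleLog() {
  const row = (sec, svc, ip, user) =>
    `2012-09-12 03:14:0${sec} ${svc} ${ip} LOGIN FAILED user=${user}`;
  const lines = [];
  for (let i = 0; i < 5; i++) lines.push(row(i, "ftp", "203.0.113.5", "admin"));
  for (let i = 0; i < 4; i++) lines.push(row(i, "telnet", "198.51.100.7", "Administrator"));
  for (let i = 0; i < 6; i++) lines.push(row(i, "http", "192.0.2.10", "admin"));
  // Username carrying a forged entry: must not count against 198.51.100.7.
  lines.push(row(9, "ftp", "203.0.113.99", "x ftp 198.51.100.7 LOGIN FAILED user=admin"));
  lines.push(row(9, "ftp", "203.0.113.5", "guest")); // other names are ignored
  return lines.join("\n");
}

// 192.0.2.10 stands in for the sysop's own address and is allowlisted.
console.log(findBanCandidates(sampleLog(), [], ["192.0.2.10"]).join("\n"));
```

The allowlist is what keeps a mistyped login from the sysop's own address from locking the sysop out, and the anchored pattern keeps a crafted username from getting someone else's address banned.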