Hey ya'll

Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

Thanks


--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Wednesday, April 7th tonic muttered...

Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?
I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

If you look though the archives, someone was looking to hook up fail2ban with enigma logs a bit back.


--
|08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 04/07/2021 8:36 pm tonic said...

I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

I know I wrote a tiny Python script that essentially tails the Enigma logs, when someone attempts to login with invalid/not allowed usernames (root and such) that I essentially act like Fail2Ban. (I used the IP table and stored for myself their IP and the current time, so I could remove them from the IP table after so many hours)

But my case was a bit different I think. (And I know a bit of Python do have done that)

I would figure both SSHGuard and Fail2Ban could work, or at least do something, in my case I was explicitly targeting when Enigma dumps to it's logs invalid usernames.

Take Care,
Beanzilla



--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.16.0)
* Origin: BZ&BZ BBS (21:4/110)

On 07 Apr 2021, tonic said the following...

Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

just drop anyone that fails the ANSi detection lol

and don't run your bbs on a VPS

--- Mystic BBS v1.12 A47 2021/04/01 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)

Beanzilla wrote to tonic <=-

I would figure both SSHGuard and Fail2Ban could work, or at least do something, in my case I was explicitly targeting when Enigma dumps to
it's logs invalid usernames.

Unfortunately, fail2ban doesn't parse json logs. Doesn't look like
are going to be adding that anytime/if ever. You're stuck using
regex to parse the logs. Ugh! https://xkcd.com/1171/

ENiGMA logs are json, so it looks like your code is a good option.

You even use the fancy inotify.

Take care,
bugz

... You've been leading a dog's life. Stay off the furniture.

--- MultiMail/Linux v0.52


--- Talisman v0.17-dev (Linux/x86_64)
* Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)

El 8/4/21 a las 01:36, tonic escribió:

Hey ya'll

Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

Thanks

i use fail2ban on Synchornet (and all my another servers) with good results
--- SBBSecho 3.14-Linux
* Origin: Dock Sud BBS - bbs.docksud.com.ar - Argentina (21:2/151)

El 10/4/21 a las 17:18, Ragnarok escribió:

El 8/4/21 a las 01:36, tonic escribió:

Hey ya'll

Anyone here running an enigma setup where they're forwarding Enigma to
privliged ports like  22, 23, etc?

I've never super investigated how enigma handles ssh calls but I'm
curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent
bot spam on these ports.

Thanks

i use fail2ban on Synchornet (and all my another servers) with good results

You can see as example my sbbs* files under ftp://bbs.docksud.com.ar/
--- SBBSecho 3.14-Linux
* Origin: Dock Sud BBS - bbs.docksud.com.ar - Argentina (21:2/151)

On Saturday, April 10th bugz said...

Unfortunately, fail2ban doesn't parse json logs. Doesn't look like are going to be adding that anytime/if ever. You're stuck using regex to parse the logs. Ugh! https://xkcd.com/1171/

You can always use jq or such in your pipeline as well, or even 'bunyan' (the tool to accompany Bunyan style/JSON logs)


--
|08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
|08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
|08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

NuSkooler wrote to bugz <=-

On Saturday, April 10th bugz said...

Unfortunately, fail2ban doesn't parse json logs. Doesn't look like are going to be adding that anytime/if ever. You're stuck using regex to parse the logs. Ugh! https://xkcd.com/1171/

You can always use jq or such in your pipeline as well, or even
'bunyan' (the tool to accompany Bunyan style/JSON logs)

Not with fail2ban. It only allows regex, and only reads from a file.
And I think it doesn't like UTC times as well. (Unless the server TZ is
also in UTC.) For being so popular, it has some major things it doesn't
do.

But bunyan -L is quite a nice way to read the logs.

And python. It can digest json. :D

Take care,
bugz

... You can tune a piano but you can't tuna fish.

--- MultiMail/Linux v0.52


--- Talisman v0.18-dev (Linux/x86_64)
* Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)