• Has anyone received one of these?

    From Bradley D. Thornton to All on Thu Sep 5 03:05:40 2019
    It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten something that pretty much insists that I close an open port on one of my machines.

    Anyway, I thought I would toss this out to the list and see what your thoughts and suggestions are, as I have no intentions right now of closing down the telnet port. Maybe later, when I configure the ssh port for access, if that's going to provide an optimum experience for visitors, but I'm reluctant to choose a port other than 23 at this time (but maybe I'll have to).

    Anyway, comments, suggestions?

    <snip>

    Dear Mr Bradley D. Thornton,

    We have received a security alert from the German Federal Office for Information Security (BSI).

    Please see the original report included below for details.

    Please investigate and solve the reported issue.

    It is not required that you reply to either us or the BSI.

    If the issue has been fixed successfully, you should not receive any further notifications.

    Additional information is provided with the HOWTOs referenced in the report.

    In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.

    Kind regards

    Abuse Team

    Hetzner Online GmbH
    Industriestr. 25
    91710 Gunzenhausen / Germany
    Tel: +49 9831 5050
    Fax: +49 9831 5053
    www.hetzner.com

    Register Court: Registergericht Ansbach, HRB 6089
    CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

    For the purposes of this communication, we may save some
    of your personal data. For information on our data privacy
    policy, please see: www.hetzner.com/datenschutzhinweis

    On 04 Sep 08:50, reports@reports.cert-bund.de wrote:

    Dear Sir or Madam,

    Telnet is an outdated network protocol for text-oriented command-line
    access to remote hosts. With Telnet, all communication including
    username and password is transmitted unencrypted in clear text and
    is therefore susceptible to eavesdropping.

    Many IoT devices (routers, network cameras, etc.) are running
    Telnet servers by default. If the devices are openly accessible
    from the Internet and standard login credentials have not been
    changed, an attacker can easily gain full control of the devices.
    Malware like Mirai automatically exploits insecure Telnet servers
    openly accessible from the Internet to compromise devices
    and connect them to a botnet.

    CERT-Bund recommends using (Open)SSH with key-based authentication
    for secure access to remote hosts.

    Affected systems on your network:

    Format: ASN | IP | Timestamp (UTC) | Port | Banner
    24940 | 95.216.171.182 | 2019-09-03 10:05:13 | 23 | (U[8;25;80t[1;25r[1;1H[2J[1;1H[?1000h|Mystic BBS v1.12 A43 for Linux Node 2|Copyright (C) 1997-2019 By James Coyle||Detecting terminal emulation: [6n

    We would like to ask you to check this issue and take appropriate
    steps to secure affected systems or notify your customers accordingly.


    </snip>

    Looking forward to hearing what everyone has to say :)

    Kindest regards,

    Bradley

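As an added example (not from the thread, Hetzner or CERT-Bund), a small Python parser for the report format quoted above (`ASN | IP | Timestamp (UTC) | Port | Banner`): it strips the terminal control sequences from the banner so the listening service can be identified, and checks each finding against the set of (IP, port) pairs the operator has already reviewed as intended services, which is the recipient's side of the whitelisting that happens later in this thread. The second report line and the reviewed set are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Terminal control sequences seen in Telnet banners: CSI sequences such as
# ESC[8;25;80t / ESC[6n and charset designations such as ESC(U.
ESCAPE_RE = re.compile(r"\x1b(?:\[[0-9;?]*[A-Za-z]|\([A-Za-z0-9])")

# Constructed sample in the report format quoted above. The first line
# reproduces the Mystic BBS finding from the thread (with ESC bytes restored);
# the second line is an invented device that only shows a login prompt.
SAMPLE_REPORT = """\
Format: ASN | IP | Timestamp (UTC) | Port | Banner
24940 | 95.216.171.182 | 2019-09-03 10:05:13 | 23 | \x1b(U\x1b[8;25;80t\x1b[1;25r\x1b[1;1H\x1b[2J\x1b[1;1H\x1b[?1000h|Mystic BBS v1.12 A43 for Linux Node 2|Copyright (C) 1997-2019 By James Coyle||Detecting terminal emulation: \x1b[6n
24940 | 192.0.2.10 | 2019-09-03 10:07:41 | 23 | login:
"""

@dataclass
class Finding:
    asn: int
    ip: str
    seen: datetime
    port: int
    banner: str  # banner text with control sequences removed

def parse_report(text: str) -> list[Finding]:
    """Parse 'ASN | IP | Timestamp (UTC) | Port | Banner' lines, skipping the header.
    The banner is split off last so '|' characters inside it are preserved."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Format:"):
            continue
        asn, ip, ts, port, banner = line.split(" | ", 4)
        banner = ESCAPE_RE.sub("", banner).replace("|", " ")
        banner = re.sub(r"\s+", " ", banner).strip()
        findings.append(Finding(int(asn), ip,
                                datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                int(port), banner))
    return findings

def triage(findings: list[Finding], acknowledged: set[tuple[str, int]]) -> list[tuple[str, int, str]]:
    """Mark a finding 'acknowledged' if the operator has already reviewed that
    (IP, port) as an intended service, otherwise 'investigate'."""
    return [(f.ip, f.port, "acknowledged" if (f.ip, f.port) in acknowledged else "investigate")
            for f in findings]

if __name__ == "__main__":
    # Reviewed (IP, port) pairs; here only the BBS from the thread.
    print(triage(parse_report(SAMPLE_REPORT), {("95.216.171.182", 23)}))
```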
  • From Todd Yatzook@1:142/799 to Bradley D. Thornton on Thu Sep 5 10:55:56 2019
    On 05 Sep 2019, Bradley D. Thornton said the following...

    It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten something that pretty much insists that I close an open port on one of
    my machines.

    I'd suggest that they review what a BBS is, and point them to various sites
    of BBS-related material on the internet, showing that while telnet is *technically* a way for people to acquire passwords and such, it's a medium that also relies on closed systems and "security through obscurity".

    In all the years that telnet has been available for BBSes, I have yet to hear about anyone's system being compromised in any fashion. The only way I could see it happening is if someone were to get the account of a sysop, drop to
    DOS (if it's even available on that particular BBS), and *maybe* install some malware. Which wouldn't even make sense. People looking to exploit systems
    are trying to do it on a wide scale, and the effort needed to just gain
    access to one computer running a BBS wouldn't be worth it.

    Just sounds like you got caught up in a sweep that checks for open port vulnerabilities, with an automated response. I'd still follow up on a
    response, though.

    --- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
    * Origin: http://www.throwbackbbs.com -\- meriden, ct -\- (1:142/799)
  • From Bradley D. Thornton to Todd Yatzook on Thu Sep 5 13:18:22 2019
    Re: Re: Has anyone received one of these?
    By: Todd Yatzook to Bradley D. Thornton on Thu Sep 05 2019 10:55 am


    It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten
    something that pretty much insists that I close an open port on one of my machines.

    I'd suggest that they review what a BBS is, and point them to various sites of BBS-related material on the internet, showing that while telnet is *technically* a way for people to acquire passwords and such, it's a medium that
    also relies on closed systems and "security through obscurity".


    That's kind of what I was thinking. I mean, it would be unreasonable to actually demand that someone close this port just because of an assumption that it's running Telnet, because it may not be, and further, it's actually in /etc/services, assigned by IANA as a valid, allocated port for legitimate services.

    access to one computer running a BBS wouldn't be worth it.


    Yes, a BBS is some seriously low hanging fruit that has a net worth of zero for the aggregation of a botnet lol.

    Just sounds like you got caught up in a sweep that checks for open port vulnerabilities, with an automated response. I'd still follow up on a
    response, though.

    I read it over about three times, looking for an actual threat, and didn't see one, so perhaps an explanation, as you suggest, will make their emails stop. On the other hand, if push comes to shove, I'll need to consider moving to another port - which makes little sense to me, considering that it isn't the port on any given system that is vulnerable, but rather, the particular service itself.
  • From Bradley D. Thornton to Todd Yatzook on Tue Sep 10 21:26:53 2019
    Re: Re: Has anyone received one of these?
    By: Todd Yatzook to Bradley D. Thornton on Thu Sep 05 2019 10:55 am

    On 05 Sep 2019, Bradley D. Thornton said the following...

    It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten
    something that pretty much insists that I close an open port on one of my machines.

    I'd suggest that they review what a BBS is, and point them to various sites of BBS-related material on the internet, showing that while telnet is
    *technically* a way for people to acquire passwords and such, it's a medium that
    also relies on closed systems and "security through obscurity".

    Just sounds like you got caught up in a sweep that checks for open port vulnerabilities, with an automated response. I'd still follow up on a
    response, though.

    Okay here's an update on that :)

    I opened a ticket with my upstream, they came back and gave me a real (as opposed to a noreply) email address and said to contact the agency (no pun intended) directly. Here's the exchange with them (tl;dr is that everything worked out):


    <snip>

    Dear Bradley D. Thornton,

    thanks a lot for your detailed feedback!

    We have now whitelisted 95.216.171.182 for telnet reports.


    Kind regards
    Team CERT-Bund

    --
    Bundesamt für Sicherheit in der Informationstechnik (BSI)
    Federal Office for Information Security
    Referat OC 23 - CERT-Bund
    Section OC 23 - CERT-Bund
    Godesberger Allee 185-189
    53175 Bonn, Germany
    Tel: +49 (0)228 99 9582 5110
    Fax: +49 (0)228 99 9582 7025
    Web:
    https://www.bsi.bund.de/CERT-Bund/
    https://www.bsi.bund.de/EN/CERT-Bund/
    PGP & S/MIME: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/Kontakt/kontakt_node.html
    https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Contact/contact_node.html

    Am 09.09.2019 13:10 schrieb Bradley D. Thornton:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Hello,

    I received the attached letter via email three days ago from your abuse department, via my provider, Hetzner.de

    I do indeed run a service via telnet, over IPv4 as well as IPv6. It is
    a BBS
    system and telnet on port 23 is standard for BBSes, and also, port 23
    is assigned as such by IANA, for telnet purposes specifically, and as
    a legitimate service for forward facing Internet services.

    I do appreciate the concerns of the German Federal Office for
    Information Security (BSI), am quite aware of the potential for abuse
    in OTHER circumstances, but the BBS does not permit shell access to
    the system in any way and further, the daemon drops privs to a regular
    user following start up and operates in a chrooted dosemu environment
    itself.

    This is perfectly normal, legitimate, and an accepted (and safe)
    practice, and there are no documented cases of system compromise that
    I or any other BBS SysOPs that I have discussed this with are aware of historically, for services configured in the way explained above.

    I would, however, like to thank you for bringing this to my attention,
    it reinforces my confidence in your commitment to proactive management
    in safeguarding the assets of service providers such as myself, and
    please feel free to add this particular port number for my IP address (95.216.171.182:23) to your white list.

    Thank you in advance, for your assistance in this matter, and do feel
    free to contact me directly if you have any further questions.

    Kindest regards,
    - --
    Bradley D. Thornton
    Manager Network Services
    http://NorthTech.US
    TEL: +1.310.421.8268


    </snip>

    Well I just thought that I'd share that with everyone :)

    Kindest regards,

    Bradley

  • From Paul Hayton@3:770/100 to Bradley D. Thornton on Wed Sep 11 17:20:08 2019
    On 10 Sep 2019 at 09:26p, Bradley D. Thornton pondered and said...

    I opened a ticket with my upstream, they came back and gave me a real (as opposed to a noreply) email address and said to contact the agency (no
    pun intended) directly. Here's the exchange with them (tl;dr is that everything worked out):

    Dear Bradley D. Thornton,

    thanks a lot for your detailed feedback!

    We have now whitelisted 95.216.171.182 for telnet reports.


    Kind regards
    Team CERT-Bund

    Good result sir :)

    --- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)