• Synchronet with fail2ban

    From DrNick@VERT/NOTFOUND to All on Friday, February 14, 2014 00:05:04
    Greetings,
    I finally managed to install Synchronet onto a Raspberry Pi and everything seems to work fine, except for a few issues that should be
    within my capability to fix/work around.
    Looking at the logs I sometimes see "Unknown User 'Root'",
    "Unknown User 'Sh'" and "Unknown User '/bin/busybox;echo =E \14'" next
    to certain IP addresses, which seem to be different every day. I realise
    that these are machines attempting to break into the server's telnet port
    and they are hardly likely to get anywhere because of the way Synchronet
    works and I shouldn't worry about it too much. But is there a way for Synchronet to work with Fail2ban to block these addresses anyway?

    Dr Nick

    ---
    ■ Synchronet ■ 404 Not Found BBS Running on a Raspberry PI
  • From mark lewis@VERT to DrNick on Friday, February 14, 2014 15:01:45
    On Fri, 14 Feb 2014, DrNick wrote to All:

    > Looking at the logs I sometimes see "Unknown User 'Root'",
    > "Unknown User 'Sh'" and "Unknown User '/bin/busybox;echo =E \14'"
    > next to certain IP addresses, which seem to be different every day.
    > I realise that these are machines attempting to break into the
    > server's telnet port and they are hardly likely to get anywhere
    > because of the way Synchronet works and I shouldn't worry about it
    > too much. But is there a way for Synchronet to work with Fail2ban to
    > block these addresses anyway?

    block them at your perimeter firewall and keep the traffic off the network completely... understand, too, that those are likely proxy or dynamic addresses... if they are dynamic, then you will be blocking individuals who didn't do this when the addresses change...

    as for synchronet working with fail2ban, shouldn't that be the other way around? doesn't fail2ban scan the logs to do its work? if this is how i remember it being, that means that either fail2ban could be altered to read synchronet's log format OR possibly synchronet might be able to output a log format more like a *nix /var/log/messages log... maybe as an addon?

    )\/(ark

    One of the great tragedies of life is the murder of a beautiful theory by a gang of brutal facts. --Benjamin Franklin

    --- FMail/Win32 1.60
    * Origin: (1:3634/12.71)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From First Officer@VERT/HOLODECK to mark lewis on Friday, February 14, 2014 18:47:34
    Re: Synchronet with fail2ban
    By: mark lewis to DrNick on Fri Feb 14 2014 03:01 pm

    > > Looking at the logs I sometimes see "Unknown User 'Root'", "Unknown User 'Sh'" and "Unknown User '/bin/busybox;echo =E \14'"
    > > next to certain IP addresses, which seem to be different every day.
    > > I realise that these are machines attempting to break into the
    > > server's telnet port and they are hardly likely to get anywhere
    > > because of the way Synchronet works and I shouldn't worry about it
    > > too much. But is there a way for Synchronet to work with Fail2ban to block these addresses anyway?
    >
    > block them at your perimeter firewall and keep the traffic off the network completely... understand, too, that those are likely proxy or dynamic addresses... if they are dynamic, then you will be blocking individuals who didn't do this when the addresses change...

    I am having the same thing here. Been going on a couple of weeks, using many different addresses, so it probably would be a big hassle to try and block in the firewall. Obviously what they are doing isn't working, but it is a pain to the effect they connect about 20 times a day. Could be worse ;)


    Have a good One!
    Mike



    ---
    ■ Synchronet ■ The Holodeck BBS
  • From mark lewis@VERT to First Officer on Saturday, February 15, 2014 08:58:36
    On Fri, 14 Feb 2014, First Officer wrote to mark lewis:

    > > > Looking at the logs I sometimes see "Unknown User
    > > > 'Root'", "Unknown User 'Sh'" and "Unknown User
    > > > '/bin/busybox;echo =E \14'" next to certain IP addresses, which
    > > > seem to be different every day. I realise that these are
    > > > machines attempting to break into the server's telnet port and
    > > > they are hardly likely to get anywhere because of the way
    > > > Synchronet works and I shouldn't worry about it too much. But is
    > > > there a way for Synchronet to work with Fail2ban to block these addresses anyway?
    > >
    > > block them at your perimeter firewall and keep the traffic off the
    > > network completely... understand, too, that those are likely proxy
    > > or dynamic addresses... if they are dynamic, then you will be
    > > blocking individuals who didn't do this when the addresses change...
    >
    > I am having the same thing here. Been going on a couple of weeks,
    > using many different addresses, so it probably would be a big
    > hassle to try and block in the firewall. Obviously what they are doing
    > isn't working, but it is a pain to the effect they connect about
    > 20 times a day.

    i'd simply write a rule for my IDS/IPS and let it sniff the traffic so it will raise an alert when it sees this unwanted stuff... what happens after that is another question but in my case, since my IDS/IPS runs on my perimeter firewall (real hardware, dedicated machine, not some blackbox firewall thing purchased at Best Buy) which has a reactive module that monitors the IDS/IPS alert file, it all happens automatically and those performing unwanted acts are blocked immediately for a random amount of time...

    eg: a recent node applicant got blocked because they port scanned my system... they had to email me to ask why their mailer could not connect any more ;)

    > Could be worse ;)

    yup, it could be ;)

    )\/(ark

    One of the great tragedies of life is the murder of a beautiful theory by a gang of brutal facts. --Benjamin Franklin

    --- FMail/Win32 1.60
    * Origin: (1:3634/12.71)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From Access Denied@VERT/PHARCYDE to mark lewis on Saturday, February 15, 2014 09:44:20
    Hello mark,

    On 14 Feb 14 15:01, mark lewis wrote to DrNick:

    > as for synchronet working with fail2ban, shouldn't that be the other
    > way around? doesn't fail2ban scan the logs to do its work? if this is
    > how i remember it being, that means that either fail2ban could be
    > altered to read synchronet's log format OR possibly synchronet might
    > be able to output a log format more like a *nix /var/log/messages
    > log... maybe as an addon?

    Synchronet already logs to /var/log/messages, so this may be easier than one thinks right off the get-go.

    Regards,
    Nick

    --- GoldED+/LNX 1.1.5-b20130910
    * Origin: Dark Sorrow | darksorrow.us (723:1/701)
    ■ Synchronet ■ thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin)
  • From mark lewis@VERT to Access Denied on Sunday, February 16, 2014 10:44:42
    On Sat, 15 Feb 2014, Access Denied wrote to mark lewis:

    > On 14 Feb 14 15:01, mark lewis wrote to DrNick:
    >
    > > as for synchronet working with fail2ban, shouldn't that be the
    > > other way around? doesn't fail2ban scan the logs to do its work?
    > > if this is how i remember it being, that means that either
    > > fail2ban could be altered to read synchronet's log format OR
    > > possibly synchronet might be able to output a log format more like
    > > a *nix /var/log/messages log... maybe as an addon?
    >
    > Synchronet already logs to /var/log/messages, so this may be
    > easier than one thinks right off the get-go.

    by george! you're right! i had forgotten that one of the monitoring tasks we use is tailing the messages file and piping that output through grep to single out the synchronet entries...

    if fail2ban doesn't recognize the synchronet entries, the easiest thing to do might be to 'clone' fail2ban and modify the clone so that it does recognize the synchronet entries and issue the blocking commands as needed... it has been a long time since i messed with fail2ban, though... not to mention that i don't see entries like those spoken of so i'm at a bit of a loss as to what actually may need to be done... i'm just offering suggestions and pointing out possibilities ;)

    )\/(ark

    One of the great tragedies of life is the murder of a beautiful theory by a gang of brutal facts. --Benjamin Franklin

    --- FMail/Win32 1.60
    * Origin: (1:3634/12.71)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From DrNick@VERT/NOTFOUND to mark lewis on Saturday, February 15, 2014 18:24:38
    Re: Synchronet with fail2ban
    By: mark lewis to DrNick on Fri Feb 14 2014 15:01:45


    Thanks for the info Mark. I will have a go at that.

    ---
    ■ Synchronet ■ 404 Not Found BBS Running on a Raspberry PI
  • From mark lewis@VERT to Ragnarok on Wednesday, March 05, 2014 12:44:26
    On Wed, 05 Mar 2014, Ragnarok wrote to mark lewis:

    > you can send the log to syslog and create sbbs.log in /var/log,
    > then create new filter in fail2ban and add it to jail.conf

    hopefully the OP will read this... i wasn't the one asking about it ;)

    )\/(ark

    One of the great tragedies of life is the murder of a beautiful theory by a gang of brutal facts. --Benjamin Franklin

    --- FMail/Win32 1.60
    * Origin: (1:3634/12.71)
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
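The approach quoted from Ragnarok in the last message (send Synchronet's log to syslog as /var/log/sbbs.log, write a new fail2ban filter, add a jail.conf entry) and mark lewis's earlier point that fail2ban has to recognise the Synchronet entries, worked through as an added example. This is not code from the thread, from Synchronet or from fail2ban. The syslog line layout, the `synchronet:` tag and the bracketed peer address in SAMPLE_LOG are assumptions about how the "Unknown User" entries the original poster saw look in sbbs.log; the filter and jail text are candidate configs built on those assumptions, and the thresholds are chosen for the example. The Python part replays fail2ban's maxretry/findtime decision over the constructed lines so the failregex can be checked offline before it is dropped into filter.d (the same check `fail2ban-regex` performs against a live log).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/sbbs.log lines (syslog layout).  The line
# format is an assumption for this example, not taken from the thread; the
# "Unknown User" messages are the ones the original poster reported.
SAMPLE_LOG = """\
Feb 14 00:01:02 pi synchronet: term Node 1 [203.0.113.7] Unknown User 'Root'
Feb 14 00:01:05 pi synchronet: term Node 1 [203.0.113.7] Unknown User 'Sh'
Feb 14 00:01:09 pi synchronet: term Node 1 [203.0.113.7] Unknown User '/bin/busybox;echo =E \\14'
Feb 14 00:02:00 pi synchronet: term Node 2 [198.51.100.9] Unknown User 'admin'
Feb 14 00:03:00 pi synchronet: term Node 2 [192.0.2.44] Logon successful for 'drnick'
Feb 14 03:15:00 pi synchronet: term Node 2 [198.51.100.9] Unknown User 'admin'
Feb 14 03:15:10 pi synchronet: term Node 2 [198.51.100.9] Unknown User 'admin'
"""

# Candidate fail2ban filter (filter.d/synchronet.conf), an assumption built
# on the sample layout.  fail2ban removes the syslog timestamp before it
# applies failregex and replaces <HOST> with its own address pattern, so the
# expression starts at the hostname field.
FILTER_CONF = r"""[Definition]
failregex = ^\S+ synchronet: .*\[<HOST>\] Unknown User '[^']*'$
ignoreregex =
"""

# Matching jail.conf / jail.local section; port 23 is the telnet service the
# thread talks about, and the thresholds are example values.
JAIL_CONF = """[synchronet]
enabled  = true
port     = 23
filter   = synchronet
logpath  = /var/log/sbbs.log
maxretry = 3
findtime = 600
bantime  = 3600
"""

SYSLOG_TS = r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"


def failregex_as_python():
    """Lift failregex out of FILTER_CONF and expand <HOST> for IPv4, with the
    timestamp prefix fail2ban would have stripped put back in front, so the
    same pattern can be exercised offline."""
    m = re.search(r"^failregex = (.*)$", FILTER_CONF, re.MULTILINE)
    body = m.group(1).lstrip("^")  # our own anchor goes before the timestamp
    return re.compile(SYSLOG_TS + body.replace("<HOST>", IPV4))


def parse_failures(text):
    """Yield (timestamp, ip) for each line the filter counts as a failure."""
    pattern = failregex_as_python()
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            # syslog lines carry no year; pin one so the time deltas are defined
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2014)
            yield ts, m.group("ip")


def ips_to_ban(text, maxretry=3, findtime=600):
    """Return the IPs that reach maxretry failures inside any findtime-second
    window, mirroring fail2ban's ban decision (lines assumed chronological)."""
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        # drop failures that have aged out of the sliding window
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    for ip in sorted(ips_to_ban(SAMPLE_LOG)):
        print("would ban", ip)
```

On the sample, 203.0.113.7 produces three failures within seconds and would be banned, while 198.51.100.9 spreads its attempts across more than ten minutes and stays under the default threshold; the successful logon line is never counted. Dynamic or proxied addresses, as mark lewis notes above, are why bantime is kept finite rather than permanent.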