• RE: preventing brute force attempts on privleged ports

    From NuSkooler@21:1/121 to bugz on Monday, April 12, 2021 21:00:10

    On Saturday, April 10th bugz said...
    Unfortunately, fail2ban doesn't parse json logs. Doesn't look like are going to be adding that anytime/if ever. You're stuck using regex to parse the logs. Ugh! https://xkcd.com/1171/

    You can always use jq or such in your pipeline as well, or even 'bunyan' (the tool to accompany Bunyan style/JSON logs)


    --
    |08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
    |08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
    |08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
    --- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From bugz@21:1/182 to NuSkooler on Wednesday, April 14, 2021 19:57:00
    NuSkooler wrote to bugz <=-

    On Saturday, April 10th bugz said...
    Unfortunately, fail2ban doesn't parse json logs. Doesn't look like are going to be adding that anytime/if ever. You're stuck using regex to parse the logs. Ugh! https://xkcd.com/1171/

    You can always use jq or such in your pipeline as well, or even
    'bunyan' (the tool to accompany Bunyan style/JSON logs)

    Not with fail2ban. It only allows regex, and only reads from a file.
    And I think it doesn't like UTC times as well. (Unless the server TZ is
    also in UTC.) For being so popular, it has some major things it doesn't
    do.

    But bunyan -L is quite a nice way to read the logs.

    And python. It can digest json. :D

    Take care,
    bugz

    ... You can tune a piano but you can't tuna fish.

    --- MultiMail/Linux v0.52


    --- Talisman v0.18-dev (Linux/x86_64)
    * Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)
  • From tonic@21:1/121 to All on Wednesday, April 07, 2021 22:36:52
    Hey ya'll

    Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

    I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

    Thanks


    --- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From NuSkooler@21:1/121 to tonic on Wednesday, April 07, 2021 23:19:31

    On Wednesday, April 7th tonic muttered...
    Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?
    I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

    If you look though the archives, someone was looking to hook up fail2ban with enigma logs a bit back.


    --
    |08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
    |08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
    |08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
    --- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Beanzilla@21:4/110 to tonic on Thursday, April 08, 2021 10:32:09

    On 04/07/2021 8:36 pm tonic said...
    I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

    I know I wrote a tiny Python script that essentially tails the Enigma logs, when someone attempts to login with invalid/not allowed usernames (root and such) that I essentially act like Fail2Ban. (I used the IP table and stored for myself their IP and the current time, so I could remove them from the IP table after so many hours)

    But my case was a bit different I think. (And I know a bit of Python do have done that)

    I would figure both SSHGuard and Fail2Ban could work, or at least do something, in my case I was explicitly targeting when Enigma dumps to it's logs invalid usernames.

    Take Care,
    Beanzilla



    --- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.16.0)
    * Origin: BZ&BZ BBS (21:4/110)
  • From fusion@21:1/616 to tonic on Thursday, April 08, 2021 15:20:38
    On 07 Apr 2021, tonic said the following...

    Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

    just drop anyone that fails the ANSi detection lol

    and don't run your bbs on a VPS

    --- Mystic BBS v1.12 A47 2021/04/01 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From bugz@21:1/182 to Beanzilla on Friday, April 09, 2021 17:58:00
    Beanzilla wrote to tonic <=-

    I would figure both SSHGuard and Fail2Ban could work, or at least do something, in my case I was explicitly targeting when Enigma dumps to
    it's logs invalid usernames.

    Unfortunately, fail2ban doesn't parse json logs. Doesn't look like
    are going to be adding that anytime/if ever. You're stuck using
    regex to parse the logs. Ugh! https://xkcd.com/1171/

    ENiGMA logs are json, so it looks like your code is a good option.

    You even use the fancy inotify.

    Take care,
    bugz

    ... You've been leading a dog's life. Stay off the furniture.

    --- MultiMail/Linux v0.52


    --- Talisman v0.17-dev (Linux/x86_64)
    * Origin: HappyLand v2.0 - telnet://happylandbbs.com:11892/ (21:1/182)
  • From Ragnarok@21:2/151 to tonic on Saturday, April 10, 2021 17:18:18
    El 8/4/21 a las 01:36, tonic escribió:
    Hey ya'll

    Anyone here running an enigma setup where they're forwarding Enigma to privliged ports like 22, 23, etc?

    I've never super investigated how enigma handles ssh calls but I'm curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent bot spam on these ports.

    Thanks

    i use fail2ban on Synchornet (and all my another servers) with good results
    --- SBBSecho 3.14-Linux
    * Origin: Dock Sud BBS - bbs.docksud.com.ar - Argentina (21:2/151)
  • From Ragnarok@21:2/151 to Ragnarok on Saturday, April 10, 2021 17:19:50
    El 10/4/21 a las 17:18, Ragnarok escribió:
    El 8/4/21 a las 01:36, tonic escribió:
    Hey ya'll

    Anyone here running an enigma setup where they're forwarding Enigma to
    privliged ports like  22, 23, etc?

    I've never super investigated how enigma handles ssh calls but I'm
    curious if anyone is using a tool like SSHGuard or Fail2Ban to prevent
    bot spam on these ports.

    Thanks
    i use fail2ban on Synchornet (and all my another servers) with good results

    You can see as example my sbbs* files under ftp://bbs.docksud.com.ar/
    --- SBBSecho 3.14-Linux
    * Origin: Dock Sud BBS - bbs.docksud.com.ar - Argentina (21:2/151)