Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BBBS.ENGLISH      The International BBBS Support Echo      2,762 messages   

   Message 1,453 of 2,762   
   mark lewis to Shawn Highfield   
   Another Interesting Error...   
   06 Oct 16 09:54:00   
   
   06 Oct 16 10:10, you wrote to Janis Kracht:   
      
    JK>> I switched back to net2bbs on my ezycom box, and for the most part it   
    JK>> Last night when even iptables failed for the telnet port (some   
    JK>> weirdness there because it works on the http port), I switched to a   
    JK>> different telnet port.. I've probably got maybe a week before the   
    JK>> 'sniffers' find it .   
      
    SH> I took a beating last night. ;)  They are able to bring the whole   
    SH> thing down to a halt after they hammer it about a million times in a   
    SH> minute. hahaha   
      
   i'm just not seeing that kind of traffic over here...   
      
    SH> I'm just glad we use binkp to transfer mail... If people were still   
    SH> using mailer over telnet we'd all be in a pickle. ;)   
      
   them beating on my FrontDoor mailer is exactly how i started tracking them back
   in june or july... that was when i wrote my first IDS/IPS rules to try
   catching and blocking them... i was seeing their character strings in FD's DFRS
   (Data From Ring Signal aka CallerID) logging on the WFC screen... it was early
   august when i posted to the "emerging threats" mailing list with the rule
   inquiring about possible better and more efficient ways to go... they published
   my rules after testing them in their honeypots... one was adjusted and the
   others accepted as is... since then, i've gone a bit of another way but still
   retain the base detection technique...
      
   the only ones i haven't been able to fire an alert on are those that do not   
   emit any character strings when they connect... i'm not sure they are the same   
   but they may be... i need to spend a "bit" more time analysing the telnet
   data they are sending but i don't think there's anything going on there...   
   binary protocol analysis can be rather tedious, if you know what i mean ;)   
      
   )\/(ark   
      
   Always Mount a Scratch Monkey   
   Do you manage your own servers? If you are not running an IDS/IPS yer doin' it   
   wrong...   
   ... Sneaker Net - walk floppies between 2 computers.   
   ---   
    * Origin:  (1:3634/12.73)   


(c) 1994,  bbs@darkrealms.ca