Suspicious Telnet Activity


    donjon56

    Game Version: (A18 b155 / A18.1 bxxx / etc)

    Platform: (PC / Mac)

    OS/Version: (Windows / Linux / Mac)

    CPU Model: (Intel i5 9600K / AMD Ryzen 7 1800x / etc)

    System Memory: (4 GB / 8 GB / 16 GB / etc)

    GPU Model and VRAM: (nVidia GTX 1060 4 GB / AMD RX 580 8 GB / etc)

    Screen Resolution: (width and height)

    Video Settings: (Low / Medium / High / Ultra / Custom (Custom has many combinations, so just list the settings you think are relevant to the bug if any))

    Game mode: (MP host / MP client / SP / Client on dedi, RWG or NAV)

    Server

     

    2022-01-29T15:32:23 0.840 INF Version: Alpha 20 (b238) Compatibility Version: Alpha 20, Build: Windows 64 Bit
    2022-01-29T15:32:23 0.840 INF System information:
    2022-01-29T15:32:23 0.841 INF    OS: Windows 10  (10.0.14393) 64bit
    2022-01-29T15:32:23 0.841 INF    CPU: AMD Ryzen 9 3950X 16-Core Processor  (cores: 32)
    2022-01-29T15:32:23 0.841 INF    RAM: 131001 MB
    2022-01-29T15:32:23 0.841 INF    GPU: Null Device (128 MB)
    2022-01-29T15:32:23 0.842 INF    Graphics API: NULL 1.0 [1.0] (shader level 5.0)

     

    Did you wipe old saves? (Yes/No) N/A

    Did you start a new game? (Yes/No) N/A

    Did you validate your files? (Yes/No) N/A

    Are you using any mods? (Yes/No) No

    EAC on or off? Off

     

    Status: NEW

     

    Bug Description:

    I am seeing unusual telnet activity on my server.

     

    I had it enabled for several weeks testing a feature, but it seems someone discovered/brute-forced my 16-char random password.

     

    I am providing this report to provide you a view into what someone is attempting to do with your telnet client / session.

     

    (I will just disable the feature for the time being)

     

    https://pastebin.com/Yu4LVGrw

     

     

    Detailed steps to reproduce the bug:

     

    1) N/A

     

     

    Actual result: (description of what is occurring)

     

    Expected result: (what you expect to occur)


    User Feedback

    Recommended Comments

    Will set up a test for telnet abuse, but question: Are you using any external tools or whatnots like server tools or a mod that increases player limit or anything of the sort?


    At the moment I was not using any modifications or tools.

     

    I was just testing the features with telnet and web console.

     

    Since Server Blend did not have any reverse proxy or tunnels for securing it, I was not planning to have it on long term.

     

    Server was set for Public with a different Password for users to join.

    Telnet and Web Console had different 16 char fully randomized passwords.


    I wonder what do you view as suspicious in those logs?

    Logs show nothing but two instant telnet sessions and two long ones; logs do not suggest that anything at all was written into the socket during those long sessions. It could be just the log level though. If logs are indeed scarce then without traffic dumps no one would be able to tell what happened, would they?

     

    That said, no idea what is expected in server logs from a telnet session. And 4 telnet sessions from the same IP at about the same time is odd... :)


    56 minutes ago, Diaboliko said:

    I wonder what do you view as suspicious in those logs?

    Logs show nothing but two instant telnet sessions and two long ones; logs do not suggest that anything at all was written into the socket during those long sessions. It could be just the log level though. If logs are indeed scarce then without traffic dumps no one would be able to tell what happened, would they?

     

    That said, no idea what is expected in server logs from a telnet session. And 4 telnet sessions from the same IP at about the same time is odd... :)

    This was 6+ months ago. Suspicious is that I had a 16+ character random password that was not shared with anyone, nor had I actually connected to it yet.

     

    Within 5 days there was an open connection on it. Granted, there was no record of any activity other than holding open the connection.

     

    If brute forced, that seemed oddly quick, plus there were not any login failures in the logs.

     

    This occurred three times with different passwords. I disabled it after that.

     

    It was not from the same IP range.

     

    While nothing came of these connections, given a large number of open telnet sessions, a coordinated attack could be staged against the hosting company.


    Well, I kinda feel like nothing can be done on this topic. Best thing devs can do is to check that everything you could possibly want is being logged properly in logs and pay some red team to scan & test for known vulnerabilities. That's a bit too much for non-competitive game servers, don't you think?

     

    Firewalling/reverse-proxying is probably the best option you've got to keep it safe.


    11 hours ago, Diaboliko said:

    Well, I kinda feel like nothing can be done on this topic. Best thing devs can do is to check that everything you could possibly want is being logged properly in logs and pay some red team to scan & test for known vulnerabilities. That's a bit too much for non-competitive game servers, don't you think?

     

    Security vulnerabilities would be must-fix no matter what type of game it is. An attacker might not just want to manipulate the game but take over the server and use it for spam relay, bitcoin mining or attacking users trying to connect.

     

    11 hours ago, Diaboliko said:

     

    Firewalling/reverse-proxying is probably the best option you've got to keep it safe.

     

    Telnet is inherently unsafe if someone is able to listen in (granted that isn't easy). I use telnet only locally so that an attacker has to be on my server already to listen in.

     

     

    I just checked my logfile and commands get listed in the log. You don't have any commands listed, so the attacker seems not to have reached the telnet input prompt (I assume he would have at least tried one of the normal commands before continuing to hack).

     

    It also looks to me like he never got past the login. At least there is no evidence to the contrary but I have no access to the code. Though messages like "An established connection was aborted by the software in your host machine" or "The operation is not allowed on non-connected sockets" very much sound like he simply failed and was thrown out already at the operating system level.

     

    Exceptions are a pretty normal way to handle exceptional and less probable paths through the code and not necessarily a sign of a vulnerability.

     

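The two signals the thread keeps coming back to are (a) telnet sessions that stay open for a long time without a single command being logged, which meganoth reads as "never got past the login", and (b) several sessions from one IP within seconds of each other. The following is an added example, not code from the original post, the pastebin, or The Fun Pimps: a small audit over constructed server-log lines. It reuses the `<timestamp> <uptime-seconds> INF <message>` layout visible in the version banner above, but the exact wording of the telnet connect/close/command messages, the sample addresses, and the thresholds (`idle_seconds`, `burst_window`, `burst_count`) are assumptions for the example, so adjust the regexes to whatever your own logfile shows. The idle check also counts a session that is still open when the log ends, using the last logged uptime as "now".

```python
"""Audit a 7 Days to Die style server log for suspicious telnet sessions.

Example code written for this thread; log message wording is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log (not the poster's pastebin). Uptime is the second
# column, in seconds since server start, and is what the checks use.
SAMPLE_LOG = """\
2022-01-29T15:32:23 0.840 INF Version: Alpha 20 (b238) Compatibility Version: Alpha 20, Build: Windows 64 Bit
2022-01-29T16:10:05 2262.1 INF Telnet connection from: 192.0.2.10:50511
2022-01-29T16:10:05 2262.2 INF Telnet connection closed: 192.0.2.10:50511
2022-01-29T16:10:06 2263.0 INF Telnet connection from: 192.0.2.10:50512
2022-01-29T16:10:06 2263.1 INF Telnet connection closed: 192.0.2.10:50512
2022-01-29T16:10:07 2264.0 INF Telnet connection from: 192.0.2.10:50513
2022-01-29T16:10:08 2265.0 INF Telnet connection from: 192.0.2.10:50514
2022-01-29T17:00:00 5257.0 INF Telnet connection from: 203.0.113.9:61000
2022-01-29T17:42:11 7788.8 INF Telnet connection closed: 192.0.2.10:50513
2022-01-29T17:42:11 7788.9 INF Telnet connection closed: 192.0.2.10:50514
2022-01-29T18:00:00 8857.8 INF Telnet connection from: 198.51.100.7:40001
2022-01-29T18:00:03 8860.8 INF Executing command 'version' by Telnet from 198.51.100.7:40001
2022-01-29T18:00:09 8866.8 INF Executing command 'lp' by Telnet from 198.51.100.7:40001
2022-01-29T18:00:20 8878.0 INF Telnet connection closed: 198.51.100.7:40001
"""

# Line layout from the version banner; message patterns are assumed.
LINE_RE = re.compile(r"^(\S+) (\d+(?:\.\d+)?) (\w+) (.*)$")
OPEN_RE = re.compile(r"^Telnet connection from: (\S+)$")
CLOSE_RE = re.compile(r"^Telnet connection closed: (\S+)$")
CMD_RE = re.compile(r"^Executing command '(.*)' by Telnet from (\S+)$")


@dataclass
class Session:
    peer: str                      # "ip:port" exactly as logged
    opened_at: float               # server uptime in seconds
    closed_at: Optional[float] = None
    commands: List[str] = field(default_factory=list)

    @property
    def ip(self) -> str:
        return self.peer.rsplit(":", 1)[0]

    def duration(self, now: float) -> float:
        """Seconds the socket was held; still-open sessions run until `now`."""
        end = self.closed_at if self.closed_at is not None else now
        return end - self.opened_at


def parse_sessions(log_text: str):
    """Return (sessions in open order, last uptime seen in the log)."""
    sessions: List[Session] = []
    open_by_peer = {}
    last_uptime = 0.0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uptime, msg = float(m.group(2)), m.group(4)
        last_uptime = max(last_uptime, uptime)
        mo, mc, mx = OPEN_RE.match(msg), CLOSE_RE.match(msg), CMD_RE.match(msg)
        if mo:
            s = Session(mo.group(1), uptime)
            sessions.append(s)
            open_by_peer[s.peer] = s
        elif mc:
            s = open_by_peer.pop(mc.group(1), None)
            if s is not None:
                s.closed_at = uptime
        elif mx:
            s = open_by_peer.get(mx.group(2))
            if s is not None:
                s.commands.append(mx.group(1))
    return sessions, last_uptime


def find_suspicious(sessions, log_end, idle_seconds=300, burst_window=60, burst_count=3):
    """Flag long command-less sessions and bursts of connections from one IP."""
    findings = []
    for s in sessions:
        if not s.commands and s.duration(log_end) >= idle_seconds:
            findings.append(("idle-session", s.peer,
                             "held open %.0fs with no command executed" % s.duration(log_end)))
    opens_by_ip = defaultdict(list)
    for s in sessions:
        opens_by_ip[s.ip].append(s.opened_at)
    for ip, times in opens_by_ip.items():
        times.sort()
        for i in range(len(times)):          # sliding window over open times
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_count:
                findings.append(("connection-burst", ip,
                                 "%d sessions within %ds" % (j - i + 1, burst_window)))
                break
    return findings


if __name__ == "__main__":
    sessions, log_end = parse_sessions(SAMPLE_LOG)
    for kind, who, detail in find_suspicious(sessions, log_end):
        print(kind, who, detail)
```

On the constructed sample this reports the two long sessions from 192.0.2.10, the session from 203.0.113.9 that is still open when the log ends, and a burst of four connections from 192.0.2.10; the 198.51.100.7 session, which ran commands, is left alone. Absence of commands is only evidence that the prompt was never reached if your server logs commands at the level you run it at, which is exactly the caveat raised above, so check that a session you open yourself does produce command lines before relying on this.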

    > "An established connection was aborted by the software in your host machine" or "The operation is not allowed on non-connected sockets"

    The latter one could be just an attempt to send a FIN or reset TCP packet through a closed connection or something, not necessarily request data.


    23 hours ago, Diaboliko said:

    Well, I kinda feel like nothing can be done on this topic. Best thing devs can do is to check that everything you could possibly want is being logged properly in logs and pay some red team to scan & test for known vulnerabilities. That's a bit too much for non-competitive game servers, don't you think?

     

    Firewalling/reverse-proxying is probably the best option you've got to keep it safe.

    Agreed, other than implementing TLS or SSL...

     

    That falls more under host/IT for a reverse proxy or VPN tunnel.
