Dear Sir or Madam,
Telnet is an outdated network protocol for text-oriented command-line
access to remote hosts. With Telnet, all communication including
username and password is transmitted unencrypted in clear text and
is therefore susceptible to eavesdropping.
Many IoT devices (routers, network cameras, etc.) are running
Telnet servers by default. If the devices are openly accessible
from the Internet and standard login credentials have not been
changed, an attacker can easily gain full control of the devices.
Malware like Mirai automatically exploits insecure Telnet servers
openly accessible from the Internet using to compromise devices
and connect them to a botnet.
CERT-Bund recommends using (Open)SSH with key-based authentication
for secure access to remote hosts.
Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | Port | Banner(U[8;25;80t[1;25r[1;1H[2J[1;1H[?1000h|Mystic BBS v1.12 A43 for Linux Node 2|Copyright (C) 1997-2019 By James Coyle||Detecting terminal emulation: [6n
24940 | 18.104.22.168 | 2019-09-03 10:05:13 | 23 |
We would like to ask you to check this issue and take appropriate
steps to secure affected systems or notify your customers accordingly.
It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten something that pretty much insists that I close an open port on one of
and had to whack their services and accounts, but I've never gottenIt was kind of a shocker. I've had customers who were bad actors before
*techincally* a way for people to acquire passwords and such, it's a medium thatsomething that pretty much insists that I close an open port on one of my machines.
I'd suggest that they review what a BBS is, and point them to various sites of BBS-related material on the internet, showing that while telnet is
also relies on closed systems and "security through obscurity".
access to one computer running a BBS wouldn't be worth it.
Just sounds like you got caught up in a sweep that checks for open portvulnerabilites, with an automated response. I'd still follow up on a
On 05 Sep 2019, Bradley D. Thornton said the following...and had to whack their services and accounts, but I've never gotten
It was kind of a shocker. I've had customers who were bad actors before
my machines.something that pretty much insists that I close an open port on one of
I'd suggest that they review what a BBS is, and point them to various sitesof BBS-related material on the internet, showing that while telnet is
*techincally* a way for people to acquire passwords and such, it's a mediumthat
also relies on closed systems and "security through obscurity".vulnerabilites, with an automated response. I'd still follow up on a
Just sounds like you got caught up in a sweep that checks for open port
-----BEGIN PGP SIGNED MESSAGE-----
I received the attached letter via email three days ago from your abuse department, via my provider, Hetzner.de
I do indeed run a service via telnet, over IPv4 as well as IPv6. It is
system and telnet on port 23 is standard for BBSes, and also, port 23
is assigned as such by IANA, for telnet purposes specifically, and as
a legitimate service for forward facing Internet services.
I do appreciate the concerns of the German Federal Office for
Information Security (BSI), am quite aware of the potential for abuse
in OTHER circumstances, but the BBS does not permit shell access to
the system in anyway and further, the daemon drops privs to a regular
user following start up and operates in a chrooted dosemu environment
This is perfectly normal, legitimate, and an accepted (and safe)
practice, and there are no documented cases of system compromise that
I or any other BBS SysOPs that I have discussed this with are aware of historically, for services configured in the way explained above.
I would, however, like to thank you for bringing this to my attention,
it reinforces my confidence in your commitment to proactive management
in safeguarding the assets service providers such as myself, and
please feel free to add this particular port number for my IP address (22.214.171.124:23) to your white list.
Thank you in advance, for your assistance in this matter, and do feel
free to contact me directly if you have any further questions.
Bradley D. Thornton
Manager Network Services
-----BEGIN PGP SIGNATURE-----
Comment: Find this cert at hkps://keys.openpgp.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQEzBAEBCAAdFiEENWT7St9Eg6sLyiLAuIw5wQytyEkFAl12Mp8ACgkQuIw5wQyt yEk4+Af8DTRMQUpTOzTye7/eWjfSpgoM1hWUP3JP8PQrnOTLV5N/o3an+K4nVJwx GtD1VFUGToe+on2fo5Q6aNr49ppEFHJseMQWcHoMFP2pdoAKaGEB3Lqgd71J88f7 3fL6Pkba+DCQNXUOBp5EDIKdTezCfgC+mYqsr0IFa8eWIN4ZrUYIYpeaC6uNUX7L W0lCrBO4zjzgo0VUT128LaDQEacUZXoDqk63h5m0DP5fDy2N+9Lecat1Hc72CBFz ZneEJcLLIPtR/cgkRYu4THXFXoCHAmGDXxOv/EFdQgSkP0naaLfAi/huI/eHt4yH Nrw3/w7XPQTyg8fCrS3DczzcROLp3A==
-----END PGP SIGNATURE-----
I opened a ticket with my upstream, they came back and gave me a real (as opposed to a noreply) email address and said to contact the agency (no
pun intended) directly. Here's the exchange with them (tl;dr is that everything worked out):
Dear Bradley D. Thornton,
thanks a lot for your detailed feedback!
We have now whitelisted 126.96.36.199 for telnet reports.
|Nodes:||4 (0 / 4)|