It was kind of a shocker. I've had customers who were bad actors before and had
to whack their services and accounts, but I've never gotten something that pretty much insists that I close an open port on one of my machines.

Anyway, I thought I would toss this out to the list and see what your thoughts and suggestions are, as I have no intentions right now of closing down the telnet port. Maybe later, when I configure the ssh port for access, if that's going to provide an optimum experience for visitors, but I'm reluctant to choose a port other than 23 at this time (but maybe I'll have to).

Anyway, comments, suggestions?

<snip>

Dear Mr Bradley D. Thornton,



We have received a security alert from the German Federal Office for Information Security (BSI).

Please see the original report included below for details.



Please investigate and solve the reported issue.

It is not required that you reply to either us or the BSI.

If the issue has been fixed successfully, you should not receive any further notifications.



Additional information is provided with the HOWTOs referenced in the report.

In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.



Kind regards



Abuse Team



Hetzner Online GmbH

Industriestr. 25

91710 Gunzenhausen / Germany

Tel: +49 9831 5050

Fax: +49 9831 5053

www.hetzner.com



Register Court: Registergericht Ansbach, HRB 6089

CEO: Martin Hetzner, Stephan Konvickova, Günther Müller



For the purposes of this communication, we may save some

of your personal data. For information on our data privacy

policy, please see: www.hetzner.com/datenschutzhinweis



On 04 Sep 08:50, reports@reports.cert-bund.de wrote:

Dear Sir or Madam,

Telnet is an outdated network protocol for text-oriented command-line

access to remote hosts. With Telnet, all communication including

username and password is transmitted unencrypted in clear text and

is therefore susceptible to eavesdropping.

Many IoT devices (routers, network cameras, etc.) are running

Telnet servers by default. If the devices are openly accessible

from the Internet and standard login credentials have not been

changed, an attacker can easily gain full control of the devices.

Malware like Mirai automatically exploits insecure Telnet servers

openly accessible from the Internet using to compromise devices

and connect them to a botnet.

CERT-Bund recommends using (Open)SSH with key-based authentication

for secure access to remote hosts.

Affected systems on your network:

Format: ASN | IP | Timestamp (UTC) | Port | Banner

24940 | 95.216.171.182 | 2019-09-03 10:05:13 | 23 |

(U[8;25;80t[1;25r[1;1H[2J[1;1H[?1000h|Mystic BBS v1.12 A43 for Linux Node 2|Copyright (C) 1997-2019 By James Coyle||Detecting terminal emulation: [6n

We would like to ask you to check this issue and take appropriate

steps to secure affected systems or notify your customers accordingly.

</snip>

Looking forward to hearing what everyone has to say :)

Kindest regards,

Bradley

.
--- SBBSecho 3.09-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

On 05 Sep 2019, Bradley D. Thornton said the following...

It was kind of a shocker. I've had customers who were bad actors before and had to whack their services and accounts, but I've never gotten something that pretty much insists that I close an open port on one of
my machines.

I'd suggest that they review what a BBS is, and point them to various sites
of BBS-related material on the internet, showing that while telnet is *techincally* a way for people to acquire passwords and such, it's a medium that also relies on closed systems and "security through obscurity".

In all the years that telnet has been available for BBSes, I have yet to hear about anyone's system being compromised in any fashion. The only way I could see it happening is if someone were to get the account of a sysop, drop to
DOS (if it's even available on that particular BBS), and *maybe* install some malware. Which wouldn't even make sense. People looking to exploit systems
are trying to do it on a wide scale, and the effort needed to just gain
access to one computer running a BBS wouldn't be worth it.

Just sounds like you got caught up in a sweep that checks for open port vulnerabilites, with an automated response. I'd still follow up on a
response, though.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: http://www.throwbackbbs.com -\- meriden, ct -\- (1:142/799)

Re: Re: Has anyone received one of these?
By: Todd Yatzook to Bradley D. Thornton on Thu Sep 05 2019 10:55 am

It was kind of a shocker. I've had customers who were bad actors before

and had to whack their services and accounts, but I've never gotten

something that pretty much insists that I close an open port on one of my machines.

I'd suggest that they review what a BBS is, and point them to various sites of BBS-related material on the internet, showing that while telnet is

*techincally* a way for people to acquire passwords and such, it's a medium that

also relies on closed systems and "security through obscurity".

That's kind of what I was thinking. I mean, it would be unreasonable to actually demand that someone close this port just because of an assumption that
it's running Telnet, because it may not be, and further, it's actually in /etc/services, assigned by IANA as a valid, allocated port for legitimate services.

access to one computer running a BBS wouldn't be worth it.

Yes, a BBS is some seriously low hanging fruit that has a net worth of zero for
the aggregation of a botnet lol.

Just sounds like you got caught up in a sweep that checks for open port

vulnerabilites, with an automated response. I'd still follow up on a

response, though.

I read it over about three times, looking for an actual threat, and didn't see one, so perhaps an explantion, as you suggest, will make their emails stop. On the other hand, If push comes to shove, I'll need to consider moving to another
port - which makes little sense to me, considering that it isn't the port on any given system that is vulnerable, but rather, the particular service itself. --- SBBSecho 3.09-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Re: Has anyone received one of these?
By: Todd Yatzook to Bradley D. Thornton on Thu Sep 05 2019 10:55 am

On 05 Sep 2019, Bradley D. Thornton said the following...

It was kind of a shocker. I've had customers who were bad actors before

and had to whack their services and accounts, but I've never gotten

something that pretty much insists that I close an open port on one of

my machines.

I'd suggest that they review what a BBS is, and point them to various sites

of BBS-related material on the internet, showing that while telnet is

*techincally* a way for people to acquire passwords and such, it's a medium

that

also relies on closed systems and "security through obscurity".

Just sounds like you got caught up in a sweep that checks for open port

vulnerabilites, with an automated response. I'd still follow up on a

response, though.

Okay here's an update on that :)

I opened a ticket with my upstream, they came back and gave me a real (as opposed to a noreply) email address and said to contact the agency (no pun intended) directly. Here's the exchange with them (tl;dr is that everything worked out):


<snip>

Dear Bradley D. Thornton,

thanks a lot for your detailed feedback!

We have now whitelisted 95.216.171.182 for telnet reports.


Kind regards
Team CERT-Bund

--
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat OC 23 - CERT-Bund
Section OC 23 - CERT-Bund
Godesberger Allee 185-189
53175 Bonn, Germany
Tel: +49 (0)228 99 9582 5110
Fax: +49 (0)228 99 9582 7025
Web:
https://www.bsi.bund.de/CERT-Bund/
https://www.bsi.bund.de/EN/CERT-Bund/
PGP & S/MIME: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/Kontakt/kontakt_node.html
https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Contact/contact_node.html

Am 09.09.2019 13:10 schrieb Bradley D. Thornton:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

I received the attached letter via email three days ago from your abuse department, via my provider, Hetzner.de

I do indeed run a service via telnet, over IPv4 as well as IPv6. It is
a BBS
system and telnet on port 23 is standard for BBSes, and also, port 23
is assigned as such by IANA, for telnet purposes specifically, and as
a legitimate service for forward facing Internet services.

I do appreciate the concerns of the German Federal Office for
Information Security (BSI), am quite aware of the potential for abuse
in OTHER circumstances, but the BBS does not permit shell access to
the system in anyway and further, the daemon drops privs to a regular
user following start up and operates in a chrooted dosemu environment
itself.

This is perfectly normal, legitimate, and an accepted (and safe)
practice, and there are no documented cases of system compromise that
I or any other BBS SysOPs that I have discussed this with are aware of historically, for services configured in the way explained above.

I would, however, like to thank you for bringing this to my attention,
it reinforces my confidence in your commitment to proactive management
in safeguarding the assets service providers such as myself, and
please feel free to add this particular port number for my IP address (95.216.171.182:23) to your white list.

Thank you in advance, for your assistance in this matter, and do feel
free to contact me directly if you have any further questions.

Kindest regards,
- --
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268
-----BEGIN PGP SIGNATURE-----
Comment: Find this cert at hkps://keys.openpgp.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQEzBAEBCAAdFiEENWT7St9Eg6sLyiLAuIw5wQytyEkFAl12Mp8ACgkQuIw5wQyt yEk4+Af8DTRMQUpTOzTye7/eWjfSpgoM1hWUP3JP8PQrnOTLV5N/o3an+K4nVJwx GtD1VFUGToe+on2fo5Q6aNr49ppEFHJseMQWcHoMFP2pdoAKaGEB3Lqgd71J88f7 3fL6Pkba+DCQNXUOBp5EDIKdTezCfgC+mYqsr0IFa8eWIN4ZrUYIYpeaC6uNUX7L W0lCrBO4zjzgo0VUT128LaDQEacUZXoDqk63h5m0DP5fDy2N+9Lecat1Hc72CBFz ZneEJcLLIPtR/cgkRYu4THXFXoCHAmGDXxOv/EFdQgSkP0naaLfAi/huI/eHt4yH Nrw3/w7XPQTyg8fCrS3DczzcROLp3A==
=HzwE
-----END PGP SIGNATURE-----

</snip>

Well I just thought that I'd share that with everyone :)

Kindest regards,

Bradley

.
--- SBBSecho 3.09-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

On 10 Sep 2019 at 09:26p, Bradley D. Thornton pondered and said...

I opened a ticket with my upstream, they came back and gave me a real (as opposed to a noreply) email address and said to contact the agency (no
pun intended) directly. Here's the exchange with them (tl;dr is that everything worked out):

Dear Bradley D. Thornton,

thanks a lot for your detailed feedback!

We have now whitelisted 95.216.171.182 for telnet reports.

Kind regards
Team CERT-Bund

Good result sir :)

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)