Thursday 22 September 2016

Telnet attacks and Pixes

I've recently installed my firewall. It's a Pix 515E (soon to be upgraded to a Pix 525), but since it's newly installed, I'm keeping a careful eye on it. In particular, I see the logs scrolling past, of all the attempts to connect that it wouldn't allow.

What has surprised me is that these attempts are very simple. I wasn't actually expecting to see anything clever, but what I'm actually seeing is about 95% attempts to log in with telnet.

Telnet?

That's prehistoric. Does anyone still use it? I don't. Like (I think) everyone else, I use ssh. But I see attempts to use the telnet port on all my computers from IP addresses all over the world.

What on earth do they think they're doing? Even if my firewall did allow telnet access through, none of my servers are set up to respond to telnet, and even if they were, you're going to need a username and password.

The other interesting thing I see, and again I have no explanation, is that occasionally there's a flood of UDP packets hitting the firewall, all from the same IP address, working through my range of IP addresses.
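As an added example (not from the post), here is how one might tally the denied attempts the Pix logs rather than just watching them scroll: it parses lines in the Pix/ASA 106023 "Deny" format, reports what share of denied TCP connections were aimed at the telnet port, and flags a source whose denied UDP packets sweep across several destination addresses. The log lines are constructed samples, and the message layout is assumed from the 106023 syslog message, not taken from the author's firewall.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Pix/ASA 106023 "Deny" layout (not real log data).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.0.2.10/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:192.0.2.11/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/6000 dst inside:192.0.2.12/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.8/7777 dst inside:192.0.2.10/23 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.77/5060 dst inside:192.0.2.10/5060 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.77/5060 dst inside:192.0.2.11/5060 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.77/5060 dst inside:192.0.2.12/5060 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.77/5060 dst inside:192.0.2.13/5060 by access-group "outside_in"
"""

# Assumed layout: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..."
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_denies(text):
    """Yield (proto, src_ip, dst_ip, dst_port) per deny line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def port_share(events, proto="tcp", port=23):
    """Fraction of denied connections of `proto` aimed at `port` (23 = telnet)."""
    same_proto = [e for e in events if e[0] == proto]
    if not same_proto:
        return 0.0
    return sum(1 for e in same_proto if e[3] == port) / len(same_proto)

def udp_sweeps(events, min_targets=3):
    """Sources whose denied UDP packets hit at least `min_targets` distinct destination IPs."""
    targets = defaultdict(set)
    for proto, src, dst, _ in events:
        if proto == "udp":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    evs = list(parse_denies(SAMPLE_LOG))
    print(f"telnet share of denied TCP: {port_share(evs):.0%}")
    print("UDP sweep sources:", udp_sweeps(evs))
```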

So, about that Pix 525.

The one I already had was a failover device. It worked well, but it rebooted every 24 hours (as per design). So it was OK for a temporary measure, but not for the long term, because a reboot means no service for at least five minutes. But what was *very* nice about it was the user interface for setting it up - web based, called ASDM, and very nice. It took much of the setup pain away.

So then I bid on eBay for a Pix 525 with an "unrestricted" licence - that means it won't suffer from the rebooting problem. It arrived yesterday, and the parcel had an ominous rattle. When I opened the box, I could see why; it had been put through the Heathrow parcel-smashing machine. The plastic front panel was in smithereens, and the mounting brackets were bent. Inside the Pix, there were fragments of plastic from the catastrophe.

I told the seller that I'd be giving it a very thorough test before leaving feedback; the seller suggested that I report the issue to eBay. I contacted eBay, and they said that I should do a "refund request". They assured me that the seller wouldn't be the one to suffer, so I did that, including pictures of the smashed-up front, and the cardboard box, which was also somewhat damaged.

To my surprise, I got an immediate refund, which will come out of the carrier's pocket (the carrier at my end was Yodel, but I don't know where the damage happened). I wasn't actually after a refund, although I'm not going to refuse it. As far as I can tell, the Pix is working OK, although without its plastic front, it's a bit ... ugly.

But it's an old version of the software. Sigh. The version of the software is about halfway between the two versions that I know, so I had to adapt somewhat. But the configuration from my existing Pix 525 translated to the new Pix 525 quite well.

3 comments:

  1. I'm sure I used Telnet to get the answer to one of your geocaching puzzles - it was a while ago though.
  2. The program that you ran was telnet, but you didn't use it to access the telnet port 23, which is where all these accesses are trying to go.
  3. Telnet?! I'm sure what you have just encountered was the IoT attackers. As we all know, more and more stupid IoT crap is available in the consumer electronics markets, with zero security, and built-in admin/admin debug accounts.

    Everyone has been expecting that there will be attacks based on IoT, but the day has really come true, at the end of September. Now the attackers have shifted their targets from PCs and servers to those IoT video cameras, etc., and just launched the largest DDoS attack, up to 1 Tbps.

    Just picked up a random news item for you from a web search; read the news.

    150,000 IoT Devices behind the 1Tbps DDoS attack.
    http://securityaffairs.co/wordpress/51726/cyber-crime/ovh-hit-botnet-iot.html

    Even worse, one of the attackers in the industry just decided to retire and published the code of the botnet. We need to save the Internet from the Internet of Things, a.k.a. Internet of Hackable Things, Botnet of the Things or Internet of the S**t.