'Something' has opened TCP Port 2323 (telnet) overnight while I was sleeping

Any ideas from anyone what may have occurred here?

I use a device called ‘Fingbox’ to monitor changes on my network. This morning I received an alert that TCP Port 2323 (a telnet port) had been opened (manually) at around 1am while I was sleeping. I can’t see any configuration on port forwarding or firewall in the Omnia where this has been enabled, but using ShieldsUp, it verifies that the port is open.

(The other three open ports are IP security cameras)

Found this in the Firewall Status page

You seem to have data collection enabled. Don’t worry, this is just a simple telnet honeypot.

2 Likes

Ahhhhh, Thanks cynerd! I was hoping that was the case! :slight_smile:

Can you tell me how to query the honeypot logs?

2 Likes

You can find that here: https://project.turris.cz/en/user/login
You had to create an account there when you were setting data collection up.

1 Like

Thanks for the help and info!

How do you enable/disable data collection?
Which plugin is it?

I don’t use the Turris default confs. I’m just interested :slight_smile:

Thanks,
Lars

Btw:
My Turris has been running stable for 61d without any failure
@4.4.59-627f0117679bc72ef5e58881035f567a-4
(15.05 r47055)

What does that mean?

The only supported way is through Foris, as you have to create an account so you can access the aggregated data. And there is a tab for that in Foris.

I’ve been using OpenWrt for a longer time and simply swapped my configs to Turris.
I prepared a rescue image with my packages & configs and copied it.
Since then Foris is deactivated.

Ah okay, thanks. So I’m going to take a closer look at the Foris backend.

Is there an easy way to do a consistent dd image of the mmcblk0p1 device?
Maybe before booting?
Should I start a new Thread?

Thanks,
Lars

Well, I see the possibility to do that, but Turris OS is simply more than just a different configuration of OpenWrt. I think that you are on the path of constant struggle.

No, there is not. We have something called a rescue image that is in secondary storage (NOR). But that is hardwired for factory reset and reflash, so I don’t think that you can just drop to a shell in rescue (you might find a way, but there is no official one). So the other option is to break U-Boot and boot a different rootfs. But I think that the simplest is just to do a snapshot, mount it and tar the content.

Hi again Cynerd. Any idea why, even though I have data collection enabled, there is no data at all reported in the SSH Honeypot Logged Sessions?

Thanks for your help.

Are you behind a NAT? If so, then there is little to no chance that anyone will try to breach your honeypot (although that doesn’t mean that you should disable it, nor that it’s safe to open SSH to a NAT network; it just means that there is a very low chance of any attack happening).

Is your choice of the date in the filter correct?
I see … you want to browse honeypot records from 2016-06-01 to 2017-06-01

1 Like

Tried every possible date, but there’s not a single report. :sweat:

Could you try the actual date (for example 2017-11-22) and set the interval to a week?
What will happen?

:cry:

I don’t have NAT enabled beyond what the default configuration is on the Turris. I looked through all the config settings and I can’t actually identify how you would selectively enable/disable NAT on the Turris… I feel a bit silly that I can’t seem to find this setting on the router…

The router automatically does NAT because that is the most expected way. To disable it you just have to configure the firewall to not do masquerade on traffic from WAN. But that is not what you want.

No, what I meant is: is your router behind NAT? Not whether your router does NAT. If your ISP doesn’t give you a public IP, then you are behind NAT for sure. The other option is that although you have configured data collection, no data were sent to us. Or of course there is the possibility that there are no attacks on you. Who knows. You can try to attack yourself from somewhere outside just to see if your connection is well configured.

In reality, if it’s a problem (bug or something) with the software, then please just wait for Turris OS 3.9, as that release will contain the latest version of the new implementation called HaaS. Just a note on this: with HaaS, collected data are sent to the HaaS service and won’t be visible in project.turris.cz.

1 Like
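The two checks cynerd describes above (is the router itself behind upstream NAT, and can the honeypot port actually be reached from outside) can be scripted. This is an added example, not code from the thread or from Turris; it assumes you read the WAN address off the router's WAN interface yourself and, optionally, the address an outside "what is my IP" service reports, and that port 2323 is the telnet honeypot port from the first post.

```python
import ipaddress
import socket
from typing import Optional

# Ranges that mean the WAN address is not publicly routable, so unsolicited
# inbound connections (and therefore honeypot hits) cannot reach the router
# directly. 100.64.0.0/10 is carrier-grade NAT (RFC 6598), which Python's
# is_private does not flag, hence the explicit list.
NON_PUBLIC_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def behind_nat(wan_ip: str, observed_ip: Optional[str] = None) -> bool:
    """True if the router's WAN address is non-public, or if it differs from
    the address the outside world sees (observed_ip), i.e. an upstream NAT."""
    addr = ipaddress.ip_address(wan_ip)
    if any(addr in net for net in NON_PUBLIC_NETS):
        return True
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != addr:
        return True
    return False


def port_reachable(host: str, port: int = 2323, timeout: float = 3.0) -> bool:
    """Plain TCP connect test of your own router from an outside host; the
    connection is closed immediately without sending anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values: a CGNAT WAN address and a documentation-range public one.
    print(behind_nat("100.64.12.34"))                    # True: CGNAT, honeypot unreachable
    print(behind_nat("203.0.113.5", "203.0.113.5"))      # False: public and matches outside view
```

Run `port_reachable("<your public IP>")` from a host outside your own network; a True result with an empty honeypot log then points at the data-collection side rather than at reachability.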

Don’t worry, Turris has been stable now for 73 days (without reboot).
It wasn’t just a simple config swap; it’s my job to administrate Unix systems :slight_smile:

Ah, I completely forgot Schnapps; that way works perfectly for me.

Thank you for your time,
Lars