I'm going to give you the excuse of 'youthful exuberance' here. Port 22 and SSH access are not the same. Do *not* open ANY SSH port to the world!
And that's kind of my point! Why would you give any Trouble, Dick, and Hasbeen, free access to your underlying OS? Close that port, sir!
On unix it's like a five minute job if you've never done it before, including the web search for how to do it. Super easy.
And that's kind of my point! Why would you give any Trouble, Dick, an Hasbeen, free access to your underlying OS? Close that port, sir!
Fine. PROVE ME WRONG. HACK ME.
To anyone out there: Hack my board and put some obvious file in the root of the system (please don't cause damage). Show me that you CAN do it
via SSH and NOT do it over Telnet.
To anyone out there: Hack my board and put some obvious file in the root of the system (please don't cause damage). Show me that you CAN do it
via SSH and NOT do it over Telnet.
First one to succeed gets $100 sent via Facebook Messenger.
Note, you must show your work (so that I can FIX said problem) and you must show that you CANNOT break in over telnet.
If you can prove the opposite ( that you CAN get in over telnet and NOT over SSH) I will send $50.
If you can break in over BOTH, I will send $150.
Furthermore, you exploit a bug in Mystic to gain access, you have to
show all that work, as well. We would want to make sure that g00r00
gets what he needs to plug that hole.
1) Having the well-known ports open (22/23) is more of a risk for portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OBVIOUS alternatives...
2) instead of moving sshd on the internal network, just port forward 22 and 23 to 2222 and 2323 respectively in the firewall. That way when you
Again, I refuse to accept this challenge. At least hackthissite.com offered a reward. Do *not* tempt the dogs of war, for we are already foaming at the mouth!
Or don't, and expect to format your machine in the near future...
..................... If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.
Remember the dogs of war I recently mentioned? Well, you just took away their leash!
I promise you one thing: it won't be me that attempts to claim that
prize. My hat is white; I don't use my superpower for personal gain.
*HUGE* mistake, newbie! \(@_@)/
I'm gonna change that country file and then do #2.
Um. I *did* offer a reward! Up to $150.
Or don't, and expect to format your machine in the near future...
Ah, the beauty of ZFS snapshots and automated backups.
I'm not running this thing on a pi; I am running on (near) enterprise-grade hardware and software.
Remember the dogs of war I recently mentioned? Well, you just took aw their leash!
I have backups and can easily rebuild. I am offering a bug bounty, but
in order to claim it, they have to reveal how they did it so that the
bug can be fixed.
I promise you one thing: it won't be me that attempts to claim that prize. My hat is white; I don't use my superpower for personal gain.
Actually, what I asked for *was* white-hat hacking. Ethical hacking (white-hat) is done with the goal of increasing security. White hats
won't hack without permission; this permsission has been granted.
If they hack me and cause damage, they won't get the bounty. If they
fail to reveal their methods, no bounty.
Granted, as bug/hack bounties go, it's a pittance. However, if it is as easy as you say, someone will snap it up soon, I will be out $150, the software will get improved, and you'll gave gloating rights for at least the next 3 millennia.
Sounds like a win/win/win to me? $150 for improved security is WELL
worth it.
I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.
Are you giving me permission to break your sh--uh...stuff?Yes, provided that you abide by the rules I set out.
I won't be nice. I won't leave a friendly note. I will destroy
everything. You have been warned, more than once.
1) Having the well-known ports open (22/23) is more of a risk for portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OB alternatives...
It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners
can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.
I won't be nice. I won't leave a friendly note. I will destroy everyt You have been warned, more than once.
That's not whitehat and it's not ethical. But regardless, I think he should still allow it. Remote exploit and priv escalation only. No
denial of service.
Are you giving me permission to break your sh--uh...stuff?Yes, provided that you abide by the rules I set out.
I won't be nice. I won't leave a friendly note. I will destroy everything. You have been warned, more than once.
This would violate the rules. Let me restate succinctly:
Remember the dogs of war I recently mentioned? Well, you just took away
It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners
can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.
In most cases I expect there's not a lot critical information on a BBS worth sniffing.. what are you going to get if you hack an account someones mail?
That's what I find funny about the apparent attemps I see from bots trying to brute-force into my BBS. There isn't much of value someone could get from it, but they can go ahead and spend all that time trying if they really want to. :P
I suspect they may be UTF-8 and SyncTerm handles UTF-8, whereas other terminals and readers don't.
Your message with SyncTerm:
https://i.imgur.com/OMszRdU.png
Your message with PuTTY;
https://i.imgur.com/BCZp9dm.png
Is there a setting somewhere I need to adjust, or is it just another symptom of my bizarrely-bastard copy of Syncterm (I can't paste with
mouse or ctrl-ins).
Interesting! I just tried both Syncterm 1.0 & 1.1 on my board and it comes up the same on each. It looks like the BBS itself also needs to support UTF-8, so those of us using Mystic are currently out of luck.
P.S: If anyone is looking for a version of Syncterm where copy/paste works without having to scroll back, this version appears to do the trick: https://sourceforge.net/projects/syncterm/files/syncterm/syncterm-1.0/
Sysop: | CyberNix |
---|---|
Location: | London, UK |
Users: | 22 |
Nodes: | 10 (0 / 10) |
Uptime: | 10:27:36 |
Calls: | 892 |
Files: | 4,436 |
Messages: | 669,233 |