Neil Pomerleau

Neil Pomerleau

Software Engineer, Comedian, Musician

Mitigating a brute-force login attack via telnet backdoor

I have a VPS through Linode that I use to host dozens of websites (including this one). Securing your server against brute-force login attempts is one of the first steps you should take when setting up a new server, and Linode details this fairly well.

However, one day I was surprised to notice that my CPU usage, though steady, was hovering at close to 90%. A peek at the historical usage showed this this had been increasing steadily for over a week now, but went under the radar.

linode-cpu-month

A look at top revealed accounts-daemon (the service that handles user authentication) to be the culprit, and my /var/log/wvmb file (which logs failed logins) was draining my available disk space to nearly nothing.

Okay, easy enough. Let’s cut off SSH access until I have time to figure out why the usual defenses weren’t working. However, the attack continued. How could this be?

Turns out the attack was happening with an old authentication method called telnet. Every article I read about telnet suggested using SSH instead for its superior security when authenticating yourself, but I couldn’t find any resources about securing telnet against malicious login attempts.

I was able to successfully mitigate the attack by turning off telnet authentication completely. In my case, I commented out this line in /etc/inetd.conf:

telnet		stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/sbin/in.telnetd

December 11, 2016 at 4:00 pm

Leave a Comment

About Me

I work as a Senior Software Engineer at LinkedIn and perform on stage and on keyboard for improv comedy shows in the Bay Area.

Learn more