An action taken by a person who is being trolled. The person being trolled uses the exact same trolling technique that the troll is using, thus confusing the troll and making him look bad in front of everyone else.

"He was trying to make me look like an idiot, but I pulled the good ol' backtrolling trick on him."

"Dude, poor Toni always gets backtrolled by his friends."


-.. .- ... .... . ... / .- -. -.. / -.. --- - ...


Return to sender, address unknown. No such number, no such zone...

Hmmm... Someone is trying to brute-force his way through my SSH server. I do have automated 10-year black-listing for every IP with three consecutive login failures, but it's still annoying to see his continuous attempts in my logs.

[root@vaktankan ~]# tail -10 /var/log/secure
Mar 29 00:20:19 vaktankan sshd[29176]: refused connect from (
Mar 29 00:20:28 vaktankan sshd[29183]: refused connect from (
Mar 29 00:20:53 vaktankan sshd[29216]: refused connect from (
Mar 29 00:21:15 vaktankan sshd[29228]: refused connect from (
Mar 29 00:21:18 vaktankan sshd[29235]: refused connect from (
Mar 29 00:21:43 vaktankan sshd[29253]: refused connect from (
Mar 29 00:22:07 vaktankan sshd[29276]: refused connect from (
Mar 29 00:22:12 vaktankan sshd[29280]: refused connect from (
Mar 29 00:22:32 vaktankan sshd[29297]: refused connect from (
Mar 29 00:22:57 vaktankan sshd[29320]: refused connect from (
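
The three-consecutive-failures rule mentioned above, sketched as an added example (this is not the author's blacklisting tool, which the post does not name). It assumes standard OpenSSH "Failed"/"Accepted" lines in /var/log/secure; the sample lines and their documentation-range addresses are constructed, and the log year is passed in because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

THRESHOLD = 3                  # consecutive failures before a ban, as stated in the post
BAN = timedelta(days=3650)     # "10-year" ban, approximated as 3650 days (assumption)

# OpenSSH authentication messages as written to /var/log/secure (assumed format)
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample input; not taken from the author's server
SAMPLE = """\
Mar 29 00:19:01 vaktankan sshd[29101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 29 00:19:03 vaktankan sshd[29102]: Failed password for alice from 198.51.100.20 port 50510 ssh2
Mar 29 00:19:05 vaktankan sshd[29103]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 29 00:19:08 vaktankan sshd[29104]: Failed password for alice from 198.51.100.20 port 50512 ssh2
Mar 29 00:19:12 vaktankan sshd[29105]: Accepted password for alice from 198.51.100.20 port 50514 ssh2
Mar 29 00:19:15 vaktankan sshd[29106]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 29 00:19:40 vaktankan sshd[29107]: Failed password for alice from 198.51.100.20 port 50516 ssh2
""".splitlines()


def build_blocklist(lines, year=2017):
    """Return {ip: ban_expiry} for sources with THRESHOLD consecutive failures."""
    streak, banned = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # unrelated or unparsable line
        ip = m["ip"]
        if ip in banned:
            continue                       # already banned, nothing more to track
        if m["kind"] == "Accepted":
            streak[ip] = 0                 # a successful login breaks the streak
            continue
        streak[ip] = streak.get(ip, 0) + 1
        if streak[ip] >= THRESHOLD:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            banned[ip] = when + BAN
    return banned


if __name__ == "__main__":
    for ip, expiry in build_blocklist(SAMPLE).items():
        print(f"{ip} banned until {expiry:%Y-%m-%d %H:%M:%S}")
```

The legitimate user who mistypes a password twice and then logs in is not banned, because the counter tracks consecutive failures per source rather than a running total.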

I wonder if the computer that the attacks come from is properly secured:

[root@vaktankan ~]# nmap -v

Starting Nmap 7.40 ( ) at 2017-03-29 00:23 CEST
Initiating SYN Stealth Scan at 00:23
Scanning [1000 ports]
Discovered open port 1080/tcp on
Discovered open port 6006/tcp on

Well, well.. Two interesting ports seem to be open. What's behind them, one might ask:

[root@vaktankan ~]# curl
curl: (56) Recv failure: Connection reset by peer

No answer on a plain http call on port 6006... But how about 1080?

[root@vaktankan ~]# curl
SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
curl: (56) Recv failure: Connection reset by peer
[root@vaktankan ~]# ssh -p 1080
root@'s password:

Aha! He put his own SSH server on port 1080 instead of port 22. Security by obscurity...clever..

Let's have some fun and redirect all SSH traffic from that IP address to his own SSH server, so that he ends up banging on his own front door:

[root@vaktankan ~]# iptables -t nat -A PREROUTING -s -p tcp --dport 22 -j DNAT --to-destination

Now let's see if the secure-log is more quiet than before:

[root@vaktankan ~]# tail -f /var/log/secure
[root@vaktankan ~]#

Lovely - it is completely silent. But I can imagine how it looks in the attacker's own security logs ;-)

Maybe he eventually succeeds in breaking his way into his own house and starts destroying things. That would be cool...