 Attention Sysops hacker Alert!! 
Veteran Op
Joined: Thu Jun 02, 2005 2:00 am
Posts: 5558
Location: USA
Unread post 
513 is a standard rlogin port. While neither twxproxy nor swath do this by default, some telnet programs like zoc and putty will change the port if you select "rlogin" as the method by accident.

My point isn't that these guys did a typo, I'm sure that's not the case here. What I'm saying is... just because someone hits your admin port don't assume it's a hack attempt, it could just be an accident. It's important to determine the intent of things.

_________________
May the unholy fires of corbomite ignite deep within the depths of your soul...

1. TWGS server @ twgs.navhaz.com
2. The NavHaz Junction - Tradewars 2002 Scripts, Resources and Downloads
3. Open IRC chat @ irc.freenode.net:6667 #twchan
4. Parrothead wrote: Jesus wouldn't Subspace Crawl.

*** SG memorial donations via paypal to: dpocky68@booinc.com


Wed May 30, 2007 9:09 pm
Profile ICQ WWW
Gameop
Joined: Sun Oct 08, 2006 2:00 am
Posts: 991
Unread post 
I understand where you are coming from. But, I am not willing to put forth the effort or take the time to find out their intent. It's not as if I were making money or they are a paying customer. I deal with security issues every day, it's the social engineering part of finding out the user's intent that makes the whole thing too dangerous to deal with.

Cerne

_________________
"All warfare is based on deception..." - Art of War
"Time will tell all tales" - SG
Any advanced tactic in TW is indistinguishable from cheating.


Wed May 30, 2007 10:40 pm
Profile ICQ
Veteran Op
Joined: Thu Jun 02, 2005 2:00 am
Posts: 5558
Location: USA
Unread post 
Well, of course if you don't you're opening yourself up to some nastiness by posting IPs here. If someone just randomly connects and you jump at the "omfghax0r!" paranoia you're going to be blaming a lot of innocent people.

You don't need to talk to them to demonstrate intent. If they go in to tedit and screw with stuff, that's pretty solid. If they go thru a process of trying to enter potential usernames and passwords, that's pretty solid too. If they go thru your ports hitting from 1 to 65535 then that's pretty solid as well. But if they just randomly connect to your rlogin port and then disconnect... that's not exactly a hack attempt.

Ail made a very good point tho, with a NAT router you only need to NOT port forward your admin ports to eliminate the problem altogether.

If you really wanted to get fun you could set up an SSH server on a non-standard port, block the admin port access from the outside but allow the SSH port, then if you needed remote admin capability you'd route thru the SSH to the admin port from within the network. Something like that could even out a lot of potential admin area flaws that might exist. Am I the only one that wonders if there's a potential overflow in there somewhere?

Thu May 31, 2007 5:40 am
Profile ICQ WWW
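
Added example, not part of the original post: a Python sketch of the triage described above, which separates a lone touch of the rlogin/admin port from the three behaviours named as solid evidence of intent. The event names, thresholds and sample records are assumptions made up for illustration; TWGS does not necessarily log in this form.

```python
from collections import defaultdict

ADMIN_PORT = 513          # standard rlogin port, per the thread
FAILED_LOGIN_LIMIT = 5    # assumed threshold for "trying usernames and passwords"
SCAN_PORT_LIMIT = 20      # assumed threshold for "hitting ports from 1 to 65535"

def classify(events):
    """Return {source_ip: verdict} from (ip, port, action) tuples.

    Actions are hypothetical labels: connect, disconnect,
    login_failed, tedit_change.
    """
    ports = defaultdict(set)
    failures = defaultdict(int)
    edited = set()
    for ip, port, action in events:
        ports[ip].add(port)
        if action == "login_failed":
            failures[ip] += 1
        elif action == "tedit_change":
            edited.add(ip)

    verdicts = {}
    for ip in ports:
        if ip in edited:                                # changed things in the editor
            verdicts[ip] = "editor-tampering"
        elif failures[ip] >= FAILED_LOGIN_LIMIT:        # repeated credential attempts
            verdicts[ip] = "credential-guessing"
        elif len(ports[ip]) >= SCAN_PORT_LIMIT:         # sweep across many ports
            verdicts[ip] = "port-scan"
        elif ports[ip] == {ADMIN_PORT}:                 # connected once and left
            verdicts[ip] = "single-touch"
        else:
            verdicts[ip] = "unclassified"
    return verdicts

def sample_events():
    """Constructed records using documentation-range IPs, not real log data."""
    ev = [("198.51.100.7", 513, "connect"), ("198.51.100.7", 513, "disconnect")]
    ev += [("203.0.113.9", 513, "login_failed")] * 6
    ev += [("192.0.2.44", p, "connect") for p in range(1, 101)]
    ev += [("203.0.113.80", 513, "connect"), ("203.0.113.80", 513, "tedit_change")]
    return ev

if __name__ == "__main__":
    for ip, verdict in sorted(classify(sample_events()).items()):
        print(ip, verdict)
```

Only the first three verdicts correspond to the evidence the post calls solid; "single-touch" is the accidental-rlogin case and on its own supports nothing more than a quiet local block.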
Gameop
Joined: Sun Oct 08, 2006 2:00 am
Posts: 991
Unread post 
This is getting a little off the subject I posted about. My point was that I could care less what someone's intent is if they try to access my admin port. I just ban their IP and the problem is solved. The perp can go play elsewhere. Since there is no way to prove intent, either good or bad, it is a total waste of time and energy to bother with it.

Cerne

_________________
"All warfare is based on deception..." - Art of War
"Time will tell all tales" - SG
Any advanced tactic in TW is indistinguishable from cheating.


Thu May 31, 2007 8:12 am
Profile ICQ
Gameop
Joined: Thu Mar 08, 2001 3:00 am
Posts: 886
Location: USA
Unread post 
Space Ghost wrote:
Ok I can understand checking the admin port (I guess) (kinda like a bank robber getting caught and saying he wanted to see how secure his money was before he deposited it). However, you stated

"I noticed an unknown user log to my twgs, so I spied on the node and almost instantly saw this unknown user enter the editor and start running active player info. I instantly banned this user"

So I guess if he was just checking to see if it was secure, WHY, pray tell, would he be running active player info??? There is NO excuse for that, is there?
Please ID this guy to the rest of the sysops and game ops.



dude hehe. 'running active player info' is hitting # at the main twgs menu. I hit that unconsciously whenever I log into a twgs manually, admin or otherwise. zen doesn't say that he was checking the player info in tedit.

edit: ok maybe he says 'enter the editor' but I think zen should clarify.

_________________
twgs : telnet://twgs.thereverend.org:5023
web : http://www.thereverend.org
games : http://www.thestardock.com/twgssearch/i ... verend.org
helper : http://svn.thereverend.org:8080/revhelper/


Thu May 31, 2007 11:46 am
Profile
Commander

Joined: Wed Apr 14, 2004 2:00 am
Posts: 1324
Location: USA
Unread post 
By active player info I'm under the assumption that he is looking at their passwords, sectors, etc. All the things found in the user editor.

_________________
Infecting others with a Polymorphic Virus since 1975.

Curing ignorance and terminal stupidity since 1999.

Questioning the intellectual abilities of three digit annual salary earners since 2015.


Thu May 31, 2007 6:54 pm
Profile WWW
Veteran Op
Joined: Thu Jun 02, 2005 2:00 am
Posts: 5558
Location: USA
Unread post 
Quote:
This is getting a little off the subject I posted about. My point was that I could care less what someone's intent is if they try to access my admin port. I just ban their IP and the problem is solved. The perp can go play elsewhere. Since there is no way to prove intent, either good or bad, it is a total waste of time and energy to bother with it.


Uh yea you can prove intent, I just gave you at least 3 ways to do so. Just touching a port doesn't make you a "perp" ... I do it all the time. It's hardly criminal, and your admin port is on a standard port number so any number of things could try to access it. Intentionally or otherwise, it's a standard rlogin port.

If you want to ban them fine, but going onto a forum and posting their IP as part of an unofficial blacklist and labeling them a criminal equals libel plain and simple. Hobby or no, it's just dumb to open yourself up to stuff like that... and the admins here could very well end up on the chopping block as well. Dumb++;

That's why there need to be rules about what gets posted, and what kind of evidence is needed beforehand. Accusations should be supported, and people have a right to face their accuser.


Thu May 31, 2007 9:37 pm
Profile ICQ WWW
Gameop
Joined: Mon Aug 30, 2004 2:00 am
Posts: 96
Location: Canada
Unread post 
Will IP logging be part of a future upgrade?

_________________
Team Ultimate TW Administrator
And Proud Member Of The Ultimate TW Community!
Come Join The Crowd


Mon Jun 25, 2007 4:33 am
Profile ICQ WWW