Dealing with Intruders? 656
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
Easy (Score:5, Insightful)
Unless they use a lot of bandwidth, that is the right decission to make.
Your firewall.... (Score:2, Insightful)
Create a honeypot (Score:5, Insightful)
Wow! A spike in hack attempts? (Score:3, Insightful)
Abuse (Score:5, Insightful)
Very Easy (Score:5, Insightful)
ignore it. forget it. script kiddiz...
Maybe set up a honeypot for a bit (Score:5, Insightful)
Mal-2
Why not seem like a cease and desist gnome? (Score:3, Insightful)
They're out to do you harm. If one of them gets through and does some damage, you could lose your job.
abuse@.... (Score:2, Insightful)
As several posters have already stated you should complain to the abuse address for their ISP. Ideally, you should include logs of the attempt.
You should also be aware that that the machines which are attempting to connect to your network are probably zombies. There are a number of trojans and security holes which can be exploited to allow a remote user to take over a poorly secured system. The owners probably don't even realise that their machines have been compromised.
I'm not sure there's much an ISP can do other than try to find out which customer had been assigned that IP address at the time and write to them. Banning someone for having poor security on their machine is probably a bit harsh, even in these post-9/11 times.
Keith.
Re:Your firewall.... (Score:5, Insightful)
If they are just sending of SYN-requests, then who cares? They'll get a few RST-responses. Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day will just decrease others chances of contacting you.
Secure your network. Have a nice firewall with okay rules, but there should be no need to add individual IPs to your ruleset all the time -- that just increases complexity and maintainability.
I had someone trying to brute force ssh.. (Score:5, Insightful)
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
Re:Your firewall.... (Score:5, Insightful)
Re:Your firewall.... (Score:3, Insightful)
Re:I tried to log in as root.. (Score:2, Insightful)
I think someone needs to read up a bit more on why both these things are bad ideas - and why doing them both at once is just internet suicide...
Re:Very Easy (Score:5, Insightful)
Yup, just make sure your box is secure.
Intrusion attempts happen unfortunately, with all the viruses, worms, etc. Just make sure your box won't get caught.
Re:Your firewall.... (Score:3, Insightful)
Re:Your firewall.... (Score:5, Insightful)
It depends on what kind of 'attack' we're talking about, of course. If it's just an automated attack which scans large ranges of IP-addresses for common vulnerabilities which you've patched against, there really isn't any need to add them to your firewall ruleset, unless they're pretty invasive.
By invasive I mean that they grope and poke, and grope and poke. If it's just a couple of packets - why care at all? You can always fire off an email to the hosting provider, but adding them to your firewall is just
Take the recent increase in SSH scans for the 'test' and 'guest' accounts without password, or whatever it was one came into agreement that it was.. if you've got a patched SSH daemon, why care? Let them scan - and get rejected. Why bog down the firewall with hundreds, if not thousands, of extra matching rules?
If it's likely that you've got vulnerabile machines on that port, block it entirely - or just allow it from specific IPs. Playing whack-a-mole against scanners are just a waste of time.
Patch the system, have a good general firewall ruleset that covers what needs to be covered - and let the scanners that isn't actually continously filling your log files just scan on.
I've had to block _one_ abusive scanner during the last year. It was someone scanning for open http-proxies from Israel. They were hitting my machines several times per seconds, filling my apache logs with relay-attempts to mailservers. Which was quite frankly annoying.
Those scans were from four IP's within the same subnet, and their ISP didn't care. I got the ISP null routed due to their customers filling my logs (and my company doesn't do business in Israel at the moment, so it wasn't a loss anyways).
A few packets now and then on the other hand.. playing whack-a-mole with such is just a waste of time.
Re:I tried to log in as root.. (Score:5, Insightful)
Unwise.
and sometimes I'd try to log in without thinking just after starting a telnet session.
Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
Re:Easy (Score:5, Insightful)
These things are far too common to get worked up about, and they still consume an infinitesmal fraction of my link capacity. I long ago stopped caring about unsuccessful intrusion attempts. I only care about the successful ones, and to help prevent those I apply all the usual safeguards.
Re:Very Easy (Score:5, Insightful)
Complaining may have a boomerang effect (Score:5, Insightful)
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and an university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldomly in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file mesages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I can not believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Re:Very Easy (Score:5, Insightful)
Nothing encourages a script kiddy more than the feeling of invulnerability which you get from someone admitting that he knows what you're doing but can't do anything about it because you've not broken a law.
Ignore them or build general measures (Score:2, Insightful)
I ran one of the first ISPs in the UK with live IP and since we went live about 10 years ago we have endured on average maybe one attack per minute or higher all that time.
So 10 years ago I wrote my own firewall with some traffic shaping and logging; it died recently I replaced it with a Cisco or two with more or less the same rules.
Now, even when no longer an ISP I still have to turn away 35,000+ SPAMs per day from my network which now hosts just two people, so I wrote my own reverse SMTP proxy to deal with the problem. (The source is available in SourceForge BTW.)
People continually attempt to steal the entire content of one of my free Web sites, and used to bring it and my connection to the Net to their knees, so I wrote a simple transparent servlet filter to detect and lock out f**kits who exhibited pathological behaviour.
All of these tools are mainly automatic with a few general rules and a very few specific data entries to keep out especially egregious people.
Don't play "whack-a-mole", and don't waste too much time trying to contact the idiot's ISP; even if they care, which sometimes they do, it'll end up being expensive and slow to stop.
Rgds
Damon
Ignoring it == raising criminals (Score:1, Insightful)
Even if you don't manage to rob a bank, but you get caught, you go to jail. Why would syber laws have to be different? Don't touch my server! Don't scan my ports!
Re:And the problem is... (Score:2, Insightful)
Re:What intruders? - Good point! (Score:4, Insightful)
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.
Re:Very Easy (Score:2, Insightful)
Also, bare in mind that some of these attempts may be made by real crackers that want to use your box as a remote box to launch attacks.
Who knows, maybe in the future all servers and clients will be rigged with honey pots!!
Re:Ignoring it == raising criminals (Score:5, Insightful)
I fail to see how scanning ports is akin to robbery. Actually a port scan by itself is a completely legitimate activity as it simply is querying what services are available.
Personally I am the view point that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet.
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
I mean some of you guys sound like the ignorant dude that setup an RSS feed and then got pissed when a service used it as intended. The difference with him is that he learned the error of his ways.
I also fail to see how someone using the word "syber" can run any server safely.
Re:Well... (Score:2, Insightful)
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish.
And what's the problem? That is COMPLETELY LEGAL. If you create problems for that other guy, maybe if his connection gets cut off from his ISP because of your complaint, YOU are responsible for the damage (false accusation). Seems you are one of those types going crazy about some other computer sending from port 80 to a high port on your computer.....
Re:Very Easy (Score:2, Insightful)
Re:Ignoring it == raising criminals (Score:5, Insightful)
Incidentally, this is similar to what happened to me yesterday. After hearing the noise coming from the other end of the apartment, I went to check it out and found a stranger in my bathroom. She followed some woman's directions and came to my bathroom, thinking it's a public bathroom, simply because I didn't lock my front door. I was polite, but I showed her the way out. I certainly couldn't just ignore her and let her be, could I?
Re:Ignoring it == raising criminals (Score:5, Insightful)
True, port scanning in and of itself is not comparable to robbery. Rather, it is like casing the joint: trying the doors to see if they're locked; testing the windows (ahem) for a good seal; checking all the security cameras to see where they're pointed, or if they're turned on at all.
A business owner who saw someone doing that type of thing at their bricks and mortar presence might be a little suspicious. Sure, the 'port scanner' isn't doing anything illegal at the moment, but there are few applications for the information gathered that are legitimate. Most businesses (on- and offline) don't have much use or sympathy for freelance 'security consultants' providing convenient and unsolicited 'security audits' for them.
The individuals attempting to login as root are admittedly being decidedly unsubtle, and are probably relatively harmless due to their lack of skill. On the other hand, if there was a mentally deficient individual wandering the neighbourhood trying to pull open front doors on random homes...wouldn't you want someone to at least keep an eye on him, even if you did keep your own door locked?
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
What conclusions, pray, should be drawn from multiple attempts to gain root access to someone else's boxen? The original poster also specifically asked for an appropriate message to send that didn't sound like a corporate cease & desist--he just wants a 'kid, stop rattling my doorknob' message, to make the point that the 'investigator' has crossed from your 'public' internet on to a decidedly 'private' server.
Re:I tried to log in as root.. (Score:3, Insightful)
]] starting a telnet session.
] Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
So how did you remotely administer Unix boxes prior to ssh?
c.
Re:Very Easy (Score:5, Insightful)
Re:Two things (Score:3, Insightful)
And if it's IP based, there's a whole lotta IP addresses in the world... methinks he'll run out of kernel memory long before he's finished blocking them all.
Re:Very Easy (Score:5, Insightful)
Sorry, he needs a boot up the arse.
He doesn't need to be sent to jail, he DOES need to be reminded that we'd rather he stopped being a fuckwit.
Re:Ignoring it == raising criminals (Score:1, Insightful)
Re:Ignoring it == raising criminals (Score:2, Insightful)
If you have a radio controlled garage door opener
and someone drives by your house, transmits all
the possible codes sequentially, opens your garage
door and starts looking through your stuff
would you say 'because I didn't buy a sufficiently
advanced garage door opener or engineer my own
I invited the public into my garage'. Of course
you wouldn't. Their intent is obviously to
commit a crime.
Comment removed (Score:4, Insightful)
Re:Very Easy (Score:5, Insightful)
ISPs don't really roll this information back very often, because it just takes them too long, and there's too many.
It'd be nice if more ISPs were more responsible with this, though. Something like vlan'd users get port scanned/vuln. scanned upon connection, and once passed, they're allowed onto the big bad net. Of course then everyone on /. would complain of privacy concerns...
Re:Very Easy (Score:4, Insightful)
Agreed. But what he doesn't need is a legal "boot up the arse" that will haunt him for the rest of his life. The trick is giving him the former without the latter.
port scan != casing the joint (Score:5, Insightful)
That would be indicitave of someone trying to find a way in.
Re:Very Easy (Score:5, Insightful)
Re:Very Easy (Score:2, Insightful)
The thing is, all these voters seem to think that a policeman giving their kid a clip round the ear is a bad thing. Hence kids stand and mouth off at policemen because they have no respect for someone without the power to actually do anything.
Re:Very Easy (Score:5, Insightful)
To run with the analogy, if a cop sees a kid going down a row of cars testing door handles, he won't just run out and arrest him. The cop will wait until the kid comes across an unlocked door, rummages through the car, and takes something. Then the cop will arrest him. The cop waits because until the kid takes something, it's not a clear cut case. Sure, the kid is doing wrong, but the cop doesn't have enough ammo to really get him. Some people might take a "no harm, no foul" attitude.
If I was 12 and got caught doing something dumb like trying to log in as root like that, I'd just counter with the defense that I got the IP address wrong. "Oh, that waas your server? My buddies must have been playing a joke on me...he said that was his machine." I'd most likely get off, and walk away with a feeling that I was untouchable on the net. Wait until you actually have something to scare them with, then nail 'em.
Re:port scan != casing the joint (Score:5, Insightful)
If you find a machine with port 139 (or whatever the netbios port on it) open, and they've got their C drive shared, don't touch--it wasn't meant for you.
If you find a machine with port 80 open, then you're not doing any harm to pull http://xxx.xxx.xxx.xxx/index.html and see what lives there.
Common sense and common courtesy are really all it takes: if it looks like someone meant to make something accessible, then use it. If someone takes any steps to secure something (even if they're ineffective) or wouldn't be offering it if they knew what they were doing (like the shared C drive), stay away.
Re:Firewall? (Score:1, Insightful)
Are the rules of the road completely different if you're driving a Honda or a Ford? Are people daily finding ways to remotely take over your car and ram it into things?
People should not have to know every goddamn thing about their cars before they drive them - you do not need to be a mechanic to drive a car.
Hell, when I go to the mechanic, my eyes glaze over when he starts rambling on about what exactly went wrong. I don't give a fuck what went wrong, and I wouldn't know a carburator from a flux capacitor, how about fixing it and, if there's something I can do to avoid the problem in the future, lemme know.
Same goes for computing.
Yeah, it'd be great if people would lock down their boxes but the problem is not that people won't take responsibility, but that they are not educated about what to do to fix a problem.
I'm not a moron, but I tell you I have difficulty parsing what the fuck the latest 50 Windows Updates mean. How the hell is grandma supposed to know what the fuck that stuff means? Windows updates are bad enough, but *nix ones are even worse.
What needs to happen is that there needs to be a very basically written message: "Click here to keep people from taking over your computer" rather than the jargon laden crap that is there now.
Simply put, the people who are so up in arms about how people leave their machines vulnerable should solve the problem at the core of it, rather than castigating people for being "stupid" users. Fix the problem rather than bitching at people about it, and then we have something.
Re:Two things (Score:3, Insightful)
But in effect what you say could happen, but it wouldn't be a portscan, but rather a malicious DOS attempt.
- Ois
Re:Two things (Score:3, Insightful)
1) Bad dude does SYN scan.
2) Bad dude gets firewalled off.
3) Bad dude performs another scan with a spoofed IP (conveniently provided as an option by the popular nmap)
4) Good dude is in trouble
Just say no to automatic firewalling.
The real value of a honeypot (Score:3, Insightful)
The real value is in observing what kinds of attacks are being uses, especially to see if any NEW type of attacks are being used that your real systems may not have been secured against.
Can you all be more passive-aggressive, please? (Score:4, Insightful)
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
Re:Very Easy (Score:4, Insightful)
Do you have any idea the cost involved in setting up the system you have described in equipment, admin time, programmer time, etc...?
Who's responsible for fixing the vulnerabilities once found? Who's responsible if the vuln check actually harms the users computer or data? How do you prove it?
The ISPs are not some large benevolent entity. They're init to make a profit. Sorry, yes, they like money. Numerous phone calls to techsupport deal with questions that start, It used to work when I had AOL. Yeah we all know AOL sucks, but apparently they make money. Cusomters don't want to hear, this isn't AOL, this is a real internet provider, they want to surf their p0rn, and chatrooms. If fixing a customer will loose the customer..they're not going to do it. It's bad business sense.
Guess who gets the cost of fixing these customers, you do as the consumer.
Now balance it. The ISP deals with a handful of customers (out of their total subscriber base), or increases costs to all... You try to explain to grandma why her internet bill increased by 10%.
Well not to sound too stupid But (Score:2, Insightful)
My routers block all unused ports and use nat. i dont controll the web server so im not sure what goes on there. but i always believed that proper firewall and router configs can stop these kind of things before they start, please correct me if im wrong.
Report it and be Nice (Score:5, Insightful)
There are alot of people out there who have no idea that their computer is infected with a root-kit and many would be greatfull to be told so.
Re:Very Easy (Score:5, Insightful)
I grew up in conservative Oklahoma. As a teenage kid, I was walking across a large parking lot with my friend and his girlfriend to a movie theater. My friend had long hair, so that probably tipped us off as obvious hoodlums, justifying some person calling the police to report "suspicious activity" of some kids messing with cars.
Maybe if we had been doing anything more than walking it would have been a good lesson. As it was, it just taught me the world definitely has scared, intolerant jackasses.
Before advocating low tolerance and hair-trigger fingers, consider the sociecty you're creating for everyone, not just the criminals and would-be criminals.
Re:Very Easy (Score:3, Insightful)
What's wrong with the cop stopping the kid, asking his name and address and generally letting him know that his actions are monitored and he's on the verge of crossing the line.
If no-one ever tells you where the line is, how do you know when you've crossed it?
Re:Very Easy (Score:1, Insightful)
"To protect..." is about the victims, not the offender. If the police is confident that they can intervene before harm is done, then it's ok to wait.
The police watches because the kid full well knows that what he's doing is wrong. What the kid maybe doesn't realize is that he's being watched. Warning him at that point just makes the kid more cautious, but not wiser. The feeling of not getting away only remains if the cop can back up the wigging with something that the kid knows he can't talk himself out of. THEN, depending on the circumstances, the cop should make the punishment no more than the proverbial slap on the wrist, while making it clear that the next time won't be a walk in the park.
I would really hate to live in a society in which we rely on the cops to tell kids where the line is. Don't parents teach their kids anything anymore?
Re:Very Easy (Score:2, Insightful)
Generally, the way it works is like this:
If a defendant, acting with the intent otherwise necessary for the commission of a crime, take a substantial step toward completion of that crime, you're guilty of attempt.
A substantial step is an action strongly corroborative of your intent to commit the crime.
The kicker is that the substantial step need not be illegal.
Thus, if a kid walks down a row of cars testing door handles, the prosecutor can make a good case for the intent to illegally enter one of those cars because he's trying all the doors (and therefore has a no legitimate interest in being inside any of them).
--AC
Re:Ignoring it == raising criminals (Score:2, Insightful)
In the majority of cases this is not true.
People who use computers as an appliance, the
majority of Windows users, do not *choose* to
open ports. They don't know the port is open,
what a port is, how to close it, nor are they
presented with the option to NOT run the services
that open the ports at install time.
> there's nothing wrong with my entering your house if you've put a sign in your front yard saying "Open House".
All of the ports marked 'Open House' are already
quite well known. There's no need to scan for the
port for the web server. Anyone port scanning
is NOT looking for an open house sign in my yard,
they're snooping in my back yard looking for a
unsecured entrance to break in.
adjusted analogy - public vs. private (Score:3, Insightful)
In the physical-analogy sense, it would be more akin to closing your restaurant without putting up the "closed" sign. When people walk by and try to open the door, you got no business being offended - they're attempting to take advantage of the public service you appear to be offering.
And if you were really dumb and forgot to lock the door too, you've got no business being upset when they walk in and start wondering where the waiter is.
Re:Very Easy (Score:4, Insightful)
Doesn't seem too hard, but maybe my grandma is smarter than yours.
This kind of security is well worth it. ISPs that take a few basic precautions sit back and laugh as their competitors get ravaged by the worm of the week, while zombied windows boxes spam everyone and get the whole ISP blackholed, etc.
You pay one person to keep up on the script-kiddy tools and you block the ports they tend to use, or program your router to drop certain scanning packets, making it look like the computers you host are immune to the bug. Trivial stuff really.
If you want to get fancy you can try some sort of warning system that gives you an overview of what your users are doing. If you see that 1/3 of your users are loading a webpage at the same company you might be witnessing a DDoS attack, if one address is scanning your IP range you might want to start dropping their packets.
A little bit of forethought makes everything run much smoother, once you start taking precautions you'll find that despite the cost of the employee time you'll save money overall. Not in a way that short-sighted management (the type who don't understand backups and standby servers) will understand though, so you need to be at a clued company or be good at making proposals.
Re:I tried to log in as root.. (Score:3, Insightful)
Tell me this is a troll. Please.
c.