Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
Re:Create a honeypot (Score:2, Interesting)
(I've been told to say, "you're a fascist" so I did)
Corporate Gnome (Score:2, Interesting)
Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vague threats and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely, however.
Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.
Good luck.
Re:Your firewall.... (Score:4, Interesting)
Better advice would be to only allow login connections (eg sshd) from known IP addresses.
Other measures depend on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ level 1 benchmarks on an Internet-connected machine (at the very least run the scoring tool).
My basic template to ISPs (Score:5, Interesting)
Just my (short) experience. A suggestion. (Score:2, Interesting)
Firewall? (Score:3, Interesting)
My advice is to firewall them.
Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )
So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
Re:Create a honeypot (Score:5, Interesting)
Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.
Secure your network & keep it secure - no need to stir 'em up.
Somewhat offtopic, but how do people deal with DOS (Score:5, Interesting)
I've had a person harassing the forums at a website that I host.
I banned by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his ISP) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And that's it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
Re:Corporate Gnome (Score:5, Interesting)
No shit..
I've received some really nasty emails over the years from winners who just installed some firewall on their home machine, and wonder why we're sending packets to them from our port 80 to some high port on their machine. They're all demanding that we stop or they'll sue, blah, blah, blah.
I write a real friendly note back saying "sir, you were visiting a porn site at http://example.com, from which you detected the data coming back to you exactly as you requested. yada, yada, yada"
Once in a while our provider will get a new person in their abuse department, and forward those over. I kindly remind them to go back to their supervisor and ask them exactly what this traffic would mean. Then I write them a friendly letter explaining the basics of the Internet.
They are generally good about sending us only real problems, which are usually about sublet IP blocks. I either pass it on to their sales rep, or call them myself. Most customers I've dealt with are very friendly about it.
We did have a federal agent show up in our office one day, about a hacking attempt from one of our networks (a sublet line). I called the sales rep, got the customer on the line, and they were already aware of it. It was an old unpatched machine that they had taken offline a few days prior because they had already found it was broken into. They were still examining it, and offered to hold onto the drive for the investigator. I really like good customers.
Re:Create a honeypot (Score:3, Interesting)
If they can't get anywhere, they will move on somewhere else...
Re:Yes, there are several good ways. (Score:4, Interesting)
Damn, you must have a lot of time on your hands..
We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines?
And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.
Re:Ignoring it == raising criminals (Score:5, Interesting)
Set up tripwire to detect incoming connections to 139, 1433 and other ports that people shouldn't be attempting to reach.
Any attempts to open got an iptables rule added against their IP.
Every couple of weeks I'd clear it down and let it build up again.
There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.
Re:Snort + Guardian (Score:3, Interesting)
Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for
In the general sense, most likely you won't get a whole lot of cooperation from the ISP (gone are the days of the minions at Erol's). Stay patched, use common sense, and ignore it.
Ignoring it == making the problem worse (Score:4, Interesting)
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
Re:Abuse@ (Score:5, Interesting)
Google's Cache of above page. (Score:4, Interesting)
Re:Two things (Score:2, Interesting)
I agree! (Score:5, Interesting)
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Upstream blocking (Score:2, Interesting)
Patent Pending!
Re:Very Easy (Score:3, Interesting)
So, you convince his ISP to issue a "You're no longer welcome here because you agreed to an AUP that forbids what you were trying to do" to him.
Unfortunately, ISPs are bogged down with requests like these, so probably not much will/can be done realistically.
Re:This is more fun! (Score:4, Interesting)
Re:This is more fun! (Score:4, Interesting)
Re:Two things (Score:3, Interesting)
Your "there's a whole lotta IPs in the world" comment is seriously asinine as well. As I mentioned, it is trivial to spoof portscans, and while there may be a whole lotta IPs in the world, once you have accidentally firewalled off the ones belonging to your DNS or your mail server, you are going to have some serious networking issues. Running out of "kernel memory" (whatever that might be) is the last of his worries.
Automated security response is a tricky business, and if you do not carefully consider all implications, you are going to be worse off than you were, not better.
Don't take my word for it. Set up your PC this way and see how long it takes before someone uses it against you.
Re:I agree! (Score:4, Interesting)
Re:Two things (Score:3, Interesting)
Re:Very Easy (Score:3, Interesting)
Exactly. What I've tended to do is when I see an obvious script kiddie hitting my server over and over (with the same damn script like it'll work the second/third/tenth time) is hack 'em back. I realize this only works if you catch them in the act, else you may hit someone else, but my general preference is to print the following to their printer:
"Hey Cockbite: If you're going to try and hack someone, pick an admin who won't hack back"
All in all it's harmless, but hopefully gives them the hint that they're being stupid. Also I've been known to drop in a bug that lets me know their current IP address so I can print the above message randomly for a month or so. Let them explain to mom and dad WTF is going on! Way better results than ruining their life with the cops.
-nB
Set up a sting. (Score:2, Interesting)
Re:Very Easy (Score:3, Interesting)
I know that I occasionally forget who I'm connecting into and try to login as root out of habit but then realize where I'm at. Using your example, it would be like walking towards a car in the parking lot that looks like yours and trying the handle...but just as you do realizing that it's not your car.
Re:Easy (Score:3, Interesting)
One Saturday afternoon, I went to the office to do something on the computer (PDP 11/70). I was doing some disk work on the computer and didn't want anyone logged on accessing the disk while I did it.
Before starting, I did a "systat" (system status command) and saw someone had dialed in from outside and was logged onto a games account.
So I kicked him off, but he just dialed back in again. Every time I kicked him off, he was back in a minute.
So I modified the login utility so that if you dialed in, it would tell you to call the number in the computer room and then drop the line.
After a few minutes, he called! It sounded like a high school kid.
I told him what I was doing and suggested he wait a while before calling back.
After I finished what I was doing, I started writing a little utility to take a snapshot of the system every six seconds and save the differences. I had a simple version working that evening and made some nice modifications to it the next couple of days.
From then on, if he had ever logged back in, we could have detected just about anything he might do. But he never did log back onto the computer again.
I never did know who the kid was, but my best guess was that it was the son of someone at the office.
Re:Two things (Score:4, Interesting)
Example: A competitor that just happens to rank higher than you automatically drops packets from any IP that tries an invalid login.
You go through your logs and generate a list of all Google's bots and then launch an "attack" against your competitor spoofing those IPs. You just stopped Google from indexing their site. Move on to Yahoo and any other search engine you feel like.
Granted somebody is going to be watching the logs and start to wonder why google hasn't visited in a while, but you get the point.
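The automated-blocking posts above ("Ignoring it == raising criminals" and both "Two things" replies) describe a log-driven block list, its spoofing risk and the need to clear it down periodically. The following is an added example, not code from any poster: it counts failed logins per source in constructed OpenSSH-style log lines, refuses to block an allowlisted range (the resolver/mail segment the reply warns about), and stamps each generated iptables rule with an expiry date. The regex, the 192.0.2.0/24 allowlist and the 14-day TTL are assumptions for the demo.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of OpenSSH-style auth log lines (timestamps assumed UTC).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:04 sshd[813]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:09 sshd[820]: Failed password for root from 198.51.100.9 port 40000 ssh2
2024-05-01T10:01:00 sshd[830]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
2024-05-01T10:02:00 sshd[840]: Failed password for invalid user test from 192.0.2.53 port 33333 ssh2
2024-05-01T10:02:01 sshd[841]: Failed password for invalid user test from 192.0.2.53 port 33334 ssh2
2024-05-01T10:02:02 sshd[842]: Failed password for invalid user test from 192.0.2.53 port 33335 ssh2
"""

FAILED_RE = re.compile(r"^\S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Addresses that must never be blocked, even if failures appear to come from
# them: source addresses can be spoofed, and blocking your own resolver or
# mail relay hurts you more than the attacker (constructed example segment).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

def failed_attempts(log_text):
    """Count failed password logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def is_allowlisted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWLIST)

def block_candidates(counts, threshold=3):
    """Sources with at least `threshold` failures that are not allowlisted."""
    return sorted(a for a, n in counts.items() if n >= threshold and not is_allowlisted(a))

def block_rules(addrs, now, ttl_days=14):
    """Render iptables DROP rules tagged with an expiry date, so a separate
    job can clear the list down rather than letting it grow forever."""
    expires = (now + timedelta(days=ttl_days)).date().isoformat()
    return [f"iptables -I INPUT -s {a} -j DROP  # expires {expires}" for a in addrs]
```

With the sample, only 203.0.113.7 is blocked: 198.51.100.9 is below the threshold and 192.0.2.53 is inside the allowlisted range despite three failures.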
I want a honeypot-on-a-disc (Score:3, Interesting)
Example: You aren't running a telnet server on your box, so normally a connection attempt to port 23 would be dropped. Here you set your honeypot controls to engage a script that you have made (or that came pre-packaged with the software) showing them a fake login prompt that looks like whatever software you wish them to think you are using. Script appropriate responses to possible actions the hacker might try, based on what software they think you have. Let them appear to login with 'admin/admin' or whatever, and show them fake file directories and whatnot. Certain often-targeted files could be spoofed so the cracker can actually 'read' them and not be tipped off. Basically have the software fuck with them for awhile before revealing that "it's all been logged you luser, the Matrix has you, disconnect before things get worse"
You could make a windows box look like anything else to mess with them, if your arsenal of scripts is deep enough. The program could come with a whole whack of pre-defined scripts, and users could create and upload new scripts to a website for others to install in their systems. And when someone installs and runs the program for the first time, they are *forced* to choose a computer name, OS, and other details, so that every out-of-the-box install of this thing doesn't look like every other one out there, making it less easy to detect.
You'd have to make the main code smart enough to not bother if the intrusion appears to be a worm, otherwise such a machine would likely get pretty bogged down. I don't know how to do any of this, I would just like to have the software.
Please? Somebody?
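The fake-login-prompt idea in the post above, narrowed to its core: an added example (not the poster's software, which does not exist on the page) of a low-interaction honeypot that presents a constructed banner, records every username/password pair with the peer address, never grants access, and closes after a few tries. The protocol state lives in FakeLogin so it can be exercised without a socket; serve() wires it to port 2323, an assumed unprivileged port for the demo.

```python
import socketserver
from datetime import datetime, timezone

BANNER = "Debian GNU/Linux 3.0 ttyp0\r\n"  # constructed; choose per install
MAX_TRIES = 3

class FakeLogin:
    """Protocol state for one peer: feed each received line, get the reply."""
    def __init__(self, peer):
        self.peer = peer
        self.user = None      # username received, waiting for password
        self.tries = 0
        self.events = []      # (utc timestamp, peer, username, password)
        self.done = False

    def start(self):
        return BANNER + "login: "

    def feed(self, line):
        line = line.rstrip("\r\n")
        if self.user is None:
            self.user = line
            return "Password: "
        stamp = datetime.now(timezone.utc).isoformat()
        self.events.append((stamp, self.peer, self.user, line))
        self.user = None
        self.tries += 1
        if self.tries >= MAX_TRIES:
            self.done = True
            return "\r\nLogin incorrect\r\nToo many failures; attempts logged.\r\n"
        return "\r\nLogin incorrect\r\nlogin: "

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FakeLogin(self.client_address[0])
        self.wfile.write(session.start().encode())
        while not session.done:
            line = self.rfile.readline()
            if not line:            # peer hung up
                break
            self.wfile.write(session.feed(line.decode(errors="replace")).encode())
        for ev in session.events:
            print("attempt", *ev)   # in practice append to a log file instead

def serve(host="0.0.0.0", port=2323):   # 2323: assumed unprivileged demo port
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

The worm-filtering the post asks for would sit in Handler (e.g. drop peers that never send a newline), which this example leaves out.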
Re:Very Easy (Score:3, Interesting)
No, he is not. I agree that he should be informed that it's not cool, but he doesn't need to have a boot up his arse or to be called guilty of anything. Frankly, kids are curious. I've tried door handles before, it had nothing to do with me being up to no good. I was just curious if people really locked their cars.
Re:Very Easy (Score:5, Interesting)
No. Trying a door handle does not imply mal-intent. It's the response when a door handle actually works that matters. I'll give you an anecdote. I was arriving at a semi-nice restaurant in a somewhat out of the way area of an otherwise nice town. Parking was scarce, so I had to park on a tiny unlit side-street. Walking toward the restaurant from my car, I saw another car on the street with its dome light on. It was obvious from a reasonable distance that there was no one in the car, but there was a pocketbook left on the front seat. Being a good Samaritan, I said "that won't do -- the pocketbook will get stolen, and the dome light will drain the battery". So I tried the door handle. To my surprise, it opened. I quickly turned the dome light off, closed the door again, and walked away. Turns out this was a sting. There had been a bunch of thefts from cars in the area recently, and this being a good town, the cops had enough time to set up a honeypot to try to catch the perp. They were quite chagrined to find someone go for the bait for an entirely altruistic reason -- to prevent a stranger from becoming the dual victim of a theft and a dead battery. Maybe I took a risk by trying that door handle and attempting to do some good. But how would you know if you deign to put a boot up my arse the instant I touch the door handle?
Perhaps the analogy doesn't port over all that well to scans of TCP ports, but it wasn't I who began that analogy; I'm just answering it.