Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
Easy (Score:5, Insightful)
Unless they use a lot of bandwidth, that is the right decision to make.
Very Easy (Score:5, Insightful)
ignore it. forget it. script kiddiz...
Re:Very Easy (Score:5, Insightful)
Yup, just make sure your box is secure.
Intrusion attempts happen unfortunately, with all the viruses, worms, etc. Just make sure your box won't get caught.
Can you all be more passive-aggressive, please? (Score:4, Insightful)
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
Re:Very Easy (Score:5, Insightful)
Nothing encourages a script kiddy more than the feeling of invulnerability which you get from someone admitting that he knows what you're doing but can't do anything about it because you've not broken a law.
Re:Very Easy (Score:5, Insightful)
Sorry, he needs a boot up the arse.
He doesn't need to be sent to jail, he DOES need to be reminded that we'd rather he stopped being a fuckwit.
Re:Very Easy (Score:4, Insightful)
Agreed. But what he doesn't need is a legal "boot up the arse" that will haunt him for the rest of his life. The trick is giving him the former without the latter.
Re:Very Easy (Score:5, Insightful)
To run with the analogy, if a cop sees a kid going down a row of cars testing door handles, he won't just run out and arrest him. The cop will wait until the kid comes across an unlocked door, rummages through the car, and takes something. Then the cop will arrest him. The cop waits because until the kid takes something, it's not a clear cut case. Sure, the kid is doing wrong, but the cop doesn't have enough ammo to really get him. Some people might take a "no harm, no foul" attitude.
If I was 12 and got caught doing something dumb like trying to log in as root like that, I'd just counter with the defense that I got the IP address wrong. "Oh, that was your server? My buddies must have been playing a joke on me...he said that was his machine." I'd most likely get off, and walk away with a feeling that I was untouchable on the net. Wait until you actually have something to scare them with, then nail 'em.
Re:Very Easy (Score:5, Insightful)
I grew up in conservative Oklahoma. As a teenage kid, I was walking across a large parking lot with my friend and his girlfriend to a movie theater. My friend had long hair, so that probably tipped us off as obvious hoodlums, justifying some person calling the police to report "suspicious activity" of some kids messing with cars.
Maybe if we had been doing anything more than walking it would have been a good lesson. As it was, it just taught me the world definitely has scared, intolerant jackasses.
Before advocating low tolerance and hair-trigger fingers, consider the society you're creating for everyone, not just the criminals and would-be criminals.
Re:Very Easy (Score:5, Interesting)
No. Trying a door handle does not imply mal-intent. It's the response when a door handle actually works that matters. I'll give you an anecdote. I was arriving at a semi-nice restaurant in a somewhat out of the way area of an otherwise nice town. Parking was scarce, so I had to park on a tiny unlit side-street. Walking toward the restaurant from my car, I saw another car on the street with its dome light on. It was obvious from a reasonable distance that there was no one in the car, but there was a pocketbook left on the front seat. Being a good samaritan, I said "that won't do -- the pocketbook will get stolen, and the dome light will drain the battery". So I tried the door handle. To my surprise, it opened. I quickly turned the dome light off, closed the door again, and walked away. Turns out this was a sting. There had been a bunch of thefts from cars in the area recently, and this being a good town, the cops had enough time to set up a honeypot to try to catch the perp. They were quite chagrined to find someone go for the bait for an entirely altruistic reason -- to prevent a stranger from becoming the dual victim of a theft and a dead battery. Maybe I took a risk by trying that door handle and attempting to do some good. But how would you know if you deign to put a boot up my arse the instant I touch the doorhandle?
Perhaps the analogy doesn't port over all that well to scans of TCP ports, but it wasn't I who began that analogy; I'm just answering it.
Re:Very Easy (Score:5, Insightful)
ISPs don't really roll this information back very often, because it just takes them too long, and there's too many.
It'd be nice if more ISPs were more responsible with this, though. Something like vlan'd users get port scanned/vuln. scanned upon connection, and once passed, they're allowed onto the big bad net. Of course then everyone on /. would complain of privacy concerns...
Re:Very Easy (Score:4, Insightful)
Do you have any idea the cost involved in setting up the system you have described in equipment, admin time, programmer time, etc...?
Who's responsible for fixing the vulnerabilities once found? Who's responsible if the vuln check actually harms the users computer or data? How do you prove it?
The ISPs are not some large benevolent entity. They're in it to make a profit. Sorry, yes, they like money. Numerous phone calls to tech support deal with questions that start, "It used to work when I had AOL." Yeah we all know AOL sucks, but apparently they make money. Customers don't want to hear, "this isn't AOL, this is a real internet provider"; they want to surf their p0rn and chatrooms. If fixing a customer will lose the customer, they're not going to do it. It's bad business sense.
Guess who gets the cost of fixing these customers, you do as the consumer.
Now balance it. The ISP deals with a handful of customers (out of their total subscriber base), or increases costs to all... You try to explain to grandma why her internet bill increased by 10%.
Re:Very Easy (Score:4, Insightful)
Doesn't seem too hard, but maybe my grandma is smarter than yours.
This kind of security is well worth it. ISPs that take a few basic precautions sit back and laugh as their competitors get ravaged by the worm of the week, while zombied windows boxes spam everyone and get the whole ISP blackholed, etc.
You pay one person to keep up on the script-kiddy tools and you block the ports they tend to use, or program your router to drop certain scanning packets, making it look like the computers you host are immune to the bug. Trivial stuff really.
If you want to get fancy you can try some sort of warning system that gives you an overview of what your users are doing. If you see that 1/3 of your users are loading a webpage at the same company you might be witnessing a DDoS attack, if one address is scanning your IP range you might want to start dropping their packets.
A little bit of forethought makes everything run much smoother, once you start taking precautions you'll find that despite the cost of the employee time you'll save money overall. Not in a way that short-sighted management (the type who don't understand backups and standby servers) will understand though, so you need to be at a clued company or be good at making proposals.
I agree! (Score:5, Interesting)
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Re:Easy (Score:5, Insightful)
These things are far too common to get worked up about, and they still consume an infinitesimal fraction of my link capacity. I long ago stopped caring about unsuccessful intrusion attempts. I only care about the successful ones, and to help prevent those I apply all the usual safeguards.
Re:This is more fun! (Score:5, Informative)
The problem with these two (most common) scenarios is that the person who owns the computer isn't the real perpetrator, and the ability to track the perp down requires much more work than a simple whois lookup of the offending IP.
Most attacks you see are going to be automated and launched on a wide scale. There are thousands and thousands of compromised Windows machines out on the net that are being used by people such as spammers and crackers for their dirty work.
Lock your box down.
Don't allow root to log in on SSH.
Lock SSH and other sensitive services down to specific IP address blocks if you can. If you can't, investigate port knocking [portknocking.org] if you can do that. If you can't even go that far, investigate implementing a lockout policy for failed login attempts.
Unless you see a single host being the source of a large pile of offensive behavior, chances are these are machines in a zombie horde. If it is limited to a single IP or a few IPs in a single C class, contact the ISP's abuse department *politely* (remember these are folks like you in jobs like yours; if you go in with guns blazing, they're less likely to help) and provide as much information as you can regarding the nature of the attack. Then firewall off the offending IPs.
I used to aggressively track intrusion attempts and spam. I had a little PHP/MySQL tool I wrote where I could log these things, dumping in offending logs (or spam source), and it'd extract the culprit IP address, and once a day go through, looking up abuse addresses on whois and mailing a digest of the day's activities for that ISP to them.
Ultimately I probably got about a 1% response rate from the ISPs (excluding auto-responses). After ~6 months of this, and about 40,000 records in my database, I started some statistical analysis. It turns out that there were no significant outliers for abusive activity from any given ISP (considering the size of that ISP's net blocks). Basically every intrusion attempt was some kind of zombie. There were probably a few by-hand attempts, but these are typically so low profile that there's no easy way to distinguish them from the hordes.
Some time later I was the recipient of a DDoS attack. Someone's zombie horde decided to repeatedly visit a page on my website that turns out to be a bit resource intensive to generate (my code is open source, so whoever devised this probably knew that). Every day, ~25,000 IPs each requested the same page every 4 minutes (+/- a few seconds I suppose for network latency). 375,000 hits an hour = 9,000,000 bogus hits a day. Day to day this number fluctuated, and the ISPs involved in the attack kept changing. It was obvious to me that whoever was driving the attack wasn't exposing the entire zombie horde to me at any given point because of how the ISPs involved kept shifting around. I figured he probably had a script set up to launch X number of zombies every day, and they probably had commands to execute for ~24 hours. The number was always pretty close to 25,000, never over, but usually more than 24,500.
Ultimately the attack lasted about a month. I figured out a simple way to distinguish the zombie computers from legitimate users based on an error in the request headers, and I could just exit() at the top of my site for those who exhibited this error. I also logged the attempts I blocked, and was left with over 900,000 distinct IP addresses once the attack finally stopped.
My point in all of that is that there *are* zombie hordes out there, and it's the zombie hordes that are most likely to compromise you. There's little you can do about it because getting a single IP from a horde firewalled off or cleaned up won't slow down your real attacker who was going to use a different zombie the next day anyhow.
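The post above draws the line at "a single host being the source of a large pile" of attempts versus scattered zombies. The following is an added example, not code from the post or the poster's PHP/MySQL tool, that makes that call from an auth log. The log lines are constructed to imitate OpenSSH's syslog output; the hostname, the addresses, the year (syslog lines carry none) and the threshold of three attempts are all assumptions.

```python
"""Triage failed SSH logins: one noisy host (worth a polite abuse report)
versus scattered single attempts (zombie noise, just firewall and move on).

Added example; not from the thread. Sample log and thresholds are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed sample in OpenSSH syslog style: three attempts from one host,
# two scattered hits from one /24, one lone hit, and one legitimate login.
SAMPLE_LOG = """\
Jun  3 02:14:07 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  3 02:14:09 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  3 02:14:12 web1 sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun  3 02:20:41 web1 sshd[4131]: Failed password for root from 198.51.100.12 port 4022 ssh2
Jun  3 02:31:15 web1 sshd[4140]: Failed password for root from 198.51.100.77 port 4022 ssh2
Jun  3 03:02:58 web1 sshd[4150]: Failed password for root from 192.0.2.9 port 40222 ssh2
Jun  3 03:05:11 web1 sshd[4151]: Accepted publickey for deploy from 192.0.2.50 port 4100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text, year=2004, tz=timezone.utc):
    """Yield (timestamp, user, ip) for every failed-password line.

    syslog gives neither year nor zone, so both are supplied here and the
    resulting timestamps are zone-aware: an abuse desk cannot match a log to a
    customer session without knowing the zone.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts.replace(tzinfo=tz), m["user"], m["ip"]


def triage(events, single_host_threshold=3):
    """Split sources into 'report' (>= threshold attempts from one IP) and
    'noise', plus a /24 grouping so a cluster of neighbours is visible too."""
    per_ip = Counter(ip for _, _, ip in events)
    per_block = defaultdict(set)
    for ip in per_ip:
        per_block[str(ip_network(f"{ip}/24", strict=False))].add(ip)
    report = {ip: n for ip, n in per_ip.items() if n >= single_host_threshold}
    noise = {ip: n for ip, n in per_ip.items() if n < single_host_threshold}
    return report, noise, dict(per_block)


def attempt_window(events, ip):
    """First and last attempt from `ip` as ISO-8601 with explicit offset."""
    stamps = sorted(ts for ts, _, src in events if src == ip)
    return stamps[0].isoformat(), stamps[-1].isoformat()


if __name__ == "__main__":
    evts = list(parse_failed_logins(SAMPLE_LOG))
    report, noise, blocks = triage(evts)
    for ip, n in report.items():
        print(f"REPORT {ip}: {n} attempts between {attempt_window(evts, ip)}")
    print(f"noise: {noise}")
    print(f"per /24: {blocks}")
```

Anything in `report` is worth a polite note to the netblock's abuse contact with the timestamps and zone; the rest is the zombie background the thread describes.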
Re:Ignoring it == raising criminals (Score:5, Interesting)
Set up tripwire to detect incoming connections to 139, 1433 and other ports that people shouldn't be attempting to reach.
Any attempts to open got a IPTABLES rule added against their IP
Every couple of weeks I'd clear it down and let it build up again
There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.
Re:Two things (Score:3, Insightful)
And if it's IP based, there's a whole lotta IP addresses in the world... methinks he'll run out of kernel memory long before he's finished blocking them all.
Re:Two things (Score:4, Interesting)
Example: A competitor that just happens to rank higher than you automatically drops packets from any IP that tries an invalid login.
You go through your logs and generate a list of all google's bots and then launch an "attack" against your competitor spoofing those IPs. You just stopped google from indexing their site. Move on to Yahoo and any other search engine you feel like.
Granted somebody is going to be watching the logs and start to wonder why google hasn't visited in a while, but you get the point.
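The two objections in the replies above (an unbounded per-IP rule table eats memory, and reflexive blocking lets someone else decide who you cut off) are both design constraints, not reasons to skip the idea. Here is an added example, not from any post in the thread, of a decision-only auto-blocker that caps its table, expires entries, and never blocks an allowlisted range. Pushing the decisions into iptables is left to the caller; the thresholds and the allowlisted networks are assumptions, and the second objection is strongest when the trigger event can be spoofed, so only count events that required a completed TCP session (a failed login, not a bare SYN).

```python
"""Bounded, self-expiring auto-blocklist (added example, not from the thread).

Decides whether a source should be dropped; applying that to a firewall is the
caller's job. Thresholds, TTL, cap and allowlist below are illustrative.
"""
from collections import OrderedDict
from ipaddress import ip_address, ip_network


class AutoBlocker:
    def __init__(self, threshold=5, window=600, ttl=3600, max_entries=1000, allow=()):
        self.threshold = threshold      # failures within `window` seconds to block
        self.window = window
        self.ttl = ttl                  # seconds a block lives before it expires
        self.max_entries = max_entries  # hard cap on the block table
        # Ranges never blocked: assumed example, e.g. your office range and any
        # crawler range you looked up yourself. Not real crawler addresses.
        self.allow = [ip_network(n) for n in allow]
        self.failures = {}              # ip -> timestamps of recent failures
        self.blocked = OrderedDict()    # ip -> expiry time, oldest first

    def _allowed(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow)

    def record_failure(self, ip, now):
        """Register one failed login at `now` (seconds). True if ip is now blocked."""
        self.expire(now)
        if self._allowed(ip):
            return False
        if ip in self.blocked:
            return True
        hits = [t for t in self.failures.get(ip, []) if now - t <= self.window]
        hits.append(now)
        self.failures[ip] = hits
        if len(hits) < self.threshold:
            return False
        self._block(ip, now)
        return True

    def _block(self, ip, now):
        del self.failures[ip]
        self.blocked[ip] = now + self.ttl
        # Evict the oldest block rather than grow without bound.
        while len(self.blocked) > self.max_entries:
            self.blocked.popitem(last=False)

    def expire(self, now):
        """Drop blocks past their TTL and failure history older than the window."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
        stale = [ip for ip, ts in self.failures.items()
                 if all(now - t > self.window for t in ts)]
        for ip in stale:
            del self.failures[ip]

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked


if __name__ == "__main__":
    b = AutoBlocker(threshold=3, window=60, ttl=300, allow=["192.0.2.0/24"])
    for t in (0, 10, 20):
        print("203.0.113.7 blocked:", b.record_failure("203.0.113.7", t))
    print("allowlisted source blocked:", b.record_failure("192.0.2.5", 30))
    print("still blocked after TTL:", b.is_blocked("203.0.113.7", 400))
```

The cap means a flood of spoofed or rotating sources can only churn the table, not exhaust the host, and the TTL means a mistaken block (the poster above who used to wipe the rules every couple of weeks) heals on its own.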
Re:Ignoring it == raising criminals (Score:5, Insightful)
I fail to see how scanning ports is akin to robbery. Actually a port scan by itself is a completely legitimate activity as it simply is querying what services are available.
Personally I am the view point that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet.
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
I mean some of you guys sound like the ignorant dude that setup an RSS feed and then got pissed when a service used it as intended. The difference with him is that he learned the error of his ways.
I also fail to see how someone using the word "syber" can run any server safely.
Re:Ignoring it == raising criminals (Score:5, Insightful)
Incidentally, this is similar to what happened to me yesterday. After hearing the noise coming from the other end of the apartment, I went to check it out and found a stranger in my bathroom. She followed some woman's directions and came to my bathroom, thinking it's a public bathroom, simply because I didn't lock my front door. I was polite, but I showed her the way out. I certainly couldn't just ignore her and let her be, could I?
Re:Ignoring it == raising criminals (Score:5, Insightful)
True, port scanning in and of itself is not comparable to robbery. Rather, it is like casing the joint: trying the doors to see if they're locked; testing the windows (ahem) for a good seal; checking all the security cameras to see where they're pointed, or if they're turned on at all.
A business owner who saw someone doing that type of thing at their bricks and mortar presence might be a little suspicious. Sure, the 'port scanner' isn't doing anything illegal at the moment, but there are few applications for the information gathered that are legitimate. Most businesses (on- and offline) don't have much use or sympathy for freelance 'security consultants' providing convenient and unsolicited 'security audits' for them.
The individuals attempting to login as root are admittedly being decidedly unsubtle, and are probably relatively harmless due to their lack of skill. On the other hand, if there was a mentally deficient individual wandering the neighbourhood trying to pull open front doors on random homes...wouldn't you want someone to at least keep an eye on him, even if you did keep your own door locked?
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
What conclusions, pray, should be drawn from multiple attempts to gain root access to someone else's boxen? The original poster also specifically asked for an appropriate message to send that didn't sound like a corporate cease & desist--he just wants a 'kid, stop rattling my doorknob' message, to make the point that the 'investigator' has crossed from your 'public' internet on to a decidedly 'private' server.
port scan != casing the joint (Score:5, Insightful)
That would be indicative of someone trying to find a way in.
Re:port scan != casing the joint (Score:5, Insightful)
If you find a machine with port 139 (or whatever the netbios port on it) open, and they've got their C drive shared, don't touch--it wasn't meant for you.
If you find a machine with port 80 open, then you're not doing any harm to pull http://xxx.xxx.xxx.xxx/index.html and see what lives there.
Common sense and common courtesy are really all it takes: if it looks like someone meant to make something accessible, then use it. If someone takes any steps to secure something (even if they're ineffective) or wouldn't be offering it if they knew what they were doing (like the shared C drive), stay away.
Ignoring it == making the problem worse (Score:4, Interesting)
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
Abuse@ (Score:5, Informative)
http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org
don't forget logfiles & date/time (Score:3, Informative)
You'd be better off configuring your security better though.
Re:Abuse@ (Score:4, Funny)
Northern Ireland, Gibraltar, Hong Kong (not any more), Palestine (not any more), Australia (not any more), Canada (not any more), India (not any more), Malaysia (not any more), Yemen (not any more), Rhodesia (not any more), US (not any more)
Damn. We're getting smaller. When did that happen?
Re:Create a honeypot (Score:5, Interesting)
Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.
Secure your network & keep it secure - no need to stir 'em up.
Re:Create a honeypot (Score:3, Interesting)
If they can't get anywhere, they will move on somewhere else...
Re:I tried to log in as root.. (Score:5, Insightful)
Unwise.
and sometimes I'd try to log in without thinking just after starting a telnet session.
Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
Re:I tried to log in as root.. (Score:3, Insightful)
]] starting a telnet session.
] Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
So how did you remotely administer Unix boxes prior to ssh?
c.
Re:I tried to log in as root.. (Score:5, Funny)
Arabic isn't a race. Arabs, technically, are caucasians. They're just curly haired, tanned white people. Not entirely unlike Italians.
LK
Re:Snort + Guardian (Score:3, Interesting)
Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for
In the general se
Well... (Score:5, Informative)
So far, all of these "cease and desist" letters has resulted in action on the ISPs part, and in 50% of the cases, their admins write me back and give me feedback on the problem.
Ofcourse, I don't do this for every attempt (all depending on my mood
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actually managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped
Re:Well... (Score:4, Informative)
Many times the ISP has responded and usually their customer has a zombie box.
Always include a log if possible so they know the time and the IP-address. Remember to tell them what timezone the timestamps are from.
WHOIS links
http://ws.arin.net/cgi-bin/whois.pl
http:
http://www.apn
In my experience (Score:4, Informative)
I had confidence in my setup, and no server I had control over was, to my knowledge, ever compromised.
We never had any sensitive data outside the firewall, anyway.
On two occasions it got serious (if an easily beaten DOS attack can be called serious) and even then it was only for 20 minutes or so. Our ISP (being a large telecom) was champing at the bit to go after people we had even a small scrap of evidence against, so on those two occasions we simply handed what information we'd gleaned to them, and they let out the dogs.
At some stage, you've got to stop worrying and learn how to love the internet!
Yes, there are several good ways. (Score:5, Informative)
I tend to report viruses. I grep my logs daily for viruses from various Norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in Norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.
I tend to send emails such as this.
"
Hi there.
I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.
Here are the relevant snippets from my logs:
Virus: Netsky.B
Received: from at
Virus: Bagle.C
Received: from at
All timestamps on the server are NTP-sync'ed against
Thanks for your time
"
Recently I've also included a more personalized
"Oh, and I have to commend your ISP's efficiency, as since March - you've managed to reduce the number of virus sending users to us from about per day, to this
You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for
If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computer has been abused by others to scan people -- and will probably quit doing it.
Re:Yes, there are several good ways. (Score:4, Interesting)
Damn, you must have a lot of time on your hands..
We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines?
And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.
Re:Yes, there are several good ways. (Score:3, Informative)
Nah. We only get around 50 viruses per day, and I've made a list of the responsive ISPs. I tend to email the responsive ISP's one email per day, containing nothing but the relevant headers.
The ISPs just receives an email with the name of the virus, and the Received: from header(s) they need to track down the person with that virus.
Most is automatically generated by my scripts. I just paste it into my mail client and send it off with a few nice words on
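The report template a few posts up and the follow-up describing the daily per-ISP mails built by script are the same procedure; here is an added example of that generator, not the poster's own script. The log format is constructed, and the netblock-to-abuse-address table stands in for the whois lookups the posts describe (its entries are invented, as is the NTP placeholder; replace them with what whois returns for the ranges you actually see).

```python
"""Per-ISP virus report generator (added example; not from the thread).

Groups virus-scanner log lines by the abuse contact responsible for the
sending IP and renders one mail per contact containing only the evidence
they need: virus name, the Received: header with the IP, and timestamps
with an explicit zone.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Invented mapping; in practice filled from whois for the responsive ISPs.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}

# Constructed scanner log: four detections, one from a range we have no
# contact for.
SAMPLE_LOG = """\
2004-06-03 08:12:41 UTC Virus: Netsky.B Received: from pc17.isp-a.example (pc17.isp-a.example [203.0.113.17]) by mx.example.net
2004-06-03 09:03:15 UTC Virus: Bagle.C Received: from unknown ([203.0.113.88]) by mx.example.net
2004-06-03 09:45:02 UTC Virus: Netsky.B Received: from dsl-4.isp-b.example (dsl-4.isp-b.example [198.51.100.4]) by mx.example.net
2004-06-03 10:10:10 UTC Virus: Bagle.C Received: from unknown ([192.0.2.200]) by mx.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ UTC) Virus: (?P<virus>\S+) "
    r"(?P<received>Received: from .*?\[(?P<ip>[\d.]+)\].*)$"
)


def abuse_contact(ip):
    """Return the abuse address whose netblock contains `ip`, or None."""
    addr = ip_address(ip)
    for block, contact in ABUSE_CONTACTS.items():
        if addr in ip_network(block):
            return contact
    return None


def group_reports(text):
    """Map abuse contact -> [(timestamp, virus, Received: line)], plus the
    detections whose source has no known contact (left for manual whois)."""
    by_contact = defaultdict(list)
    unresolved = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = (m["ts"], m["virus"], m["received"])
        contact = abuse_contact(m["ip"])
        if contact is None:
            unresolved.append(entry)
        else:
            by_contact[contact].append(entry)
    return dict(by_contact), unresolved


def render_report(contact, entries, ntp_source="<your NTP server>"):
    """Render the mail body in the style of the template above."""
    body = [f"To: {contact}", "", "Hi there.", "",
            f"I've received {len(entries)} virus-infected mails from your customers today, "
            "and would appreciate it if you could notify them about the infections "
            "they probably have.", "", "Here are the relevant snippets from my logs:", ""]
    for ts, virus, received in entries:
        body += [f"Virus: {virus}", f"{ts}  {received}", ""]
    body += [f"All timestamps are UTC; the server is NTP-synced against {ntp_source}.",
             "", "Thanks for your time"]
    return "\n".join(body)


if __name__ == "__main__":
    groups, unresolved = group_reports(SAMPLE_LOG)
    for contact, entries in groups.items():
        print(render_report(contact, entries))
        print("-" * 40)
    print("no contact known for:", unresolved)
```

Keeping the whole Received: line rather than just the IP matters: as the later reply notes, headers are often faked, and the full line lets the ISP check the chain themselves instead of taking your word for it.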
More good advice ... (Score:3, Informative)
This is really good advice, but you can do more. :-)
Most ISPs really appreciate the complete header of the mail, and sometimes even the body in case of spam. First of all it adds to the authenticity, and second they'll be able to forward your complaint to the responsible ISPs if you had too much beer while reading a spoofed header (more so for spam than virus mails). Some ISPs are quite helpful in this regard.
To aid in identifying the correct abuse addresses I can recommend the hinfo utility as a compleme
Why not seem like a cease and desist gnome? (Score:3, Insightful)
They're out to do you harm. If one of them gets through and does some damage, you could lose your job.
I had someone trying to brute force ssh.. (Score:5, Insightful)
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
Maybe related to this? (Score:3, Informative)
threads on the full disclosure mailing list archives [netsys.com] and dslreports forums [dslreports.com] about that
wonder if this is what the topic poster was encountering?
Firewall? (Score:3, Interesting)
My advice is to firewall them.
Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )
So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
Re:Firewall? (Score:5, Informative)
I don't subscribe to it. I look at it like this:
To drive a car, you need a licence. You have to follow rules. You drive on the correct side of the road. You don't drink and drive. You obey the speed limit. And why do we have to follow the rules? It's because there are other people who also want to use the road, and therefore all drivers have a responsibility to ensure that the safety of others is protected.
Sounds like common sense, right? Well the same should apply to placing computers on the internet. If you want to have viruses and backdoors and worms etc running on your home PC, then fine. Whatever. But if you put your home PC on the internet and take absolutely no fucking responsibility for what you are doing then you are waiving all rights you have over the safety of your computer. If your computer now pisses me off, I'll 'smbdie' it off the internet. If you're fine with all the rest of the shit that's infecting your PC, then you don't really have any right to complain about me rebooting it once every 5 minutes. And yes I'm doing everyone a service. Firstly, the computer is on the internet for less time than it otherwise would have been, so there's less chance of others being infected. Also, the idiot who owns the computer will be far more likely to do a complete re-install, or at least get a god-damned virus checker and get Windows up-to-date.
Do you know how many people come bitching and complaining to me about their PC being rooted, and when I boot it up find that they're running Windows 2000 SP1 and NO virus protection at all? It's not good enough. And the only ways to get them to take responsibility for their computer are:
a) Legislate. No-one wants legislation covering their computer. It will screw things up for the responsible among us and have no effect on the rest.
b) Make it so uncomfortable to run an unprotected computer that they get the hint and protect it.
Having said all this, I know most people will still disagree with me. That's fine. Be angels. Just keep your damned computer secure and you've got nothing to worry about.
Hack them back! (Score:5, Funny)
At the very least it's more fun than writing an e-mail!
normal for this time of year (Score:5, Funny)
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their ISP and/or authorities; this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you. The ssh root attempt, for example, is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here are some good places to start:
packetstorm security [packetstormsecurity.org]
Security Focus [securityfocus.com]
Somewhat offtopic, but how do people deal with DOS (Score:5, Interesting)
I've had a person harassing the forums at a website that I host.
I banned by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his isp) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And that's it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
Re:Somewhat offtopic, but how do people deal with (Score:5, Informative)
Re:Somewhat offtopic, but how do people deal with (Score:3, Funny)
Ack! Now even slashdot is promoting offshoring!!! Ugh...
Re:Somewhat offtopic, but how do people deal with (Score:3, Funny)
Complaining may have a boomerang effect (Score:5, Insightful)
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and a university where he apparently illegally had plugged in a computer on the network, and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldom in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file messages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I cannot believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Tactical nuke (Score:3, Funny)
Remote logins? Are you insane? (Score:5, Informative)
So you've got a machine sitting on the internet, home to a million and one active worms, and are surprised that it gets scanned constantly?
Don't bother with the abuse reports -- more than likely it's just worm activity from computers whose clueless owners don't realize have been infected. A more recent one attempts SSH logins, which may be what you're seeing.
If it was a _real_ crack attempt then you:
1: Wouldn't know about it.
2: Would be unable to pin it down. It would be bounced through several victim networks, so your ability to see where it's "coming from" is really just the last victim machine in the chain.
Third possibility is script kiddies, in which case you would know about it and where they were coming from, but they would have no chance of success unless you are unwilling to keep up on patches and follow basic security practices like decent passwords.
Best would be to close off remote-login ports altogether. If you need remote login then block for all but the address range you'd be coming from. If you need remote access from random locations, then at least consider using a heavily locked down system (e.g.: OpenBSD) or work _really hard_ to get your systems firewall/logging/etc. set up well.
One OpenBSD/pf feature you might be interested in (also available from other systems) is the ability to tie Snort into the pf ruleset so that remote scanners, once detected, are ignored.
Easy, really (Score:5, Funny)
The online cartoons - once again - show us how the world works. Here you can find the difference between Hollywoods form of dealing with intruders, and The Real Worlds:
Bigger Than Cheese [biggercheese.com]
Document Everything (Score:5, Informative)
1) Make notes about what you've found
2) Report the abuse as per the WHOIS info for the offenders
3) Block their IPs at your border
If you're using a firewall, great. If not--get one.
If you haven't read Frisch's "Essential System Administration" read it:
http://www.oreilly.com/catalog/esa3/index.html
If you haven't read Stephen Northcutt's "Network Intrusion Detection" you should probably give it a good read as well:
http://www.amazon.com/exec/obidos/tg/detail/-/073
There are some good articles all over the web regarding Linux security. A few google searches will help uncover them.
Patch. It's not just for Windows.
Limit services with ACLs and host restriction.
Harden your system by partitioning read/write slices away from static mountpoints where your binaries are by mounting the read only ones as read only.
chattr +i on your binaries--makes it tougher for skript kiddies.
Talk to other admins--every day is a school day.
AND
Face the fact that you're not as smart as the crackers so you just have to create layers of security that keep you from being an easy target.
Post IPs! (Score:4, Informative)
Aug 12 05:08:28 pokey sshd[7534]: Illegal user test from
Aug 12 05:08:31 pokey sshd[7534]: Failed password for illegal user test from
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from
Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from
Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from
Aug 12 10:51:54 pokey sshd[7621]: Illegal user admin from
Aug 12 10:51:57 pokey sshd[7621]: Failed password for illegal user admin from
Aug 12 10:52:01 pokey sshd[7623]: Illegal user user from
Aug 12 10:52:03 pokey sshd[7623]: Failed password for illegal user user from
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from
Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from
Aug 12 10:52:27 pokey sshd[7631]: Illegal user test from
Aug 12 10:52:29 pokey sshd[7631]: Failed password for illegal user test from
Aug 12 11:01:41 pokey sshd[7659]: Illegal user test from
Aug 12 11:01:44 pokey sshd[7659]: Failed password for illegal user test from
Aug 12 11:01:48 pokey sshd[7661]: Illegal user guest from
Aug 12 11:01:50 pokey sshd[7661]: Failed password for illegal user guest from
Aug 12 11:01:54 pokey sshd[7663]: Illegal user admin from
Aug 12 11:01:57 pokey sshd[7663]: Failed password for illegal user admin from
Aug 12 11:02:01 pokey sshd[7665]: Illegal user admin from
Aug 12 11:02:03 pokey sshd[7665]: Failed password for illegal user admin from
Aug 12 11:02:07 pokey sshd[7667]: Illegal user user from
Aug 12 11:02:10 pokey sshd[7667]: Failed password for illegal user user from
Aug 12 11:02:16 pokey sshd[7669]: Failed password for root from
Aug 12 11:02:22 pokey sshd[7671]: Failed password for root from
Aug 12 11:02:29 pokey sshd[7673]: Failed password for root from
Aug 12 11:02:33 pokey sshd[7675]: Illegal user test from
Aug 12 11:02:35 pokey sshd[7675]: Failed password for illegal user test from
Aug 12 12:23:19 pokey sshd[7703]: Illegal user test from
Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from
Aug 12 12:23:26 pokey sshd[7705]: Illegal user guest from
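The log excerpt above is the pattern several posters describe: one source walking through test, guest, admin, user and root within a minute or two. An added example (not code from any poster in this thread) that parses that sshd syslog format, groups the failures per source address and separates the one source doing this "aggressively" from one-off noise, so only that source is worth a report or a firewall rule. The sample lines and addresses below are constructed (RFC 5737 documentation ranges); the `known_ranges` argument is an assumption that models the "only allow logins from the addresses you come from" advice given elsewhere in the thread.

```python
"""Classify sshd authentication failures per source address (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the same format as the excerpt above; the addresses
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from 192.0.2.45
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from 192.0.2.45 port 51122 ssh2
Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from 192.0.2.45
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from 192.0.2.45 port 51130 ssh2
Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from 192.0.2.45
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from 192.0.2.45 port 51140 ssh2
Aug 12 10:52:01 pokey sshd[7623]: Illegal user user from 192.0.2.45
Aug 12 10:52:03 pokey sshd[7623]: Failed password for illegal user user from 192.0.2.45 port 51150 ssh2
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from 192.0.2.45 port 51160 ssh2
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from 192.0.2.45 port 51170 ssh2
Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from 192.0.2.45 port 51180 ssh2
Aug 12 11:30:02 pokey sshd[7701]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Aug 12 11:30:09 pokey sshd[7703]: Accepted publickey for alice from 203.0.113.7 port 40012 ssh2
Aug 12 13:05:44 pokey sshd[7801]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed \S+ for (?P<illegal>illegal user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_sshd_log(text):
    """Return auth events as dicts: ts, pid, kind ('failed'/'accepted'), user, src, illegal.

    'Illegal user X from Y' lines are skipped on purpose: when the client goes on
    to send a password, sshd logs 'Failed password for illegal user X' under the
    same pid, and that line carries the same information.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a format this parser does not know
        msg = m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            events.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "kind": "failed",
                           "user": f.group("user"), "src": f.group("src"),
                           "illegal": f.group("illegal") is not None})
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            events.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "kind": "accepted",
                           "user": a.group("user"), "src": a.group("src"), "illegal": False})
    return events


def _in_known_ranges(src, networks):
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # a hostname rather than an address: never treat it as trusted
    return any(addr in net for net in networks)


def summarize(events, known_ranges=(), threshold=5):
    """Aggregate per source address and attach a verdict.

    known_ranges: CIDR strings for addresses you legitimately log in from (assumed).
    threshold: failures from one source before it is called a scanner.
    """
    networks = [ip_network(n) for n in known_ranges]
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": set(),
                                   "root_failures": 0, "accepted": False})
    for ev in events:
        s = per_src[ev["src"]]
        if ev["kind"] == "failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
            if ev["illegal"]:
                s["invalid_users"].add(ev["user"])
            if ev["user"] == "root":
                s["root_failures"] += 1
        else:
            s["accepted"] = True
    for src, s in per_src.items():
        if _in_known_ranges(src, networks):
            s["verdict"] = "trusted"
        elif s["accepted"] and s["failures"]:
            s["verdict"] = "review"   # success after failures from an unknown source: look at it
        elif len(s["invalid_users"]) >= 3 or s["failures"] >= threshold:
            s["verdict"] = "scanner"  # walks through test/guest/admin/... or simply hammers
        else:
            s["verdict"] = "noise"    # a stray attempt; not worth a rule or a report
    return dict(per_src)


if __name__ == "__main__":
    report = summarize(parse_sshd_log(SAMPLE_LOG), known_ranges=("203.0.113.0/24",))
    for src, s in sorted(report.items()):
        print(f"{src:16} {s['verdict']:8} failures={s['failures']} "
              f"root={s['root_failures']} invalid_users={sorted(s['invalid_users'])}")
```

Run it against a real auth log by reading the file into `parse_sshd_log`. The "review" verdict is the one that matters most: a source that fails a few times and then gets in is the case a firewall rule would not have helped with and a human should check. A lone "Illegal user" line with no following "Failed password" (the client disconnected before sending a password) is ignored by this parser; if you want those counted, match them as a third event kind.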
Companies don't care. (Score:5, Informative)
So, being a good guy, I never respond in kind (I could, but 1) it's wrong, 2) it affects more than just the target and 3) I don't feel like going to pound-me-in-the-ass prison), I just log every single packet I can, and when the attack is over find the worst offenders (typically the packets are not spoofed) and use Spamcop and whois to find the responsible parties for each one, and send them all an email.
Many (most?) emails elicit an automatic response.
Perhaps 10% get a personalized response, but usually this response says that I should contact the ISP of the offender (when in fact that's exactly what I'm doing.) Perhaps half of the responses I do get say they'll do something about it, which is good -- usually these are compromised drone/zombie machines, and need cleaning anyways.
Quite often, the attacker is stupid enough to ping my machine from his home machine (so he can see how it's going), not thinking I'll notice that. When this happens, I can also email his home ISP, the people who really know who he is, and the people who can really hit him where it hurts. Except that they ignore my email too, and if they do email me back, they just tell me that the attack did not come from their ISP so they can't do anything, or there's no proof that the pinging is related to the attack.
Phone calls are much more effective than emails, but you really need to make them during the attack for them to take them seriously. And often the attacks happen outside of business hours, so there's nobody to call. And they're very time consuming.
Though I did succeed in nailing at least one guy. He was in Romania, and he messaged me a few weeks after the attack basically pleading with me that it wasn't him, but his brother using his computer. Apparently the police (in Romania) were questioning him, and one of the things they showed him was my email. The police had never contacted me -- I'm guessing that my email was just one of many pieces of evidence they had against the guy. I felt a bit bad for him, but not that bad. Not that I had any control over what was happening to him at that point -- it was out of my hands the moment I sent my email.
So, if it happens again, I'll do the same thing. I know it's not likely that anything substantial will come from my emails, but there's still a chance. Every time it happens, I know I nail at least some of his compromised machines, and have a chance at getting him. I'll win eventually -- either that, or he'll hit puberty, in which case we both win.
Report it and be Nice (Score:5, Insightful)
There are a lot of people out there who have no idea that their computer is infected with a root-kit and many would be grateful to be told so.
Re:Your firewall.... (Score:5, Insightful)
If they are just sending off SYN requests, then who cares? They'll get a few RST responses. Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day will just decrease others' chances of contacting you.
Secure your network. Have a nice firewall with okay rules, but there should be no need to add individual IPs to your ruleset all the time -- that just increases complexity and maintainability.
Re:Your firewall.... (Score:3, Insightful)
Re:Your firewall.... (Score:5, Insightful)
It depends on what kind of 'attack' we're talking about, of course. If it's just an automated attack which scans large ranges of IP-addresses for common vulnerabilities which you've patched against, there really isn't any need to add them to your firewall ruleset, unless they're pretty invasive.
By invasive I mean that they grope and poke, and grope and poke. If it's just a couple of packets - why care at all? You can always fire off an email to the hosting provider, but adding them to your firewall is just
Take the recent increase in SSH scans for the 'test' and 'guest' accounts without password, or whatever it was one came into agreement that it was.. if you've got a patched SSH daemon, why care? Let them scan - and get rejected. Why bog down the firewall with hundreds, if not thousands, of extra matching rules?
If it's likely that you've got vulnerable machines on that port, block it entirely - or just allow it from specific IPs. Playing whack-a-mole against scanners is just a waste of time.
Patch the system, have a good general firewall ruleset that covers what needs to be covered - and let the scanners that aren't actually continuously filling your log files just scan on.
I've had to block _one_ abusive scanner during the last year. It was someone scanning for open http-proxies from Israel. They were hitting my machines several times per second, filling my apache logs with relay-attempts to mailservers. Which was quite frankly annoying.
Those scans were from four IPs within the same subnet, and their ISP didn't care. I got the ISP null routed due to their customers filling my logs (and my company doesn't do business in Israel at the moment, so it wasn't a loss anyways).
A few packets now and then on the other hand.. playing whack-a-mole with such is just a waste of time.
Re:Your firewall.... (Score:4, Interesting)
Better advice would be to only allow login connections (eg sshd) from known IP addresses.
Other measures depends on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ [cisecurity.com] lvl 1 benchmarks on an Internet connected machine (at the very least run the scoring tool).
Re:Your firewall.... (Score:5, Insightful)
Re:Your firewall.... (Score:3, Insightful)
Re:Corporate Gnome (Score:5, Interesting)
No shit..
I've received some really nasty emails over the years from winners who just installed some firewall on their home machine, and wonder why we're sending packets to him from our port 80 to some high port on his machine. They're all demanding that we stop or they'll sue, blah, blah, blah.
I write a real friendly note back saying "sir, you were visiting a porn site at http://example.com. from which you detected the data coming back to you exactly as you requested. yada, yada, yada"
Once in a while our provider will get a new person in their abuse department, and forward those over. I kindly remind them to go back to their supervisor and ask them exactly what this traffic would mean. Then I write them a friendly letter explaining the basics of the Internet.
They are generally good about sending us only real problems, which are usually about sublet IP blocks. I either pass it on to their sales rep, or call them myself. Most customers I've dealt with are very friendly about it.
We did have a federal agent show up in our office one day, about a hacking attempt from one of our networks (a sublet line). I called the sales rep, got the customer on the line, and they were already aware of it. It was an old unpatched machine that they had taken offline a few days prior because they had already found it was broken into. They were still examining it, and offered to hold onto the drive for the investigator. I really like good customers.
Re:What intruders? - Good point! (Score:4, Insightful)
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.