How Should One Respond to a Network Break In?
Jety asks: "I am the sole IT support for a medium-sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agents' personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city.
What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"
First and foremost, cover your ass. (Score:4, Insightful)
Document everything in writing, discuss the situation with your superiors, and seriously consider initiating some form of legal action. If you are the first to get litigious, you stand a better chance of having the situation resolved in your favor. Unfortunate, but true.
Re:First and foremost, cover your ass. (Score:1)
Re:First and foremost, cover your ass. (Score:1)
Re:First and foremost, cover your ass. (Score:3, Insightful)
If you really want to, try to find out who admins the other server, and make contact. Are they competitors? That would change a lot of things. BUT, this sort of thing happens several times a day to the servers I admin. Generally, there is nothing to be done about it; trying to notify the offending source is usually ignored. More tha
Re:First and foremost, cover your ass. (Score:1, Interesting)
Then tell their ISP, and tell the ISP you filed a police report. Their ISP will deal with it. If it becomes a problem for the ISP, it will be a serious problem with the company.
If you want to be an ass, you could tip the BSA that they're running a pirated copy of Exchange. Anonymously would be best.
Re:First and foremost, cover your ass. (Score:1, Funny)
1. Scream. Hold head between hands and moan.
2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
3. Remember advising boss to rescind departmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty s
Call 911 (Score:4, Funny)
Re:Call 911 (Score:2, Funny)
Re:Call 911 (Score:1)
Re:Call 911 (Score:2)
Re:Call 911 (Score:2)
The title sequence on each episode has the announcer saying "Pure Ownage" (my emphasis, but the announcer DOES stress the O pretty strongly).
Besides, "pwn" is a misspelling of "own". Being a misspelling, the pronunciation should be that of the original word.
Re:Call 911 (Score:2)
That's what I'm saying! Man, every time a friend of mine says that he "pawned" someone or that "pawnage" occurred, I wanna cut out his tongue with a rusty shoehorn!
Re:Call 911 (Score:2)
In the chess school of thought, the pawn is the weakest piece (some would say the strongest, but that's a point for another post). So, if you "pawn" someone, you make them weak, or they were already weak and you kill them. Pawn becomes pwn in the 1337speak movement to shorten stuff.
In the pawn shop school of thought, the competitor that you just "pwned" you've deemed so worthless that you pawn him off. Again, pawn becomes pwn to short
Re:Call 911 (Score:1)
No, he's just not very well read.
In the chess school of thought, the pawn is the weakest piece (some would say the strongest, but that's a point for another post). So, if you "pawn" someone, you make them weak, or they were already weak and you kill them.
Back in Chess Club, the ultimate humiliation was being checkmated by a pawn. I loved doing that to people.
Re:Call 911 (Score:2)
I'm not that good at chess, though...
It probably isn't even them (Score:5, Informative)
After all, who uses an exchange server as their terminal to log in to other computers? If it was one of the desktops, then it would make sense that they were attacking.
It's called NAT (Score:4, Insightful)
Re:It probably isn't even them (Score:4, Interesting)
We did not call the police; instead we found out the format it was sending information in and what it was reporting. So we took the program and installed it on a disconnected machine to play with it. It scanned a hard drive for JPEG, PDF and PSD files and then sent them in a zipped file to the address every night at 3 am. So we had a meeting to decide on what we should send them. We decided to send someone they did not know to photograph inside their gallery when they were not looking. After we had most of their new installation photographed and scanned (FYI, this is before digital cameras were cheap).
After that we found out where they lived and took pictures of them leaving their houses in the morning for some who lived nearby, their licence plates and the inside of their cars, where they worked, some with pictures of them working, and sent it to them a few days later. About a week after that we took pictures of someone taking pictures of us from across the street in a car we did not recognize and blew up the image to find the culprit, whom we told the competing gallery about, which promptly took his whole installation including 2 computers synchronizing motion to music (just a program downloaded off the net) and left all of it in the back of the building in central Phoenix in broad daylight. Virtually nothing survived, lol. Some people were pissed we took photos of them and their art but I believe it is legal to do so in public. Correct me if I'm wrong.
Re:It probably isn't even them (Score:1)
Re:It probably isn't even them (Score:2)
A bunch of failed login attempts isn't necessarily a hostile activity, which is all it sounds like in the article. Of course the poster probably knows more information than he's giving out...
Remember: Never attribute to malice that which can be adequately explained by stupidity.
Simple (Score:5, Insightful)
If that fails, you call them up and ask for their tech-lead.
You already have your logfiles, and reasonably secured server.
What you can gain here is a partnership - or at least an exchange of favors every now and then - between your company and the remote one.
That said, if the other company isn't responsive, you firewall them to hell and get on with your daily work.
You'll want to give management a brief notice about what's happening before you do this, obviously.
After you've talked to abuse@, you tell management what happened.
Now is the time to look over your authentication schemes. Are your users logging in over SSH? With passwords instead of keys? (Hint: keys are nicer.)
After this is said and done, you paypal me $90 for doing your job.
Cheers!
Re:Simple (Score:2, Funny)
Re:Simple (Score:1)
The company can keep the $150 that I would normally charge for fixing your errors.
strike
Re:Simple (Score:2)
Cool. So what's your address...?
Just inform them (Score:4, Insightful)
Don't overreact (Score:4, Informative)
Re:Don't overreact (Score:2)
Likewise. I think I see on average about 400 failed login attempts across 3 machines, every day.
Most look something like this:
Jul 26 08:10:27 oxygen sshd[30231]: Illegal user gabriel from
Jul 26 08:10:32 oxygen sshd[30233]: Illegal user gabriela from
Jul 26 08:10:39 oxygen sshd[30235]: Illegal user
Re:Don't overreact (Score:5, Informative)
Speaking of which, I was just chatting with a buddy who has a brute-force rule set up in iptables. Too many connections from a single IP within a set amount of time creates a temporary ban of that IP.
Here's what he wrote to an IRC channel we were on (this is untested but should be close):
Re:Don't overreact (Score:2)
Re:Don't overreact (Score:1)
Autobanned? (Score:3, Insightful)
b) The ban would only last 3 minutes.
c) A 3 minute blockout is much better than an owned server
Re:Don't overreact (Score:3, Insightful)
Be careful with implementing auto blocks on connections since systems like that can sometimes be abused to cause a denial of service.
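As an added illustration of the approach debated in this sub-thread (count failures per source address, ban temporarily, but don't let the mechanism lock out your own people), here is a small Python detector, written for this page and not taken from any poster, run over constructed sshd log lines modelled on the ones quoted above. The threshold, the two-minute window, the 3-minute ban and the allowlisted gateway address 203.0.113.5 are all assumptions; the allowlist is the answer to the denial-of-service worry just raised, since one shared NAT address behind which forty agents sit should raise an alert, not a block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the sshd entries quoted in the thread.
# 192.0.2.77 is a scripted password guesser, 198.51.100.9 is a user who mistyped
# once, and 203.0.113.5 is ASSUMED to be the office NAT gateway: every agent's
# machine appears to come from it, so banning it would lock the whole office out.
SAMPLE_LOG = """\
Jul 26 08:10:27 oxygen sshd[30231]: Illegal user gabriel from 192.0.2.77
Jul 26 08:10:32 oxygen sshd[30233]: Illegal user gabriela from 192.0.2.77
Jul 26 08:10:39 oxygen sshd[30235]: Illegal user gabrielle from 192.0.2.77
Jul 26 08:10:44 oxygen sshd[30237]: Failed password for root from 192.0.2.77 port 4120 ssh2
Jul 26 08:10:51 oxygen sshd[30239]: Failed password for admin from 192.0.2.77 port 4121 ssh2
Jul 26 08:11:02 oxygen sshd[30241]: Failed password for invalid user test from 192.0.2.77 port 4122 ssh2
Jul 26 08:15:00 oxygen sshd[30250]: Failed password for alice from 198.51.100.9 port 50212 ssh2
Jul 26 08:15:30 oxygen sshd[30252]: Accepted publickey for alice from 198.51.100.9 port 50213 ssh2
Jul 26 09:00:00 oxygen sshd[30300]: Failed password for bob from 203.0.113.5 port 40000 ssh2
Jul 26 09:00:01 oxygen sshd[30301]: Failed password for bob from 203.0.113.5 port 40001 ssh2
Jul 26 09:00:02 oxygen sshd[30302]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Jul 26 09:00:03 oxygen sshd[30303]: Failed password for bob from 203.0.113.5 port 40003 ssh2
Jul 26 09:00:04 oxygen sshd[30304]: Failed password for bob from 203.0.113.5 port 40004 ssh2
Jul 26 09:00:05 oxygen sshd[30305]: Failed password for bob from 203.0.113.5 port 40005 ssh2
"""

# Matches the two failure shapes sshd logs: unknown user, and wrong password.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user \S+ from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip2>[\d.]+))"
)

THRESHOLD = 5                 # failures within WINDOW that trigger a reaction (assumed)
WINDOW = 120                  # seconds (assumed)
BAN_SECONDS = 180             # the 3-minute ban mentioned in the thread
NEVER_BAN = {"203.0.113.5"}   # assumed gateway address: alert, never block


def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW,
                       ban_seconds=BAN_SECONDS, never_ban=NEVER_BAN, year=2005):
    """Return (alerts, bans): alerts is a list of (ip, action, time), bans maps ip -> expiry."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the sliding window
    bans = {}
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ip = m.group("ip1") or m.group("ip2")
        # syslog lines carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in bans and bans[ip] > ts:
            continue              # already banned; the firewall rule would be dropping these
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            if ip in never_ban:
                alerts.append((ip, "alert-only", ts))   # tell the admin, do not self-DoS
            else:
                bans[ip] = ts + timedelta(seconds=ban_seconds)
                alerts.append((ip, "ban", ts))
            q.clear()
    return alerts, bans


def is_banned(ip, at, bans):
    """True while a temporary ban for ip is still in force at time `at`."""
    return ip in bans and bans[ip] > at


if __name__ == "__main__":
    found, _ = detect_brute_force(SAMPLE_LOG)
    for ip, action, when in found:
        print(f"{when:%H:%M:%S} {ip:15} {action}")
```

Run stand-alone it reports one ban for the guesser and one alert-only entry for the gateway; the single typo from 198.51.100.9 never reaches the threshold. In a real deployment the ban action would be the iptables rule the previous poster describes, and the expiry is what keeps a mistake (or a spoofed source) from turning into a permanent lockout.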
Re:Don't overreact (Score:1)
Re:Don't overreact (Score:2)
For OpenSSH [openssh.com], the ssh2d_config(5) man page:
A decelerating response might be customized using plug-ins if AuthKbdInt.Plugin were configured.
Re:Failed logins, multiple SSH? (Score:2)
Re:Don't overreact (Score:2)
Jul 26 13:12:49 starless sshd[7168]: refused connect from host150-93.pool8017.interbusiness.it (80.17.93.150)
Jul 26 13:38:16 starless sshd[7306]: war
Re:Don't overreact (Score:2, Informative)
It doesn't have to be the exchange server (Score:4, Insightful)
Personally... (Score:5, Funny)
Diplomacy (Score:2, Informative)
I think before you jump to any conclusions about it being malicious on
Re:Set a trap (Score:2, Interesting)
Call/email them (Score:2)
Comment removed (Score:5, Informative)
Re:Call/email them (Score:1)
Re: (Score:2)
router (Score:1)
Friendly, but seriously (Score:1)
2) Alert the owners/management of the company. Impress upon them how serious this is, and how it won't be tolerated. Most likely it's just one employee with a wild hair up his... and not a representation of their company's intent.
3) Give them a time frame to address it/correct their problem
4) If it happens again let them know you're considering legal action.
There's no excuse for this behavior. Would you tolerate someone skulking around your building looking for open doors and windo
Big Friendly Letters (Score:3, Funny)
Re:Big Friendly Letters (Score:2)
Depends (Score:5, Insightful)
Essentially everyone who attempts to hit my ftp server with anonymous is trying to break in - the address is only known to a few people who have accounts and I can see from the logs that the other attempts are just scripted tries.
Similarly, I see several attempts every day to log into my machines via ssh (where an attempt may involve from a dozen to hundreds of tries to log in). Don't even get started on what I see in the http or smtp logs.
I work at a small company, too, and I could pull everyone off their jobs and still not have enough manpower to investigate each attempted breakin, locate and contact the appropriate parties, etc.
As mentioned elsewhere, most of these machines are compromised so you are really spending your time to provide unpaid antivirus support for the other party's machine. You have to pick your battles.
Depending on my workload and the probability of a positive result I'll contact someone as a courtesy. Generally my criterion is that I am able to make telephone contact with a person responsible for the machine relatively quickly.
Re:Depends (Score:3, Interesting)
One of the last things I did was disable FTP, and then on some whim I checked the ftp logs...
Someone (no doubt a bot) had connected to my ftp server with anonymous, created a directory, changed into the directory to make sure it really existed, then deleted the directory and logged out.
No doubt my IP address was now on some list of open ftp servers.
I was very tempte
Re:Depends (Score:2)
I did not say that logging into any ftp server as anonymous proves that you are intentionally attempting to break in. I said that basically anyone trying to log into mine can be placed into that category. Note the explanation in the rest of the sentence: "...I can see from the logs that the other attempts are just scripted tries." (Those three dots are called "ellipses" and they indicate that inf
break in? (Score:2)
Re:break in? (Score:1)
Re:break in? (Score:2)
Although this is UK law, I'm sure the US has similar legislation, though I don't know what the US laws are called.
Merely writing the script without even running it is enough to break these laws
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
[29th June 1990]
BE IT ENACTED by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spi
Slashdot'em (Score:1)
Of course, this assumes people try to RTFA.
Notify, document and block if necessary (Score:2)
If it keeps happening, I then usually block that address or range of addresses with my firewall. (I can do this since only a small number of users access the server, and I'll hear about it if they're having trouble accessing things.)
Not that unusual? (Score:1)
That said, there's no guarantee that it really is a malicious act on behalf of that other business - could be someone came through them to get to you "for a laugh", or the office junior or someone's 12-year-old messing about.
Oh - and document everything, and make sure that if asked how you knew exactly when something happened (such as when something happened) you have
No mercy. Destroy the interloper. (Score:1)
Let the readers decide (Score:3, Funny)
Some might consider that overkill though.
Re:Let the readers decide (Score:2)
From a grizzled old security dude.. (Score:2, Informative)
First thing, check your important file checksums, run tripwire, or whatever. If you don't have a tripwire-like system set up, or a backup set you can compare against, you've got another problem, but let's assume somehow, you are sure your files were not compromised.
Once you're sure no damage was done, relax, the system did what it
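The "check your file checksums first" step above is easy to do by hand on a small server, and the following Python, added here as an illustration rather than any poster's or tripwire's own code, shows the whole cycle: take a baseline of every regular file under a root (SHA-256 plus permission bits), later rescan, and classify what was added, removed or modified. The `demo()` function builds a constructed directory tree, simulates the kinds of change an intruder might make, and returns the comparison; the file names and contents are invented for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to (sha256, mode bits).

    Symlinks are skipped. Mode bits are recorded too, because a setuid or
    world-writable bit appearing on a file matters as much as its contents changing.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return baseline


def compare(baseline, current):
    """Classify the differences between a trusted baseline and a fresh scan."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline, then tamper, then compare."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "bin/login": b"trusted login binary",
            "bin/ls": b"trusted ls binary",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        }
        for rel, data in originals.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644)

        # In real use this baseline is stored read-only and OFF the host, e.g. with the
        # backup set the poster mentions; a baseline kept on a compromised box can be edited too.
        baseline = build_baseline(root)

        # Simulated tampering: replaced login, loosened permissions on passwd,
        # a dropped hidden file, and a deleted tool.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"replaced login binary")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", ".hidden"), "wb") as f:
            f.write(b"dropped file")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

One caveat a practitioner would add to the poster's advice: if the host really was owned, both the hashing tool and any baseline stored on it can be lying, so keep the baseline elsewhere and, when in doubt, hash from known-good media rather than from the running system.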
Follow Up Info from Original Poster (Score:1)
Re:Follow Up Info from Original Poster (Score:2)
How Should One Respond to a Network Break In? (Score:2)
survey (Score:1)
Thank you and good night.
is too! (Score:2)
It is a backformation, but it's in my 1980 Websters too, so it's been around for a while. If you wanted to argue that there shouldn't be such a word, I might be more sympathetic. It is rather ugly. But it is, I think, a word by any reasonable person's definition.
cheers
ok then (Score:1)
Both Sides Now (Score:2)
You need the logs from the other company. Those will prove whether it came through there, or from there.
Trying to handle that yourself with your counterpart in the other company could leave you open to several charges if you tried to go it alone or with their admin's help. You'll need positive containment of evidence and chain of security.
If too much time has passed, alert the authorities and ke
Back to basics: (Score:2)
Or, alternatively, place those functions onto a different server. Internet functions like WWW, FTP and so on are generally better served from a Linux server, and those servers tend to have lower
Block their IP address (Score:1)
Re:I've been through this. (Score:2)
Don't allow accounts with names like "sam" - make it "sam_sosa" or at least "ssosa" so that dictionary attacks won't find it easily.
Don't allow remote root login. Require user login, then su.
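The two settings in this comment (no direct root login, then su) and the keys-instead-of-passwords advice earlier in the thread both live in sshd_config, and the classic way to get them wrong is to add the right line below an existing wrong one, because sshd keeps the first value it sees for a keyword. The Python below is an added example for this page, not any poster's script: it parses the global section of an sshd_config the way OpenSSH reads it (case-insensitive keywords, `#` comments, first occurrence wins, stop at the first `Match` block) and reports settings that are weak or left to the compiled-in default. Both configurations are constructed; the `sshusers` group name is an assumption.

```python
# Constructed configs, not taken from any poster's system.
WEAK_CONFIG = """\
# permissive: root can be guessed at directly and passwords are accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# someone later appended the "fix" below, but sshd keeps the FIRST value, so it is ignored
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
# log in as a named user and su, as the comment above suggests
PermitRootLogin no
# keys instead of passwords, as suggested earlier in the thread
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
# restrict who may log in at all (assumed group name)
AllowGroups sshusers
"""

# keyword (lower-case) -> value we expect on an Internet-facing server
EXPECTED = (
    ("permitrootlogin", "no"),
    ("passwordauthentication", "no"),
    ("permitemptypasswords", "no"),
)


def parse_sshd_config(text):
    """Return the global keyword -> value map as sshd would read it.

    Keywords are case-insensitive, lines starting with '#' are comments, the first
    occurrence of a keyword wins, and the global section ends at the first Match
    block (per-host/per-user overrides inside Match are not handled here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins, later ones are ignored
    return settings


def audit_sshd_config(text):
    """List (keyword, value_found_or_None, expected) for each weak or unset setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED:
        got = settings.get(key)
        if got is None or got.lower() != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "no findings")
```

A `None` in the findings means the keyword is absent and the server is running on whatever default its OpenSSH build ships with; stating the value explicitly is cheaper than remembering which version changed which default. Run the audit against the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`, and remember to reload sshd and keep an existing session open while testing a key-only configuration.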
Breakins (Score:2)
What A Manager Would Expect (Score:3, Insightful)
If this happened in my organization, I would expect three things from my network people:
1) Follow and stay within established policy; I would expect you to do what is needed to protect the security of the network short of attacking the presumed culprit. If it came to that, bring the network down. Attacking the apparent culprit puts my business at legal risk and you do not get to make that call.
2) Notify me (management) as soon as possible. Give me all the facts and answer my questions. Lay out my technical options objectively. Explain to me why our network was vulnerable and how we can remedy that. Don't try to spin me so I under or over react. It is my network and you work for me; I won't take kindly to attempts to manipulate me.
3) Then, follow my instructions.
Re:What A Manager Would Expect (Score:1)
Re:What A Manager Would Expect (Score:2)
In any case, I don't think this is a matter of trust. As an employee, you'd have an obligation to tell me you'd discovered an attack on our network. (An anonymous note would not provide any anonymity. As soon as I read it, I'd walk over and ask my network techs what they knew about it. If they all claimed ignorance, then
Re:What A Manager Would Expect (Score:1)
As an employee, you'd have an obligation to tell me
Re:What A Manager Would Expect (Score:2)
In any case, you seem to have a view of the world that I'd characterize as akin to paranoia. Since you carry your own misery with you, I doubt a new job would change anything.
Re:What A Manager Would Expect (Score:1)
A bit "protectionist" maybe. But, you call it what you like. Me? Man, I'm in paradise...literally and figuratively
Or as it goes at our table:
Up
Down
To the center
Inside