Slashdot Mirror


On the Definition of a Hostile Network Connection?

Kirk Bauer writes "As the author of AutoRPM, my program used to be shipped with my FTP site as one of the default sites the program contacts. However, over the years, I have received more and more emails accusing my machine of 'attacking' their machine ... through identd and failed FTP active-mode connections. Do other FTP sites receive this much (or more) harassment?" First it was port-scanning, now it seems that admins are crying wolf at any unknown client that connects to their network. Now I'm all for a dose of healthy paranoia, but is this going overboard? What should administrators really be watching for if they are concerned with potential hostile activity over the net?

"I have since changed the default configuration to NOT use my own FTP site. However, I still receive around one email every day that my machine has been hacked and has been 'probing' or 'attacking' their machine. Often times, these emails are CC'd to my ISP (or sometimes only sent to my ISP).

Since when did identd lookups become 'attacks'? Most email servers use identd regularly ... how come there are so many firewalls out there that log this as suspicious activity?

Additionally, are there really that many ignorant network administrators who look at a log of one refused identd lookup and one refused active-mode FTP connection every night at 2 a.m. and not realize that something on their end is trying to connect to an FTP site every night?"

266 comments

  1. No one gives a shit anyway by Anonymous Coward · · Score: 1

    I have found plenty of evidence of portscans, I have looked up the IPs and emailed people responsible. What a waste of time. I have never received a single response from these people, so now when I find a persistent offender I block the whole network they came from.

  2. Re:Shitty ISPs by Anonymous Coward · · Score: 1

    They don't hop IPs every two hours, they just renew the lease on the IP they have. It's possible to keep the same IP forever as long as you don't take your MAC address off the system long enough for your IP to reach the top of the pool for a new user.

  3. Re:Likely cause by Anonymous Coward · · Score: 1
    and a competent HR person to screen out the idiots.

    Sort of like counting on a default Red Hat install to screen out the script kiddies.

  4. Re:Yup, there really are that many bad admins... by Anonymous Coward · · Score: 1
    A trained monkey can install NT and most of the linux based distros out there nowadays

    Too true. Also, a trained (or even untrained monkey) can have its brain dead code accepted into the linux kernel. Unlike NT, which uses quality-assured, professional code.

  5. Re:What I love... by Anonymous Coward · · Score: 1
    Have you set your firewall to block the DHCP server?

    Wrong question. Things like this don't happen because people carefully aim their shotguns at their own feet, they happen because they don't think through the consequences of their actions and end up shooting themselves in the foot anyways. They said "block the world!" and it did. DHCP, too.

    No one should block ANYTHING in a non-emergency situation without getting complete network captures for a week. Or more. And then understanding each and every packet, even if their conclusion on some of the packets is simply "I have no clue where that came from or why!"

    But no: here, buy this, install it, and set it to 'Paranoid' mode, and then start spamming the contacts at Fortune 50 companies when you can't figure out why you got a RST/ACK from port 80 on the web server to which you were talking. And yes, I DO have to reply to such people. I try to be nice, I really do, because I know how frightened and overwhelmed they must feel.

    Earth to all BlackIce and ZoneAlarm users: Read SANS' Internet Storm Watch for a week or two before you send me ANY more mail. Please?

  6. So, um, do we really care about security? by Anonymous Coward · · Score: 1

    I've read books, listened to lectures, secured the systems, and lived with the day-to-day realities of maintaining a network (and its security...that's always in the background, isn't it?). Ya know what? I do care what traffic is going into and out of my network. I do care if a portscan is an effective means of enumerating my network. I do care if an ident scan is hitting my network.

    Call me paranoid. Label me a "clueless admin". Fine. The only result I see from such a high-and-mighty attitude is further apathy on the parts of administrators.

    Any person who suggests operating and maintaining a network is full of her or himself. And strangely enough, that's the prevailing attitude I find in many of the supposedly more open-minded communities. Frankly, we don't know the answer all the time. And it pisses me off to no avail when I post to a UG mailing list only to be lambasted for not being enlightened.

    You can forgive me somewhat I guess. I don't call ISPs and send angry letters when I noticed a rogue ping come through. I don't harass users or administrators because of some late night script kiddie activity. But I do care. Running a network is an investment of time and effort. And to suggest that you be anything BUT paranoid with regards to its security is reprehensible. Given the relative ease at which some kid can exploit a flaw in a system, it makes sense that we care about our security. Balancing that caring is the key.

    One quick anecdote before I shut my mouth. I set up a LAN at my father's house. He runs a strictly Windows 2000 shop, and is appalled at the idea of a software firewall that would run anything but Windows. So, I set up a cable router for him. When he tries (and fails) to connect to his office's NT server, he immediately jumps down my throat, because "every time something is secure, it won't work." Granted, after a short reconfiguration, it worked. But if he's pissed off at me because I don't want some moron logging onto his laptop, then send me straight to hell. I've seen the logs on that machine. After noting the massive amount of data which has been manipulated on his network, I think it's reasonable to suggest that some security is needed. And perhaps, JUST PERHAPS, if my dad had been one of those raving lunatics who called an ISP whenever a random UDP packet hit port 139, his network wouldn't have been breached. Setting up security in depth is important; just as important is caring enough to check up on that network.

    Yes, I'm one of those clueless admins who chooses to block UDP, IGMP, and certain ICMP packets - BECAUSE I DON'T NEED THEM! Is it a sin to disable what we don't need? I won't masquerade to be a master of networking. I'm just another guy who tries (and often fails) in a field that, IMHO, REQUIRES failing to learn.

    I'm going to end this pointless maniacal rant with one last comment: perhaps most BlackICE equipped users are sheep. But at least they're showing some interest in security. Maybe they won't end up like my dad.

    1. Re:So, um, do we really care about security? by drinnen · · Score: 1

      Yes, security _is_ important; admins should be able to enable/disable any services without being chided for being paranoid. But when computers are connected to the Internet, admins must accept the fact that their computers now have a degree of public exposure and that some of the public might be interested in what's out there. The reasons for interest are also not always because someone wants to break into a system.

      I think that even if it were impossible to break into any system, people would still become angry when somebody did a portscan, ping, or whatever. Look at the standard reaction to someone doing a VERSION on somebody on IRC; anger, hate, and suspicion.

  7. Re:i want to get a joby job! :) by Anonymous Coward · · Score: 1
    The highest paying jobs don't go to the techs, they go to business types.

    He's right! You can take my word for it because I read their emails.

  8. Shitty ISPs by Anonymous Coward · · Score: 2
    Why don't you configure your DHCP server nicely instead? Shortage of IP addresses leads to a need for DHCP and similar protocols, but there is no technical reason you have to force your users to IP hop every 2 hours. You can save on support costs that way, too.

    Incidentally, is the term "DHCP leases" anywhere to be found in those nice pieces of paper you send new clients? No? And yet you blither this nonsense to them on the phone?

    I'm sure glad you're not *my* ISP.

    1. Re:Shitty ISPs by Steeltoe · · Score: 1

      Why are you against personal firewalls? It's a great concept for desktop use. True, not everyone should use it for lack of clue of what's going on, but sending out information about them could potentially minimize ISP problems.

      - Steeltoe

    2. Re:Shitty ISPs by ninewands · · Score: 3

      What the AC says is true, and I don't think a 2 hour renewal period for dynamic IPs is unreasonably short, especially since a renewal only requires the exchange of 4 or 5 packets. The truth of the matter is that administering any kind of firewall competently requires more understanding and effort than MOST ISPs' lusers want to invest.

      When I was on the Helldesk, I got a call from a user who wanted to know why her e-mail didn't work. She had installed Norton's PF and her neighbor, "who's a computer pro at ***** Co." had configured it for her. Of course, he blocked OUTgoing traffic on ports 110 and 25, so she couldn't connect to our POP3 and SMTP servers ... (SOME pro this is ... ). She refused to believe the firewall was the problem until I had her disable it and check her mail. Surprise ... it worked.

      Because of company policy, I was prohibited from walking her thru the fix, so I told her what needed to be done and told her to have her neighbor fix it.

  9. this is widespread - and usually fueled by idiocy by Anonymous Coward · · Score: 2

    I used to work at Walnut Creek CDROM, the home of ftp.cdrom.com (or whatever they call it now). You would not believe the number of emails we got saying "your machines are connecting to us!! stop it!!!".

    The source? ftp, by default (ie when not passive), connects back to the source of the first connection. Yes, this is to send the actual files back that the user asked for. That's right, users were complaining about connections that they themselves had initiated.

    Someone must have written a windoze-based "hax0r detected" or something like that - the equivalent of script-kiddie-admin'ing.
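What the complainers in this thread are actually looking at, as an added example that is not part of any post above: a small Python correlator that reads a constructed host-firewall log (invented format, invented addresses) and labels each denied inbound connection as the data leg of the host's own active-mode FTP session (the server connecting from port 20 back to the port the client announced in PORT), as an ident lookup provoked by the host's own outbound connection, or as genuinely unexplained. The five-minute window and the log layout are assumptions for the example, not anything the posters' firewalls produce.

```python
"""Label a host firewall's denied inbound hits using the host's own outbound history."""
import re
from datetime import datetime, timedelta

# Constructed sample log (invented format): one nightly FTP session like the
# AutoRPM case, then an unrelated probe 13 minutes later.  Our host is 10.0.0.7.
SAMPLE_LOG = """\
2001-06-10T02:00:00 OUT 10.0.0.7:3456 -> 192.0.2.10:21 ACCEPT
2001-06-10T02:00:00 IN 192.0.2.10:1025 -> 10.0.0.7:113 DENY
2001-06-10T02:00:02 IN 192.0.2.10:20 -> 10.0.0.7:3457 DENY
2001-06-10T02:13:40 IN 198.51.100.5:4321 -> 10.0.0.7:139 DENY
""".splitlines()

LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<dir>IN|OUT) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DENY)$"
)


def parse_line(line):
    """Parse one line of the invented log format into a dict."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: %r" % line)
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def parse_port_command(cmd):
    """Decode the RFC 959 PORT command an active-mode client sends.

    'PORT h1,h2,h3,h4,p1,p2' asks the server to connect from its port 20 to
    h1.h2.h3.h4 on port p1*256+p2.  That inbound connection is the 'attack'
    the firewalls in this thread log.
    """
    m = re.fullmatch(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", cmd.strip())
    if not m or any(int(x) > 255 for x in m.groups()):
        raise ValueError("malformed PORT command: %r" % cmd)
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def classify_denied(events, window=timedelta(minutes=5)):
    """Return (ts, src, sport, dport, label) for each denied inbound event.

    `events` must be chronological.  A DENY is explained when the host itself
    opened a connection to the same peer within `window` (assumed value).
    """
    outbound = []  # (ts, peer_ip, peer_port) of our own accepted connections
    rows = []
    for ev in events:
        if ev["dir"] == "OUT" and ev["action"] == "ACCEPT":
            outbound.append((ev["ts"], ev["dst"], ev["dport"]))
        elif ev["dir"] == "IN" and ev["action"] == "DENY":
            recent = {(ip, port) for ts, ip, port in outbound if ev["ts"] - ts <= window}
            recent_ips = {ip for ip, _ in recent}
            if ev["sport"] == 20 and (ev["src"], 21) in recent:
                label = "ftp-active-data"  # server's data leg for our own FTP session
            elif ev["dport"] == 113 and ev["src"] in recent_ips:
                label = "ident-lookup"     # the peer asking who on our side connected
            else:
                label = "unexplained"      # nothing we did explains this one
            rows.append((ev["ts"].isoformat(), ev["src"], ev["sport"], ev["dport"], label))
    return rows


if __name__ == "__main__":
    for row in classify_denied([parse_line(l) for l in SAMPLE_LOG]):
        print(*row)
```

Only the last row survives as something worth reading about: the first two are the FTP server and its identd doing exactly what the client asked for. Switching the client to passive mode (PASV) makes the data connection outbound as well and removes the port-20 entries entirely; the ident lookup is out of the client's hands.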

  10. Peer to Peers by Zack · · Score: 2

    The most aggravating part of this is the concept of Peer to Peers. Someone installs Black Ice and then leaves snotty messages about "hacking attempts" when they get a hit on port 6346... which is Gnutella!

    They run a peer to peer and don't realize that, oh maybe the computers might have to CONNECT?!

    We even had a script kiddie flood us for a connection, even though the punk had been on gnutella that same day!

    I mostly put the blame on the companies that sell the firewall software for windows. They make this huge hype about those "evil hackers" and don't even bother explaining WHY machines might get REAL connections.

    A better educated user base would be ideal, but I think I'm dreaming.

    1. Re:Peer to Peers by carlcory · · Score: 1

      Better yet are the folks who complain about me "hacking" their machine on 6346 - who when I explain how Gnutella works, they start denying that they have used BearShare or Napster and that all of their MP3s are legal ... the RIAA would be proud.

  11. Re:Blame the Users by mosch · · Score: 2
    No offense, but anybody who uses identd as any form of identification is just very very gullible. On windows boxes, it's a virtual guarantee that the identd response will be faked. On unix machines, it's pretty much a guarantee that the identd response can be overridden by each individual user via a .fakeid or .noident file.

    All that you accomplish by requiring an identd daemon, is that every user have another potentially vulnerable network port open. It gives every single sysadmin one more thing to take care of. A quick bugtraq vulnerability search shows that there have been five identd-related security issues since 1999, with the consequences ranging from DoS to execution of arbitrary code with group 0.

    Why on earth would you want your users using a completely useless form of authentication, that exposes them to potential risks?

    --

  12. Misinformed.. by Mike+Hicks · · Score: 3

    The Internet is a two-way medium, people forget that a lot. Some protocols make more significant use of that fact than others.

    I've seen a fair number of articles describing how to set up a host-based firewall on Linux. Unfortunately, I haven't seen them address the problem of how to properly filter out uninteresting data like this.
    --

  13. Re:identd needs to die anyway. by Russ+Steffen · · Score: 4
    Yes, and watch the average Windows user's head explode while you explain to him that he can't get onto IRC or Yahoo Chat because his digital X.509 certificate isn't valid or is missing.

    And that would be bad because? Help me out here, I must be missing something...

  14. not uncommon by joey · · Score: 2

    I suspect this hair-trigger response is not uncommon. The debian project has certainly gotten several complaints from users that ftp.debian.org is port scanning them, or similar stupid misinterpretations of an active mode ftp connection. I forget if ftp.debian.org uses identd. We don't appear to get quite the same magnitude of complaints that the author of autorpm does, possibly because most apt users download via http, not ftp.

    There is also another set of idiots who install debian and apache, and then flame us for cracking their system and defacing their website. The debian apache package comes with a default web page that prominently mentions Debian, you see..

    --
    see shy jo
  15. identd needs to die anyway. by Wakko+Warner · · Score: 3
    The only people who use it are the paranoid IRC admins, and they're not exactly the "cream of the crop" when it comes to network security. Why the hell do we still use ident anyway? It's pretty much worthless in the age where most client machines run Windows 9x, which has no concept of multiple users.

    If you ask me, identd is nothing more than a waste of bandwidth. Someone, please prove me wrong.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:identd needs to die anyway. by Wakko+Warner · · Score: 4
      Having IDENTD pass something like an X.509 digital certificate that you can check might actually be stronger than using SSL/TLS-enhanced FTP that only uses anonymous connections.

      Yes, and watch the average Windows user's head explode while you explain to him that he can't get onto IRC or Yahoo Chat because his digital X.509 certificate isn't valid or is missing.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    2. Re:identd needs to die anyway. by William+Aoki · · Score: 4

      The pidentd ident daemon can do something quite similar if run with the -C flag. From the manpage:

      The -C[<keyfile>] option tells identd to return encrypted tokens instead of user names. The local and remote IP addresses and TCP port numbers, the local user's uid num- ber, a timestamp, a random number, and a checksum, are all encrypted using DES with a secret key derived from the first line of the keyfile (using des_string_to_key(3)). The encrypted binary information is then encoded in a base64 string (32 characters in length) and enclosed in square brackets to produce a token that is transmitted to the remote client. The encrypted token can later be decrypted by idecrypt(8). There may not be a space between the -C and the name of the keyfile. If the key- file is not specified, it defaults to /etc/identd.key.

      So, when an ident request is made, the daemon returns an encrypted token that is useless to the other end without the key. If someone has a problem, s/h/it sends back the encrypted token, and the admin decrypts it and takes appropriate action.

      This method has an advantage over the method you described if multiple users make connections to the same foreign box within the same time period. If one system is not using NTP (or other time synchronization), the time period could be as long as ten minutes.

    3. Re:identd needs to die anyway. by Type-R · · Score: 1

      Identd *ISN'T* for the IRC admin, it's for the admin on the sending end. If you have a machine on the client end that's multiuser (say a box serving shell accounts), identd info (from the IRC server you attacked) can be slightly useful in pinning down which luser on the client was the idiot.

      Granted if you're stuck on a single user client it doesn't make as much sense, but how's the IRC admin supposed to know that :)

    4. Re:identd needs to die anyway. by Syberghost · · Score: 1

      Seriously though, there are actually useful applications for identd, and most involve making sure you legitimately use the machine in question, and it's not just redirecting traffic on a certain port.

      Except it doesn't do that, and never did.

      If you can redirect one port, you can redirect two just as easily.

      -

    5. Re:identd needs to die anyway. by Raven667 · · Score: 2

      Sure, from your network to your network. There should be no presumption that I am running ident on my internet-accessible hosts, and I don't presume that you are running ident on your hosts. I would imagine that only the very old-school and clueless would attempt, or pay any attention to, ident over the Internet.

      --
      -- Remember: Wherever you go, there you are!
    6. Re:identd needs to die anyway. by guacamole · · Score: 2

      You are wrong. I work at a university campus with hundreds of unix hosts and large multiuser machines. Identd is still very useful for us.

    7. Re:identd needs to die anyway. by rhaig · · Score: 1

      • The fact that sysadmins now treat ident requests as 'attempted crack attempts' or (potentially) 'hostile network connections' says
      What it really says is that there are a lot of people out there who are calling themselves admins, who still have their heads planted firmly in their asses.

      There are a lot of people who call themselves "SysAdmins" who don't know how the internet really works. All they know is their little NT box, or their little RedHat box, and that it logged something they don't understand. Therefore, the source IP must be a nasty person. (it takes them a while to figure out what a source IP is too)

      Guys, do yourselves a favor and go back to development, or the mailroom, or janitor, or wherever it was that you came from.
      --
      "We are not tolerant people. We prefer drastically effective solutions"
    8. Re:identd needs to die anyway. by Raetsel · · Score: 4

      Ident has its uses...
      • IRC (your point)
      • The previously mentioned email servers
      • uh.... something else...
      • (this space for rent!)
      Seriously though, there are actually useful applications for identd, and most involve making sure you legitimately use the machine in question, and it's not just redirecting traffic on a certain port. I can't name another service that fills the niche that ident does -- I always thought of it as the internet's version of a BBS call-back. Everything else I know is on a case-by-case basis, and nowhere near as ubiquitous as ident is. That is ident's power.

      Also, current use is a far cry from the original intent of the daemon -- that's for sure. There was a time when an ident reply contained a valid email address. I know there are still some valid answers out there, but I know I've never taken an ident reply seriously. These days, either you get a reply (and the info is probably garbage), or you don't.

      You can thank those windows users (like myself at times) for that. Heck, when I first started using IRC, I had no idea what ident was, and I didn't mess with mIRC's settings... thus, whatever you saw was nearly the same as ten thousand others, and even more useless.

      The fact that sysadmins now treat ident requests as 'attempted crack attempts' or (potentially) 'hostile network connections' says

      1. They don't appreciate the use of identd
      2. It's too much work to maintain and use it
      3. It's another port open on the firewall to that mean, nasty internet
      4. They're privacy freaks, and you don't need to know the username, you privacy-invading corporate whore, you!

        (Pick one, pick 'em all, your choice!)

      You know, Wakko... I can't say I disagree with you. But do you have another idea for a lightweight 'that connection was authorized, here's who is accountable' mechanism?

      --

      "...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
    9. Re:identd needs to die anyway. by coyote-san · · Score: 4

      Don't confuse the way it's misused by ill-informed sysadmins with its real potential.

      The current IDENTD information is useless for the 'remote' site, but it can be invaluable to the 'local' site if a complaint is received. Not everyone is a single-user PC - if you're running a host with multiple users this can give you valuable information about who could be responsible. (Or at the least, who might have had their account cracked.)

      There's also some proposals floating around to extend the IDENTD payload to include real authentication information. Having IDENTD pass something like an X.509 digital certificate that you can check might actually be stronger than using SSL/TLS-enhanced FTP that only uses anonymous connections.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    10. Re:identd needs to die anyway. by funcan · · Score: 1
      And that would be bad because?

      ...because your average Windows user could be your mom

      And that would be bad because? Help me out here, I must be missing something...
    11. Re:identd needs to die anyway. by pete-classic · · Score: 2

      I think that ident is nuts. I think that passing a cert is nearly as nuts.

      I've never understood why ident responses aren't all the same "The connection in question has been logged." (or maybe just "0")

      Then, if a human actually determines that there is a need for this info, he contacts the admin of the other box and has him get it out of the log.

      Something like:

      To: postmaster@bad.guy
      From: Joe_Admin@good.guy
      Subject: What gives?

      Hey, postmaster, whoever made the connection from bad.guy to good.guy:23 is a bad guy. You should delete his account.


      So, postmaster looks at the log (generated only because good.guy made an "ident request") and sees who the real bad guy is.

      In my head I call this shydent.

      -Peter
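The two designs above, pidentd's -C tokens (William Aoki's post) and pete-classic's "shydent", as one added example that is from neither poster nor from pidentd: an identd responder that hands the remote side an opaque token and keeps the real mapping in a local log for the admin to resolve later. Stdlib Python has no DES or AES, so instead of encrypting the fields as pidentd does, this issues a random token authenticated with an HMAC under a local key; the remote still learns nothing, a forged or mangled token returned in a complaint fails the check without a log lookup, and a genuine one resolves to the connection tuple and uid. The key, the in-memory log and the port numbers are assumptions for the example.

```python
"""Ident replies that are opaque to the remote but resolvable by the local admin."""
import base64
import hmac
import os
import time
from hashlib import sha256


class OpaqueIdentd:
    """Answer ident queries with tokens; log what each token stands for locally."""

    NONCE_LEN = 12
    TAG_LEN = 8

    def __init__(self, key: bytes, clock=time.time):
        self.key = key          # local secret; never leaves this host
        self.clock = clock      # injectable for tests
        self.log = {}           # token -> record (a real daemon appends to a file)

    def _tag(self, nonce: bytes) -> bytes:
        """Keyed checksum so the admin can recognise tokens this host issued."""
        return hmac.new(self.key, nonce, sha256).digest()[: self.TAG_LEN]

    def respond(self, server_port: int, client_port: int, remote_ip: str, local_uid: int) -> str:
        """Build the RFC 1413 reply line for one lookup and record the truth locally."""
        nonce = os.urandom(self.NONCE_LEN)
        token = base64.urlsafe_b64encode(nonce + self._tag(nonce)).decode("ascii").rstrip("=")
        self.log[token] = {
            "time": int(self.clock()),   # no clock sync with the remote needed
            "server_port": server_port,
            "client_port": client_port,
            "remote_ip": remote_ip,
            "uid": local_uid,
        }
        # 'OTHER' is the RFC 1413 opsys value for a non-username identifier.
        return f"{server_port} , {client_port} : USERID : OTHER : [{token}]\r\n"

    def resolve(self, token: str):
        """Admin side: reject tokens we did not issue, then look the rest up."""
        token = token.strip().strip("[]")
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:                  # binascii.Error is a ValueError
            return None
        if len(raw) != self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce, tag = raw[: self.NONCE_LEN], raw[self.NONCE_LEN :]
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return None                     # forged, mangled, or another host's token
        return self.log.get(token)


if __name__ == "__main__":
    d = OpaqueIdentd(key=os.urandom(32))
    reply = d.respond(21, 3456, "198.51.100.7", 1001)   # constructed lookup
    print(reply.strip())
    token = reply.split("[")[1].split("]")[0]
    print(d.resolve(token))          # admin, holding the key and the log
    print(d.resolve("nonsense"))     # None: a complaint quoting garbage
```

A complaint that arrives with a token is handled the way pete-classic describes: the admin pastes it into resolve(), which either names the connection and uid or says the token is not one this host produced. Because the timestamp lives in the local log rather than in the token, the ten-minute clock-skew problem William Aoki mentions does not arise.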

    12. Re:identd needs to die anyway. by catch23 · · Score: 1

      And that would be bad because?

      ...because your average Windows user could be your mom.

    13. Re:identd needs to die anyway. by Emnar · · Score: 2
      If you ask me, identd is nothing more than a waste of bandwidth. Someone, please prove me wrong.

      Actually, it's a (mild) security risk. From the nmap(1) man page:

      As noted by Dave Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc 1413) allows for the disclosure of the username that owns any process connected via TCP, even if that process didn't initiate the connection. So you can, for example, connect to the http port and then use identd to find out whether the server is running as root.

      Nmap allows one to do exactly that with the -I option.
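The disclosure Emnar quotes, as an added example (not nmap's code and not from any poster): a minimal RFC 1413 client plus a throwaway identd that answers from a constructed connection table, so the exchange can be run offline on localhost. A real identd answers from the kernel's TCP table, and nothing in the protocol requires the asker to be the side that opened the connection, which is what lets you connect to port 80 and then ask who accepted you. The (80, 40001) entry saying the web server runs as root is invented to show that; ports and user names are assumptions.

```python
"""RFC 1413 (ident) query, with a throwaway identd to talk to offline."""
import socket
import threading

# Constructed view of the *remote* host's TCP table as its identd sees it,
# keyed by (port on that host, port on the querying host).  Invented data:
# the web server on port 80 accepted our connection from port 40001 as root.
FAKE_CONN_TABLE = {
    (80, 40001): "root",
    (6667, 40002): "alice",
}


def ident_reply(request: str) -> str:
    """Build the one-line reply a real identd sends for '<server-port> , <client-port>'."""
    try:
        s_port, c_port = (int(x) for x in request.strip().split(","))
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (1 <= s_port <= 65535 and 1 <= c_port <= 65535):
        return f"{s_port} , {c_port} : ERROR : INVALID-PORT\r\n"
    user = FAKE_CONN_TABLE.get((s_port, c_port))
    if user is None:
        return f"{s_port} , {c_port} : ERROR : NO-USER\r\n"
    return f"{s_port} , {c_port} : USERID : UNIX : {user}\r\n"


def start_fake_identd() -> int:
    """Serve ident_reply() on an ephemeral 127.0.0.1 port; return that port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    req = conn.recv(512).decode("ascii", "replace")
                    conn.sendall(ident_reply(req).encode("ascii"))
                except OSError:
                    pass  # slow or rude client; drop it and keep serving

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]


def ident_query(host: str, ident_port: int, server_port: int, client_port: int, timeout=2.0) -> dict:
    """Ask host's identd who owns the TCP connection host:server_port <-> us:client_port.

    The asker does not have to be the side that initiated that connection; it
    only has to exist.  Connect to host:80 from our port P, then query (80, P),
    and the reply names the uid of the process that accepted us.
    """
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        line = s.recv(512).decode("ascii", "replace").strip()
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return {"status": "USERID", "opsys": fields[2], "user": fields[3]}
    if len(fields) == 3 and fields[1] == "ERROR":
        return {"status": "ERROR", "error": fields[2]}
    raise ValueError("malformed ident reply: %r" % line)


if __name__ == "__main__":
    port = start_fake_identd()
    print(ident_query("127.0.0.1", port, 80, 40001))  # who accepted our 'HTTP' connection?
    print(ident_query("127.0.0.1", port, 80, 9))      # no such connection
```

Against a real host the query goes to TCP port 113, and the information leak is exactly the one mosch's post treats as the cost of running the daemon: it enumerates which uid each listening service runs as, one established connection at a time.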

    14. Re:identd needs to die anyway. by slamb · · Score: 4

      If you ask me, identd is nothing more than a waste of bandwidth. Someone, please prove me wrong.

      ident is useful because it allows you to ask a trusted computer which of its users is making a connection. As a practical example, I use ident to authenticate users to PostgreSQL databases.

      The details: my system uses Apache's SUEXEC to run different virtual hosts under different UNIX users. Since the information from identd can be relied on (it's trusted since it's localhost and fakeid support is turned off) I use pg_hba.conf and pg_ident.conf to configure what UNIX users can connect to what databases as what PostgreSQL users. The end effect is, I don't have to embed passwords in my CGIs where I would have to otherwise. I could even separate the SQL server to a different machine and still not have to specify passwords, as long as the SQL machine trusts the webserver (it would, since I would own them both) and the network between (I would have them on the same subnet).
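The pg_hba.conf / pg_ident.conf arrangement slamb describes, as an added example with invented names (not slamb's configuration): a map from the per-vhost Unix users that suexec runs the CGIs as to the PostgreSQL roles they may connect as. Current PostgreSQL spells the local-socket variant `peer` (the server reads the uid from the socket itself) and keeps `ident` for TCP connections, which is the split-machine case where the trust in the remote identd and in the network between that slamb mentions actually matters. Database, role, user and address names are assumptions.

```text
# pg_hba.conf (first matching line wins)
# TYPE   DATABASE   USER       ADDRESS        METHOD
local    shop_db    shop_app                  peer  map=vhosts
local    blog_db    blog_app                  peer  map=vhosts
host     shop_db    shop_app   10.0.0.5/32    ident map=vhosts
host     all        all        0.0.0.0/0      reject

# pg_ident.conf
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
vhosts      www-shop          shop_app
vhosts      www-blog          blog_app
```

With the map in place a CGI running as www-shop can open shop_db as shop_app with no password, and a CGI running as www-blog that tries shop_db is refused because no map line joins those two names. The `host ... ident` line is only as strong as the identd on 10.0.0.5 and the path to it; the final `reject` keeps every other source from even reaching password negotiation.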

    15. Re:identd needs to die anyway. by boaworm · · Score: 2
      Most windows [IRC] clients actually have a built in IDENT server so they can respond to it.
      Ident is probably not the best daemon there is but when used correctly it can be pretty nice. If you ask for someones "ident identity" you can see what username he is claiming, what he really uses and from where he connects etc.

      I guess this could be used to support "cookies" in lynx ;), save a users www session based on ident. Not very secure but it could work.

      And its not really a waste of bandwidth, since it hardly uses any. Just a simple very short message... so small it's virtually nothing :)

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotle
    16. Re:identd needs to die anyway. by Garen · · Score: 1

      Well, it is worthless for its intended use. However, it's valuable because: 1) The reverse connection verifies the source of the connection is 'real' 2) If authentication is stalled until an ident request is satisfied, that prevents a client from DoS attacking by connecting really fast.

    17. Re:identd needs to die anyway. by MxTxL · · Score: 2
      It's a waste of bandwidth and it's very annoying. Connecting to any IRC network from a windoze box, you have to wait a long ass time for the ident to timeout.

      It's a waste of time AND bandwidth.

    18. Re:identd needs to die anyway. by windows · · Score: 1

      I think you forget the many users who use shells either for BitchX clients, eggdrop bots, bncs, and who knows what else. Clones eat up IRC server resources and thus the ident shows that multiple connections from the same host/IP aren't clones and shouldn't be d:lined or k:lined from the server. And at least in the past, most abusive clients didn't have ident. I'm not sure anymore, but I suspect this is still mostly true. And maybe this isn't a problem for small networks, but when it's big IRC networks such as EFnet with 60,000+ users, this can become a problem. It's not paranoia; the servers do get attacked quite frequently whether it be in the form of a DoS attack, clonebots, IP hijacking, or another attack. Just read efnet.org if you don't think I'm right about all the attacks that happen.

  16. Why is this a problem? by dmiller · · Score: 3

    For years clueful IT people have been saying that end users should be more conscious of their security. Now that people are actually showing signs of doing this (albeit in a silly manner) they get criticised?

    Not everyone wants to, needs to or has the time to know everything about network security. Don't jump down their throats just because they happen to care about the traffic traversing their networks.

    1. Re:Why is this a problem? by Raven667 · · Score: 2

      Too true. Many people thought it would be the greatest if everybody used Linux, then balked at the flood of clueless newbie users. The same people balk when users try to inexpertly secure their systems.

      Damned if you do, damned if you don't

      --
      -- Remember: Wherever you go, there you are!
  17. but still by hawk · · Score: 2
    It's hard not to be impressed by folks rounding up a real life posse, err, lynchmob, over a computer . .


    :)


    hawk

  18. Yes, yes, yes.. by Precision · · Score: 1

    I run download.sourceforge.net, which consists of 3 FTP servers. We host sites like ftp.debian.org, ftp.yellowdoglinux.com, and others.. needless to say we get one of these emails about every day or so.. I simply point out the flaws in their logic and usually they're pretty good about accepting blame.

    As annoying as it is, it's something that isn't going to change.. people just install snort or something and see random connections.. they don't understand how protocols like ftp and ident and such work..

    --
    - U
  19. Re:And the vendors, too by sheldon · · Score: 2

    Umm, Compaq is pretty clueless when it comes to software development.

    Over the years at companies I've been at we've tried to implement some of these desktop and server management tools.

    They usually work, but not always and are sometimes more frustrating to try to setup than actually use.

  20. Re:Blame the Users by judd · · Score: 5
    an endless loop of mutual fingering...

    Thanks. I really, really needed that image.

  21. Re:And the vendors, too by Ben+Hutchings · · Score: 2
    Automatically delete user directories that have not been accessed within the last days. This is an effective mechanism for only keeping information on the system for active users. (ON)

    It sounds like this really means roaming profiles under NT. These are stored centrally and copied to and from other machines in the domain as necessary when a user logs on and off. They are not deleted when a user logs off - instead they are cached. So this may just be an option to clean up the cache, which NT doesn't do and which is a useful feature.

  22. Re:Yup, there really are that many bad admins... by armb · · Score: 1

    > > Chances are they had no clue what the 'established' keyword was
    > Just out of curiosity: how do you configure a firewall for those kinds of protocol?

    Read the manual for your firewall. Try looking up "established" in the index. Or use Google: http://www.google.com/search?client=googlet&q=firewall%20established shows, for example,
    "The established command allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support. When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established."

    --
    rant
  23. Re:Yup, there really are that many bad admins... by armb · · Score: 1

    > Actually, wouldn't this "established" be a security hole in its own right?

    I assume there is an option to specify ranges for new connections associated with existing connections on specific ports (at least when a well-designed firewall is set up correctly).
    But I don't actually know, which is why I suggest reading your manual. (I'm confident our sysadmins know, but I don't plan on wasting their time just so I can give a more detailed answer on Slashdot).
    Once my home computer is in a room with a phone socket, I might care about putting a firewall on it (hence "nonerightnow" as email address (work policy says don't use work email address for usenet etc. (Slashdot is etc.)). If I get a cable modem or ISDN or other always on connection, I definitely will. But I've got to move house first (a long off-topic story).

    --
    rant
  24. Re:quis erudiet ipsos custodes? by willfe · · Score: 1

    Hmmm. I thought "Aw shit!" or the even more critical "Oh fuck!" from an admin made the managers nervous :)

    --
    Read my stuff.
  25. Re:Yup, there really are that many bad admins... by willfe · · Score: 2

    The funniest part about the Solaris 8 install media (at least on SPARC; haven't messed with x86) is how you can completely skip the "installation" CD entirely, booting off Software 1 of 2 to fire off a more decent (but still irritating) GUI installer, or if you just run it over a serial console, you can burn through the text-only installer.

    I still amuse myself being able to install a Solaris 8 system from scratch with that trick faster than my coworkers who use the "pretty" installer.

    --
    Read my stuff.
  26. Re:You think this is stupid? by MaufTarkie · · Score: 1

    ... or using Hotmail.

    --
    Without you I'm one step closer to happiness without violence.
  27. Re:You think this is stupid? by MaufTarkie · · Score: 1

    *sigh* Leave it to /. to screw up a link.

    --
    Without you I'm one step closer to happiness without violence.
  28. firewall logs are just too big to investigate by Chutzpah · · Score: 1

    I have an OpenBSD firewall set up at home, and I gave up looking into hits (usually just DNS'ing the IP and finding out who was trying to connect to me) as I would usually get 200+ hits a day (and no, I don't log FTP connections). I personally don't care too much who hits on my firewall; the only ones I really care about at this point are actual connections to my daemons.

  29. You think this is stupid? by Apuleius · · Score: 2

    I saw one case where a Windows user with some grossly inadequate "personal firewall" panicked at an attempt to connect to port 13, i.e. "daytime", i.e. the one service least likely to be even remotely useful for an attack of any kind. Thanks to clueless users we are approaching the day when people will think port 80 is the only thing that exists in the IP protocol tree.

    1. Re:You think this is stupid? by Raven667 · · Score: 2

      That's not entirely true. daytime would be quite helpful in identifying ancient Unix boxes that actually run the service by default as well as defeating time-based protocols (like some bad auth systems). In any case I think that is suspicious but definitely not panic-worthy. In fact, if you are denying the traffic very little is panic-worthy.

      --
      -- Remember: Wherever you go, there you are!
    2. Re:You think this is stupid? by dubl-u · · Score: 4
      Solution: invent RPC over HTTP protocols. Problem solved!

      And you thought you were being funny, didn't you?
      http://www.xmlrpc.com/stories/storyReader$7
    3. Re:You think this is stupid? by vectus · · Score: 1

      you're lucky you're not on @home.. that'd be reason enough to cancel your service.

    4. Re:You think this is stupid? by refactored · · Score: 1
      http://freshmeat.net/search/?q=http+tunnel

      It seems a lot of people have already thought of that....

    5. Re:You think this is stupid? by refactored · · Score: 5
      You think that's stupid? Try this one. I got this email from a twit calling himself Callisto the other day (cc'd to my ISP's postmaster)
      Can I ask why you are playing around in my account???? This is an account that I pay for, for private use and I don't appreciate people putting files into my account.
      What great sin had I committed?
      I had sent an email to my wife and mistyped her address.
    6. Re:You think this is stupid? by NutscrapeSucks · · Score: 1

      Solution: invent RPC over HTTP protocols. Problem solved!

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    7. Re:You think this is stupid? by NutscrapeSucks · · Score: 2

      I think all of you guys need to reverse the polarity of your joke sensors.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  30. Re:Personal firewall training needed by psp · · Score: 1

    Well, wouldn't you know, but not only email virus checkers alert on this one. I was quite astonished when norton antivirus threw a window at me, declaring that this _web page_ contained the virus "Unix Penguin".

  31. Hack attacks on port 25... by hta · · Score: 4

    my favourite "you are hacking me" story is the guy who registered with the Linux Counter using an email account on his home machine, and then complained that I was hacking his home machine because I was connecting to port 25 every half hour....his email server was not turned on.

    1. Re:Hack attacks on port 25... by autocracy · · Score: 2
      My favorite URL would have to be the one that tries to point to the Linux Counter site, but ends up giving you a bad /. link. I bet Pater is getting a lot of e-mails from people that can't figure this one out :)

      Psst - try http:// next time...

      Microshaft still OWNZ JOO!

      --
      SIG: HUP
  32. Things to look for, by AftanGustur · · Score: 2

    What should administrators really be watching for if they are concerned with potential hostile activity over the net?

    Administrators should take whatever log their IDS machines produce and periodically run some statistics on it (every day/week/month). List remote machines in decreasing order of the number of different alerts they produce.
    Example:
    remote.hacker.org 4 types
        smurf 127
        http-activeweb 54
        Napster_Command_Long 8
        Napster_Create_Account 1

    But this is just one of the things to do, though I have found it to be one of the most useful tricks to definitely nail down the ones that are scanning/attacking. And of course you will have to go to your logfiles to find the corresponding entries to eliminate false positives.
    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272 C3AF4F2snlbxq'|dc

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
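    The "rank remote hosts by number of distinct alert types" statistic described in the post above, as an added example that is not code from the original post or from any IDS project. It assumes Snort's single-line "fast" alert format; the sample log is constructed for illustration.

```python
"""Rank remote hosts by how many distinct IDS alert types they trigger.

Added example, not code from the original post.  Assumes Snort's
single-line "fast" alert format; SAMPLE_LOG below is constructed.
A host that trips several different signatures is ranked above one
that trips a single signature many times, which is the point of the
statistic: it separates scanning/attacking hosts from noisy ones.
"""
import re
from collections import defaultdict

# One Snort "fast" alert line looks like (constructed):
# 06/14-02:01:05.000001  [**] [1:1000001:1] SMURF [**] [Classification: ...]
#   [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10
# TCP/UDP lines carry ":port" after each address; ICMP lines do not.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Return (source_ip, alert_message) for one alert line, or None if
    the line is not an alert (e.g. a stray non-alert log line)."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("msg")


def rank_sources(lines):
    """Aggregate alerts per source IP and return a list of
    (source_ip, number_of_distinct_alert_types, {message: count})
    ordered by distinct types (desc), then total hits (desc), then IP."""
    per_source = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip lines that are not alerts
        src, msg = parsed
        per_source[src][msg] += 1

    ranked = sorted(
        per_source.items(),
        key=lambda item: (-len(item[1]), -sum(item[1].values()), item[0]),
    )
    return [(src, len(msgs), dict(msgs)) for src, msgs in ranked]


def format_report(ranked):
    """Render the ranking in the "host N types / alert count" layout
    used in the post above."""
    out = []
    for src, n_types, msgs in ranked:
        out.append(f"{src} {n_types} types")
        for msg, count in sorted(msgs.items(), key=lambda kv: -kv[1]):
            out.append(f"    {msg} {count}")
    return "\n".join(out)


# Constructed sample log: one host trips three different signatures,
# another trips a single signature five times, plus one non-alert line.
SAMPLE_LOG = [
    "06/14-02:01:05.000001  [**] [1:1000001:1] SMURF [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "06/14-02:01:06.000002  [**] [1:1000001:1] SMURF [**] [Classification: Attempted DoS] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "06/14-02:03:11.000003  [**] [1:1000002:1] HTTP-ACTIVEWEB [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4412 -> 192.0.2.10:80",
    "06/14-02:05:40.000004  [**] [1:1000003:1] NAPSTER_CREATE_ACCOUNT [**] [Classification: Policy Violation] [Priority: 3] {TCP} 203.0.113.9:4413 -> 192.0.2.10:8888",
    "06/14-02:10:00.000005  [**] [1:1000004:1] FTP PORT bounce attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:21 -> 192.0.2.10:1025",
    "06/14-02:10:01.000006  [**] [1:1000004:1] FTP PORT bounce attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:21 -> 192.0.2.10:1026",
    "06/14-02:10:02.000007  [**] [1:1000004:1] FTP PORT bounce attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:21 -> 192.0.2.10:1027",
    "06/14-02:10:03.000008  [**] [1:1000004:1] FTP PORT bounce attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:21 -> 192.0.2.10:1028",
    "06/14-02:10:04.000009  [**] [1:1000004:1] FTP PORT bounce attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:21 -> 192.0.2.10:1029",
    "this line is not an alert and is skipped",
]


if __name__ == "__main__":
    print(format_report(rank_sources(SAMPLE_LOG)))
```

    The ranking is only a starting point: as the post says, each candidate source still has to be checked against the raw log entries to weed out false positives.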
    1. Re:Things to look for, by baptiste · · Score: 2
      Which is why I love ACID which does stuff like this on the fly with Snort & SQL. Of course it can get dicey if you log tens of thousands of hits each day, but that just means your ruleset is too broad.

      It sure makes monitoring my Snort logs a lot easier.

  33. i want to get a joby job! :) by ananke · · Score: 1

    in all seriousness: i know how it is. even though i just graduated [about 1 month ago], i'm still having a hard time finding a job. quite frankly, my degree is worthless. purpose of it? i guess they want to know if i can read/write reports. one thing that sucks for me now, is the fact that the economy is on such a slowdown, and nobody is hiring. on the contrary, everybody is downsizing.

    i think the only thing i can be thankful for, is the fact that i worked for my college all throughout my years there, and i basically achieved the rank of work study sys admin. the junk i learned in class is sad. heck, if i had only my degree, i wouldn't want to hire myself. and yes, i'd hate to be in that catch-22 'need a job? must have experience. need experience? must have a job'.

    now, if i could only find a position for a linux admin in the san diego area, i would be happy.

    --
    --- d'oh
    1. Re:i want to get a joby job! :) by tomknight · · Score: 1
      quite frankly, my degree is worthless

      No! Roll the certificate up, shove it down your trousers, and all the young ladies will think you're hung like a horse. Yes, it's true, having a degree (even CS!) turns you into a chick magnet.

      Tom.

      --
      Oh arse
    2. Re:i want to get a joby job! :) by FrostedChaos · · Score: 1
      1) College is about more than getting a job. No, really. It might be the last time in your life you get to do what you want.
      2) If it's experience you want, two words: internships! co-ops!

      In any case, the highest paying jobs don't go to the techs, they go to business types. So if money is what you want, don't bother with computers. Then you can get your nice suburban house and 2.4 kids.

      --
      "Any connection between your reality and mine is purely coincidental." -Slashdot
  34. Re:Yup, there really are that many bad admins... by ananke · · Score: 1

    and how does that relate to the whole thing?

    --
    --- d'oh
  35. Blame the Users by Splat · · Score: 5

    As a previous poster pointed out, I think this is most likely due to the boatload of personal firewall software out there. A lot of people who go buy Norton's firewall, use BlackIce, ZoneAlarm or whatever see that "A computer has tried to connect to your machine via FTP" and panic. I do deskside support and I get people who worry that they've done something "illegal" when they get the BSOD (no I'm NOT joking). The simple answer seems to be you've got people who don't know what the hell they're doing installing/using firewalls.

    Nothing beats the one time I tried to telnet into an old shell, attempted to logon, and after login failed I realized it was a different machine. The admin somehow or another ran a finger query on the shell machine I was logged onto and sent me email demanding to know who I was and why I was connected to his machine. There are some psychos out there ..

    Then again, you never can be too paranoid.

    1. Re:Blame the Users by Raven667 · · Score: 1

      I totally agree, but this should be caveated with the fact that many other servers wish/require ident. The worst offenders are IRC networks and SMTP servers. If you just drop ident traffic you can increase connect times while the remote server waits on an ident response that will never come. Better to REJECT the traffic or write a small daemon (beware of DoS-ability) that only responds with some properly formatted garbage.

      --
      -- Remember: Wherever you go, there you are!
    2. Re:Blame the Users by Raven667 · · Score: 2

      Grr. Nobody uses finger anymore, except in the rare case to run a .plan or pgp-key server. Unless you specifically know that a host is running finger it should not be assumed. Running the safe_finger rules from the tcpwrappers man page is, like, soooo 1992 8^).

      --
      -- Remember: Wherever you go, there you are!
    3. Re:Blame the Users by Lotek · · Score: 2

      This is why Fdisk/reinstall exists. Oh wait, they don't have the original media? hm. rats.

    4. Re:Blame the Users by mpe · · Score: 2

      I code on an irc daemon for a large network, and I get forwarded emails from people who accuse the network of "attacking" them with ident.

      But no complaints about telnet. An unfortunate problem of "Wingate Scanners" used on some IRC networks is that they probe TCP port 23.

    5. Re:Blame the Users by thrig · · Score: 1

      Generalization: a lot of people don't know what the hell they're doing installing/using computers.

      Quoting a panicked new unix user who knew just enough to be dangerous: "/proc is full!"

    6. Re:Blame the Users by Isomer · · Score: 1

      It is because irc has no real concept of authentication. A lot of IRC users use shell boxes to try and avoid DoS against their home machines. If an IRC user is abusive, you want to be able to ban them from the network, and the only real way of doing so is to ban by ip. If the box is a shell box then banning by ip will hurt "innocent" users. So IRC uses ident, and, when it's used appropriately it will be used to ban one abusive user. If ident isn't used, or is set up to allow abusive users to evade, then the entire machine is banned. So admins that want their users to be able to IRC install ident correctly.

    7. Re:Blame the Users by Isomer · · Score: 2

      I don't like the "personal firewall" products for this reason. People have the firewalls - that's good, but they have no comprehension of what they are doing (they're protecting me from evil people!) or what it means. Security isn't about buying a product that's going to make it all 'right', it's about understanding the issues, assessing the risks and taking action where warranted.

      I code on an irc daemon for a large network, and I get forwarded emails from people who accuse the network of "attacking" them with ident. These people need to learn about the risks and understand why these products say that ident can be a security problem (it "leaks" information about your username if configured correctly) and why it probably isn't in this case (irc uses it for a weak form of identification, and on a windows machine it's probably what you put in the "what do you want to show as your ident?" box)

    8. Re:Blame the Users by Velox_SwiftFox · · Score: 3
      The admin somehow or another ran a finger query on the shell machine I was logged onto and sent me email demanding to know who I was and why I was connected to his machine.

      This is a sign they copied the "how to log suspicious connections" man page info associated with TCP wrappers (I forget which man page exactly - inetd? hosts.allow? hosts.deny?). The example given tries to safe_finger any detected rogue connection except other fingers (which could cause an endless loop of mutual fingering to start).

      I don't know if it is a good or a bad thing (in terms of what this /. article is about) that the example usually fails to work on Linux distributions I've used, notably Red Hat, because TCP wrappers was compiled with options that need a different format.

      But: To anyone else out there that uses the example in hosts.deny - guess what? Because TCP wrappers errors out on that line you let the connection in as a result - it never gets to the usual "ALL: ALL: DENY" at the end!

    9. Re:Blame the Users by Ronin+Developer · · Score: 2
      Nothing beats the one time I tried to telnet into an old shell, attempted to logon, and after login failed I realized it was a different machine. The admin somehow or another ran a finger query on the shell machine I was logged onto and sent me email demanding to know who I was and why I was connected to his machine. There are some psychos out there ..

      Well, that would be me...Seriously, a single attempt is probably not enough to warrant the attention of the sysop. However, you say it was an "old shell". That would imply that you had no real business being there in the first place...right?

      Take for example a recently released (and disgruntled) employee. How often is somebody released from a company and the IT department is the last to know? Just why did that former employee log into an account that should have been terminated (just like they were)? As studies have shown, most attacks against corporate systems are by disgruntled workers. Personally, the admin who caught you should be commended for due diligence.

      But, when is "enough" enough already? Do I freak on IDENT connections? No. Do I give a rat's ass about ftp connections? Not until I see a repeated pattern or coupled with other activity (such as a full nmap SYN scan). Telnet or SSH attempts? I'm a little more wary and more apt to keep a closer watch. Of course, we should all be running SSH anyway if you leave your public interfaces accessible...right?

      Now, onto the subject of port scans. If my computer were a house and a cop saw you going door to door checking the locks, you can be damned sure they'd stop you. It's called "probable cause". Since the laws on the books make it very hard to stop network attacks, the only real recourse is to report the attacks to their ISP. If their ISP is responsive, they are probably knocked offline for 24 hours or so. If it was innocuous, their access is restored. If not, then the little bastards have to find another ISP. Piss 'em off? Tough. That's one less cracker I have to deal with during their "cooling off" period.

    10. Re:Blame the Users by GlassUser · · Score: 2
      The example given tries to safe_finger any detected rogue connection except other fingers (which could cause and endless loop of mutual fingering to start).
      Oh yeah, my friend told me about that porno last week
    11. Re:Blame the Users by Darth_Burrito · · Score: 1

      A few days after moving into the University Dorms, my room-mate was sitting at his computer browsing the shares on the building's student network of PCs. All of a sudden a group of 3 or 4 very agitated guys show up and threaten to beat the crap out of him.

      Apparently whatever software they were using had alerted them that jondoe.23 (University username = room-mate computer name) was connected to their machine on port whatever. They perceived this as a Cracking attempt and rounded up a lynch mob to find and stop this malcontent danger to society.

      I must say, listening to him try to explain to them that he had only been browsing information that the fellow had been sharing on the network, had to have been one of the most amusing events of my college career. They ended up leaving with their tails between their legs carrying instructions about how to figure out what they were sharing and remove it from the network if they wanted to.

  36. Not admins by Duckie01 · · Score: 1
    These aren't admins, but windows people with "firewalls" like zoneAlarm or blackice or something. They don't know what an ident lookup is. They just see the message from their "firewall", stress out that they've been "hacked" and complain to wherever the program suggests.

    Nothing but shooting them will stop them.

    1. Re:Not admins by PigleT · · Score: 2

      Correct, they're lusers, who don't know how to handle identd properly. Probably best to go have a look at and work it out for yourself.

      But more to the point.. *why must* an FTP server run identd? To help debug what user connected? Well diddums, most machines don't run identds these days, not unless you're connecting to IRC all the time. The first thing that's wrong is bothering with identd checks on the FTP server; the next thing is having borked firewalls, and lastly, having lusers who use said borked firewalls. Save the whole issue, don't request the blinking lookup!
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  37. Me = clueless admin apparently by Hardware · · Score: 3

    I WAS reporting scans and probes of my networks on a daily basis.

    I'd semi automated this and at one stage was one of those that emailed Kirk without even realising that I had autorpm running on all my Linux boxen and that was what was triggering it.

    I'd prefer to think of myself as over zealous rather than clueless.

    I've since given up on the whole idea. Yes I managed to alert some people to the fact their machines had been hacked and they were very thankful for it. However that was not the norm and the time spent sending the emails (even once semi-automated) could not be justified by the results.

    The norm was no response at all and often the worst offenders are the BIG ISPs in that department.

    Eg. Telstra have a customer that regularly hits my network with broadcasts to a certain port which is presumably a misconfigured Innoculan (anti-virus) client. Do you think Telstra would bother to reply to me or pass on my message to their customer... Not likely!

    Anyway in answer to Kirk's question yes this is probably going overboard and admins should probably look at a combination of firewall logging and an IDS like snort to spot the true hostile activity.

    I recently began running snort here and whilst I still don't bother reporting things at least I now have a better idea of what is thrown at my network each day and a MUCH better chance of picking up an attempted hack.

    So far the most common malicious thing I see is an attempted exploit of LPRng for RedHat 7.0

    I'll stop babbling now and Kirk you have my apologies for ever bothering you and my thanks for a great program.

    1. Re:Me = clueless admin apparently by Raven667 · · Score: 2
      I'd prefer to think of myself as over zealous rather then clueless.

      Ich Auch! And that isn't such a bad thing.

      The norm was no response at all and often the worst offenders are the BIG ISPs in that department.

      Boringly normal. Even with a database of known good email addresses to override the crappy whois database I still only manage to get a 25-30% response rate (including autoresponders). I still file several hundred incidents a day (well, it is my job 8^). My experience: If you expect someone to jump every time you send an abuse mail you are expecting way too much. I believe that it is your responsibility as a good netizen to report unusual activity (probably from a rooted box). As long as the mail doesn't bounce, what they do with the information is up to them, it is not your problem (unless you are being DoS'd).

      Anyway in answer to Kirk's question yes this is probably going overboard and admins should probably look at a combination of firewall logging and an IDS like snort to spot the true hostile activity.

      Caveat: You will run into the problem that you will never see the payload of any TCP connection that has been denied, making your IDS useful only for single packet UDP and ICMP attacks as well as TCP traffic that you allow (web, smtp, etc.).

      --
      -- Remember: Wherever you go, there you are!
    2. Re:Me = clueless admin apparently by U2BG · · Score: 2

      The norm was no response at all and often the worst offenders are the BIG ISPs in that department. Eg. Telstra have a customer that regularly hits my network with broadcasts to a certain port which is presumably a misconfigured Innoculan (anti-virus) client. Do you think Telstra would bother to reply to me or pass on my message to their customer... Not likely!
      I had a similar exp with Telstra, when I discovered that 20% of our 768Kb ATM was consumed by NNTP traffic. When I logged 2MB of NNTP packets it exposed that millions of hits/day attempting to get alt.comp.virus and this was the result of Hybris infected machines. Telstra were very apathetic and would only firewall NNTP traffic for "two weeks". As it turns out, there really isn't any defence we could use except change our C Class (their suggestion). I then enquired "So what will that mean for the next person to get that IP? Can you flag the IP to give the next client an idea?" That resulted in a flat negative. Since then I have left that employer, but I do wonder why Telstra's shares are dropping when they have this perfect revenue generator, as the NNTP traffic cost us about $2K/month!

  38. ibiblio/metalab/sunsite experience by pjones · · Score: 2
    I could tell tales that duplicate all of the notes so far. With each release of new 'system security software' and with each new news story about how vulnerable your wintel host is on a cable modem, we get a flurry of threatening emails, late-night phone calls, and redirects from the UNC legal folks. Some are hilariously silly. Others are earnest, sincere and misguided.

    We developed a longish form letter that allows us to keep our cool and to try to inform the complainer that we are not, in fact, scanning his or her machine, but responding to their ftp requests (often requests that they didn't realize that they had made) or actually are the home of one of several vhost or vIP sites they barely recall visiting.

    This works pretty well, but in one case (I can't resist) a self-styled "security expert for a major corporation" accused us of violating his/her privacy then enclosed a log that listed visits to sites that revealed too much about his/her medical concerns, bingo habits, and purchasing proclivities.

    If /.ers would like our form letter, I can send it on to you or post it.

    --
    Certified Black Helicopter Pilot *** Unwitting Dupe of One World Gov'ment
    1. Re:ibiblio/metalab/sunsite experience by Raven667 · · Score: 2

      That's cool. I read firewall logs for a living and I like it when I get the "form letter" when I make a mistake as opposed to the "flame letter". It always hurts when some uptight admin reams me for accidentally reporting some bogus traffic. I think that my incident form letter is pretty mild "This may be a probe or just a misconfigured client, etc." but I still sometimes get unfriendly critiques of my admin ability, my family's genealogy, etc.

      I'm just trying to make the Internet a more friendly place, and it's always better to deal with others who are sympathetic to the cause.

      --
      -- Remember: Wherever you go, there you are!
  39. Re:Unknown Clients by FigWig · · Score: 1

    You put your server out there on port 80, you have no right to complain if I connect to your machine. Even if my user-agent string were "Fuck your mom". So relax and have a beer instead of wasting your life peering through server logs.

    --
    Scuttlemonkey is a troll
  40. Everyone is a target. by jafo · · Score: 1

    What makes someone the target of compromise attempts? These days, it seems that simply having a publicly-routable IP address is enough. Attackers don't say "I wonder if I can break into this site", they instead tend to just search as large an address space as they can looking for a machine that meets a profile.

    "Is there a machine in this range of a million addresses that is running an older version of wu-ftpd?"

    As a single user, it's hard to tell if a handful of packets constitute an attack attempt. Maybe someone just typed a name or address wrong. I've periodically been surprised that my attempts to SSH to the wrong address haven't been responded to.

    It's easier to see an attack if you have a group of IPs. It's pretty obvious when you look at your collected logs across a bunch of machines and see that one site hit every IP on your networks, usually in a fraction of a second.

    There are two things that can help smaller systems though. If they're hitting a bunch of common ports (21, 53, 111, 515), you've probably got an attack. The only other thing is if you can consolidate these packets. Say, a service which would allow users to submit packet denies and then when you see a few thousand hits (or whatever) you raise the red flag. I seem to recall there's something like this, but I don't know where. Anyone?

    I'd probably be analyzing my firewall logs more if my attempts in the past hadn't been met with such a bad response. I've rarely had an e-mail replied to as the result of such a report. People just don't seem to care.

    I wish more people did... I'd sure like to know if one of my machines is being used as a jumping-off point for an attack.

    Sean

  41. happens all the time at isps by Cheeze · · Score: 1

    i used to work for an isp and we would get an e-mail a week about some windows user running winNT4.0 that would say we were trying to hack into their machine. in most of these cases, the user, or someone on their network, was using napster or gnutella. well, gnutella and its clones make port 80 requests all the time. people would e-mail our abuse e-mail address or just call up threatening to sue us if it didn't stop (good thing we had onsite counsel). what a pain in the a-hole to have to stop what i was doing to explain to a shoddy admin what port connections are and how the internet wouldn't work without them.

    almost EVERY TIME, it was someone running NT4.0 and a freeware or shareware firewall program that had some sort of e-mail detection (gets a port probe, e-mails a specified address). those things are evil in the wrong hands. it should MAKE you read the documentation, and then give you a short test to see if you actually read it.

    oh well, basically, dumb users are to blame, and unless you want to teach the world about tcp ports (in perfect harmony, even), you have to live with it. if the same person keeps harassing you though, press charges. that'll get them to stop.

    --
    Why read the article when I can just make up a snap judgement?
  42. true admins will... by Splork · · Score: 1

    will just watch for email addresses of other stupid whiny "admins" who complain without a clue and autofile their email to /dev/null.

  43. Re:Infallible by Jeremi · · Score: 2
    Maybe it's just me, but wouldn't it make more sense (perhaps with "Internet 2" or any of these other projects) to create infallible network protocols/tools that can't be used for maliciousness? Or is this logically impossible?

    Wow, that's an awfully tall order... sort of like asking people to come up with a car that can't be used to run into things. I might be wrong, but I think it would be impossible to have an Internet that is both "safe" and at all useful.

    It just always seemed to me that, barring the script kiddies, the majority of people who use these tools seem to be hackers with malicious intent. Was the internet built with malicious intent as part of the protocol?

    Not really... it's just that you always hear about the hackers and script kiddies. The fact that people are using these tools to conduct their day to day business just isn't very interesting news.

    As for the Internet's design, the Internet was designed to allow computers to send and receive data, nothing more or less than that. The fact that the ability to send and receive data can be used to malicious ends is just an unfortunate fact of life.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
  44. Re:And the vendors, too by Raven667 · · Score: 2

    LOL, I remember working for a place that was trying to use InsightManager. They were trying to run the management station on someone's workstation (Win98). This person had to make sure to keep Insight Manager running throughout the day while they worked, and since MAPI is a big steaming pile of non-standard crap they also had to keep Netscape open so the darn thing could send mail. This has to be the stupidest system I have ever seen a network admin try to implement. Foul and unreliable.

    --
    -- Remember: Wherever you go, there you are!
  45. Re:What to look for. by Raven667 · · Score: 2

    Not everybody has the same attitude or security policy as you. However anyone who gets rude over portscans or portscan reports needs to get a life in my book.

    --
    -- Remember: Wherever you go, there you are!
  46. Re:Zork and telnet as 'attempted unauthorized entr by Raven667 · · Score: 2

    I don't know what the UWEC admin said to you, but unless he was quite rude the response you describe was completely uncalled for. I manage many firewalls and if I see a connection attempt on port 23 to some random host I most certainly would question it and bring it up with the owner of the IP block that it came from. If it turns out to be nothing, then fine, but I should at least spend the effort to find out.

    9/10 of the time, when I get a human response (mostly I get autoresponders from various ISP's ticketing systems), it is to report that the source machine was cracked and scanning and that they are very sorry, etc. Sometimes I get a generic, "It's fixed" message and rarely I get an abusive message from a person like you. I hate that.

    --
    -- Remember: Wherever you go, there you are!
  47. Re:Blame the scare-mongers and vendor competition by Raven667 · · Score: 2

    May I suggest to the newbies that the best practice when you see anything you don't recognize is to first do the research (Google, SANS, etc.) to find out what it probably is. Only if you can't figure it out through a moderate amount of searching should you contact the source and ask. May I also suggest that if you are running a commercial IDS that you may wish to double check your findings with Snort (or at least be familiar with the Snort ruleset). Snort is merely programmed to work well for the people who use it and there is little pressure to "bulk up" the ruleset with a lot of spurious signatures.

    --
    -- Remember: Wherever you go, there you are!
  48. Re:Doh ! security is a process, not a product ! by Raven667 · · Score: 2

    Yes! And I say this not just because I work for a small managed security firm (Please ignore the fact that the website is ugly, I know). If you don't understand how to build a firewall or IDS then you should hire someone else to do it, as it is very easy to get wrong (the concept of least privilege is lost on 99% of all network admins, who just want things to work). Security takes time to do right and requires constant maintenance (log reading, etc.); if you don't have the time or knowledge to do it right you are going to get burned.

    --
    -- Remember: Wherever you go, there you are!
  49. Re:Scanlogd Logs SuSE's Yast as an "attack", too by Raven667 · · Score: 2
    But, face it. People are getting downright racist about packets. Any unknown packet is a bad packet, and it's just there to do something evil, and unimaginably bad.

    That's me, the packet fascist. While I do work from the assumption that any traffic that I haven't allowed is bad, I don't necessarily believe that the traffic is evil. Every packet came from somewhere, unless you have really broken network equipment. In any case I believe that any traffic that you can't explain as good should be followed up with the source IP owner. But that's just me, the fascist.

    --
    -- Remember: Wherever you go, there you are!
  50. Re:Firewalls for Flamers by Raven667 · · Score: 2

    I know that on all the firewalls that I build ICMP Echo requests/replies are blocked through the firewall as well as UDP. All of our protected networks are RFC1918 addressed, both ICMP and UDP are stateless protocols making NAT error prone or excessively difficult. It is impossible to prevent random packets from being injected into a UDP stream, for example, exposing their client machines to more risk. If the client has a legit request they can change their security policy (at their own risk), but I wouldn't allow anything by default that wasn't requested.

    --
    -- Remember: Wherever you go, there you are!
  51. Re:Yup, there really are that many bad admins... by Raven667 · · Score: 2
    Just out of curiosity: how do you configure a firewall for those kinds of protocol?

    That's easy. You don't. 8^).

    There are only a few ways to do this. You can:

    1. Configure the service to use a fixed port
    2. Use a firewall with stateful inspection of the higher layer protocol stream
    3. Allow any high port to any other high port (ick, improper trust relationship)
    4. Or just don't, and use something else that you can firewall properly

    Many firewall products try to inspect the traffic as it is whizzing by, but this is almost impossible to get right and very, very easy to get wrong. Most of the time you can inject crafted traffic into a stream and cause the firewall to 1) Crash, 2) Give up root, 3) Open an arbitrary hole. This kind of attack can affect IDS systems as well, as they are grabbing and analyzing hostile traffic. I believe that PIX, FW1, Snort, and ISS have all had these kinds of problems in the past. Given enough time and effort I'm sure more will be found in the future. Plan accordingly.

    --
    -- Remember: Wherever you go, there you are!
  52. Re:Crushing Crowds by Raven667 · · Score: 2

    That's a really bad analogy. The Internet is nothing like a crowded subway car, packets don't just bump into your external firewall by random chance. It's deterministic, somebody sent them for a reason, whether by mistake or by malice.

    Having my machine scanned by cracked boxes and script kiddies, forgetting for a moment the limited number of professional crackers, is definitely something that I would wish to bring to the attention of the IP owner. It's common courtesy and not "retarded". It's also definitely not something to get your undies in a twist about, and not something that should cause you to forswear the Internet over.

    Just like the "Real World(tm)" the Internet is full of garbage and assholes, gee . . . Imagine that.

    --
    -- Remember: Wherever you go, there you are!
  53. Re:Pardon me? by Raven667 · · Score: 2

    You both should quit fiddling with your analogies, it's totally pointless. I believe that it is called "Arguing over Symantecs" 8^).

    --
    -- Remember: Wherever you go, there you are!
  54. Re:Ignorant admins by Skapare · · Score: 1

    I'd bet at least 90% of the admins out there ... without even counting all the home boxes with personal firewalls and such ... have neither certification (all but CCIE being worthless) nor real experience.

    --
    now we need to go OSS in diesel cars
  55. Re:Uhhhhh.... by wazza · · Score: 1

    Hm... do you perchance have a beeper, like the ones on trucks for when they reverse? Does it come on when your sense of humour and your intellect drop out for a while? It should.

  56. Re:Yup, there really are that many bad admins... by Wntrmute · · Score: 1

    Damn, that Solaris web-based installer is really annoying...

    I normally just use the regular GUI installer, but my favorite OS install routine has to be OpenBSD's. I've gotten to the point where I can tear through that install routine in no time flat, and I *know* there aren't 8000 stupid things running I will never use. (I even have all the disklabel commands memorized, I've done it so much.)

    Now, if someone can please explain to me why Sun has so much inane crap running out of inetd on a default install, I would really appreciate it. I recently got a Solaris admin job at a company whose servers had been set up by 'consultants' and the first thing I did was turn off the 87 useless things that run by default in Solaris (from both inetd and the rc scripts). If it weren't for the fact that they actually had a good PIX config in place, they would have been h4X0r3d long ago.

  57. Re:Yup, there really are that many bad admins... by Wntrmute · · Score: 1

    Here's MY point. The more I learn, the more I learn how LITTLE I know. Hell, here lately, I've even found myself reading "man ls" and "man ps" at work looking for nuances ...

    Good idea. Reminds me of a policy an old employer of mine (a small, regional ISP) had. One of the steps you had to complete to get promoted was to read the man page for *everything* in /etc, /bin, and /usr/bin on the FreeBSD systems they were using to run the show. Yeah, tedious as hell, but you sure learned a lot. (including a number of neat options you'd never know exist. )

    Interestingly enough, that company got bought out by a behemoth company, which wound up doing away with their entire promotion and hiring policies. As a result, overall employee competence decreased and the good people started leaving. And the parent company filed for chapter 11 not that long ago. (I had been gone for almost two years at that point, but some good friends of mine were laid off when they closed that location with *zero* notice. Just showed up on a random Wednesday and told everyone it was their last day of work.)

    -Wintermute
  58. TCP ECN + active FTP == false positives by nyet · · Score: 2

    ECN causes a ton of problems because most firewall vendors mark them as unknown TCP flag attacks.

    Active FTP looks like a port scan because all the "PORT" activity causes many different sequential TCP ports to be used.

  59. What to look for. by mindstrm · · Score: 2

    Firstly, they shouldn't get all bent out of shape unless they feel something is being done wrong.

    Although there is much furor over portscanning, I do NOT have a problem with it. Sure, my sniffers log it, and report it, of course.. it may be important information later.

    Sounds like your admins feel like a straight guy in a gay bar... 'Why are all these guys looking at me! Make them stop!'

    Admins who get uptight over portscans need to get a life.

  60. Well.. by mindstrm · · Score: 2

    Interesting use of ident.

    The point of ident was *never* to be a form of authentication, it was only a mechanism to find out which user was associated with a network connection, for email, mainly. As you say, if you trust the machine, you can trust ident....

    The continual insistence on ident by EFNet is the stupidest thing I've ever seen, it serves absolutely NO purpose whatsoever, yet they insist on it.

  61. Unknown servers by Chuck+Chunder · · Score: 2

    A development webserver at work kept getting requests for advertising domains. Some twonk had apparently configured their hosts file so that various advertising domains pointed at my host so they didn't get adverts. This was somewhat annoying as it was a development server and the error_log was supposed to help me debug things, not be filled with 404 errors.

    Of course, a little virtual host and mod_rewrite magic later they weren't generating 404s, they were getting rather unflattering images sent back. The problem fixed itself soon after that.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  62. Re:Yup, there really are that many bad admins... by cowbutt · · Score: 2
    > Chances are they had no clue what the 'established' keyword was and just allowed ports 1024 through 64k. (in the cases where their firewall did not automatically recognize that exchange works in a fashion similar to rpc)

    Just out of curiosity: how do you configure a firewall for those kinds of protocol? The principle of those protocols (Sun RPC, Java RMI, DCOM) is that the client does a first connection to a "naming service" (i.e. portmapper, RMI registry, etc.) which is on a fixed port, and then learns from that "naming service" which port the actual service uses. The latter being variable of course, which makes it tough to allow through the firewall.

    Your remark seems to suggest that there is a general way of allowing those kinds of connections. Does it only work for specific RPC-like protocols, or does it also work in the general case? Wouldn't the firewall need to parse the actual "RPC-like" protocol to do it?

    Yup. You'll need some kind of stateful firewall to do this right. The sad thing is that, to the best of my knowledge, no stateful firewall on the market deals with sunrpc or DCOM in a stateful manner. *sigh*

    We had the problem here at work (both with java RMI and DCOM), and yes, we did eventually resort to opening everything between 1024 and 65535. If there is a cleaner way (i.e. a more selective way) to do it, I'd be interested.

    Sometimes you can limit the range of ports that an RPC-like service will use at the cost of limiting the number of concurrent connections. Doing this, you could shift the RPC range up to about 60000-65000 or something, well out of the way of other services you would like to unconditionally block (X11, rplayd, Back Orifice, NetBus, Napster spring to mind, depending on administrative tastes). Yes, you're still letting a bunch of random connections through, but at least there's unlikely to be anything listening. Of course, if you're concerned about "Inside Jobs" (and you probably should be...) then this probably won't cut the mustard either. Life's a bitch. :(

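An added example (not code from this thread or from any of the products named in it) of what "stateful inspection of the higher layer protocol stream" means for the RPC case raised in comments 51 and 62: a firewall that wants to open one port instead of 1024-65535 has to parse the client's portmapper GETPORT call, remember its XID, and read the port out of the server's matching reply. The wire format follows RFC 5531 (ONC RPC) and portmapper version 2; the packets are built locally so the block runs offline, and the tracker class and its method names are this example's own.

```python
"""Stateful inspection of Sun RPC portmapper traffic: watch the client's
GETPORT call, match the server's reply by XID, and derive the single port
that must be opened. Added example; all packets are built locally."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
RPC_VERSION = 2


def xdr_u32(*values):
    """Encode unsigned 32-bit integers as XDR (big-endian, 4 bytes each)."""
    return struct.pack(">%dI" % len(values), *values)


def build_getport_call(xid, prog, vers, prot=IPPROTO_TCP):
    """Client -> portmapper: PMAPPROC_GETPORT for (prog, vers, prot)."""
    return xdr_u32(xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS,
                   PMAPPROC_GETPORT,
                   0, 0,                  # cred: AUTH_NONE, zero-length body
                   0, 0,                  # verf: AUTH_NONE, zero-length body
                   prog, vers, prot, 0)   # mapping{prog, vers, prot, port=0}


def build_getport_reply(xid, port):
    """Portmapper -> client: accepted reply carrying the registered port
    (0 means "not registered")."""
    return xdr_u32(xid, MSG_REPLY, MSG_ACCEPTED,
                   0, 0,                  # verf: AUTH_NONE
                   SUCCESS, port)


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("short packet")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _skip_auth(buf, off):
    """Skip an opaque_auth: flavor, then a length-prefixed body padded to 4."""
    _flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > 400:                       # RFC 5531 bounds opaque_auth at 400
        raise ValueError("bad auth length")
    return off + ((length + 3) & ~3)


class PortmapTracker:
    """State a firewall keeps between a GETPORT call and its reply. Only a
    reply whose XID matches an outstanding call, is accepted, and names a
    nonzero port yields a pinhole; every reply consumes its call."""

    def __init__(self):
        self.pending = {}  # xid -> (prog, vers, prot)

    def on_client_call(self, packet):
        try:
            xid, off = _u32(packet, 0)
            msg_type, off = _u32(packet, off)
            rpcvers, off = _u32(packet, off)
            prog, off = _u32(packet, off)
            vers, off = _u32(packet, off)
            proc, off = _u32(packet, off)
            if (msg_type, rpcvers, prog, vers, proc) != (
                    MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
                return False               # not a GETPORT call: nothing to track
            off = _skip_auth(packet, off)  # cred
            off = _skip_auth(packet, off)  # verf
            want_prog, off = _u32(packet, off)
            want_vers, off = _u32(packet, off)
            want_prot, off = _u32(packet, off)
        except ValueError:
            return False
        if want_prot not in (IPPROTO_TCP, IPPROTO_UDP):
            return False
        self.pending[xid] = (want_prog, want_vers, want_prot)
        return True

    def on_server_reply(self, packet):
        """Return (prot, port) to pinhole, or None if the reply is
        unsolicited, rejected, malformed, or reports no registration."""
        try:
            xid, off = _u32(packet, 0)
            msg_type, off = _u32(packet, off)
            reply_stat, off = _u32(packet, off)
            if msg_type != MSG_REPLY or reply_stat != MSG_ACCEPTED:
                self.pending.pop(xid, None)
                return None
            off = _skip_auth(packet, off)  # verf
            accept_stat, off = _u32(packet, off)
            port, off = _u32(packet, off)
        except ValueError:
            return None
        call = self.pending.pop(xid, None)     # one reply per call
        if call is None or accept_stat != SUCCESS:
            return None
        if not (1 <= port <= 65535):
            return None
        return (call[2], port)
```

Even done this way, the pinhole should be tied to the specific client and server addresses and aged out quickly, because XIDs are guessable and a spoofed reply is exactly the crafted-stream input comment 51 warns about; the parser itself is now code sitting in the packet path, so short-packet and length checks like the ones above are not optional.
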
  63. Re:Likely cause by Kevinv · · Score: 3
    Nope. Getting an MCSE won't cover what the hell the ident protocol (or port 113) is used for. Heck, it barely covers what a port is. Even the TCP/IP test doesn't cover log checking.

    You'll have to blame more than the newly minted MCSE -- they don't know enough to check logs.

    I should know, I've got one.

  64. Re:Yup, there really are that many bad admins... by MindStalker · · Score: 1

    Technical question was how many newline characters are in a file???? Maybe they were expecting you to use an editor like vi which prints out the line count at the bottom. Btw thanks for teaching me something new, didn't know wc existed :)

  65. Re:There is a certification that does this. by skullY · · Score: 2
    Trying to land an IT job with just a Computer Science degree, but no experience seems to be impossible these days. To get a job, one must have experience... to get experience, one must have a job.
    That's because companies are finally realizing that a degree in computer science is worthless. Those who like CS were studying it in high school, and by the time they get to college they know more than most of the 3rd and 4th year CS students, and not wanting to wait to get to the good stuff they don't know yet, they decide to drop out and get a good job (which was possible to do 6 months ago). Those that stay won't learn much (with a few exceptions) and in 4 years' time will graduate with a shiny new CS degree, with the bubble having burst (like it did 4 months ago) and companies unwilling to hire, especially if you have no experience.

    True story:
    A friend of mine works at a company near UC Davis, and had to interview 20-30 UC Davis students applying for a part time position. This company makes network devices, so a reasonable knowledge of networking was needed. Every single one of them was asked what a netmask is, and not a single one got it right. This was among a sample of students of all years.

    So don't feel discouraged because you can't get a job with your shiny CS degree. You only have to prove yourself against the hordes of CS graduates with no clue.

    --
    When I was able to do my own spam-armoring, you got a chance to email me. Now you can only hope I see your reply.
  66. Re:puerto by Alex+Pennace · · Score: 1

    If you leave all of your car doors open, you run more of a risk of something getting stolen. The same goes for computer security.

    That is hardly a reasonable analogy. In this case it is more like executing someone just because they glanced at your car while walking by.

  67. Re:Pardon me? by Alex+Pennace · · Score: 1

    A zone transfer *is* something to hide.

    You are already publically publishing that information.

    The only people who should be looking for a zone transfer are your secondaries. Either they are already allowed, or you have none. No one else should be requesting a zone transfer. Allowing them is stupid because you now allow in any bugs that are associated with DNS zone transfers.

    There are also bugs associated with straight DNS queries. Go, now, and shut down BIND.

    I request zone transfers all the time, usually to keep track of what is going on under ma.us. If a given host, for whatever reason, doesn't want to allow zone transfers, then it simply declines the request. Otherwise, it accepts it. This is like a store with a "closed, come back later" sign vs. a "open" sign. Are people made criminals for looking at a closed store in your world?

    There are FAR FAR too many known attacks against both bind and rpc to assume that either of these are accidents! Should I assume that some luser is not trying to attack when I see ports: 31337, 27374, 12345?

    Again, see my open vs. closed store analogy. People normally walk into open stores without seeking explicit permission. If there is nothing there they leave, and if they bust up the store then that is a crime.

    The Internet is public. People use it. People see what a host has to offer publicly, as far as accepting email, anonymous FTP, or public web pages. There are facilities in TCP/IP and various upper level protocols to indicate that certain resources are unavailable to the requesting user, if available at all. The average Internet user has no idea that you are offended when they connect to port 31337 because they were trying to get to some high-port FTP site, but they can infer from the connection refusal that there is nothing there for them.

    If security for you includes worrying about incoming TCP SYN packets, fine. But don't make trouble for users because they had the nerve to use the Internet as it was intended, because I'm sure you use the Internet too.

  68. Re:Pardon me? by Alex+Pennace · · Score: 1

    And a spider crawl of a web site can be the prelude to an intrusion too. What's your point?

  69. Re:Pardon me? by Alex+Pennace · · Score: 1

    You've never been responsible for administering a secure system have you? If you have, then you're miserable at it.

    So far, so good, no one has managed to break into any of my systems. I've also discovered a vulnerability in some software and have done code audits. You?

    [...] Both of these books describe one of the primary security principles: "least privilege". In short it says, don't allow anything that you don't have to.

    Least privilege is wonderful, yes. But as I pointed out before, you are already publishing your DNS information to the world, but you keep your TCP port 53 closed. That's fine, but you want to keep it closed and cause trouble to anyone who dares to connect. That has nothing to do with least privilege and is uncalled for.

    [W]hen people come poking at my alarm system to see what happens, especially when they have no reason for doing it, I can't help but assume that they're trying to figure out my weaknesses for some other reason.
    TCP/IP is a well defined, simple system designed to facilitate access to resources. An alarm is a system, maybe obscure, designed to restrict access to resources. A TCP connection does not amount to fiddling with an alarm.

    Your analogy is colossally bad. It assumes that you can look at my computer without it impacting my computer. In the store analogy, you are of course correct, simply looking at the store to see if it's closed is not criminal. But looking at my computer requires that you actively use bandwidth that I PAID FOR, and make use of computing equipment that I PAID FOR.

    My analogy still stands. For one thing, you do not pay for the entire Internet. For another thing, think of the store owner who owns the sidewalk in front of his store (as is the case in some jurisdictions I'm sure). Though the owner owns it, it effectively becomes sort of a public right of way, and the owner has no recourse when people come onto his bit of the sidewalk to find his store closed. Your TCP/IP stack is effectively a store front and part of the sidewalk. Short of someone blocking your sidewalk (DoS attack), you should relax. Their behavior is harmless, maybe beneficial, and I'm sure you do the same.

    You should have *no* expectation that I'm providing DNS zone transfers, therefore you should not go looking.

    I have every expectation that if you aren't providing DNS zone transfers, you will refuse the connection. Ditto for connecting to port 80. If you have public information on either port there is no problem, if you deny connections there is also no problem. A few packets isn't worth breaking a sweat over. If it is, get off the Internet. You are like the person in the subway car who screams bloody murder when someone bumps into them.

    You are an id10t. 31337 is the TCP connect port for Back Orifice. 27374 is the TCP connect port for SubSeven. These are remote controllable trojan horses that have been widely spread through email virii. Anyone connecting on those ports should by default be seen as hostile.

    According to my copy of /etc/services, port 31337 is unassigned and port 27374 belongs to "asp." But in any event, I've seen HTTP and FTP servers running on 31337, and I'm sure there is nothing magical about port 27374.

    Leave shooting first and asking questions later to the movies.

    The original intention of the Internet also included the idea that no for-profit organizations should be on the Internet. The original intention of the Internet included bugs. So, according to you, we should simply drop all prudence because someone 30 years ago couldn't foresee everything that would be happening today?

    I was talking about protocol intentions, not philosophy, and a few bugs does not demand jail sentences for Internet users.

    I think the deal here is that you want to continue running your port scans and justify it under the heading of "well it's just the way the Internet is sposed to work".

    It is better than causing Internet users much grief over nothing.

    But do that to my machines and I will make trouble for you. Don't like it? I don't care.

    In order to avoid gaining your ire I would have to avoid ever connecting to your hosts. This is rather difficult since 1. I don't know who you are ("mjh?"), 2. I'm only human, I could accidentally connect to your host while doing something else, 3. Hell, someone could do <img src="http://yourhost:53/"> in a web page I'm loading. To be safe from persecution I and everyone else would have to stop using the Internet. No thanks. I think it would be much better if you would relax.

  70. Re:Pardon me? by Alex+Pennace · · Score: 1

    No, they will hit the web servers that someone forgot to secure. There is no difference.

  71. Re:Pardon me? by Alex+Pennace · · Score: 2

    A single connection request often indicates an automated scanner. Particularly with the linux worms, I will get a single packet every few days to different address in our range.

    It could also be someone mistyping an IP or port, or some lemur doing <img src="http://somehost:53/foo">, or any number of things.

    Whether I chase it up depends on the port. Current favourites are 53, 111, 515, 21 etc.

    A TCP connection to port 53 could be someone looking for a zone transfer. That isn't anything to hide, you are publishing it to the world anyway.

    I trust your RPC service (port 111) has suitable access controls that decline unauthorized access attempts. But it is not good to consider such connections "attacks"; what if some new whizbang Internet P2P application uses RPC (ignoring the merits of using it)? Are those users all of a sudden criminals because they had the nerve to ask your host if it could talk a particular protocol?

    I do send an email to obvious scanners, mostly the owner hasn't a clue what is going on, and hopefully they will learn a bit about security and close the more targeted holes. In this case notification helps the user and (very slightly) reduces the easy meat for crackers.

    Not having them lynched sets you apart from other admins apparently.

  72. Crushing Crowds by Alex+Pennace · · Score: 4

    Like on a crowded subway car, people bump into each other on the Internet. Connection refused? Pardon me.

    Ideally the person at the receiving end should understand and get over it. After all, they have sent their share of bad connection requests too.

    Now we have paranoid admins who cry foul whenever someone sends one lousy connection request, or sends one strange packet, or whatever. If you can't handle a crowded subway car, don't get on it. Likewise, if you can't handle sharing the Internet, don't get on it.

    In that vein, port scanning isn't too horrible. If you don't want people to see what you are running, get off the Internet. Otherwise, you just have a storefront on a busy street where people can see if the store is open or closed.

    Retarded administration causes more problems than port scanning ever will.

  73. Scanlogd Logs SuSE's Yast as an "attack", too by scotpurl · · Score: 2

    Here's part of my scanlogd output, on my SuSE Linux box, when I did some package updating:

    May 15 07:12:33 boxen scanlogd: 192.168.1.90 to 202.58.118.12 ports 4385, 4391, 4397, 4409, 4413, 4424, 4425, ..., ??rp?uxy, TOS 00, TTL 64 @07:12:17
    May 29 06:28:05 boxen scanlogd: 192.168.1.90 to 202.58.118.12 ports 1510, 1514, 1520, 1523, 1525, 1527, 1532, ..., ??rp?uxy, TOS 00, TTL 64 @06:27:56
    Jun 3 22:07:02 boxen scanlogd: 192.168.1.90 to 202.58.118.12 ports 1741, 1743, 1745, 1747, 1748, 1750, 1752, ..., ??rp?uxy, TOS 00, TTL 64 @22:06:52
    Jun 10 14:54:39 boxen scanlogd: 192.168.1.90 to 202.58.118.12 ports 3226, 3228, 3230, 3233, 3237, 3242, 3244, ..., ??rp?uxy, TOS 00, TTL 64 @14:54:30

    202.58.118.12 is ftp2.suse.com -- but if I'm dumb, I won't know why an FTP session went through that many ports. Post something big on your website, at the very top, saying something like "click here if you think this box is attacking you."

    But, face it. People are getting downright racist about packets. Any unknown packet is a bad packet, and it's just there to do something evil, and unimaginably bad.

    1. Re:Scanlogd Logs SuSE's Yast as an "attack", too by haruharaharu · · Score: 1

      Any unknown packet is a bad packet, and it's just there to do something evil, and unimaginably bad.

      I like that attitude. Of course, I make a point of finding out what packets are what. Anything i don't like gets ignored.

      --
      Reboot macht Frei.
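An added example, not code from this thread, tying together comment 58 (active FTP uses a run of sequential ports), the scanlogd output in comment 73, and the "stateful inspection" option in comment 51: a scanlogd-style counter flags the FTP server as a scanner, while a tracker that parses the client's own PORT commands can explain every one of those SYNs and leave only the genuinely unexplained ones. The control-channel transcript and the iptables-style firewall log are constructed for the example (TEST-NET addresses); the function names are this example's own.

```python
"""Why an active-mode FTP transfer trips a scan detector, and how tracking
the FTP control channel explains the "scan". Added example; every
transcript and log line below is constructed, not captured anywhere."""
import re
from collections import defaultdict

# Constructed client->server side of an FTP control session. In active mode
# the client names the endpoint the SERVER must connect back to:
#   PORT h1,h2,h3,h4,p1,p2   (data port = p1*256 + p2)
# Each transfer gets a fresh, usually increasing, port: the pattern in the
# scanlogd lines above. The last PORT names a third host (an FTP bounce)
# and must not be honoured.
FTP_CONTROL = """\
USER anonymous
PASS autorpm@example.invalid
PORT 192,168,1,90,17,33
LIST
PORT 192,168,1,90,17,39
RETR a.rpm
PORT 192,168,1,90,17,45
RETR b.rpm
PORT 192,168,1,90,17,57
RETR c.rpm
PORT 192,168,1,90,17,61
RETR d.rpm
PORT 10,0,0,5,0,25
QUIT
"""

# Constructed firewall log, iptables-like format. 203.0.113.12 plays the FTP
# server (data connections from source port 20 plus one ident lookup);
# 198.51.100.7 plays a real scanner walking well-known ports.
FIREWALL_LOG = """\
Jun 10 02:00:01 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=20 DPT=4385 SYN
Jun 10 02:00:01 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=37120 DPT=113 SYN
Jun 10 02:00:03 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=20 DPT=4391 SYN
Jun 10 02:00:05 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=20 DPT=4397 SYN
Jun 10 02:00:08 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=20 DPT=4409 SYN
Jun 10 02:00:09 fw kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.90 PROTO=TCP SPT=20 DPT=4413 SYN
Jun 10 03:14:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=21 SYN
Jun 10 03:14:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=22 SYN
Jun 10 03:14:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=23 SYN
Jun 10 03:14:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=25 SYN
Jun 10 03:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=80 SYN
Jun 10 03:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.90 PROTO=TCP SPT=1337 DPT=111 SYN
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")


def expected_data_endpoints(control_text, client_ip):
    """Set of (ip, port) the server is expected to connect to, taken from
    the client's PORT commands. A PORT naming any host other than the
    client itself is the FTP bounce trick and is ignored."""
    endpoints = set()
    for line in control_text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            continue                       # malformed: no pinhole
        ip = ".".join(str(o) for o in fields[:4])
        if ip != client_ip:
            continue                       # bounce attempt: no pinhole
        endpoints.add((ip, fields[4] * 256 + fields[5]))
    return endpoints


def parse_firewall_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"src": m.group(1), "dst": m.group(2),
                           "spt": int(m.group(3)), "dpt": int(m.group(4))})
    return events


def scan_sources(events, threshold=5):
    """scanlogd-style heuristic: a source that touches at least `threshold`
    distinct destination ports is reported as a scanner."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dpt"])
    return {src for src, ps in ports.items() if len(ps) >= threshold}


def explain_ftp_data(events, expected):
    """Split events into those explained by an active-FTP PORT command
    (server connects from ftp-data/20 to the endpoint the client named)
    and everything else, which still deserves a look."""
    explained, unexplained = [], []
    for e in events:
        if e["spt"] == 20 and (e["dst"], e["dpt"]) in expected:
            explained.append(e)
        else:
            unexplained.append(e)
    return explained, unexplained
```

The port-count heuristic on its own cannot tell the two sources apart; only the control-channel state can, which is why a firewall that does this has to see (and correctly parse) the FTP session, and why the leftover port 113 SYN from the FTP server is the ident lookup the original poster is being blamed for.
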
  74. Good and Bad... by Polo · · Score: 3

    On one hand I'm GLAD people complain. I hope that more people are called on the table for what they do. Yeah, it can be a mistake - some people don't understand enough about networking protocols to debug what's going on.

    On the other hand, the place I used to work at had a load-balancer, and someone reconfigured one of the parameters that had an unfortunate side effect: sometimes the back-end machines would talk directly to the client machines instead of the load balancer.

    for example, a client would contact our load balancer VIP, which would rewrite the dest address and forward it to the back end machine:

    1.1.1.1 --> 2.0.0.1 (vip) ----> 3.0.0.1 .. 3.0.0.9
    client      [load balancer]     [back end machines]

    Sometimes the load balancer would time out the association between the client and the back-end machine, but the back-end machine wasn't done with the connection. The misconfiguration allowed these packets to be forwarded on unmolested. So the client machine (only expecting packets from the 1.1.1.1 to 2.0.0.1 session) would get replies from the "cracker machine" 3.0.0.1. This would trip all the firewall bells and whistles and we would get angry emails.

    It was "pretty interesting" to get these uncensored email messages from the nice girls over in customer service. However, a couple people gave us excerpts from their firewall logs and we eventually figured it out.

  75. Make 1/2 the symptom go away.. by schon · · Score: 2

    Here's an idea.. turn off IdentD lookups on your machine.. (ie. with WuFTPD, it's the -I command line switch - but you're not running WuFTPD, are you? :o)

    It won't stop morons who complain about active FTP sessions, but it should cut down on the Ident lookup complaints.. (Do you really need Ident info anyway?)

  76. Doh ! security is a process, not a product ! by indaba · · Score: 3

    If the key question is "What should administrators really be watching for if they are concerned with potential hostile activity over the net? " - then, this assumes a lot of things of the administrators .. to whom I would like to address these 8 questions

    1. That you have an idea of your security risk (otherwise, how would you know if you should be concerned ?)
    2. That you have an idea of your security exposure (otherwise where do you look , for what and how deeply / suspiciously ? )
    3. That you have the spare time to look for something that is not there most of the time (ie can you handle 6 months of boredom and 4 hours of panic ??)
    4. That you have the technical expertise to do this (do you really understand all the syslog messages from the various vendors ?, or, assuming that you are router-access-list god, then how good are you with spotting a cgi attacks ??)
    5. That you can really correlate a single, isolated port scan with a connection attempt a week later ??
    6. That you can ALSO devote the time to ongoing self-education ? (re the new and interesting attacks coming up weekly..)
    7. That you have a written response plan formulated should you detect an attack in progress ?
    8. That you have senior management support for a highly technical, time-consuming activity that 90% of the time shows no results and that discards 98% of all captured data ?

    We build and install networks for corporate clients and our experience is that the answers to the above questions are generally "No".

    We therefore advocate an ongoing process of risk assessment and penetration testing leading to a consultants report.

    If the report indicates that they are an "at risk" target, then an ongoing, outsourced IDS service is offered,

    Of course, this is assuming that a corporate security policy is in place. Again, generally the answer to THAT question is either "No, we don't have one" , or some feeble "Well, I know how the firewall is configured, and I wrote all the router access-lists .."

    I'll stop the "Security is a process, not a product" rant at this point.

    The point I really want to make is that before the slashdot-admins go racing into Tripwire, Snort, Netranger and nmap-land, they should take a long hard look at these questions and answer them with critical honesty.

    1. Re:Doh ! security is a process, not a product ! by spiro_killglance · · Score: 2
      "We therefore advocate an ongoing process of risk assessment and penetration testing leading to a consultants report."

      Our firm did that with Baltimore, a little under 10,000 squidlets, for running CyberCop and placing the output in a nice binder. We were not happy. They didn't even spot that our NT servers (abominations that thankfully I don't have responsibility for) were vulnerable to the Unicode bug.

      Hopefully other security consultants are less of a rip off.

  77. RE: Ident through NAT by Raetsel · · Score: 3

    You have a good point about NAT and ident. Let me address one situation where I had to deal with this:

    I set up an OpenBSD NAT box for a friend of mine, who happens to be an IRC (Undernet) junkie. Most (if not all) of the Undernet servers require ident before completing a connection. I would have just forwarded port 113 if his room-mate didn't want to do the same thing...

    but he did. Dammit.

    That left me searching for something to make IRC work through NAT, and I found the "Transparent IRC Proxy." It (optionally in conjunction with identd) handles ident requests, and returns a proper response based on entries in /var/run. These entries are quite simple -- they're just files named "user-n.n.n.n" and containing just the name to be returned for ident. Easy enough...

    It makes DCC work again, it enables ident to properly identify NAT'd users, and (as long as you find an Undernet server that allows more than one connection per host) it allows two people to be on at the same time. End of problem.

    To answer your question, ident certainly has value in a NAT environment. It can be a pain to implement (look into TIRCProxy, it does more than just IRC), but once established, it provides some accounting of who has done what. This can be the difference between pulling your hair out and simply plonking a user. I don't see this being much help in a business environment... but it certainly has recreational applications.

    NAT is a necessary evil right now. Hopefully, once IPv6 is in widespread use, ISPs will no longer be as stingy with the address space... and then it'll be a simple function of routing. Until then, I hope this helps.

    --

    "...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
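An added example (not code from this thread or from TIRCProxy) of the ident exchange the post above is working around. RFC 1413 lets a server ask the host at the other end of a TCP connection "which user owns the connection between your port X and my port Y?"; a NAT gateway can answer on behalf of the inside machines by mapping the translated port pair back to the inside address and then to a name. The NAT table and the address-to-user table here are constructed stand-ins for the gateway's real translation state and for the per-address files the post describes; the function names are this example's own.

```python
"""RFC 1413 (ident) response logic for a NAT gateway answering on behalf of
inside hosts. Added example; the tables below are constructed stand-ins
for real NAT state and for TIRCProxy's /var/run/user-<ip> files."""
import re

# Request line: "<port on this host> , <port on the querying host>"
IDENT_REQ_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed NAT state: which inside host owns the outbound connection
# that the gateway presents as (translated local port, remote port).
NAT_TABLE = {
    (40001, 6667): ("10.0.0.2", 51234),
    (40002, 6667): ("10.0.0.3", 51235),
}
# Constructed stand-in for the user-<ip> files: inside address -> name.
USER_TABLE = {"10.0.0.2": "alice", "10.0.0.3": "bob"}


def ident_response(request_line, nat_table=NAT_TABLE, user_table=USER_TABLE):
    """Produce the RFC 1413 reply (without CRLF) for one query line.
    Successful form:  <lport> , <rport> : USERID : UNIX : <name>
    Error form:       <lport> , <rport> : ERROR : <NO-USER|INVALID-PORT>
    An unparsable request is answered with a 0 , 0 pair (this example's
    choice; the RFC only says to repeat the ports when they are known)."""
    m = IDENT_REQ_RE.match(request_line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT"
    inside = nat_table.get((local_port, remote_port))
    if inside is None:
        # No such connection through the gateway: say so, do not guess.
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    user = user_table.get(inside[0])
    if user is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}"


def handle_ident_connection(rfile, wfile):
    """Serve one ident client over file-like objects (e.g. from
    socket.makefile): read a single request line, write the reply + CRLF."""
    line = rfile.readline()
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    wfile.write((ident_response(line.rstrip("\r\n")) + "\r\n").encode("ascii"))
    wfile.flush()
```

Two points from the thread carry over: the answer is only as trustworthy as the host giving it (comment 60), so a server should treat it as accounting, not authentication; and the reply should be driven only by the gateway's own connection table, never by whatever the remote side claims, since a query for a port pair the gateway never translated is exactly the kind of unexplained connection this whole discussion is about.
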
  78. Re:Yup, there really are that many bad admins... by CBravo · · Score: 1

    That you must be a Linux kernel hacker!

    --
    nosig today
  79. My mom... by ??? · · Score: 1

    I don't want to run into my mom on IRC...

  80. Things to do with smb portscans by ColaMan · · Score: 2
    I try at least a few times a week to go through my firewall logs and fish out the port 139 probes.
    Using the conclusion that if their computer is scanning me on these ports without their knowledge (hey, not *everybody's* a script kiddie knowingly), I then fire Windows Explorer up and attempt to connect to the IP with SMB.
    If I connect, I check out their shares and if there is a printer available, I install it on my system then print them a message. If I can't find a printer, I drop them a text file in their startup folder.

    Normally something like :
    HEY YOU!

    YES YOU!

    Your computer is insecure!
    Shame on you for exposing this computer to the perils of the internet!
    Boooh! Booooooooooooooh! :-)

    It tried to access my computer(s) , but got blocked by our server firewall.
    So , In the spirit of goodness etc, I have accessed your computer (as identified in my server logs) and have placed this file in your startup folder to alert you of this problem.

    If you have not been trying to actively access my computer, I'd suggest you get a *good* virus scanner and *SCAN* your computer, as there are all sorts of deviant virii that spread in three easy steps, as outlined below :

    1) Scanning networks for insecure computers
    2) Copying themselves to said insecure computers
    3) Repeating the process ad nauseam.

    I noticed a file called 'network.vbs' in your 'C:\' folder. *network.vbs is a virus*
    The fun thing about network.vbs is that no user intervention is required. If you are on the internet and sharing your 'C' drive to the rest of the world, it'll just hop on over to your system and copy itself about all over the place, sending out little probes to other computers ... and so on. This virii is relatively harmless, but the next one.. well, who knows?

    Anyways, you most definitely should figure out a way to restrict access to your computer from the internet. I'd suggest unplugging it at present, or at *least* make your shared drives read - only. Preferably *BEFORE* the next person comes along and downloads your data and erases your computer.

    So, to reiterate :
    DISCONNECT YOUR COMPUTER FROM THE INTERNET
    SCAN YOUR COMPUTER FOR VIRII
    GET SOMEONE TO SECURE YOUR COMPUTER FROM THE INTERNET

    Sorry if all this freaks you out - you (or your lawyers :-) can drop me a note at (my email address) for more info.

    Anyway, my job here is done. Toodle-oo!



    I find this passes the time nicely on those slow afternoons.
    I had a user of a computer I dropped this note onto get in touch, and he said I shoulda seen the look on his face when this note came out his laser printer.
    He has secured his system now :-)

    Just doing my little bit to help :-)
    ** Windows has detected a mouse movement.
    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  81. != System Administrator by CAIMLAS · · Score: 2
    I think that the term, "System Administrator" is being confused here with "someone that has a form of firewalling installed." As a professional System Administrator, this is a slighting remark. Most of the SA's I know take great pride in their work, and truly know their craft. Reporting ident/ftp connections as hostile is... well, something that someone using ZoneAlarm or a default installation of the latest RedHat/Mandrake distro with a firewall script/program that someone else wrote would jump on.

    I suspect that this is the case - ignorant linux users trying to be cool and intelligent with their new-found interest. To no fault of their own, really - they're simply not informed yet.

    -------
    Caimlas

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  82. clever black hats _USE_ this knowledge.. by radek · · Score: 1

    by setting source port of their packets to the UDP53 or TCP20, and/or penetrating target network for destination set at TCP113.

    Whole thread is right, but please do not forget that smart 'hacker' will (and in fact _IS_) using this knowledge.

    As well as http which is enabled (in->out) at _every_ place so very often a tunnel through -the-big-and-great-firewall is a matter of setting up an http-ip tunnel at one http location...

    the moral: do not throw the child with a bath (sth like that ;-)

  83. OT: blame personal firewalls by anticypher · · Score: 2

    The original question referred to IDENT being logged by machines on the internet when a cronjob tried to FTP across the internet. Someone needs to write a new RFC deprecating the use of IDENT on internet facing computers, since the usefulness of IDENT relies on trusted hosts. Other hosts on the internet cannot be trusted, so wu-ftpd and sendmail should not be sending IDENT lookups by default.

    This exact same problem, except with windoze luzers instead of supposedly clued linux luzers, blew up at an ISP here. The sysadmins had configured most machines to never send IDENT, but the secondary DNS/backup mailserver were overlooked. During the migration to a new power circuit, the primary was removed from the net[uptime 183 days], and everyone switched over to the secondary. The support lines were clogged with windoze luzers running ZoneAlarm, BlackIce, or Norton. Complaints of "every time I check my email, your machine tries to hack into mine" started to stack up. Since the sysops had the monday off after working the entire weekend, it wasn't until today the problem was fixed.

    I heard that the practical joker support guy told the most whingey luzer that failing to respond to IDENT was a serious violation of the law, as only 133t h4x0r5 would try to hide their identity. He pointed the cluzer to RFC821 and a few others, and told him if he continued to block port 113 with an illegal h4x0r firewall, they would ToS him. Luzer went away, presumably chastised.

    I'll have to shout the monks some liquid recovery tonight.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  84. another $.02 by laslo2 · · Score: 1

    at home, I am on a 56k dialup (NAT through a linux box). lately, 95% of the connections I get are either scans for windows shares, or windows name lookups. they get blocked for unnecessarily using my bandwidth and for being stupid. 4.9% are looking/scanning for already published exploits that I have patched. the other .1% *may* be coming after me specifically, so I keep an eye on them. if they knock once and leave, cool. if they keep trying, I'll figure someone's after me for some reason and I start worrying about it.

    it's important to be on your toes, but random scans and connections really aren't worth getting your panties in a bundle over.

    --
    Karma only matters to me now and zen.
  85. Re:Personal firewall training needed by glitch! · · Score: 1

    ... and it complains and throws up a red flag when a ping sweep or SNMP querys are done, causing users to panic ...

    If you really want to have some fun, add this innocuous line to their email:
    cat /etc/passwd | mail

    If I remember correctly, some email virus checker will see this and decide that there is
    a dangerous virus about to attack their computer! (Don't try this at home, kids. Heh heh!)

    --
    A dingo ate my sig...
  86. Re:Pardon me? by mjh · · Score: 2
    A TCP connection to port 53 could be someone looking for a zone transfer. That isn't anything to hide, you are publishing it to the world anyway.

    A zone transfer *is* something to hide. The only people who should be looking for a zone transfer are your secondaries. Either they are already allowed, or you have none. No one else should be requesting a zone transfer. Allowing them is stupid because you now allow in any bugs that are associated with dns zone transfers.

    I trust your RPC service (port 111) has suitable access controls that declines unauthorized access attempts. But it is not good to consider such connections "attacks," what if some new whizbang Internet P2P application uses RPC (ignoring the merits of using it). Are those users all of a sudden criminals because they had the nerve to ask your host if it could talk a particular protocol?

    There are FAR FAR too many known attacks against both bind and rpc to assume that either of these are accidents! Should I assume that some luser is not trying to attack when I see ports: 31337, 27374, 12345?

    I scan my home logs everyday. I see tons of attempts on all of these ports. I pretty much ignore them because I know that they're not succeeding. But that isn't the point. They are attacks. IMHO SensitivePortHits - Accidents is about equal to SensitivePortHits.
    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  87. Re:Pardon me? by mjh · · Score: 2
    There are also bugs associated with straight DNS queries. Go, now, and shut down BIND.

    You've never been responsible for administering a secure system have you? If you have, then you're miserable at it. Read some. I'd recommend "Firewalls & Internet Security" by Cheswick & Bellovin. Or "Building Internet Firewalls" by Chapman & Zwicky. Both of these books describe one of the primary security principles: "least privilege". In short it says, don't allow anything that you don't have to.

    If you have to allow DNS queries, then you have to. But just because you have to allow those queries doesn't mean you should also allow zone xfer. It's quite simple arithmetic: the number of security holes in DNS queries is less than the number of security holes in DNS queries + the number of security holes in DNS zone transfers.

    This is like a store with a "closed, come back later" sign vs. a "open" sign. Are people made criminals for looking at a closed store in your world?

    No, but when people come poking at my alarm system to see what happens, especially when they have no reason for doing it, I can't help but assume that they're trying to figure out my weaknesses for some other reason.

    Your analogy is colossally bad. It assumes that you can look at my computer, without it impacting my computer. In the store analogy, you are of course correct, simply looking at the store to see if its closed is not criminal. But looking at my computer, requires that you actively use bandwidth that I PAID FOR, and make use of computing equipment that I PAID FOR. You are already impacting my expenses. You should have *no* expectation that I'm providing DNS zone transfers, therefore you should not go looking. You should also not probe my syslog ports, nor my printer ports, nor my RPC ports.

    Looking to see if the store is closed is one thing. Peeking through the window to see where the safe is kept is another thing altogether.

    The average Internet user has no idea that you are offended when they connect to port 31337 because they were trying to get to some high-port FTP site, but they can infer from the connection refusal that there is nothing there for them.

    You are an id10t. 31337 is the TCP connect port for Back Orifice. 27374 is the TCP connect port for SubSeven. These are remote controllable trojan horses that have been widely spread through email virii. Anyone connecting on those ports, should by default be seen as hostile.

    If security for you includes worrying about incoming TCP SYN packets, fine. But don't make trouble for users because they had the nerve to use the Internet as it was intended, because I'm sure you use the Internet too.

    The original intention of the Internet also included the idea that no for profit organizations should be on the internet. The original intention of the internet included bugs. So, according to you, we should simply drop all prudence because someone 30 years ago couldn't foresee everything that would be happening today?

    No. I think the deal here is that you want to continue running your port scans and justify it under the heading of "well it's just the way the Internet is sposed to work". Maybe. But do that to my machines and I will make trouble for you. Don't like it? I don't care.
    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  88. Re:Likely cause by Velox_SwiftFox · · Score: 2
    Like the poster says, "There are no stupid questions, but there are a lot of inquisitive idiots."

    Working as a consultant for an ISP for a while, I had to handle complaints about perfectly legitimate ICMP Unreachable Fragmentation Required messages being returned, by nimrod sysadmins who apparently programmed their routers and firewalls by the "ride madly in all directions" method. ("Don't Fragment" bit set? Duh. Expect them then...)

  89. Re:Information is the key by joq · · Score: 2

    The first week after installing Zonealarm, you really get a feel for how many stupid pieces in your computer connect to wherever. Especially the windows components (with not-so-clear names) often send me off to check out a lot of stuff.

    Isn't everyone an expert? I've been a firewall engineer while I studied (and still study) for my CCIE, and I can determine what's what. I've used Cisco Pix, Gauntlet, CP-1, Netscreens, you name it, and not once have I decided to ring the alarm because of connection attempts.

    This is typical of people who don't understand networking, and security, period. Look before you leap is the old saying. So how is a simple connection, remember they're not a complete handshaking connection, going to cause you security issues? I've been so tired of hearing the typical bs. It's like when I'm on IRC, and some jackass swears someone is portscanning them for checking ports 8080, 3128, 80, when all that's being done is a quick proxy check.

    Solution, don't get on the net if you're paranoid. Many things can seem to be intrusions, if you don't know how to weed them out, and especially if it's your job too, maybe you should take some classes in networking, and or security.

  90. Cause, Effect, Solution by joq · · Score: 4


    First it was port-scanning, now it seems that admins are crying wolf at any unknown client that connects to their network. Now I'm all for a dose of healthy paranoia, but is this going overboard?


    You should have included somewhere on your documents, perhaps the FAQ, as to what exactly is being done by the client to ease the fears of clueless admins who ph34r j00. Seriously, place a quick Q&A as to why it connects to your site, for those who are too stupid to lsof|grep TCP && lsof|grep UDP to see nothing is happening.

    After that make an autoresponder that points them to the url, after that case closed. Should they continue to harass you, then create a template complaint letter including what your program does, then fire it off to them and their upstream, and or bosses, to let them know your program is not some uber 31337 h4x0rspyw4r3 program on a mission.

    I'm sure after they realize how stupid their concerns are, they'll piss off, or their bosses will rip em for being clueless admins.

  91. Unknown Clients by Chris+Brewer · · Score: 1

    My current role is administrator for a website (no ftp) and every so often I go through the stats to see what clients are connecting.

    Ignoring all the boring Mozilla agents I look out for the 'different' agents and I try to find out who or what they are (googlebot is self explanatory). I get a bit paranoid when I see ones I can't find out info about, others there is ready information - I have seen email harvesters come through, which sparked off my paranoia.

    I had one case where I wrote to the admin of the incoming domain, politely 'demanding' that they provide an explanation for an access and the answer was that they had a user who modified his agent tag to '007'. And you wonder why I'm jumpy.

    I am not a server admin. I admit I'm not trained for it. It's just that there is no one else in the organisation who can do it, c'mon it's only IIS!!!
    --
    Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
  92. Re:Yup, there really are that many bad admins... by FooDog · · Score: 1

    You know, just because it's old doesn't mean it's better. I started out building Linux from pure command line with the old Slackware distros. It was a pain in the ass. And setting up X? Oh good god, better get out the voodoo charms and chicken bones on THAT one. I LIKE the GUI installs. It's easier on the eyes, and makes less work for me. I'm not fully disagreeing with your point, as being able to get down to the nitty gritty command line is VITAL for any decent sysadmin, but I'd just like to point out that we should avoid being crusty old computer users who are resistant to change and sit around telling stories about how "Back in my day, we didn't HAVE Cdroms! We had to install Linux from cassette tapes played over a loudspeaker! But we were THANKFUL! Ya darn whippersnapper..."

  93. Re:Paranoia by Bagheera · · Score: 1

    Actually, if you'd read what I said, you'll see my primary reference is to rubber stamp MCSE's hired as "system administrators" and (l)users who don't read the manuals that shipped with their products. Personally, I've worked with too many MCSE's who thought they were hot because of the piece of paper, but had neither real world skills nor the experience to think beyond their indoctrination. I've done support for users who were so incredibly computer illiterate that they would insist - repeatedly - that they could use a RAS connection and send faxes from WinFAX Light (Under Win3.x no less) at the same time from the same 14.4 modem.

    I have TRIED to teach these people. I'm sorry you decided to take a more or less rhetorical question and turn it into flame. While I may have been less than clear that there were -two- points in my post, you seem to have missed it completely.

    What amazes me is that your post was moderated up, rather than marked flamebait.

    You wouldn't work for me for very long.

    Fortunate then that I don't. I don't deal especially well with a "boss" whose concept of debating a point is an open flame...

    Do me a favor, save Slashdot and our readers bandwidth and don't post.

    I'll ask the same favor, eh?

    Oh, and for the record, I don't hang out in #linux, but have been known to ask "have you read the manual?" The point there being that people who are too lazy to at least try to read the manual aren't worth the effort in the lengthy explanation it will almost certainly take...

    --
    Never attribute to malice what can as easily be the result of incompetence...
  94. Paranoia by Bagheera · · Score: 2

    There's a difference between "healthy paranoia" and "Stupidly paranoid." If I were to jump at every hit I saw for NetBIOS and RPC scans on my router (which unceremoniously drops the packets on the floor to be swept up and discarded later) I'd spend half my day sending out "Cease and Desist" emails to some script kidiot's ISP.

    Which would accomplish nothing of note.

    The thread seems to be "educate the users and admins, and life will be good." But where does it start? Another module in the rubber stamp MCSE that they will promptly forget? Big bold headers in the Personal Firewall manual (that the (l)user will never really read) saying "Not every connection is hostile!"

    Who's going to teach people?

    (l)users don't read /. or visit securityfocus. If they're (un)lucky they may have seen antionline, and picked up the wrong kind of paranoia.

    I guess the adage is true: Some people really are too stupid to use the internet...

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:Paranoia by PatJensen · · Score: 3
      Whoever modded this as Insightful is really full of crap. First you say,

      "Who's going to teach people?"

      and then you say,

      "I guess the adage is true: Some people really are too stupid to use the internet..."

      You wouldn't work for me for very long. You start by talking down and being condescending to novice administrators, then proceed to bash the MCSE certification and all the while saying .. Some people are too stupid to use the internet.

      Not a very well thought out and educated post. You'd rather talk down to your fellow administrators than help educate them? Let me guess, you are one of those types that sit on #linux and laugh at every question asked and say RTFM?

      I might suggest some firewall and packet filtering resources, even prepare some type of form letter to send out to administrators that inquire as to the source of packets to their network. Or prepare a web link documenting the services (active FTP, Gnutella, etc.) These are all quite constructive options.

      Do me a favor, save Slashdot and our readers bandwidth and don't post.

      -Pat

    2. Re:Paranoia by haruharaharu · · Score: 1

      Some people are too stoopid to use the Internet. They tend to also be the sort of people who don't read manuals, so RTFM is all too appropriate. I'm not sure what MCSE is good for except cash for MS and maybe resume padding in an NT shop. If i had one, I certainly wouldn't admit it.

      --
      Reboot macht Frei.
  95. Re:Yup, there really are that many bad admins... by BlueUnderwear · · Score: 2
    > Chances are they had no clue what the 'established' keyword was and just allowed ports 1024 through 64k. (in the cases where their firewall did not automatically recognize that exchange works in a fashion similar to rpc)

    Just out of curiosity: how do you configure a firewall for those kinds of protocol? The principle of those protocols (Sun RPC, Java RMI, DCOM) is that the client does a first connection to a "naming service" (i.e. portmapper, RMI registry, etc.) which is on a fixed port, and then learns from that "naming service" which port the actual service uses. The latter being variable of course, which makes it tough to allow through the firewall.

    Your remark seems to suggest that there is a general way of allowing those kinds of connections. Does it only work for specific RPC-like protocols, or does it also work in the general case? Wouldn't the firewall need to parse the actual "RPC-like" protocol to do it? We had the problem here at work (both with java RMI and DCOM), and yes, we did eventually resort to opening everything between 1024 and 65535. If there is a cleaner way (i.e. a more selective way) to do it, I'd be interested.

    Just for the script kiddies that may be listening: no, this is not our Internet firewall; it is just a firewall between two internal machines... Don't ask me why they put it there, sometimes our security department is a little bit paranoid...

    --
    Say no to software patents.
  96. Re:Yup, there really are that many bad admins... by BlueUnderwear · · Score: 2
    > When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established.

    I see. However, in our case, this wouldn't help, as the machines supplying the DCOM services and the RMI services are known in advance.

    Actually, wouldn't this "established" be a security hole in its own right? An attacker could make a connection to port 80 of the corporate Webserver (allowed because that's where http listens), and then make another one to port 23 (allowed, because of the already established connection to port 80).

    --
    Say no to software patents.
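    The two filtering pitfalls raised in this thread, radek's point (#82) that attackers deliberately source packets from UDP 53 or TCP 20 to slip through per-packet "allow replies" rules, and the question above about what a Cisco-style `established` keyword actually lets through, can be shown side by side. The following is an added example, not code from any of the posts or from any real firewall: a tiny packet-by-packet ACL of the over-permissive kind next to a connection-tracking filter, run over constructed packets. The addresses, ports and the `SERVICES` set are assumptions.

```python
"""Stateless (per-packet) vs. stateful (connection-tracking) filtering.

Added example: not code from the original posts and not a real firewall.
`stateless_allow` mimics the holes discussed in the thread: "let source
port 20 in" for active FTP, "let source port 53 in" for DNS replies, and
an `established`-style rule that only looks at the ACK/RST bits, which
is all the Cisco keyword of that name does.  `StatefulFilter` instead
lets a packet in only when it belongs to a flow it saw start from inside.
All packets and addresses below are constructed for the example.
"""
from collections import namedtuple

# flags: set of TCP flag names ({"SYN"}, {"ACK"}, {"SYN", "ACK"}); empty for UDP
Packet = namedtuple("Packet", "proto src sport dst dport flags")

SERVICES = {("tcp", 80), ("tcp", 25)}   # assumed: the services really published


def stateless_allow(pkt):
    """An over-permissive ACL: every packet is judged on its own header."""
    if (pkt.proto, pkt.dport) in SERVICES:
        return True                                   # published service
    if pkt.proto == "tcp" and pkt.sport == 20 and pkt.dport > 1023:
        return True                                   # "active-FTP data" hole
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                                   # "DNS reply" hole
    if pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}:
        return True                                   # Cisco-style `established`
    return False


class StatefulFilter:
    """Track flows started from inside; admit only replies to them, plus new
    SYNs to published services.  Source port and flag bits alone prove nothing."""

    def __init__(self):
        self.flows = set()     # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return True                               # reply to something we started
        if (pkt.proto, pkt.dport) in SERVICES and pkt.flags == {"SYN"}:
            self.flows.add(key)                       # new connection to a public service
            return True
        return False


def scenario():
    """Run constructed packets through both filters.
    Returns {name: (stateless_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    # An inside host opens a web connection and sends a DNS query first.
    sf.outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.9", 80, {"SYN"}))
    sf.outbound(Packet("udp", "10.0.0.5", 40001, "198.51.100.53", 53, set()))
    attacker = "203.0.113.7"
    pkts = {
        "syn_to_web":      Packet("tcp", attacker, 55000, "10.0.0.5", 80, {"SYN"}),
        "syn_to_telnet":   Packet("tcp", attacker, 55001, "10.0.0.5", 23, {"SYN"}),
        # ACK scan: no connection can result, but the per-packet rule lets it
        # through, and the RST that comes back maps the filtered ports.
        "ack_scan_telnet": Packet("tcp", attacker, 55002, "10.0.0.5", 23, {"ACK"}),
        # Crafted source port 20: looks like active-FTP data, aimed at X11.
        "sport20_to_x11":  Packet("tcp", attacker, 20, "10.0.0.5", 6000, {"SYN"}),
        # Crafted source port 53: looks like a DNS reply, aimed at portmapper.
        "sport53_udp":     Packet("udp", attacker, 53, "10.0.0.5", 111, set()),
        # The genuine replies the holes were meant to admit.
        "real_dns_reply":  Packet("udp", "198.51.100.53", 53, "10.0.0.5", 40001, set()),
        "real_web_reply":  Packet("tcp", "198.51.100.9", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),
    }
    return {name: (stateless_allow(p), sf.inbound(p)) for name, p in pkts.items()}
```

    Note what the `established` line does and does not do: a fresh SYN to port 23 is dropped whether or not a port-80 connection exists, so the feared "connect to 80, then open 23" does not follow from it; what it does admit is any packet with ACK or RST set, which is exactly what an ACK scan sends. The stateful filter admits the same genuine replies the holes were punched for, and nothing else.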
  97. Re:READ: TCP/IP Illustrated guide = informed paran by Phork · · Score: 1

    they need a book from a series that has been joked about for years, TCP/IP for complete and utter morons!

    --
    -- free as in swatantryam - not soujanyam.
  98. Re:@Home Port Scans by Phork · · Score: 1

    I'm not sure if it is still true, but for a while the scans all originated from authorizedscan.security.home.com.
    the purpose of them is to see if you are violating the AUP by running a server.

    --
    -- free as in swatantryam - not soujanyam.
  99. In short... by veg · · Score: 1

    "A little knowledge is a dangerous thing"

    and you can be sure that the users of these "personal firewalls"....sigh....really do have a *little* knowledge.

    Either that or our mail server really is trying to "hack" windows boxes using IDENT.

  100. Re:Yup, there really are that many bad admins... by strobert · · Score: 3

    Yup, have to agree with you. Of course it isn't just bad admins, it is bad technology workers in general. I have moved into Network/System admin full time now, but last summer I had the fun of interviewing people for software development positions. I think I interviewed about 50 folks over 2 months, and there were I think 2 that we considered, and they weren't what I would call senior.

    *sigh*

    Oh, and add Solaris to the mix. With the new GUI installer I have seen people who are scared of a unix command line point and click their way through the Solaris 8 install.

    These "enabling" installers that are around these days REALLY scare me.

  101. it's not the admins that are emailing you by brettbender · · Score: 5
    ... it's the users. The real network or security admins on a site of > 1 hosts are likely to:
    1. have more pressing issues to resolve than failed identd queries (e.g. exhaustive network probing, exploit attempts, etc.)
    2. have a clue (i.e. that an identd query probably corresponds to a client connection, and that identd lookups at a regular interval are probably from a cron job or similar)
    When I ran a single workstation on my desk in college, I had plenty of time to write huffy emails each time a line was added to /var/log/security (by the default log levels, which I had only the slightest inkling of how to configure). Now that I (try to) secure a class B network, I do 3 things:
    1. screen the network with a firewall
    2. run an IDS (Snort http://www.snort.org)
    3. (largely) ignore all the crud that bangs into the firewall each day
    Here's what this lets me do with the scenario described above:

    When I run end-of-period reporting against the IDS logs, the nightly identd query shows up as a traffic spike. That night, I set the network sniffer to log all traffic to and from the "suspicious" external host/network. Bingo! The outgoing FTP client connection is logged as well. The owner of the offending workstation gets a phone call to find out if they know about their cron-job.
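    The correlation described in this post, an inbound ident (113) or active-FTP-data (source port 20) hit explained by an outbound FTP control connection from the targeted host moments earlier, plus the "same time every night" pattern that marks a cron job, as an added example. This is not code from the post and not a Snort rule; the one-line-per-packet log format and the sample lines are constructed for the example.

```python
"""Explain inbound ident / active-FTP 'attacks' by the outbound FTP
session that caused them, and flag the ones that recur nightly.

Added example, not code from the original post.  Log format is
constructed: "<date> <time> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(\S+ \S+) (ACCEPT|DROP) (TCP|UDP) "
                  r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample: 192.0.2.5 is an inside workstation; 198.51.100.20 is the
# FTP site its 2 a.m. cron job fetches from; 203.0.113.7 is something else.
SAMPLE_LOG = """\
2001-04-12 02:00:01 ACCEPT TCP 192.0.2.5:1028 -> 198.51.100.20:21
2001-04-12 02:00:01 DROP TCP 198.51.100.20:2201 -> 192.0.2.5:113
2001-04-12 02:00:03 DROP TCP 198.51.100.20:20 -> 192.0.2.5:1029
2001-04-12 14:31:44 DROP TCP 203.0.113.7:4321 -> 192.0.2.5:113
2001-04-13 02:00:02 ACCEPT TCP 192.0.2.5:1031 -> 198.51.100.20:21
2001-04-13 02:00:02 DROP TCP 198.51.100.20:2218 -> 192.0.2.5:113
2001-04-13 02:00:04 DROP TCP 198.51.100.20:20 -> 192.0.2.5:1032
"""


def parse(line):
    """One log line -> dict, or None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "action": m.group(2), "proto": m.group(3),
            "src": m.group(4), "sport": int(m.group(5)),
            "dst": m.group(6), "dport": int(m.group(7))}


def explain_backscatter(lines, window=timedelta(seconds=120)):
    """Pair each inbound ident or src-port-20 hit with an outbound FTP control
    connection (dport 21) from the host it was aimed at, opened within `window`
    before it.  Returns (explained, unexplained) as lists of (event, cause)."""
    events = [e for e in map(parse, lines) if e]
    ftp_out = defaultdict(list)          # (inside_host, outside_host) -> [start times]
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 21 and e["action"] == "ACCEPT":
            ftp_out[(e["src"], e["dst"])].append(e["ts"])
    explained, unexplained = [], []
    for e in events:
        looks_hostile = e["proto"] == "TCP" and (e["dport"] == 113 or e["sport"] == 20)
        if not looks_hostile:
            continue
        starts = ftp_out.get((e["dst"], e["src"]), [])
        cause = next((t for t in starts if timedelta(0) <= e["ts"] - t <= window), None)
        (explained if cause else unexplained).append((e, cause))
    return explained, unexplained


def recurring(events, min_days=2):
    """External hosts whose hits land in the same hour on at least `min_days`
    distinct dates: the signature of a scheduled job, not a person."""
    seen = defaultdict(set)
    for e, _ in events:
        seen[(e["src"], e["ts"].hour)].add(e["ts"].date())
    return sorted({host for (host, _hour), days in seen.items() if len(days) >= min_days})
```

    On the sample, the four hits from the FTP site are explained by the two outbound control connections and the site is flagged as recurring, while the lone daytime ident probe from the third host stays unexplained and is the only line worth a second look.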

  102. Zork and telnet as 'attempted unauthorized entry' by ckm · · Score: 4

    After seeing the story about ESR's Zork/Adventure like configuration interface, I decided to see if I could find a Zork or Adventure server.

    After a quick Google search, I located a link to a Zork server at University of Wisconsin, Eau Claire. The link was on an official university page about computing history.

    I tried connecting to it, but, not surprisingly, it failed. I tried from another machine, still no luck. End of story.

    Or so I thought. A few days later, I get a notice from my ISP warning me for trying to crack a machine, the machine I was telnetting to at UWEC... Luckily for me, my ISP is geek friendly, and my connection was not terminated on the spot.

    I was pretty pissed, so I tracked down the email of the stupid a#$%!, incompetent and amateur admin responsible for notifying my ISP. I sent him a long, formal rebuke of his position that I was attempting 'unauthorized entry' and vaguely threatened legal action if he did not retract his email. Needless to say he did.

    However, how many other people, less internet savvy than me, would innocently click on some link found in a search, triggering a termination of their internet connection for no good reason? For me, losing my internet connection would mean a loss of tens of thousands of dollars that I earn doing remote development. Not to mention the damage to my professional reputation that would occur if I were thought of as a 'cracker'. Given that a large chunk of my consulting work involves security, that would be very hard to overcome.

    I think that people who are admins need to be realistic. If you put a machine on the net, you will get people connecting to it in ways you don't expect (ports 139 and 53 come to mind...). If you react like the admin did at UWEC to harmless and random connections, then you will eventually do damage to either someone's business or reputation (or both). And that could very well lead to a lawsuit.

    My servers get portscanned about 2-3 times a day from various random IPs worldwide, I'm sure most of them have fairly hostile intents. The fact is that the net has become MUCH more hostile in the last five years and has MANY more clueless users. If you can't accept that, can't build procedures and systems that can handle that, then you are in the wrong business.

    Quit now.

    -- CKM
    internet systems architect - scalability - commerce

    --
    -- I don't have a cool sig.
  103. Re: Ident through NAT by iso · · Score: 2

    wow, that's a lot of trouble to go through for identd. personally i just use either fake identd or null identd. both allow you to have ident send an arbitrary string that satisfies IRC servers.

    both of these utilities are a testament to how useless ident is for any purpose. it's far too easy to fake an ident response.

    - j

  104. Re: What exactly is a netmask? by erlenic · · Score: 1

    You're kind of right. A netmask is a way of showing what bits in the host portion of an IP address your network uses for subnets. This does pretty much have the effect that you mention in your post.

    For instance, in the example you list, the 255.255.255.0 states that all eight bits in the first three octets are used for the network address, and all eight bits in the last octet are used for hosts.
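    The bit arithmetic behind that explanation, as an added example (not code from the post): the mask is ANDed with the address to get the network, its inverse is ORed in to get the broadcast address, and everything strictly between the two is host space. It uses integer operations rather than the `ipaddress` module so the bits stay visible, and it also handles the /31 and /32 edge cases and rejects non-contiguous masks; the sample addresses are the ones from the thread.

```python
"""Netmask arithmetic with plain integer bit operations.

Added example, not code from the original post.  Derives network,
broadcast and usable host range from an address/mask pair, rejects
masks whose 1 bits are not contiguous, and treats /31 (RFC 3021) and
/32 as having no separate network/broadcast addresses.
"""


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer; raises ValueError on malformed input."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_len(mask):
    """Count the leading 1 bits of a mask, e.g. 255.255.255.0 -> 24.
    A mask such as 255.0.255.0 has no meaning and is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def subnet(ip, mask):
    """Network, broadcast, first/last usable host and host count for ip/mask."""
    a, m = ip_to_int(ip), ip_to_int(mask)
    plen = prefix_len(mask)
    net = a & m                          # host bits cleared
    bcast = net | (~m & 0xFFFFFFFF)      # host bits set
    if plen >= 31:                       # /31 and /32: every address is a host
        first, last = net, bcast
    else:
        first, last = net + 1, bcast - 1
    return {"prefix": plen,
            "network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "first_host": int_to_ip(first), "last_host": int_to_ip(last),
            "hosts": last - first + 1}


def same_subnet(ip1, ip2, mask):
    """True when both addresses share the network bits selected by mask."""
    m = ip_to_int(mask)
    return (ip_to_int(ip1) & m) == (ip_to_int(ip2) & m)
```

    For 192.168.0.1 with 255.255.255.0 this gives network 192.168.0.0, broadcast 192.168.0.255 and hosts .1 through .254, which is why the .0 and .255 addresses are not ones a host "listens" on in the ordinary sense.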

  105. Re: What exactly is a netmask? by ahde · · Score: 1
    All I know is that it's the numbers that specify the range of addresses you listen at and you specify it with ipconfig (or TCP/IP settings). I couldn't give a more technical answer. I could tell you that with IP 192.168.0.1 and NETMASK 255.255.255.0 you'd listen to everything from 192.168.0.1 to 192.168.0.255

    Would that pass the test?

  106. Re: What exactly is a netmask? by ahde · · Score: 1
    would it be enough if i had said "ifconfig"?

    ps. 255 for multicast

  107. Re:Yup, there really are that many bad admins... by mjprobst · · Score: 1

    Of course I've had the opposite problem, where I haven't been able to interview with anyone banging two neurons together for the past several months. I get questions that are obvious off a script, with several possible answers based on what assumptions you make about the poorly worded questions, and can't give the one scripted answer character for character, and get passed over. There's a shortage of clue among the admins themselves, and among the people who are trying to hire them right now, which just makes the problem 42 times worse.

  108. Re:Likely cause by SamBeckett · · Score: 1

    All I can say is... LOL!

  109. Paranoid admins and the ISP by sp1n · · Score: 1

    At least once a week I deal with auto-generated or paranoid admins declaring 'port scanning' by our DNS server, mail server, etc. Most of the time, it's simply because of far-too-restrictive firewall rules. These newbies think DNS or IMAP attempting to respond to incrementing ports from where the query originated is 'scanning' their network. They need an 'eq any-established' rule.

    The auto-arin-lookup-form-letter-firewall needs to go. Internet security has reached a level of stupidified paranoia. For the rest of these guys who call because some wu-ftpd worm scanned their net, well.. OBVIOUSLY YOUR FIREWALL IS DOING ITS JOB! NOW GO AWAY!

    -Kevin@XM

  110. Re:Firewalls for Flamers by Jeppe+Salvesen · · Score: 1

    Uhh.. You got the UDP part right. It is to be avoided.

    However, ICMP is important. I HATE it when ISPs are blocking my traceroute when I'm trying to figure out where/if a line went down. What's wrong with ICMP? Throttle it, of course, but otherwise it's a good thing!

    --

    Stop the brainwash

  111. Re:Likely cause by ninewands · · Score: 1

    Personally, I NEVER mention the "C-word" unless I'm expressly asked about them.

  112. Re:READ: TCP/IP Illustrated guide = informed paran by ninewands · · Score: 1

    Frankly, I think anyone who panics over this type of log entry doesn't need the TCP/IP Illustrated Guide, they need "TCP/IP Networking for Dummies ... REAL Dummies".

  113. Re:Likely cause by ninewands · · Score: 1

    Excuse me???

    The Computer Science Dept. at the University of Utah is WAY out on the cutting edge, having taken the lead on (among other things) the Mach kernel, the GLUT library and GLX extensions used by BOTH OpenGL and Mesa, and the Flask OS which has served as a base for the NSA's SELinux kernel security extension research.

    Calling that program sub-par to cover the fact that you 1) don't want to work hard enough to get a four-year degree, or 2) can't get in, or 3) can't cut it, boggles the mind and borders on disingenuousness.

    I apologize if you find my remarks hurtful or insulting, but I've just about had my fill of the "common sense and tech training is better than book-learning" argument.

    Regards,
    ninewands

  114. Re:Likely cause by ninewands · · Score: 1

    " ... competent HR person" is a contradiction in terms when you are dealing with IT positions. The ONLY reason I even got an interview for the position I currently hold was because the technical managers personally attended a job fair I went to and liked what they saw enough to red-flag the resume I gave them.

    Hint #1 to IT people who are job-hunting ... Hit the Tech job fairs, you might get lucky like I did. Hint #2, leave the fancy MCSE and MCP graphics off your resume ... if you DO happen to hit a geek instead of an HR drone and you have the right stuff, you don't NEED the graphics, if you don't have it, they'll see through you after about 3 minutes of conversation. I got a job, the guy ahead of me, who had all those Msoft certs hasn't yet, to the best of my knowledge.

  115. Re:Likely cause by ninewands · · Score: 1

    Well ... not knowing the reasoning behind the blanket statements, I'll skip over your 1) and 2) .... 3) it's been said that a Bachelor's degree is merely a license to learn accompanied by most (not all) the tools needed to use the license productively. I've found this to be true ...4) I didn't attack anyone's intelligence ... 5) I don't think anyone with a doctorate (NOT in CS) doubts, or lacks knowledge of, the value of an education, and 6) I got the job I have now because I had the technical qualifications for the job and I was lucky enough to skim past the HR drones. However, at the time I was fortunate enough to do so, I knew no one employed by my current employer.

    Regards,
    ninewands

  116. Re:And the vendors, too by ninewands · · Score: 1

    Sooner or later, all of them ...

  117. Re:Likely cause by ninewands · · Score: 1

    Actually, I worked on the Helldesk at the largest IP in Houston, Texas up until November of last year, and they were 100% a MSoft shop (except for routers and switches) until they were acquired by Internet America who proceeded to impose a certain degree of sanity (and also laid me off).

  118. Re:Yup, there really are that many bad admins... by ninewands · · Score: 1

    Speaking of Solaris 8 and the Web installer ... does anybody know how to break out to a shell when it DOESN'T work? ... seems like I get a configuration failure about 35% of the time and eventually wind up having to stumble around until I get a "magic combination" of settings (which are different from machine-to-machine) then straighten things out after the system is installed ...

    Even for a GUI installer, this sux.

  119. Re:Likely cause by ninewands · · Score: 2

    Well, I can't speak for the newly-minted MCSE part of the question, because I only admin n*x boxen, but yes, ignorance is a large factor here ... a failure to understand the nature of the internet is the other big part.

    Personally, I don't consider a connection "hostile" unless there's an actual connection made (thank You Wietse, TCPWrappers is a Godsend) from an unauthorized host, or ... until I receive an inquiry from another admin whom I have reason to believe is competent about a port-scan or other probe from one of the hosts I admin. Of course, at the University where I do my magic, portscanning from the Computer Lab is PROHIBITED.

    As for the "healthy dose of paranoia," I've been informed that this is a professional requirement for a Unix admin ... but then, so is an in-depth understanding of how TCP/IP works ... after all, "the network IS the computer" ...

    Regards,
    ninewands

  120. Re:Yup, there really are that many bad admins... by ninewands · · Score: 2

    Let me tell you, there really are not that many good ones out there.

    Only thing wrong with this sentence is that it restates the obvious.

    In my own personal experience, I'd say that 1 in 20 are worth the space that they occupy. One in 100 would fall into what I would classify as a true senior level admin.

    I think you're a tad bit over-optimistic. I regard a TRUE senior Unix admin to be a "Unix God" type ... and I've only met one or two of them ...

    The rest of them are just an accident waiting to happen.

    I'm sort of a mid-level Unix admin and still find myself feeling this way.

    [SNIP the firewall stuff. It's an amusing story, but not relevant to what I'm writing]

    The really sad thing is that most of these admins pull 60-80K/yr (in the us) and think that they know everything. Ah, the ignorance of youth (even the 40+ year old ones who still don't have a clue). You see, the more you know, the more you know that you don't know everything.

    Here's MY point. The more I learn, the more I learn how LITTLE I know. Hell, here lately, I've even found myself reading "man ls" and "man ps" at work looking for nuances ...

    The hard part for me is that with all of the gui's now dominating the server market, the level of knowledge required to get a system up and running is getting lower and lower. A trained monkey can install NT and most of the linux based distros out there nowadays.

    This is not bad ... in fact, ease of installation/administration is a necessary component of Linux's move toward "world domination" ...

    And as soon as they can do that, they add 'system admin' to their resume and try and go for the big bucks. And they can play that game till something serious comes up and they discover what vi is and then they discover that they have no idea of what single user mode is or how fsck works. At that point the game is over and the company that they work for discovers that they didn't hire a senior level admin, they hired a trained monkey.

    This is the employer's own fault for giving the HR drones the authority to "screen" applicants. This results in the hiring official only meeting those who fit through the HR dept's round hole. Because of this, the newly-minted MCSE (or Sun Certified System Admin) makes it through while the ancient geek who beta-tested Windows 2.0 but never bothered with certs doesn't ...

    [SNIP most of the rest]

    In the mean time, all we can do is hope that companies start to find some way to tell when an admin really knows their shit and when they just know how to walk through the mandrake gui install.

    The only way this is going to happen is for the technical managers to take back the initial screening of candidates from the HR drones. As long as your candidates have to fit in the cookie cutter to get past square one all you'll get is interchangeable parts ... and that description doesn't fit the few gems you're looking for.

    Regards,
    ninewands

  121. Re:And the vendors, too by Saidin · · Score: 1

    Automatically delete user directories that have not been accessed within the last days. This is an effective mechanism for only keeping information on the system for active users. (ON) (WTF! Oops, last years holiday photos just disappeared. Junior, did you delete dad's pr0n collection?)

    Oh, like there is ever a few day period when the pr0n collection hasn't been accessed.

  122. Admins whining by SnApDaD · · Score: 1

    In general whining and hollering about random connects is the response of a paranoid and insecure admin. ./snapdad

  123. Re:Likely cause by rprycem · · Score: 1

    Try using periods. You will sound more intelligent that way.

  124. Personal firewall training needed by demaria · · Score: 1

    Story I've heard. On a university campus, many people have BlackICE installed, and it complains and throws up a red flag when a ping sweep or SNMP queries are done, causing users to panic and call the help desk worrying that the networking staff is hacking them. :)

  125. Re:Likely cause by chmod000 · · Score: 1
    There are no HR people competent enough to "screen out" applicants for technical jobs.

    A telling point. You see, if they actually have the knowledge to judge IT applicants, they aren't likely to be working in HR.

    --
    Aptal soru yoktur; sadece merakli aptallar vardir.
  126. Re:Yup, there really are that many bad admins... by R.Caley · · Score: 3
    Hell, here lately, I've even found myself reading "man ls" and "man ps" at work looking for nuances ...

    It's a little known fact that Ken Thompson added functionality to ps and ls which occasionally adds or removes an option at random from executable and man page. This allows, over time, for more possibilities than there are characters available.

    An experienced user will usually be able to schedule their work so as to fit in with the functionality changes.
    _O_

    --
    _O_
    .|<
    The named which can be named is not the true named
  127. Knee jerk reactions by stox · · Score: 1

    Howdy Kirk! Are you still jumping out of fast moving vehicles? ;-> This is a symptom of the ever dropping skill sets of the admin population these days. Anything, they don't understand, must be an attack. Time to send some folk to Internet network administration 101.

    --
    "To those who are overly cautious, everything is impossible. "
  128. Re:And the vendors, too by Explo · · Score: 1

    It's not a big thing, but Compaq got this remote web management included (and enabled by default) on their PCs. Every few seconds, they broadcast to port 2301, hitting thousands of machines on mediaone's cable network.

    That manager is pretty annoying; I had to add an extra rule to my firewall to not log those packets which that crappy piece of software broadcasts.

    --
    Everyone who makes generalizations should be shot.
  129. Re:What I love... by BiggestPOS · · Score: 1
    What a poorly crafted troll. ZoneAlarm not only blocks the DHCP server from completing the DHCP lease renewal, it also reports to the user that "Someone attempted to access files on your computer." It's annoying as hell explaining this to people who think that Yahoo.com IS the internet.

    --
    What, me worry?
  130. What I love... by BiggestPOS · · Score: 5
    Is lusers with Zonealarm and Blackice calling up asking why they lose their IP every 122 minutes. Well, let's see, our DHCP leases are 122 minutes, Have you set your firewall to block the DHCP server? Oh, you have? Well then, as long as you are doing that, you are going to lose your IP every two hours. Please configure your firewall correctly, and then you can call me back. And they always ask "Can you do that for me?" It's great, these people break their computers with other people's products (Bonzai Buddy anyone?) And then call their ISP to have it fixed.

    --
    What, me worry?
    1. Re:What I love... by crond · · Score: 1
      If they're blocking the DHCP offers, how can they get assigned an IP address in the first place?

      Something's wrong with your logic, my friend.

      crond@undernet
      Norwegian Linux Community

    2. Re:What I love... by dasunt · · Score: 2

      Odd, Zonealarm (at least the free version) can block servers? AFAIK, zone alarm just allows/denies programs to create an internet connection and to allow a program to accept incoming internet connections.

      Therefore, I use zone alarm not as a firewall, but as a free (beer) way of making sure programs don't "phone home" without my permission.

      Anyways, please reply how Zone Alarm can block DHCP....

    3. Re:What I love... by blang · · Score: 3
      It's annoying as hell explaining this to people who think that Yahoo.com IS the internet.

      What a bunch of losers! Everybody knows that the internet is Internet Explorer.

      --
      -- Another senseless waste of fine bytes.
  131. Re:Likely cause by Chessucat · · Score: 1

    Logs?! What's that? The only logs I check are the ones in the porcelain pot after I get up. I might be the one you got.

    --
    "I'm a dirty white tomcat, enter my world..."
  132. Education, Education, Education by marm · · Score: 5

    Maybe it's just me, but wouldn't it make more sense (perhaps with "Internet 2" or any of these other projects) to create infallible network protocols/tools that can't be used for maliciousness? Or is this logically impossible?

    It's not a logical impossibility. Practically, however, it is impossible - IP only works because it is a nice lightweight, easily-routed network protocol. If one were to extend IP or redesign it to try and prevent any misuse, you would almost certainly find it became too heavyweight for it to work successfully at the global level. Not to mention that someone would eventually find some minor chink in its armour and start exploiting that instead...

    However, there's all sorts of things that one can do to make the IP world a safer place. Number one, and probably the best example, would be for all network admins (and router manufacturers) to turn on source route verification by default at their border routers at the very least. What this does is get the router to verify that the source address of a packet headed to an external destination is in fact inside the netblock that the router 'owns' before forwarding it to the next hop. If every network admin would do this, then packets with a spoofed source address would never get any further than their nearest border router, and the internet as a whole would be an awful lot safer. This isn't a new idea and the capability to do it is probably in every router made in the last 5 years at least. Certainly any modern Linux kernel can do it. However, some manufacturers of both router hardware and software routing solutions still insist on keeping it set off by default, and combined with clueless network admins who don't know to switch it on, the problem remains.

    The problem is thus not one of inadequate technology (although IPv6 addresses some security concerns too) but rather one of education...
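    An added example, not posted by anyone in this thread, of what marm's border-router check above actually computes, using the same IP/netmask arithmetic the "What exactly is a netmask?" exchange was poking at: a router that "owns" some netblocks forwards an outbound packet only if its source address falls inside one of them. The netblocks and packets are constructed for illustration.

```python
# Added example (not from the Slashdot thread): source-address verification
# at a border router, done by hand with netmask arithmetic. The netblocks
# and packets below are constructed for illustration.
import ipaddress

def network_range(addr, netmask):
    """Return (network, broadcast) for a dotted-quad address and netmask,
    i.e. the span of addresses the netmask discussion was about."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def egress_allowed(src, owned):
    """A border router forwarding an outbound packet should only accept a
    source address that belongs to one of the netblocks behind it."""
    ip = ipaddress.IPv4Address(src)
    return any(ip in ipaddress.IPv4Network(block) for block in owned)

def filter_outbound(packets, owned):
    """Split outbound packets into (forwarded, dropped_as_spoofed)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_allowed(pkt["src"], owned) else dropped).append(pkt)
    return forwarded, dropped

OWNED = ["192.168.0.0/24", "10.20.0.0/16"]   # constructed: netblocks behind this router

PACKETS = [  # constructed: outbound packets seen at the border
    {"src": "192.168.0.42",  "dst": "198.51.100.7", "dport": 80},
    {"src": "10.20.5.9",     "dst": "203.0.113.1",  "dport": 53},
    {"src": "203.0.113.99",  "dst": "198.51.100.7", "dport": 80},  # spoofed: not ours at all
    {"src": "192.168.1.5",   "dst": "198.51.100.7", "dport": 22},  # adjacent /24, also not ours
]

if __name__ == "__main__":
    print("192.168.0.1/255.255.255.0 spans", network_range("192.168.0.1", "255.255.255.0"))
    fwd, drop = filter_outbound(PACKETS, OWNED)
    for p in drop:
        print("dropped packet with spoofed source", p["src"])
```

    On a Linux host the kernel-side equivalent of this check is the rp_filter sysctl (net.ipv4.conf.all.rp_filter); on routers it goes by various vendor names, which is part of why it so often stays off.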

  133. story about NO paranoia where I work. by Klowner · · Score: 1

    Well, we've got 4KB/sec connection, and an FTP server running on the computer connected directly to it. No big deal? of course not, except when someone overlooks the fact that anonymous access is allowed, with full read/write access. Needless to say, we ended up with a few gigs of DivX movies (most of them were harrison ford movies, no clue why). So we set up a port listener for a few days, finally they quit, so now we don't care and there's no more ftp server. Another good reason to make me the "computer guy" at work and not the guy that was currently "computer guy" at the time of that happening. Just a non-amusing story about having no paranoia. Klowner

  134. Re:Upgrade idea for identd by i_m_sane · · Score: 1

    I am a resident college student and at my school we are required to login to our network each time the computer reboots. What that does is hard links a DNS name and our IP address to our username. So with my school both IDENT and DNSlookup would result in the username of the person at the computer.
    | - Adam Sane :-)

    --
    Adam Sane sanity is a dirty job, but somebody has to do it.
  135. Re:Yup, there really are that many bad admins... by juha0 · · Score: 1

    God damn!! Maybe I'm a bit slow this morning, but definitely woke up...

  136. A Time of innocence lost by ostone · · Score: 1

    The security we are dealing with today is an insult to the MIT TMRC Hackers that started oh so long ago. Back in the day (before I was born) there was ITS, and on this mystic machine even privileges were basically all open... no passwords... and, of course, a command DESIGNED to crash the system. Security on computers (especially home Microslothy ones) is just funny to me. People install Firewalls thinking they are Virus Scanners and vice-versa. This paranoia among home users wouldn't even exist if the 31337 HaX0RZ (Script Kiddies) would stop with their m4d Ski11z (VB Script "Programs") and would just stop R0X0R1NG the public (double clicking .exes and hoping they can make some poor guy's day miserable)... Frankly I don't have much need for security (I mean I won't hand out my root password or anything) and the little I do have is plenty enough to keep unwanted people out (to some degree). So, 31337 K1DD13Z stop... and others calm down, nobody wants to delete all your precious word documents.

    Paranoia Sale on Aisle 4

    --
    Remove *your pants* to send me email.
  137. Perhaps yet more metaphores are required... by riprjak · · Score: 1

    ... It seems to me that a firewall is a lot like body armour. One should be significantly more concerned by what goes through than what bounces off :)

    err!
    D.

    'NASA's law of planetary motion (apologies to Kepler) : US$130oddMCrater/(0.0254*12)=Orbit'

  138. Re:Likely cause by ErikTheRed · · Score: 1

    You're absolutely right. When I hire people and they start going off about their certifications, I'm like "And your point is...?"

    --

    Help save the critically endangered Blue Iguana
  139. Likely cause by ErikTheRed · · Score: 2
    Additionally, are there really that many ignorant network administrators who look at a log of one refused identd lookup and one refused active-mode FTP connection every night at 2 a.m. and not realize that something on their end is trying to connect to an FTP site every night?
    Probably related to the number of freshly minted MCSEs hired as sysadmins for medium-sized companies. Or even more freshly (as in freshly shat out) minted MCPs (or worse: A+ Certified!) drones hired by large corporations.

    It would be nice if someone came up with a certification system that actually separated those who can barely regurgitate what they crammed over the last few weeks from those who command secret ninja networking powers.
    --

    Help save the critically endangered Blue Iguana
    1. Re:Likely cause by guinsu · · Score: 1

      He did say IT though, not Comp Sci or programming. In my comp sci education I learned nothing about IT other than what I did on my own. I would assume U of U would be similar.

    2. Re:Likely cause by megaduck · · Score: 1

      Ouch.

      Us "freshly shat" MCSEs should be so lucky. The sad truth is that the majority of IT managers these days share your low opinion of Microsoft certifications. Sysadmin? I wish. I'm struggling to get a support position right now, despite my cert AND five years of experience.

      I don't have a degree, but I know my stuff. I thought an MCSE might give me an edge. Nope. Thanks to the "Internet gold rush", the popular perception is that all MCPs come from these damn cram schools and can't find their asses with two hands and a flashlight. I got laid off, and without a college degree I'm back where I started. Now I'm studying (on my own) for a Cisco cert in the hopes that that might still have some credibility.

      --
      This .sig for rent.
    3. Re:Likely cause by Waffle+Iron · · Score: 1
      ... Which brings up a point: although I was an engineering major, I punished myself by taking Business and Technical Writing as one of my humanities electives. I was the only geek in the class, and it turned out to be one of the hardest classes I took.

      It was graded by a perfectionist on a non-curved scale, and we were forced to write letters to respond to impossible customer service nightmares. (My favorite: Try to convince a doctor to keep using your baby food brand after he found half of a dead cockroach in it. I'm not kidding.)

      Despite this, B&TW was just about the single most valuable course I took. A large part of success in the real world depends on how well you communicate.

    4. Re:Likely cause by 0-9a-f · · Score: 3

      It is not just the kiddies or fresh sysadmins full of self-importance who are stressing over this stuff.

      While working at an ISP, we received a demand from the Supreme Courts, complete with logs, that required us to stop "attempting to break in" to their network. Oddly, they were only concerned with our nameserver (thousands of customers, dozens of servers, and they're worried about our dedicated nameserver??)

      Twice we threw their request back, pointing out that these were low-volume, and actually being BLOCKED by their firewall. Curiously, they were all UDP port 53, and coming from all over the Net.

      When they (twice) refused to believe us, and then pointed out that it was still occurring (predominately late in the afternoon, especially Friday), we pointed out that that these were probably legitimate DNS requests, being blocked by an over-paranoid firewall.

      In the end, the administrator told us he understood that it was not an attack, but was at a loss how to explain this to the manager who started all the grief in the first place. Eventually, at our gentle suggestion, he simply turned off logging of those particular packets.

      The manager then saw that the logs were void of "attacks", and his reports to upper management were clear. Clue was redefined, and duly distributed.

      So, do not be too quick to blame the poor sysadmin! Often, all they need is a little non-technical assistance.

      --
      With each breath in, a flower somewhere opens; with each breath out, a flower withers away. In between lies beauty.
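      An added example, not written by any poster here, of the mechanism behind both sp1n's "DNS or IMAP attempting to respond to incrementing ports" complaint and the Supreme Court nameserver story above, and the identd and active-mode FTP callbacks the original submitter was being blamed for: a stateless filter sees only the inbound packet, while a stateful one remembers the connection that provoked it. The log lines imitate the shape of an iptables LOG entry (simplified), and every address, port and entry in the outbound table is constructed.

```python
# Added example (not code from the thread): why a stateless packet filter
# logs DNS answers, ident callbacks and active-mode FTP data connections as
# "attacks". Log lines imitate a simplified iptables LOG line; addresses,
# ports and the outbound table are constructed.
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def parse_log(lines):
    """Pull the 5-tuple out of each firewall log line; skip lines without one."""
    packets = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            packets.append(Packet(m["src"], m["dst"], m["proto"],
                                  int(m["spt"]), int(m["dpt"])))
    return packets

# Connections our own hosts opened, as a stateful firewall would remember
# them: (our_ip, our_port, remote_ip, remote_port, proto). Constructed.
OUTBOUND = {
    ("192.0.2.10", 32771, "203.0.113.5", 53, "UDP"),    # DNS query we sent
    ("192.0.2.10", 1034, "198.51.100.20", 21, "TCP"),   # FTP control channel we opened
    ("192.0.2.11", 2201, "198.51.100.25", 25, "TCP"),   # mail we are delivering
}

def classify(pkt, outbound):
    """Explain an inbound packet that a stateless filter dropped and logged."""
    # 1. Exact reverse of a flow we started: the DNS answer coming back to the
    #    ephemeral port the query left from. Stateless rules see "UDP from 53
    #    to a random high port" and call it a scan.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in outbound:
        return "reply to our own query"
    # Any connection from the logged destination to the logged source?
    related = [o for o in outbound if o[0] == pkt.dst and o[2] == pkt.src]
    # 2. ident (RFC 1413): the server we just connected to asks who owns the
    #    source port of our connection. Mail and IRC servers commonly do this.
    if pkt.proto == "TCP" and pkt.dport == 113 and related:
        return "ident lookup from a server we connected to"
    # 3. Active-mode FTP: we hold a control connection to port 21; the server
    #    connects back from port 20 to open the data channel we asked for.
    if pkt.proto == "TCP" and pkt.sport == 20 and any(
            o[3] == 21 and o[4] == "TCP" for o in related):
        return "active-mode FTP data connection for our own session"
    return "unsolicited"

def triage_log(lines, outbound):
    """Return (packet, verdict) pairs for every parsable log line."""
    return [(p, classify(p, outbound)) for p in parse_log(lines)]

# Constructed: what the "paranoid" firewall reported at 2 a.m.
LOG_LINES = [
    "Jun  5 02:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "PROTO=UDP SPT=53 DPT=32771 LEN=120",
    "Jun  5 02:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 "
    "PROTO=TCP SPT=20 DPT=1035 SYN",
    "Jun  5 02:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.25 DST=192.0.2.11 "
    "PROTO=TCP SPT=4242 DPT=113 SYN",
    "Jun  5 02:00:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 "
    "PROTO=TCP SPT=3333 DPT=111 SYN",
]

if __name__ == "__main__":
    for pkt, why in triage_log(LOG_LINES, OUTBOUND):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {why}")
```

      Only the last line, the SYN to portmapper from a host nobody here talked to, is left over once the filter is allowed to remember its own outbound traffic; the first three are the "attacks" that generate the form letters. The ident and active-FTP cases are the ones a purely port-based rule cannot get right, because the callback arrives on a new connection rather than as a reply on the original one.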
    5. Re:Likely cause by sabinm · · Score: 1

      Sorry, buddy, chose to reply to this because it was the only one that was intelligent. Let's make some points. 1. This includes CS majors. 2. A degree in CS is still a paper degree 3. I've checked out the degree. The problem w/the CS degrees is simply that they include too much and do not spend enough time delving into the meat of the theories that they purport to teach. 4. I restate: An attack on one's intelligence usually is an indication of one's own inability to accept one's own limitations. I should know. I fell for that trap after I graduated w/honors from high school with a solid gpa and a promising scholarship to BYU. 5. Anyone who thinks that studying intently is for idiots does not know the value of an education. 6. Get real. The only reason you are where you are...I repeat, is because you knew someone. Not because you know something. I also am tired of the common sense and tech training argument too.

      --
      http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
    6. Re:Likely cause by sabinm · · Score: 1

      As you say yourself, Lucky enough. I need not say more. Don't be so quick to judge those who choose all venues to pursue an education. Most people's work who you have built upon were engineers forced into a new world and didn't have the benefit of a CS major. You seem to put yourself in a different situation than most. I personally know several Computer Sci majors in Utah who are making 7 bucks an hour at an internship because of the lousy job market. You are not too informed. Don't confuse luck w/skill. Don't confuse unemployment with lack of skill.

      --
      http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
    7. Re:Likely cause by banshee2000 · · Score: 1

      LOL I had to check your nick to make sure it wasn't my husband that posted that. You took the words right out of his mouth LOL. No wonder the damn dot.com's went belly up. Good post :P

  140. Re:Yup, there really are that many bad admins... by shippo · · Score: 1
    I agree entirely on the HR issue.

    In late 1999 I attended an interview with a local IBM Global Services office. Remote sysadmin for a major supermarket chain.

    The two interviewers were utterly incompetent. I was asked one technical question, to which the answer was "wc -l". The rest of the interview consisted of one of the interviewers reading off a list of mainly obscure 3rd party products, of which I had experience of half.

    I was told in the rejection letter that I didn't have enough Unix experience. If 9 1/2 years was not enough, I've no idea what they were looking for!

  141. Re:Yup, there really are that many bad admins... by shippo · · Score: 1
    I had even sillier questions asked in a telephone interview by a headhunter on behalf of $BIGHARDWARECO. This headhunter had the exclusive contract in the UK for this company.

    I've no idea who compiled the questions, but most of them were unanswerable.

    The only one that was really answerable was on the layout of the S5 filesystem. I hadn't used that filesystem for mumble years, and I guessed on the precise location. The other questions included these classics:

    What's the significance of memory address $F0000000.

    What's the difference between a Unix and a Windows PCI card.

    The first was unanswerable without some context, which the headhunter was unable to expand upon. The second was unfathomable. The only difference between PCI cards I've ever ascertained is in those few with a BIOS, which must be processor specific. This didn't register with the headhunter either.

    I later learnt that this company had problems recruiting competent staff. I wonder why!

  142. Re:Yup, there really are that many bad admins... by shippo · · Score: 1

    B*ll*cks!. Forgot to press preview!.

  143. Re:Speaking of ... stupid? by PatJensen · · Score: 2
    I have to call you on this and correct your rather obvious mistakes. Unless you have the bindings for Windows File and Print Services disabled, or you have uninstalled them completely on your workstation or server - there WILL be something always listening on TCP/IP ports 137-139 on your Windows machine. Now, I think your intention is to say that there was a live -connection- to your ports 137-139. Now I continue.

    NetBEUI is a non-routable transport protocol. NetBEUI has nothing to do with this picture that you are presenting. NetBEUI has nothing to do with Windows File and Print Services, other than that fact that it is a protocol that can carry NetBIOS traffic. NetBEUI does not use port numbers like TCP/IP does and netstat.exe would not have showed any live connections to your machine anyways. netstat.exe is a TCP/IP utility.

    NetBIOS/SMB is the communication layer that Windows products use to communicate over a network. Do not get them confused. Block the NetBIOS ports (or do not specifically forward them) on your NAT gateway and DISABLE the services or remove the bindings on your Windows machine to stop the problem. Again, NetBEUI has nothing to do with this.

    Hope this helps. Get a Windows networking primer book. It might help you sleep at night.

    -Pat

  144. Re:Speaking of ... stupid... or dumber? by PatJensen · · Score: 2
    NetBEUI was originally built as a transport protocol by IBM to carry NetBIOS connectivity for mainframe traffic. Before Windows File and Print existed. Before Windows was 32-bit.

    He was saying his NetBEUI was being hax0red on his NetBIOS ports. NetBEUI doesn't have TCP/IP ports. Your reply has nothing to do with the original post. Read it.

    -Pat

  145. Norton Firewall Addicts by Spazmania · · Score: 1

    My boss, who is not a sysadmin, installed Symantec's firewall product on his DSL connected home computer about 6 months ago. I applaud his interest in security, but it was a big embarrassment when he complained to the registrant of a multicast address about the hacking attempts to his PC and the registrant happened to know me. The packets with the multicast source address were, of course, coming from his other Windows PC.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  146. Re:Yup, there really are that many bad admins... by duffbeer703 · · Score: 2

    There are alot of bad admins because the truly talented ones move on to bigger and better things.

    In most organizations the system administrators are treated like plumbers -- nobody knows you're there until the shit backs up.

    I found SA work to become boring after a year or two. Once you start getting a clue, things become less challenging intellectually. In order to be doing really interesting work, you need to be a consultant or work for a really fast-growing company with lots of cash.

    Now I'm a developer/dba/firefighter and have a wide variety of things to keep me occupied.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  147. You got attacked on port 25! by IvyMike · · Score: 4

    When they send you email about identd, send email to their ISP complaining about unauthorized use of port 25.

    (You may want to read RFC 821 if you don't get the joke.)

  148. Re:Yup, there really are that many bad admins... by bn557 · · Score: 1

    lol, I read the man page for the kill command at work today just to find out the proper way to do a bumper sticker I'm making... only problem is the man page on my system doesn't agree with my kill's internal help.

    The bumper sticker is:

    #kill -e end_user

    the man page said -e allowed for killing by process name...

    anyways... enuf rambling...

    --
    Humans are slow, inaccurate, and brilliant; computers are fast, accurate, and dumb; together they are unbeatable
  149. Re:Port Scanning by Gordonjcp · · Score: 1
    Yep. Mandrake has some security stuff that will port scan a machine that makes a connection that is refused.

    We did once get in trouble over this though, the paranoid PFY at some place tried to get our connection pulled because "it was an obvious attempt to hack our computers".

    Ah well, it's time... Hand me my LART.

  150. Pardon me? by dhammabum · · Score: 1
    A single connection request often indicates an automated scanner. Particularly with the linux worms, I will get a single packet every few days to a different address in our range.

    Whether I chase it up depends on the port. Current favourites are 53, 111, 515, 21 etc. I mostly avoid querying something that could be legit, for example port 25 connections to our web server or the now infamous ident query.

    I do send an email to obvious scanners, mostly the owner hasn't a clue what is going on, and hopefully they will learn a bit about security and close the more targeted holes. In this case notification helps the user and (very slightly) reduces the easy meat for crackers.

    --
    I am not a robot. I am a unicorn.
    1. Re:Pardon me? by boomi · · Score: 1

      aaah, finally a sane person out there :)

    2. Re:Pardon me? by haruharaharu · · Score: 1

      A zone transfer *is* something to hide.

      You are already publically publishing that information.

      Not in bulk. A zone transfer is the first step in a network scan; once you get all the hosts and their IPs, you can feed it to nmap to check for vulnerabilities. Good if you're targetting a specific network.

      --
      Reboot macht Frei.
    3. Re:Pardon me? by haruharaharu · · Score: 1

      the spider crawl won't hit the shell servers that someone forgot to secure.

      --
      Reboot macht Frei.
  151. My hack proof ways of sysadmin. by interstellar_donkey · · Score: 2
    If you can't see it, it doesn't happen.

    Don't keep logs. Don't run any port scanner detection software. Don't restrict any ports on your machine. Don't run TCPdump.

    Don't look for anything out of the ordinary. Run NT, and if anything goes wrong and the boss asks, blame it on Microsoft.

    Don't let your users download anything. Make them save all their files to a floppy. Burn a CD with a good hdd image and make them re-install everything once a week.

    Don't read security updates, don't bother running virus scan programs. Force all of your users e-mails to run through you first. Complain that you don't have enough time to monitor everything and make them hire you an assistant. Make your assistant run to the store to buy you beer.

    Trust me. This works.

    --
    The Internet is generally stupid
  152. Re:Yup, there really are that many bad admins... by driftingwalrus · · Score: 1

    I call them "gimmies". When I quit from my last place of employment, I was replaced by a gimmie. What a moron. He hasn't touched a thing, even some of the HUGE security holes that I had temporarily left open just to get some bugs worked out and meant to close.

    System administration should be an apprenticed trade.

    --
    Paul Anderson
    "I drank WHAT?!" -- Socrates
  153. Re:I have to agree by humanasset · · Score: 1

    That mirrors my feelings exactly...

    The job is about more than technology

    It's an epiphany when you realize that the technology is only part of the job. Many times it's the smallest part of the job.

  154. READ: TCP/IP Illustrated guide = informed paranoia by raretek · · Score: 5

    I think Admins who jump at this type of traffic need to read the TCP/IP Illustrated guide, because it demonstrates a lack of understanding of what their logs are saying. If you don't understand that book, you should not even bother monitoring the logs or being an Admin in a TCP/IP networked environment for that matter, any more than an illiterate man should be a proofreader. My 2 cents.

    --
    Show me an effect without cause and then I'll believe in chaos.
  155. Firewalls for Flamers by kstumpf · · Score: 4
    This is pretty common now. People install some kind of packet filter and then throw a tantrum when they see traffic.

    The paranoia goes beyond casual users. I can't ping outside of our LAN at work. Our admin never could explain the reasoning for it, but it's very annoying.

    An actual conversation with a friend of mine:

    Me: "Hello"

    Them: "YES HELLO! I installed a firewall and it's blocking all kinds of stuff!"

    Me: "Yeah, what?"

    Them: "UDP, ICMP, some packets, hackers... bad stuff"

    Me: "Why are you blocking UDP?"

    Them: "Because you should always use TCP, it's better"

    Eh....

    1. Re:Firewalls for Flamers by NZKiwi · · Score: 1
      We've found there's absolutely no need to allow any ICMP into our network.

      ...and that shows how little you really know....

      Try 'Source Quench' (ICMP type 4) which is a rather useful little number for reducing congestion on heavily loaded links (like when your T1 tries to drown someone on a 56k dialup, or an intermediate router is overloaded). As it's originated by the drownee, it is inbound to your network, and ignoring it only compounds the problems down the line with retransmissions of timed-out dropped/lost packets.

  156. Yup, there really are that many bad admins... by segfaultcoredump · · Score: 5

    Over the past few years, I've had the opportunity to interview quite a few folks for the position of network and system administrators.

    Let me tell you, there really are not that many good ones out there.

    In my own personal experience, I'd say that 1 in 20 are worth the space that they occupy. One in 100 would fall into what I would classify as a true senior level admin. The rest of them are just an accident waiting to happen. All of them go around trying to sell themselves as 'senior unix | network system administrators'.

    The problem is that many of these places set up the firewall and block everything, all ICMP packets included. They don't take the time to learn what they should block and what the consequences are. They just block everything. Then when something does not work, they open things up till it does. For a good time, check out the firewall config of an admin who set up an exchange server that sits behind a firewall. Chances are they had no clue what the 'established' keyword was and just allowed ports 1024 through 64k. (in the cases where their firewall did not automatically recognize that exchange works in a fashion similar to rpc)

    The really sad thing is that most of these admins pull 60-80K/yr (in the US) and think that they know everything. Ah, the ignorance of youth (even the 40+ year old ones who still don't have a clue). You see, the more you know, the more you know that you don't know everything.

    The hard part for me is that with all of the GUIs now dominating the server market, the level of knowledge required to get a system up and running is getting lower and lower. A trained monkey can install NT and most of the Linux based distros out there nowadays. And as soon as they can do that, they add 'system admin' to their resume and try and go for the big bucks. And they can play that game till something serious comes up and they discover what vi is and then they discover that they have no idea of what single user mode is or how fsck works. At that point the game is over and the company that they work for discovers that they didn't hire a senior level admin, they hired a trained monkey.

    So yes, you are screwed. If your ISP is nice, you can send them an email telling them to discard any emails that they get of 'attacks' from your ftp servers. If it goes to the right network admin (one of the 100) then you can probably sit back, smile and respond with an automatic 'hey stupid, please read rfc bla, bla and bla and then write back when you get a clue as to how ftp works and what your firewall is doing.'

    In the mean time, all we can do is hope that companies start to find some way to tell when an admin really knows their shit and when they just know how to walk through the mandrake gui install.

    1. Re:Yup, there really are that many bad admins... by BroadbandBradley · · Score: 1

      any thoughts on how to land a high paying system Admin Job while not knowing much?
      hell, if there are so many bad admins out there, I'd like a piece of that 80K pie. I can be a dumbass as good as or better than the next idiot.

  157. I don't have that much time to worry about identd by trentfoley · · Score: 1

    I have a dsl connection on a nat'ed lan. I used to pay a lot of attention to my logs from ipchains/iptables and report obvious intruders (12345, etc) I've since stopped for the most part. If they keep at it for a long time, and they are local, I'll try to hire them as babysitters for my kids -- that'll teach 'em. I do still log troubles from .edu's because I think they would like to know. Otherwise, I figure since they haven't gotten past my firewall, and haven't gotten into my private lan, I'm ok and they will get busted by somebody else if they go too far.

    Just my three cents.

  158. Ignorant "Network Administrators" by Burdell · · Score: 1
    I've been a systems/network admin for an ISP for 5.5 years, and I've seen that there really are a large number of "Network Administrators" that have no idea what they are doing.

    In some cases, it is not their fault. One of our customers (a bookstore with several stores) ordered a T1 line to their "corporate headquarters". When our installer arrived, it was to a warehouse. The job of "network administrator" was a secondary job for someone; his primary job was driving the forklift. Would a company ask the forklift driver to do their accounting? Why should they ask the same person to manage what they are now considering an important part of their business infrastructure? As the Internet (and networking in general) "matures" and becomes a more important part of business, companies will have to realize that they can't get away with just picking the employee that seems to recognize a computer when you drop it on his foot and calling him the "network guy."

    Part of the reason so many ISPs either keep raising prices or go out of business is that people expect their ISP to do their network support. When we tell a customer that our responsibility ends at the ethernet port of the router (because they want that T1 line cheap), they get irate. Our choices are to try to help them, even though we don't know a thing about their network (and because of that we may screw things up more) or to tell them it isn't our problem (which makes them mad and may cause them to move their service). The small "mom and pop" type ISPs can afford to do more of this kind of help in the short run, but they can't maintain it in the long run (been there, done that). The same thing holds true for residential (dialup/DSL) customers. People (including me) love to complain about the quality of most tech support groups, but try asking an ISP how much of their revenue goes to support. You get what you pay for.

    I handle our abuse email, and we get all kinds of reports. We've had people complain that our DNS server is attacking them on port 53 (the DNS port), that our Akamai content distribution servers attack them every time they go to CNN, and so on.

    We had an Army network admin call us a couple of weeks ago because he was getting flooded with reports of an attack originating from our Unix shell account server. It turns out that someone from his network had connected to our server via SSH. When you make an outgoing TCP connection, a random port is chosen for your end of the connection. The port his computer had chosen happened to be one on which some old Cisco switches had a security hole. Every single packet this guy received (he was connected for 4 hours) caused an alert on the Army firewall. The network admin didn't understand what was happening, and instead of going to the computer within his network that was the "target", he jumped on us.

    I could go on :-), but I better stop now.

  159. Speaking of paranoid... by (H)elix1 · · Score: 1

    last night I was reading about the attacks at GRC.com since I had given up all hope at CounterStrike.... I did a netstat -an and found I had something listening on port 137-139. I don't have NETBEUI running on any of my home network boxen, so I freaked.... and then noticed my Linksys box was misconfigured.

    Nothing like thinking one of your boxes is owned to put the fear of god in you... FDISK usually purifies and redeems - I was just digging out my ISO's when I remembered that 192.168.x.x was internal. Ah, never mind honey - you can have your laptop back. Everything is fine.

  160. Re:Speaking of ... clueless luser by (H)elix1 · · Score: 2

    Nothing like dropping the shields and admitting you do not know everything about everything. The point of my post was this, I was one of those clueless networking lusers who discovered just enough networking information to have the crap scared out of them. Since the original post was about people responding poorly to port requests they do not understand, it seemed relevant. I had to look up what port 137-139 were - and when I saw it was NetBEUI, I don't have that protocol installed or have file / print sharing enabled on my box, and my other boxes are running Linux and Solaris - I got scared.

    A big part of that is not knowing the tools and networking. While I code for a living, my networking skills are limited to connecting a few boxes together for gaming and sharing my broadband connection. I have taken the time to harden the OSs where I could, but I know better than to think I am invincible!

    The UDP requests were coming from my firewall. I just did not realize it until after I freaked. I had configured it to block NetBEUI from the outside world, but had not expected to see it inside my world. On a brighter note, I learned a bit more about the "pure magic" side of networking.

  161. Inept security "experts" are paranoid by einhverfr · · Score: 2
    IMO, the basic problem appears to be the people who have not done their homework when it comes to determining whether something is a probe, attack, or normal traffic.

    Paranoia is a prerequisite for working in the area of network security, but you had better be prepared to do some research before crying wolf. I myself have built and maintained ipchains-based firewalls and have had to severely tune the firewalls to filter out the noise in the logs that the amateurs are calling attacks. I use the following criteria:

    1. Is the address public or private? If private, it is not normal traffic but we can't get in touch with the owner, so we just make sure we monitor any trends.
    2. Is the source port a well known port? If so, is this expected for this sort of service (identd, active ftp, etc)? If so, we consider it normal and try to avoid logging it if there is much of it.
    3. What is the destination port? What service could be listening on it? Is it normal? Are there known vulnerabilities (i.e. I see scans of port 515)? Is there a known trojan that uses this port (see scans for port 12345)?
    4. Is this part of a trend?
    5. Is there any other reason to expect the traffic? F. ex. is it @home looking for NNTP servers on their network?

    When I see something new, I investigate, and then I determine whether to:

    1. Monitor it
    2. Report it
    3. Adjust my ruleset so it does not show up in my logs

    But most amateurs are paranoid without a methodology for determining risk of a set of packets...
    --

    LedgerSMB: Open source Accounting/ERP
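    The five questions in the post above can be turned into a small triage script, shown here as an added example that is neither the poster's ipchains ruleset nor any project's code. It parses lines in the kernel iptables LOG format, asks the questions in order (RFC 1918 source? expected well-known source port? routine destination such as ident? destination port with a known hole or trojan? a trend across hosts?) and decides per source whether to ignore, monitor or report. The log lines are constructed samples, and the port tables and the three-hit trend threshold are illustrative assumptions, not a recommended policy.

```python
"""Triage of iptables LOG lines using the five questions from the post:
private source, expected source port, destination port, trend, other reason.
Example code only; port lists and thresholds are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic) in the kernel iptables LOG layout.
SAMPLE_LOG = """\
Jun  1 02:00:01 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=20 DPT=34517 SYN
Jun  1 02:00:02 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=47211 DPT=113 SYN
Jun  1 02:13:44 gw kernel: FW: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
Jun  1 03:02:11 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 PROTO=TCP SPT=2210 DPT=515 SYN
Jun  1 03:02:12 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.11 PROTO=TCP SPT=2211 DPT=515 SYN
Jun  1 03:02:13 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.12 PROTO=TCP SPT=2212 DPT=515 SYN
Jun  1 04:40:09 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=3344 DPT=12345 SYN
Jun  1 05:15:30 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41001
Jun  1 06:01:00 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=8080 SYN
"""

FIELD_RE = re.compile(r"\b(?P<key>SRC|DST|PROTO|SPT|DPT)=(?P<val>\S+)")

# Question 1: RFC 1918 space, whose owner cannot be contacted.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Question 2: well-known source ports that explain an inbound packet to a high port.
EXPECTED_SOURCE_PORTS = {20: "active-mode FTP data", 53: "DNS reply"}
# Question 2 again: inbound lookups that are routine for the service being contacted.
EXPECTED_DEST_PORTS = {113: "ident lookup"}
# Question 3: ports the post names as scanned for known holes or trojans (illustrative).
RISKY_DEST_PORTS = {111: "portmapper", 515: "lpd", 12345: "NetBus trojan"}
# Question 4: this many hits from one source against more than one host is a trend.
TREND_THRESHOLD = 3
SEVERITY = {"ignore": 0, "monitor": 1, "report": 2}


def parse_line(line):
    """Pull SRC/DST/PROTO/SPT/DPT out of one LOG line; None if it is not one."""
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": int(fields.get("SPT", 0)), "dpt": int(fields.get("DPT", 0))}


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def classify(pkt):
    """Questions 1 to 3 for a single packet: ('ignore'|'monitor'|'report', reason)."""
    if is_rfc1918(pkt["src"]):
        return "monitor", "private source address, owner cannot be contacted"
    if pkt["spt"] in EXPECTED_SOURCE_PORTS and pkt["dpt"] >= 1024:
        return "ignore", EXPECTED_SOURCE_PORTS[pkt["spt"]]
    if pkt["dpt"] in EXPECTED_DEST_PORTS:
        return "ignore", EXPECTED_DEST_PORTS[pkt["dpt"]]
    if pkt["dpt"] in RISKY_DEST_PORTS:
        return "report", "probe for " + RISKY_DEST_PORTS[pkt["dpt"]]
    return "monitor", "unexplained, watch for a trend"


def triage(log_text):
    """Classify every line, then apply the trend rule (question 4) per source.
    Returns {src: (decision, sorted list of reasons)}."""
    per_src = {}
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        decision, why = classify(pkt)
        entry = per_src.setdefault(pkt["src"], {"dec": "ignore", "why": set(), "n": 0, "dsts": set()})
        if SEVERITY[decision] > SEVERITY[entry["dec"]]:
            entry["dec"] = decision
        entry["why"].add(why)
        entry["n"] += 1
        entry["dsts"].add(pkt["dst"])
    result = {}
    for src, e in per_src.items():
        if e["n"] >= TREND_THRESHOLD and len(e["dsts"]) > 1:
            e["dec"] = "report"
            e["why"].add("trend: %d hits against %d hosts" % (e["n"], len(e["dsts"])))
        result[src] = (e["dec"], sorted(e["why"]))
    return result


if __name__ == "__main__":
    for src, (decision, reasons) in triage(SAMPLE_LOG).items():
        print("%-16s %-8s %s" % (src, decision, "; ".join(reasons)))
```

    Run against the constructed lines it ignores the active-FTP data connection and the ident lookup, monitors the RFC 1918 NetBIOS chatter and the lone hit on 8080, and reports only the 515 sweep across three hosts and the 12345 probe, which is the split the post argues for: adjust the ruleset for the first group, watch the second, write to someone about the third.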
  162. Not excusing mediocrity, or laziness, but - by westfieldscientific · · Score: 1

    I follow the policy, and would broadly encourage those in the industry generally not already doing so, of encouraging Windoze users to switch to Linux.

    This suggestion I'm pleased to see is gathering increasing momentum, and it's arguable that this is a substantial part of the effort made by distro developers to create and improve their GUI installation interfaces.

    This isn't a bad thing per se, and their elimination would be counterproductive to the objective of broadening the overall number of Linux users. Also worth mentioning with that objective in mind are installation routines that fail. We're doing this in a climate of strong competition with m$, who go far beyond the truth loudly repeating how easy their products are to operate.

    Granted, Linux, or any of the other *nix variants, aren't Windoze under another name, and shouldn't be. Part of the attraction for newbies is the achievement of working successfully through the learning curve, and human factors such as impatience or downright stupidity are an issue here.

    Please don't take this posting as flamebait - It's not uploaded with that thought in mind. If you prefer managing an installation through the console, by all means do so: That's what it's for. I've been using CLI here dating back to before the DOS era, and do so routinely and often with Linux right now, so I both respect and understand your preference.

    I would comment though that the best cure for a weak GUI is an improved one, and I agree emphatically that opening every port in the universe by default is a real dumb idea. (Why the hell would anyone want that anyway?)

    --
    give me a /home where the buffalo roam
  163. Re:Shenanigans! by megaduck · · Score: 1

    I can't believe that I'm responding to an AC. Oh well...

    I'm open minded. It's entirely possible that I just suck at finding work. On the other hand, are you currently looking for work? In California? The IT market right now is totally saturated with mid-level techs. Nobody's hiring, and every day there's another dot-com closing its doors.

    You can always snatch up a job if you're a Unix god or C wizard, but that wasn't my point. The point is that an MCSE isn't enough to make your resume float to the top of the stack. IT managers right now can afford to be choosy about who they interview, and an MCSE doesn't have much prestige with most of them.

    I can't even get an interview right now, but it's possible that I might have my head screwed on backwards. I'd like to hear from other people. Is anyone else having problems finding IT work right now? If so, what's your story? If not, then maybe you can give me a few pointers.

    --
    This .sig for rent.
  164. Re:Uhhhhh.... by baptiste · · Score: 1
    Hm... do you perchance have a beeper, like the ones on trucks for when they reverse? Does it come on when your sense of humour and your intellect drops out for awhile? It should.

    ROFLMAO! Between this and the endless loop of mutual fingering - I'm still in shock that a /. story about identd would have me rolling on the floor laughing - of course it's 3AM and I'm posting to /. so go figure

  165. Certs again save the day by NDPTAL85 · · Score: 1

    "But throw a complex problems that arise in say database queries/network routing/parallel computing and without college level math/stats/cs you aren't going to get very far."

    Wouldn't those be covered by an Oracle cert, a Cisco cert and only the last one require a CS degree?

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  166. There is a certification that does this. by zerofoo · · Score: 1

    It's called a computer science degree.

    1. Re:There is a certification that does this. by zerofoo · · Score: 1

      Most CS programs require the completion of two internships and an independent project. Usually, if you are any good at what you do, these pan out and become job offers. -ted

    2. Re:There is a certification that does this. by JBowz15 · · Score: 1

      If only that were true.

      Trying to land an IT job with just a Computer Science degree, but no experience seems to be impossible these days. To get a job, one must have experience... to get experience, one must have a job.

      If you disagree with this analysis, then make me a job offer please :)

  167. Yes, there really are that few. by AnotherBlackHat · · Score: 1
    With over 5 million computers connected to the internet, even if 99.99% were clueful, then that's still over 500 idiots.
    Welcome to the internet.

    The idiots who complain of probes on 192.168.1.10 are annoying (and yes, I have gotten such a complaint) but the ones I hate are those who think attempting to connect to a service on their machine is an attack.

    "Yes, I did attempt to connect to bar.foo's DNS server while trying to resolve bletch.bar.foo ... Yes, I did do it intentionally ... No, I will not pay your company for damages, or fix your software for free ... No, I've never met an FBI agent before ... "
    I wonder if these people call the phone company to complain when someone dials their phone number by mistake.

  168. Re: Ident through NAT by dossen · · Score: 1

    Well, isn't it actually the traffic they pay for? Because that might very well increase, if you connect more boxes (assuming you are not already saturating your link ;-)

  169. On pinging by freeweed · · Score: 2
    Yeah, the company that's paying for our DSL connection and our router (long story) did this. Now, whenever the connection seems to die, I can't bloody well ping ANYTHING. Great way to test connectivity.

    Installing a hub and a very low end *nix box solved that problem rather nicely, however to this day they still claim it's a huge 'security risk'.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  170. Best Solution? by kanayo · · Score: 1

    I guess the best solution would be to state VERY CLEARLY the terms of using your software. If it is going to contact your web site for any reason or by any means, give the reasons why, make this understood, and make ALL your intentions known. And of course, always give the users the freedom and the choice to accept or reject your terms.

    This way, it would be much less likely that you will be misunderstood or accused of anything unethical.

    My $0.02.

  171. Re: Ident through NAT by ByTor-2112 · · Score: 1

    ISP's will always be stingy with IP addresses because they think you should pay more to connect multiple computers. Have you ever had one refuse to give you more IPs if you pay for it?

    In the past, cable companies used to charge per TV despite the fact that you could pick up a splitter at radio shack for a couple bucks. Congress finally put a stop to that. Maybe they will do the same here. After all, what costs your provider money is the bandwidth and adding more PCs doesn't increase that.

  172. Re: Ident through NAT by ByTor-2112 · · Score: 1

    I suppose it would have some effect on aggregate bandwidth, but less of an increase than whatever they allot per customer. The telcos need to get off their massive bills for bandwidth wagons. Unfortunately since they have built their revenue models around this, it won't happen any time soon.

  173. But isn't it a good idea to stay alert? by bwhaley · · Score: 2

    Although I agree with several of the points made by other posts, I believe there is also a time and place to be careful. For example, every morning I come in and see several hits to my FTP server. I use a mid-level logging so that I can see their IP/domain, user name, and the server's response. Nine times out of ten it seems to be some kind of script kiddie trying to use an exploit. They're always trying to create long numbered/lettered directories, changing to /pub/incoming or /upload, etc. It takes me all of 10 seconds to write a rule to ban that network and put it in rc.local. I think it's always a good idea to stay aware of things like this...

    There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence.

    --
    "I either want less corruption, or more chance
    to participate in it." -- Ashleigh Brilliant
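    The morning routine described in the post above (read the FTP log for client, user and server response, spot the long scratch directory names and the trips into /pub/incoming or /upload, then write a rule to drop that network) can be scripted. What follows is an added example, not the poster's setup or any FTP server's own tooling: the log layout is a constructed "client user command argument status" format, the scoring weights, the drop-directory list and the ban threshold are illustrative assumptions, and the emitted iptables lines are only printed, never executed.

```python
"""Score FTP sessions for the patterns the post describes and emit one drop
rule per offending /24.  Example code; the log layout, weights and threshold
are constructed for illustration and are not a recommended policy."""
import ipaddress
import re
from collections import defaultdict

# Constructed log lines: "<client-ip> <user> <command> <argument> <status>".
# Not a real server's format; addresses are documentation ranges.
SAMPLE_FTP_LOG = """\
198.51.100.23 anonymous USER anonymous 331
198.51.100.23 anonymous PASS ***** 230
198.51.100.23 anonymous CWD /pub 250
198.51.100.23 anonymous RETR autorpm.tar.gz 226
192.0.2.88 anonymous USER anonymous 331
192.0.2.88 anonymous PASS ***** 230
192.0.2.88 anonymous CWD /pub/incoming 250
192.0.2.88 anonymous MKD 010203040506070809 257
192.0.2.88 anonymous STOR upload.bin 226
192.0.2.89 anonymous USER anonymous 331
192.0.2.89 anonymous PASS ***** 230
192.0.2.89 anonymous CWD /upload 550
192.0.2.89 anonymous MKD aAaAaAaAaAaAaAaAaA 550
203.0.113.5 bob USER bob 331
203.0.113.5 bob PASS ***** 530
203.0.113.5 bob USER bob 331
203.0.113.5 bob PASS ***** 530
"""

# Directories the post names as the usual targets (illustrative list).
DROP_DIRS = {"/pub/incoming", "/upload", "/incoming"}
# "Long numbered/lettered directories": 12 or more letters/digits and nothing else.
LONG_NAME_RE = re.compile(r"[A-Za-z0-9]{12,}")
# Constructed threshold: points a client needs before its /24 is listed for blocking.
BAN_THRESHOLD = 3


def score_sessions(log_text):
    """Return {client_ip: (score, [reasons])} for every client that scored."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    in_drop_dir = defaultdict(bool)   # did this client's last CWD target a drop directory?
    for line in log_text.splitlines():
        try:
            ip, _user, cmd, arg, status = line.split()
        except ValueError:
            continue                   # malformed line; skip rather than guess
        if cmd == "CWD":
            in_drop_dir[ip] = arg.rstrip("/") in DROP_DIRS
            if in_drop_dir[ip]:
                scores[ip] += 1
                reasons[ip].append("CWD into drop directory " + arg)
        elif cmd == "MKD" and LONG_NAME_RE.fullmatch(arg):
            scores[ip] += 2
            reasons[ip].append("MKD with scratch name " + arg)
        elif cmd == "STOR" and in_drop_dir[ip]:
            scores[ip] += 1
            reasons[ip].append("STOR into drop directory: " + arg)
        elif cmd == "PASS" and status == "530":
            scores[ip] += 1
            reasons[ip].append("failed login")
    return {ip: (scores[ip], reasons[ip]) for ip in scores}


def ban_rules(scored, threshold=BAN_THRESHOLD):
    """One iptables DROP line per /24 that crossed the threshold (text only)."""
    nets = {str(ipaddress.ip_network(ip + "/24", strict=False))
            for ip, (score, _reasons) in scored.items() if score >= threshold}
    return ["iptables -I INPUT -s %s -j DROP" % net for net in sorted(nets)]


if __name__ == "__main__":
    scored = score_sessions(SAMPLE_FTP_LOG)
    for ip, (score, why) in sorted(scored.items()):
        print("%-14s %d  %s" % (ip, score, "; ".join(why)))
    print("\n".join(ban_rules(scored)))
```

    On the sample lines the two neighbouring clients that went for the incoming directories collapse into a single rule for their /24, while the user who merely mistyped a password twice stays below the threshold and is only listed, which is the distinction between a pattern worth acting on and the everyday noise the rest of this thread is about.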
  174. Social Engineering ? by da5idnetlimit.com · · Score: 1

    Well,

    You could also have forbidden their IP on your firewall...

    It wouldn't have been much, but then...

    no lies
    no trickeries...

    just a line more on your firewall.

    sad, isn't it ?, when you think about it.

    you darkened a man's soul, had a firewall compromised (IP please...8) all that to save 5'.

    Or maybe it's just you don't know how ? 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  175. ...are there really that many ignorant... by John+Hasler · · Score: 5

    The default page in the Debian Apache package contains our logo. As a result, we are regularly accused of defacing Web pages when someone bungles a configuration change. I wonder how often time-A.timefreq.bldrdoc.gov gets accused of "attacks" as a result of the default configuration of my chrony package.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  176. Re:Speaking of ... stupid... or dumber? by Blowit · · Score: 1

    NetBEUI has nothing to do with Windows File and Print Services, other than the fact that it is a protocol that can carry NetBIOS traffic.

    NETBEUI has Everything to do with Windows File and print services. You can run NETBEUI ONLY and have File and print services available. It is just a NON Routable protocol.

    --
    *Headline News* censorship shuts down the Internet! More at 6PM!
  177. Ok so how do I manage a firewall? by Tachys · · Score: 1

    Can anyone tell me of any resources anywhere I can find which say how to manage a firewall correctly?

    1. Re:Ok so how do I manage a firewall? by vertical_98 · · Score: 3

      Well, I'd start here.
      and then maybe go to here.

      Vertical
      9 out of 10 men who have tried Camels prefer women!

      --
      72 CD D7 52 D0 7E D8 47 44 91 D5 84 D1 59 F1 A9-This is my 128bit integer. There are many like it, but this one is mine.
  178. Re:Stupid by Bud+Light+Presents · · Score: 1

    Announcer: Bud Light Presents... Real American Heroes.
    Singer: Real American Heroes!
    Announcer: Today we salute YOU, Mr. Slashdot Hidden Goatsecx Link Poster.
    Singer: Mr. Slashdot Hidden Goatsecx Link Post-er-er!!
    Announcer: Nothing says "manly" quite like a giant, gaping anus.
    Singer: OOoh-hoo that's gro-ooo-ss!
    Announcer: Without you to keep us on our toes, we would be blindly following links without checking, and double checking. Because while we have no business reading slashdot on the job, we do it anyways.
    Singer: Please! Don't get me fired!
    Announcer: So crack open an ice-cold Bud Light, Mr. Slashdot Hidden Goatsecx Link Poster.
    (Sound of can opening)
    Announcer: Because the slashdot populace isn't quite paranoid enough without your work. So we'll hover over those links, and when we do, we'll remember YOU, Mr. Slashdot Hidden Goatsecx Link Poster.
    Singer: I'll always remember to ho-over-er-er!!
    Announcer: Bud Light Beer, Anheuser-Busch St. Louis Missouri.

  179. Oh and one more thing!! by Dutchie · · Score: 1
    If you don't stop your actions, I will be forced to contact your ISP, and their ISP. I read securityfocus, bugtraq, slashdot, I KNOW what I'm doing, TRUST me! I will bring your site down, IF YOU DON'T STOP IT!!
    --
    Imagination is more important than knowledge. -- Albert Einstein
  180. *Urgh* by Dutchie · · Score: 1
    Well DAMN wazza!! I could not agree with you more!! However, I must share with you this little secret that I posted these three posts while I had a buzz. Guinness rocks. I have to admit I had to rub out my eyes when I saw the original post had been moderated up. But then again, this JUST indicates that slashdotters can read between the lines and recognise a Guinness response! Life is good. *beep*
    --
    Imagination is more important than knowledge. -- Albert Einstein
  181. Dear Sir, by Dutchie · · Score: 4
    I am a Linux newcomer, but I am not STUPID! Don't think you can DoS me with your scripts 'n all you SCRIPTKID evil hax0r!!! I have read all the security FAQs and trust me, I KNOW what I'm doing! I saw it in my syslog!!! You connected to my ident port!! It is the LAW that you cannot PORTSCAN me, it is illegal!
    --
    Imagination is more important than knowledge. -- Albert Einstein
  182. Re:And the vendors, too by blang · · Score: 3
    Compaq must really hate their customers. Here are all the options that are on by default:

    Setup the WBEM HTTP server to automatically configure local IP addresses as part of the ADMINISTRATOR group. This means that any user with access to the local console will be granted full access to the WBEM components, without being challenged for a username and password. (ON)

    Automatically delete user directories that have not been accessed within the last days. This is an effective mechanism for only keeping information on the system for active users. (ON) (WTF! Oops, last years holiday photos just disappeared. Junior, did you delete dad's pr0n collection?)

    Allow the WBEM HTTP server to participate in HTTP auto-discovery of managed nodes. If enabled, the WBEM HTTP server will broadcast HTTP auto-discovery packets every (default 1) minute(s).

    Allow the WBEM HTTP server to participate in HTTP auto-discovery of managed nodes as a Master HMMD. (ON) (This probably means something, but not to the average compaq customer)

    --
    -- Another senseless waste of fine bytes.
  183. And the vendors, too by blang · · Score: 4
    It's not a big thing, but Compaq got this remote web management included (and enabled by default) on their PCs. Every few seconds, they broadcast to port 2301, hitting thousands of machines on mediaone's cable network.

    Anyone can point their web browser to the luser's machine, and have a look at the HW, even kick off HW diagnostics. Wonder how many of these eventually end up as script kiddie fodder.

    --
    -- Another senseless waste of fine bytes.
  184. Infallible by SilentChris · · Score: 1
    Maybe it's just me, but wouldn't it make more sense (perhaps with "Internet 2" or any of these other projects) to create infallible network protocols/tools that can't be used for maliciousness? Or is this logically impossible?

    It just always seemed to me that, barring the script kiddies, the majority of people who use these tools seem to be hackers with malicious intent. Was the internet built with malicious intent as part of the protocol?

  185. Blame the scare-mongers and vendor competition by Helevius · · Score: 2
    Two factors are working here:

    1. Several personalities in the network security/IDS community made a living convincing newbie security folks that testing round trip times and load balancing software were signs of malicious activity. They raised the paranoia level so high that "odd" packets freak out the newbies. And, when you're just starting, almost EVERYTHING looks different than Richard Stevens said it would. I've been doing hands-on IDS for almost three years, and I probably see something new every day.

    2. IDS vendors compete partly on the number of signatures they "detect." Ident connections, although almost always benign, are reported to pad detection statistics (just like anti-virus technology).

    Personally, I'd set up a spam filter that auto-replies to the emails you're receiving.

    Helevius

  186. Ted Turner Syndrome... by Saeger · · Score: 1
    The problem is obviously a combination of network ignorance and a territorial personality.

    Hypersensitive admins/firewalls are like retarded versions of Ted Turner cursing out geese for trespassing over his property. :-)

    --
    Power to the Peaceful
  187. ? heh? by TrollMaster3000 · · Score: 1

    I've never heard of an ISP that does that. Any particular ones that do? I would assume something like AOL, MSN, or some other big, low support ISP.

    --
    I'm no punk bitch !!!
  188. Aim your sights a bit lower by jrp2 · · Score: 1

    Maybe you folks are the exception, but.....many times the issue is you expect to land a big job paying monster bucks right out of the gate. Set your sights a little lower, get a lower paying job to get started, take advantage of whatever opportunities you have to learn on or off the job, and keep your eyes open.

    You are not likely to find the job of your dreams in the paper, on monster.com or whatever. Jobs are almost always filled by referrals by someone who worked with you once. My advice is to take a low paying, entry-level, job that is probably "beneath you", work your ass off, have a good attitude, someone will almost certainly notice and give you the break you are looking for. One of the best guys I ever worked with was a kid fresh out of the military, no degree, working in our warehouse. I'll skip the long story and just say his superior attitude got him a long way, he skipped the intermediate jobs and was well on his way to success as a networking guy. He makes a shitload of cash now. I could give you a dozen stories quite similar.

    Bottom line, there are always jobs for computer savvy people. If you can't find one you like, find one you don't like (or is beneath you) where you are likely to get noticed, then weasel your way up. Don't consider a degree and/or cert as the magic key, just one of the keys to the many doors you will need to open.

    Hope this helps, best of luck.

    --
    The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  189. How's this for a solution? by GreyOrange · · Score: 1

    However, over the years, I have received more and more emails accusing my machine of 'attacking' their machine ... through identd and failed FTP active-mode connections.
    Everybody goes back to Apple IIs and modifies one instruction of the processor, hexedits all corresponding programs, then we use archaic networking standards nobody understands. And if they somehow got access into the system they wouldn't understand it anyway and all their programs would fail to run. The flaws I see are that systems would crash from faulty attempts to run them, *nix and other OSes would be hard pressed to run on these machines, and it would take a long time and elite programming skills to link the network to the internet to access porn sites again. But it would make it very difficult to be paranoid about people hacking you, as this would be undetectable by the standard.

    -------------------

    --

    Insert Witty Remark Here ===>____________________________
  190. Information is the key by Saggi · · Score: 1

    I consider myself an expert user, but even the logs or firewall responses sometimes puzzle me. And then I have to check it. We have to stay paranoid to some degree to protect ourselves. But if we can find a reasonable explanation then it's fine.

    The first week after installing ZoneAlarm, you really get a feel for how many stupid pieces in your computer connect to wherever. Especially the Windows components (with not-so-clear names) often send me off to check out a lot of stuff.

    I believe that most of the junk comes (as lots of the other replies and comments state) from personal networks. But whether it is an unknowing administrator or a stupid personal user, information is the key to solving the problems. As stated, make a FAQ or set up a web page on the IP address. ZoneAlarm can find the IP address and link to it as a web page. On this page place the information like "This IP number is used for FTP by... bla bla bla."

    Easy access to the information is the key... you might even educate a few, now that you're at it.

    Saggi

    --
    -:) Oh no - not again.
    www.rednebula.com
    1. Re:Information is the key by Saggi · · Score: 1

      Look before you leap is the old saying.

      That's why information should be posted. As I wrote in the original note ("...often send me off to check out a lot of stuff."), I don't mean activate the alarms or anything, but go look for the information. A good search engine can usually tell you what "NTVDM.EXE" is. But when you see it for the first time you will have no clue what it means. As time goes by we learn...

      ...I can determine what's what. Can you? I think no one can. But both of us might have an idea about where to look for the information, if it's there.

      Saggi

      --
      -:) Oh no - not again.
      www.rednebula.com
  191. morons by nixxy · · Score: 1

    This problem is due to untrained/inexperienced admins who do not know what daemon uses what port and have no clue about how to read logs.

    The other cause is, as someone has already said, idiot users with some personal "firewall" software that complains about every single connection to or from their machine, and they have no idea what it means.

    Port 113 (identd) is used primarily for IRC, but it is also used by some websites (it is also part of the CGI specification) as well as mail servers.

    If these "admins" were logging port 110 activity and had a pop3d, they would prolly complain to themselves, they are that stupid.

    I personally would only consider a connection hostile if it was on an unknown port or it was the same thing over and over in a very short space of time; other than that they are just interesting.


    ------------

    --
    ------------
    "There is a thin line between genius and insanity and I can't walk straight"
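The heuristic in this comment, as an added example that is not from the thread: an inbound identd (TCP/113) lookup or an active-mode FTP data connection (source port 20) is explained by an outbound session this host opened shortly before, and only repeated unexplained hits from one peer are flagged. The log format, addresses, window and threshold are constructed for the example.

```python
"""Triage inbound connection attempts against the host's own outbound sessions.

Constructed log format (hypothetical): "<date> <time> IN|OUT <src>:<sport> -> <dst>:<dport>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(\S+ \S+) (OUT|IN) (\S+):(\d+) -> (\S+):(\d+)")
WINDOW = timedelta(seconds=60)   # how long an outbound session "explains" inbound traffic
REPEAT_THRESHOLD = 5             # unexplained hits from one peer inside WINDOW => hostile

# Constructed sample: one nightly FTP session, one stray identd lookup, one repeated prober.
SAMPLE_LOG = """\
2001-06-12 02:00:01 OUT 192.0.2.10:40001 -> 203.0.113.5:21
2001-06-12 02:00:02 IN 203.0.113.5:51234 -> 192.0.2.10:113
2001-06-12 02:00:03 IN 203.0.113.5:20 -> 192.0.2.10:40002
2001-06-12 02:05:00 IN 198.51.100.9:4444 -> 192.0.2.10:113
2001-06-12 02:10:00 IN 198.51.100.7:3000 -> 192.0.2.10:21
2001-06-12 02:10:01 IN 198.51.100.7:3001 -> 192.0.2.10:22
2001-06-12 02:10:02 IN 198.51.100.7:3002 -> 192.0.2.10:23
2001-06-12 02:10:03 IN 198.51.100.7:3003 -> 192.0.2.10:25
2001-06-12 02:10:04 IN 198.51.100.7:3004 -> 192.0.2.10:80
""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))

def triage(lines):
    """Return (explained, unexplained, hostile_peers) for a list of log lines."""
    recent_out = defaultdict(list)          # peer ip -> [(ts, dst_port)] of our outbound connects
    explained, unexplained, hits, hostile = [], [], defaultdict(list), set()
    for rec in filter(None, map(parse, lines)):
        ts, direction, src, sport, dst, dport = rec
        if direction == "OUT":
            recent_out[dst].append((ts, dport))
            continue
        prior = [p for t, p in recent_out[src] if ts - WINDOW <= t <= ts]
        ident_lookup = dport == 113 and bool(prior)   # server asking identd about a session we opened
        ftp_data = sport == 20 and 21 in prior        # active-mode data connection back from the FTP server
        if ident_lookup or ftp_data:
            explained.append(rec)
            continue
        unexplained.append(rec)
        hits[src] = [t for t in hits[src] if ts - t <= WINDOW] + [ts]   # sliding window per peer
        if len(hits[src]) >= REPEAT_THRESHOLD:
            hostile.add(src)
    return explained, unexplained, sorted(hostile)
```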
  192. @Home Port Scans by vertical_98 · · Score: 1

    ATT@Home (my ISP) port scans my firewall every day for port 23 and port 21 (telnet and FTP). They neither asked for permission nor state anywhere that they are going to do so. I find it interesting that their acceptable use policy allows them to do so. Which you can find out about AFTER you call and specifically ask.
    Personally, I think you should be happy knowing your firewall works. But that's just my opinion.
    Vertical

    --
    72 CD D7 52 D0 7E D8 47 44 91 D5 84 D1 59 F1 A9-This is my 128bit integer. There are many like it, but this one is mine.
  193. agreed by Bagman867 · · Score: 1

    I agree with you. I run a machine at my university and I get lemurs running 'blackice', 'zonealarm', etc complaining that their machine is getting attacked by St. Claus every 5 minutes.

  194. Re: What exactly is a netmask? by flicker581 · · Score: 1
    You are right, but not quite right. Yes, hosts on your network will have IP addresses from 192.168.0.1 to 192.168.0.254 (not .255; there will not be any packets from .255 normally). But any other address may be used in the IP header, and your host will still be receiving those packets.

    It seems that you have "empirical" knowledge from using Microsoft systems. Nice, but not enough for a network admin.