Slashdot Mirror


On the Definition of a Hostile Network Connection?

Kirk Bauer writes "As the author of AutoRPM, my program used to be shipped with my FTP site as one of the default sites the program contacts. However, over the years, I have received more and more emails accusing my machine of 'attacking' their machine ... through identd and failed FTP active-mode connections. Do other FTP sites receive this much (or more) harassment?" First it was port-scanning, now it seems that admins are crying wolf at any unknown client that connects to their network. Now I'm all for a dose of healthy paranoia, but is this going overboard? What should administrators really be watching for if they are concerned with potential hostile activity over the net?

"I have since changed the default configuration to NOT use my own FTP site. However, I still receive around one email every day that my machine has been hacked and has been 'probing' or 'attacking' their machine. Often times, these emails are CC'd to my ISP (or sometimes only sent to my ISP).

Since when did identd lookups become 'attacks'? Most email servers use identd regularly ... how come there are so many firewalls out there that log this as suspicious activity?

Additionally, are there really that many ignorant network administrators who look at a log of one refused identd lookup and one refused active-mode FTP connection every night at 2 a.m. and not realize that something on their end is trying to connect to an FTP site every night?"

24 of 266 comments

  1. Re:identd needs to die anyway. by Russ Steffen · · Score: 4
    Yes, and watch the average Windows user's head explode while you explain to him that he can't get onto IRC or Yahoo Chat because his digital X.509 certificate isn't valid or is missing.

    And that would be bad because? Help me out here, I must be missing something...

  2. Re:identd needs to die anyway. by Wakko Warner · · Score: 4
    Having IDENTD pass something like an X.509 digital certificate that you can check might actually be stronger than using SSL/TLS-enhanced FTP that only uses anonymous connections.

    Yes, and watch the average Windows user's head explode while you explain to him that he can't get onto IRC or Yahoo Chat because his digital X.509 certificate isn't valid or is missing.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  3. Re:identd needs to die anyway. by William Aoki · · Score: 4

    The pidentd ident daemon can do something quite similar if run with the -C flag. From the manpage:

    The -C[<keyfile>] option tells identd to return encrypted tokens instead of user names. The local and remote IP addresses and TCP port numbers, the local user's uid number, a timestamp, a random number, and a checksum, are all encrypted using DES with a secret key derived from the first line of the keyfile (using des_string_to_key(3)). The encrypted binary information is then encoded in a base64 string (32 characters in length) and enclosed in square brackets to produce a token that is transmitted to the remote client. The encrypted token can later be decrypted by idecrypt(8). There may not be a space between the -C and the name of the keyfile. If the keyfile is not specified, it defaults to /etc/identd.key.

    So, when an ident request is made, the daemon returns an encrypted token that is useless to the other end without the key. If someone has a problem, s/h/it sends back the encrypted token, and the admin decrypts it and takes appropriate action.

    This method has an advantage over the method you described if multiple users make connections to the same foreign box within the same time period. If one system is not using NTP (or other time synchronization), the time period could be as long as ten minutes.

  4. Re:Blame the Users by judd · · Score: 5
    an endless loop of mutual fingering...

    Thanks. I really, really needed that image.

  5. Hack attacks on port 25... by hta · · Score: 4

    my favourite "you are hacking me" story is the guy who registered with the Linux Counter using an email account on his home machine, and then complained that I was hacking his home machine because I was connecting to port 25 every half hour....his email server was not turned on.

  6. Blame the Users by Splat · · Score: 5

    As a previous poster pointed out, I think this is most likely due to the boatload of personal firewall software out there. A lot of people who go buy Norton's firewall, use BlackIce, ZoneAlarm or whatever see that "A computer has tried to connect to your machine via FTP" and panic. I do deskside support and I get people who worry that they've done something "illegal" when they get the BSOD (no I'm NOT joking). The simple answer seems to be you've got people who don't know what the hell they're doing installing/using firewalls.

    Nothing beats the one time I tried to telnet into an old shell, attempted to logon, and after login failed I realized it was a different machine. The admin somehow or another ran a finger query on the shell machine I was logged onto and sent me email demanding to know who I was and why I was connected to his machine. There are some psychos out there ..

    Then again, you never can be too paranoid.

  7. Crushing Crowds by Alex Pennace · · Score: 4

    Like on a crowded subway car, people bump into each other on the Internet. Connection refused? Pardon me.

    Ideally the person at the receiving end should understand and get over it. After all, they have sent their share of bad connection requests too.

    Now we have paranoid admins who cry foul whenever someone sends one lousy connection request, or sends one strange packet, or whatever. If you can't handle a crowded subway car, don't get on it. Likewise, if you can't handle sharing the Internet, don't get on it.

    In that vein, port scanning isn't too horrible. If you don't want people to see what you are running, get off the Internet. Otherwise, you just have a storefront on a busy street where people can see if the store is open or closed.

    Retarded administration causes more problems than port scanning ever will.

  8. Re:identd needs to die anyway. by Raetsel · · Score: 4

    Ident has its uses...
    • IRC (your point)
    • The previously mentioned email servers
    • uh.... something else...
    • (this space for rent!)
    Seriously though, there are actually useful applications for identd, and most involve making sure you legitimately use the machine in question, and it's not just redirecting traffic on a certain port. I can't name another service that fills the niche that ident does -- I always thought of it as the internet's version of a BBS call-back. Everything else I know is on a case-by-case basis, and nowhere near as ubiquitous as ident is. That is ident's power.

    Also, current use is a far cry from the original intent of the daemon -- that's for sure. There was a time when an ident reply contained a valid email address. I know there are still some valid answers out there, but I know I've never taken an ident reply seriously. These days, either you get a reply (and the info is probably garbage), or you don't.

    You can thank those windows users (like myself at times) for that. Heck, when I first started using IRC, I had no idea what ident was, and I didn't mess with mIRC's settings... thus, whatever you saw was nearly the same as ten thousand others, and even more useless.

    The fact that sysadmins now treat ident requests as 'attempted crack attempts' or (potentially) 'hostile network connections' says

    1. They don't appreciate the use of identd
    2. It's too much work to maintain and use it
    3. It's another port open on the firewall to that mean, nasty internet
    4. They're privacy freaks, and you don't need to know the username, you privacy-invading corporate whore, you!

      (Pick one, pick 'em all, your choice!)

    You know, Wakko... I can't say I disagree with you. But do you have another idea for a lightweight 'that connection was authorized, here's who is accountable' mechanism?

    --

    "...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
  9. Re:identd needs to die anyway. by coyote-san · · Score: 4

    Don't confuse the way it's misused by ill-informed sysadmins with its real potential.

    The current IDENTD information is useless for the 'remote' site, but it can be invaluable to the 'local' site if a complaint is received. Not everyone is a single-user PC - if you're running a host with multiple users this can give you valuable information about who could be responsible. (Or at the least, who might have had their account cracked.)

    There's also some proposals floating around to extend the IDENTD payload to include real authentication information. Having IDENTD pass something like an X.509 digital certificate that you can check might actually be stronger than using SSL/TLS-enhanced FTP that only uses anonymous connections.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  10. Re:You think this is stupid? by dubl-u · · Score: 4
    Solution: invent RPC over HTTP protocols. Problem solved!

    And you thought you were being funny, didn't you?
    http://www.xmlrpc.com/stories/storyReader$7
  11. Cause, Effect, Solution by joq · · Score: 4


    First it was port-scanning, now it seems that admins are crying wolf at any unknown client that connects to their network. Now I'm all for a dose of healthy paranoia, but is this going overboard?


    You should have included somewhere on your documents, perhaps the FAQ, as to what exactly is being done by the client to ease the fears of clueless admins who ph34r j00. Seriously, place a quick Q&A as to why it connects to your site, for those who are too stupid to lsof|grep TCP && lsof|grep UDP to see nothing is happening.

    After that make an autoresponder that points them to the url, after that case closed. Should they continue to harass you, then create a template complaint letter including what your program does, then fire it off to them and their upstream, and/or bosses, to let them know your program is not some uber 31337 h4x0rspyw4r3 program on a mission.

    I'm sure after they realize how stupid their concerns are, they'll piss off, or their bosses will rip em for being clueless admins.

  12. it's not the admins that are emailing you by brettbender · · Score: 5
    ... it's the users. The real network or security admins on a site of > 1 hosts are likely to:
    1. have more pressing issues to resolve than failed identd queries (e.g. exhaustive network probing, exploit attempts, etc.)
    2. have a clue (i.e. that an identd query probably corresponds to a client connection, and that identd lookups at a regular interval are probably from a cron job or similar)
    When I ran a single workstation on my desk in college, I had plenty of time to write huffy emails each time a line was added to /var/log/security (by the default log levels, which I had only the slightest inkling of how to configure). Now that I (try to) secure a class B network, I do 3 things:
    1. screen the network with a firewall
    2. run an IDS (Snort http://www.snort.org)
    3. (largely) ignore all the crud that bangs into the firewall each day
    Here's what this lets me do with the scenario described above:

    When I run end-of-period reporting against the IDS logs, the nightly identd query shows up as a traffic spike. That night, I set the network sniffer to log all traffic to and from the "suspicious" external host/network. Bingo! The outgoing FTP client connection is logged as well. The owner of the offending workstation gets a phone call to find out if they know about their cron-job.
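The correlation this comment describes, as an added example that is not part of the original post: a small Python script (not from any real firewall or IDS) that parses constructed iptables-style log lines, explains each dropped inbound connection by the outbound session that provoked it (an ident lookup or an active-mode FTP data connection), and flags peers that show up at the same minute on several nights, the signature of a cron job. The log format, hosts and addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (not from any real system). Format:
# "<iso-time> <ACCEPT|DROP> <IN|OUT> SRC=<ip> DST=<ip> PROTO=<p> SPT=<n> DPT=<n>"
SAMPLE_LOG = """\
2001-03-10T02:00:01 ACCEPT OUT SRC=10.0.0.7 DST=198.51.100.20 PROTO=TCP SPT=34211 DPT=21
2001-03-10T02:00:01 DROP IN SRC=198.51.100.20 DST=10.0.0.7 PROTO=TCP SPT=40123 DPT=113
2001-03-10T02:00:03 DROP IN SRC=198.51.100.20 DST=10.0.0.7 PROTO=TCP SPT=20 DPT=34212
2001-03-10T14:17:45 DROP IN SRC=203.0.113.9 DST=10.0.0.7 PROTO=TCP SPT=55555 DPT=113
2001-03-11T02:00:02 ACCEPT OUT SRC=10.0.0.7 DST=198.51.100.20 PROTO=TCP SPT=34875 DPT=21
2001-03-11T02:00:02 DROP IN SRC=198.51.100.20 DST=10.0.0.7 PROTO=TCP SPT=40987 DPT=113
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<dir>IN|OUT) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["spt"], e["dpt"] = int(e["spt"]), int(e["dpt"])
        events.append(e)
    return events


def explain_inbound_drops(events, window=timedelta(seconds=30)):
    """Pair each dropped inbound connection with the outbound session that explains it.

    Returns a list of (event, explanation); explanation is None when no outbound
    connection to the same peer was opened shortly before the inbound attempt.
    """
    outbound = [e for e in events
                if e["dir"] == "OUT" and e["action"] == "ACCEPT" and e["proto"] == "TCP"]
    results = []
    for e in events:
        if e["dir"] != "IN" or e["action"] != "DROP":
            continue
        explanation = None
        for o in outbound:
            # Same peer pair, and our connection was opened within the window before theirs.
            if o["src"] != e["dst"] or o["dst"] != e["src"]:
                continue
            if not (timedelta(0) <= e["ts"] - o["ts"] <= window):
                continue
            if e["dpt"] == 113:
                explanation = f"ident lookup by {e['src']} for our connection to port {o['dpt']}"
            elif e["spt"] == 20 and o["dpt"] == 21:
                explanation = f"active-mode FTP data connection from {e['src']} for our control session"
            if explanation:
                break
        results.append((e, explanation))
    return results


def nightly_peers(events, min_days=2):
    """Inbound drops from the same source at the same HH:MM on at least min_days
    distinct days: the typical fingerprint of a scheduled job on one side or the other."""
    seen = {}
    for e in events:
        if e["dir"] == "IN" and e["action"] == "DROP":
            seen.setdefault((e["src"], e["ts"].strftime("%H:%M")), set()).add(e["ts"].date())
    return {k: len(days) for k, days in seen.items() if len(days) >= min_days}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e, why in explain_inbound_drops(evs):
        print(e["ts"], e["src"], "->", e["dst"], "port", e["dpt"], ":", why or "unexplained")
    print("recurring:", nightly_peers(evs))
```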

  13. Zork and telnet as 'attempted unauthorized entry' by ckm · · Score: 4

    After seeing the story about ESR's Zork/Adventure like configuration interface, I decided to see if I could find a Zork or Adventure server.

    After a quick Google search, I located a link to a Zork server at University of Wisconsin, Eau Claire. The link was on an official university page about computing history.

    I tried connecting to it, but, not surprisingly, it failed. I tried from another machine, still no luck. End of story.

    Or so I thought. A few days later, I get a notice from my ISP warning me for trying to crack a machine, the machine I was telnetting to at UWEC... Luckily for me, my ISP is geek friendly, and my connection was not terminated on the spot.

    I was pretty pissed, so I tracked down the email of the stupid a#$%!, incompetent and amateur admin responsible for notifying my ISP. I sent him a long, formal rebuke of his position that I was attempting 'unauthorized entry' and vaguely threatened legal action if he did not retract his email. Needless to say he did.

    However, how many other people, less internet savvy than me, would innocently click on some link found in a search, triggering a termination of their internet connection for no good reason? For me, losing my internet connection would mean a loss of tens of thousands of dollars that I earn doing remote development. Not to mention the damage to my professional reputation that would occur if I were thought of as a 'cracker'. Given that a large chunk of my consulting work involves security, that would be very hard to overcome.

    I think that people who are admins need to be realistic. If you put a machine on the net, you will get people connecting to it in ways you don't expect (ports 139 and 53 come to mind...). If you react like the admin did at UWEC to harmless and random connections, then you will eventually do damage to either someone's business or reputation (or both). And that could very well lead to a lawsuit.

    My servers get portscanned about 2-3 times a day from various random IPs worldwide, I'm sure most of them have fairly hostile intents. The fact is that the net has become MUCH more hostile in the last five years and has MANY more clueless users. If you can't accept that, can't build procedures and systems that can handle that, then you are in the wrong business.

    Quit now.

    -- CKM
    internet systems architect - scalability - commerce

    --
    -- I don't have a cool sig.
  14. Re:identd needs to die anyway. by slamb · · Score: 4

    If you ask me, identd is nothing more than a waste of bandwidth. Someone, please prove me wrong.

    ident is useful because it allows you to ask a trusted computer which of its users is making a connection. As a practical example, I use ident to authenticate users to PostgreSQL databases.

    The details: my system uses Apache's SUEXEC to run different virtual hosts under different UNIX users. Since the information from identd can be relied on (it's trusted since it's localhost and fakeid support is turned off) I use pg_hba.conf and pg_ident.conf to configure what UNIX users can connect to what databases as what PostgreSQL users. The end effect is, I don't have to embed passwords in my CGIs where I would have to otherwise. I could even separate the SQL server to a different machine and still not have to specify passwords, as long as the SQL machine trusts the webserver (it would, since I would own them both) and the network between (I would have them on the same subnet).
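The setup this comment describes, as an added configuration example rather than the poster's own files: PostgreSQL's pg_hba.conf and pg_ident.conf mapping each suexec UNIX user to its own database role. On current PostgreSQL the local-socket case uses the `peer` method (the kernel reports the socket owner, no identd involved); `ident` is what queries the identd of a remote client host, which is only as trustworthy as that host and the path to it, exactly the condition the poster spells out. Database, role and user names and the web server address are assumptions.

```conf
# pg_hba.conf (constructed example; names and addresses are assumptions)
# TYPE  DATABASE  USER  ADDRESS        METHOD
# CGIs run by suexec on this host: the kernel reports the UNIX user of the socket
local   all       all                  peer   map=vhosts
# The same CGIs on a separate, equally trusted web server: ask its identd (port 113)
host    all       all   192.0.2.10/32  ident  map=vhosts
# Anyone else must present a password
host    all       all   0.0.0.0/0      scram-sha-256

# pg_ident.conf: which UNIX user may become which PostgreSQL role
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
vhosts     www-shop         shop_app
vhosts     www-blog         blog_app
```

Because the map is exhaustive, the UNIX user www-shop can only ever become shop_app; which databases shop_app may then reach is governed by ordinary GRANTs.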

  15. What I love... by BiggestPOS · · Score: 5
    Is lusers with Zonealarm and Blackice calling up asking why they lose their IP every 122 minutes. Well let's see, our DHCP leases are 122 minutes. Have you set your firewall to block the DHCP server? Oh, you have? Well then, as long as you are doing that, you are going to lose your IP every two hours. Please configure your firewall correctly, and then you can call me back. And they always ask "Can you do that for me?" It's great, these people break their computers with other people's products (Bonzai Buddy anyone?) and then call their ISP to have it fixed.

    --
    What, me worry?
  16. Education, Education, Education by marm · · Score: 5

    Maybe it's just me, but wouldn't it make more sense (perhaps with "Internet 2" or any of these other projects) to create infallible network protocols/tools that can't be used for maliciousness? Or is this logically impossible?

    It's not a logical impossibility. Practically, however, it is impossible - IP only works because it is a nice lightweight, easily-routed network protocol. If one were to extend IP or redesign it to try and prevent any misuse, you would almost certainly find it became too heavyweight for it to work successfully at the global level. Not to mention that someone would eventually find some minor chink in its armour and start exploiting that instead...

    However, there's all sorts of things that one can do to make the IP world a safer place. Number one, and probably the best example, would be for all network admins (and router manufacturers) to turn on source route verification by default at their border routers at the very least. What this does is get the router to verify that the source address of a packet headed to an external destination is in fact inside the netblock that the router 'owns' before forwarding it to the next hop. If every network admin would do this, then packets with a spoofed source address would never get any further than their nearest border router, and the internet as a whole would be an awful lot safer. This isn't a new idea and the capability to do it is probably in every router made in the last 5 years at least. Certainly any modern Linux kernel can do it. However, some manufacturers of both router hardware and software routing solutions still insist on keeping it set off by default, and combined with clueless network admins who don't know to switch it on, the problem remains.

    The problem is thus not one of inadequate technology (although IPv6 addresses some security concerns too) but rather one of education...

  17. You got attacked on port 25! by IvyMike · · Score: 4

    When they send you email about identd, send email to their ISP complaining about unauthorized use of port 25.

    (You may want to read RFC 821 if you don't get the joke.)

  18. READ: TCP/IP Illustrated guide = informed paranoia by raretek · · Score: 5

    I think Admins who jump at this type of traffic need to read TCP/IP illustrated guide, because it demonstrates a lack of understanding of what their logs are saying. If you don't understand that book, you should not even bother monitoring the logs or being an Admin in a tcp/ip networked environment for that matter, any more than an illiterate man should be a proof reader. My 2 cents.

    --
    Show me an effect without cause and then I'll believe in chaos.
  19. Firewalls for Flamers by kstumpf · · Score: 4
    This is pretty common now. People install some kind of packet filter and then throw a tantrum when they see traffic.

    The paranoia goes beyond casual users. I can't ping outside of our LAN at work. Our admin never could explain the reasoning for it, but it's very annoying.

    An actual conversation with a friend of mine:

    Me: "Hello"

    Them: "YES HELLO! I installed a firewall and it's blocking all kinds of stuff!"

    Me: "Yeah, what?"

    Them: "UDP, ICMP, some packets, hackers... bad stuff"

    Me: "Why are you blocking UDP?"

    Them: "Because you should always use TCP, it's better"

    Eh....

  20. Yup, there really are that many bad admins... by segfaultcoredump · · Score: 5

    Over the past few years, I've had the opportunity to interview quite a few folks for the position of network and system administrators.

    Let me tell you, there really are not that many good ones out there.

    In my own personal experience, I'd say that 1 in 20 are worth the space that they occupy. One in 100 would fall into what I would classify as a true senior level admin. The rest of them are just an accident waiting to happen. All of them go around trying to sell themselves as 'senior unix | network system administrators'.

    The problem is that many of these places set up the firewall and block everything, all ICMP packets included. They don't take the time to learn what they should block and what the consequences are. They just block everything. Then when something does not work, they open things up till it does. For a good time, check out the firewall config of an admin who set up an exchange server that sits behind a firewall. Chances are they had no clue what the 'established' keyword was and just allowed ports 1024 through 64k. (in the cases where their firewall did not automatically recognize that exchange works in a fashion similar to rpc)

    The really sad thing is that most of these admins pull 60-80K/yr (in the us) and think that they know everything. Ah, the ignorance of youth (even the 40+ year old ones who still don't have a clue). You see, the more you know, the more you know that you don't know everything.

    The hard part for me is that with all of the GUIs now dominating the server market, the level of knowledge required to get a system up and running is getting lower and lower. A trained monkey can install NT and most of the linux based distros out there nowadays. And as soon as they can do that, they add 'system admin' to their resume and try and go for the big bucks. And they can play that game till something serious comes up and they discover what vi is and then they discover that they have no idea of what single user mode is or how fsck works. At that point the game is over and the company that they work for discovers that they didn't hire a senior level admin, they hired a trained monkey.

    So yes, you are screwed. If your ISP is nice, you can send them an email telling them to discard any emails that they get of 'attacks' from your ftp servers. If it goes to the right network admin (one of the 100) then you can probably sit back, smile and respond with an automatic 'hey stupid, please read rfc bla, bla and bla and then write back when you get a clue as to how ftp works and what your firewall is doing.'

    In the meantime, all we can do is hope that companies start to find some way to tell when an admin really knows their shit and when they just know how to walk through the mandrake gui install.
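The 'established' mistake this comment describes, as an added illustration in Cisco IOS extended-ACL syntax (a constructed example, not a configuration from the page): the weak list opens every high port to unsolicited inbound connections, the corrected one admits only segments that belong to a session the inside host opened. The address and interface are assumptions.

```text
! Weak: "make return traffic work" by letting any inbound TCP reach ports above 1023
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.10 gt 1023
access-list 101 deny ip any any log
!
! Corrected: 'established' matches only TCP segments with ACK or RST set, i.e. replies
! to connections our side initiated; a fresh inbound SYN to a high port is still denied
access-list 102 permit tcp any host 192.0.2.10 eq 25
access-list 102 permit tcp any host 192.0.2.10 established
access-list 102 deny ip any any log
!
interface Serial0
 ip access-group 102 in
```

'established' only inspects TCP flags, so a service that genuinely needs unsolicited inbound connections on dynamic ports (the RPC-style behaviour the comment mentions) is not served by it; that case needs a protocol-aware, stateful firewall rather than a wider port range.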

  21. Re:You think this is stupid? by refactored · · Score: 5
    You think that's stupid? Try this one. I got this email from a twit calling himself Callisto the other day (cc'd to my ISP's postmaster)
    Can I ask why you are playing around in my account???? This is an account that I pay for, for private use and I don't appreciate people putting files into my account.
    What great sin had I committed?
    I had sent an email to my wife and mistyped her address.
  22. ...are there really that many ignorant... by John Hasler · · Score: 5

    The default page in the Debian Apache package contains our logo. As a result, we are regularly accused of defacing Web pages when someone bungles a configuration change. I wonder how often time-A.timefreq.bldrdoc.gov gets accused of "attacks" as a result of the default configuration of my chrony package.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  23. Dear Sir, by Dutchie · · Score: 4
    I am a Linux newcomer, but I am not STUPID! Don't think you can DoS me with your scripts 'n all you SCRIPTKID evil hax0r!!! I have read all the security FAQs and trust me, I KNOW what I'm doing! I saw it in my syslog!!! You connected to my ident port!! It is the LAW that you cannot PORTSCAN me, it is illegal!
    --
    "Imagination is more important than knowledge." -- Albert Einstein
  24. And the vendors, too by blang · · Score: 4
    It's not a big thing, but Compaq got this remote web management included (and enabled by default) on their PCs. Every few seconds, they broadcast to port 2301, hitting thousands of machines on mediaone's cable network.

    Anyone can point their web browser to the luser's machine, and have a look at the HW, even kick off HW diagnostics. Wonder how many of these eventually end up as script kiddie fodder.

    --
    -- Another senseless waste of fine bytes.