Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
ignore them.
Unless they use a lot of bandwidth, that is the right decision to make.
ignorance is bliss!
Add their IPs to your firewall for a start.
Use the DMCA to... I don't know, scare them or something. Mention RIAA and MPAA to their ISPs too.
I haven't seen any similar increase in activity. Does your firm have enemies? For instance, does your first name rhyme with Carl?
The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.
http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org
If you seem to be getting it from the same group of people make a honeypot but have some obvious hints once they get in, leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they got no further than their failed attempt at your real machines.
Who'd have thought!
on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.
When I had this problem I simply sent a mail to the ISP's abuse people. Most ISPs have an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
Martin
intrusion attempt >> /dev/null
ignore it. forget it. script kiddiz...
Write in sloppy block letters: Ve know who you are. Do it vun more time und ve get NASTY!
The world is my oyster. That's why it's always in a stew.
If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
I have also been seeing these kinds of "attacks" the last few weeks on a server which I admin. Usually attempts to login via ssh to well-known accounts (such as root).
The site is not a high-profile site by any means but rather a home for some personal projects. I just wrote it off as the script-kiddy attempt du jour but it's interesting to see that others experience the same thing.
you deal with the firewalls,
let your lawyers deal with crap like this
Just ignore them. Focus on keeping your server software up to date and staying informed of possible security issues instead of wasting time trying to track down intrusion attempts.
These two will detect most automatic attempts and then add the IPs to a drop list on your Linux firewall. www.snort.org. Guardian is listed under 'other tools'.
You might consider sending a handwritten letter and use your own name, that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first suggestion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.
Less look fast, more go fast.
Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vague threats and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely however.
Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.
Good luck.
Remember that there are a lot of automated tools, worms, and virii that turn home computers into "zombie" boxes under remote control. If you do decide to send out anything, it's probably best to assume the apparent source of the problem may be masking the real source.
I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining to the intrusion attempt.
Of course, I don't do this for every attempt (all depending on my mood ... at least nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).
:)
So far, all of these "cease and desist" letters have resulted in action on the ISPs' part, and in 50% of the cases, their admins write me back and give me feedback on the problem.
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actually managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped.
If the attacks are just random script kiddies trying things that will never work, I'd probably ignore it.
If you're starting to see a pattern or an increase in the sophistication of the attack, though, you might want to just send their ISP a polite letter letting them know what you have found and your concerns. After all, what would you want to see if you were the ISP's sysadmin?
Ahh, I see you've decided to go psycho. Godspeed.
I had confidence in my setup, and no server I had control over was, to my knowledge, ever compromised.
We never had any sensitive data outside the firewall, anyway.
On two occasions it got serious (if an easily beaten DOS attack can be called serious) and even then it was only for 20 minutes or so. Our ISP (being a large telecom) was champing at the bit to go after people we had even a small scrap of evidence against, so on those two occasions we simply handed what information we'd gleaned to them, and they let out the dogs.
At some stage, you've got to stop worrying and learn how to love the internet!
Personally I tend to ignore the scans for ssh and so forth, as they're just SYN packets and don't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.
I tend to report viruses. I grep my logs daily for viruses from various Norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in Norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.
I tend to send emails such as this.
"
Hi there.
I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.
Here are the relevant snippets from my logs:
Virus: Netsky.B
Received: from at
Virus: Bagle.C
Received: from at
All timestamps on the server are NTP-sync'ed against
Thanks for your time
"
Recently I've also included a more personalized
"Oh, and I have to commend your ISP's efficiency, as since March - you've managed to reduce the number of virus sending users to us from about per day, to this
.. it's days since the last virus from you! Keep up the good work!"
.. and so forth.
:)
You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for
If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computer has been abused by others to scan people -- and will probably quit doing it.
"Rune Kristian Viken" - http://www.nwo.no - arca
Nothing beats the personal touch of hired goons...
or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of Windows attacks (yes, Code Red is still there), 137 scans, numerous login hacks for any number of OS's, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes aren't massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!
This kind of stuff is all over the place. Odds are most of these are automated worms and similar crap. Unless it's really a concerted attack on your machines, as opposed to random scanning, it's not worth the effort to do anything about it except maybe firewall the IP.
I don't understand why you'd care how you come off to the people trying to crack into your system.
They're out to do you harm. If one of them gets through and does some damage, you could lose your job.
Hi,
As several posters have already stated you should complain to the abuse address for their ISP. Ideally, you should include logs of the attempt.
You should also be aware that the machines which are attempting to connect to your network are probably zombies. There are a number of trojans and security holes which can be exploited to allow a remote user to take over a poorly secured system. The owners probably don't even realise that their machines have been compromised.
I'm not sure there's much an ISP can do other than try to find out which customer had been assigned that IP address at the time and write to them. Banning someone for having poor security on their machine is probably a bit harsh, even in these post-9/11 times.
Keith.
Just don't tell my mom! She'll take away my Compaq, or make me install SP2!
Welcome to life on the internet; now it's time to make sure your servers are secure. Turn off ALL services that are not required. Configure SSH to disallow root logins and passwords. From now on the only way into the servers should be by using SSH cryptokeys.
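The three settings in the post above as a config check, added here and not part of the original post: it parses an sshd_config (constructed samples) the way sshd reads it, where the first value of a keyword wins, so a hardening line appended below the stock one silently does nothing. The defaults it assumes for absent keywords are labelled in the code.

```python
"""Audit an sshd_config for the settings the post above calls for.

Added example, not from the original post. sshd uses the FIRST value it
reads for each keyword, so a "PermitRootLogin no" appended below an
existing "PermitRootLogin yes" never takes effect. This checker applies
that rule and flags the ignored duplicates.
"""
from typing import Dict, List, Tuple

# Hardened values from the post: no root login, no passwords, keys only.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
# Values assumed when a keyword is absent (assumption: old OpenSSH
# defaults; newer releases default PermitRootLogin to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return the effective global settings (first value wins) and warnings.

    Parsing stops at the first Match block: everything after it is
    conditional and cannot be judged without a connection context.
    """
    effective: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            warnings.append(f"line {lineno}: Match block starts; rest of file not audited")
            break
        if key in effective:
            warnings.append(f"line {lineno}: duplicate {parts[0]} '{value}' ignored, "
                            f"first value '{effective[key]}' wins")
            continue
        effective[key] = value
    return effective, warnings


def audit(text: str) -> List[str]:
    """List everything that differs from the hardened settings; empty means OK."""
    effective, findings = parse_sshd_config(text)
    for key, wanted in REQUIRED.items():
        actual = effective.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key} is '{actual}', should be '{wanted}'")
    return findings


# Constructed sample: the "fix" was appended under the stock lines, so
# sshd still permits root logins with a password.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added after the login attempts started:
PermitRootLogin no
PasswordAuthentication no
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name + ":", *(audit(cfg) or ["ok"]), sep="\n  ")
```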
I had an intrusion once - no wonder, really. The machine had an old SuSE install with all ports open, all services running: lpd, samba, X11, etc...
I didn't care much about it, it was just a small box and so I just sat back and watched the anomalous activity for about two weeks. But when the intruder installed a rootkit, I got nervous. Immediately removed the thing from the net and tried to figure out if they got access to the DB servers. Next day, the box was replaced by a hardened debian stable system, and we made sure that only necessary stuff was on it and all the security patches installed.
We reported the incident to the police, but what can they really do? There were IPs from Bulgaria, Brazil and S. Korea exploiting the sshd at the same time....
We really learned our lesson there, and haven't had an intrusion since (well, except on that other old SuSE box...)
FWIW, I'm a student running FC2 on a college LAN in Australia. In addition to the default install, I've whacked on a more complex firewall and also installed portsentry (mainly because IT services believes that running nessus with all of the options checked against the university LAN is a good idea).
In any case, just recently I've noticed far more attempts to log into SSHd. The number of port scans detected by portsentry is about the same as always - 2 to 5 a day. From yesterday's logwatch, for example, there were attempted logins as admin, guest, root, test and user. According to logwatch they're always tried with no password, then a password.
eg:
Illegal users from these:
admin/none from 203.227.204.32: 2 Time(s)
admin/password from 203.227.204.32: 2 Time(s)
I've definitely noticed a major increase in these attempts over the last while. Personally, it doesn't bother me - I just make sure that my passwords are up to date, and that remote root logins are disabled.
(Edited the snippet above for lameness filter)
www.fearthecow.net
...the attempted intrusion detection package.
It's wasting your time.
It makes you worry.
It makes you ask silly questions on slashdot.
The solution is to trash it, you don't need it, Linux is unbreakable anyway.
try http://www.mynetwatchman.com/ works like a champ for me.
the system automatically sends a warning to the ISP
Well, after having been doing what you are doing for the last 10 years, I can only say "Welcome to the real world". The level of suspicious activity today is way above the level where you can handle it by complaining to the source ISP. Possibly he has a compromised server on his network, but most likely he doesn't care or doesn't have time to deal with complaints. Why should he anyway.. Scanning and probing isn't illegal in 99% of the world.
My advice to you is to secure your network. If you absolutely *have* to allow logins from the outside you should protect the login service by blocking it in the routers *and* use the built-in tcp_wrappers mechanism to control access. Start by blocking *everything* and then open up only those ports you need, and to those that need it. I.e. ports 80 and 25 can be publicly accessible but there is no need for anyone on the outside to send you packets on ports 137-139. Then, run tripwire, take backups and install an IDS. Not because it will tell you of anything in advance, but because they are good for forensics work (after you have been ass-raped by some 16 year old). Above all "be paranoid" and don't simply wait until you become a victim.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I think it could be something to do with the Gene therapy! Whats happened is a million of these "super-monkeys" are sitting at a million terminals, all trying to create the works of Shakespeare on port 23....
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
I don't read your sig, why do you read mine?
True story: About 8 years ago some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15 year old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)
Religion is a gateway psychosis. -- Dave Foley
I didn't know that I was that big of a problem to your company, I shall stop. Sorry for any inconvenience.
-------
Support Indy Music. Buy
It's like some kids trying some random lock combinations in a locker room.
This guy wants to take fingerprints, find the kids, and call their mom?
I say if you want to protect your bath towel with more than 4 numbers, then buy a lock with more than 4 numbers.
mid July or so there were a bunch of random automated-looking and weak looking ssh login attempts all over the place ....
....
threads on the full disclosure mailing list archives and dslreports forums about that
wonder if this is what the topic poster was encountering?
God, mod me down if you think I'm just being a troll... but seriously mod this up if you think this guy asking the question is a total dumbass.
If you don't want incoming connections, block them through whatever means you feel necessary... from a firewall to actually unplugging the network connection. You will never stop attempts while you are connected to the Internet... there are 2^32 IP addresses... granted only a portion are in use and Internet routed, you still have way too many millions of emails to send ISPs every year...
Actual intrusions can be handled differently... but random connections and login attempts mean absolutely nothing.
I run an IRC network for work and I've seen many fun things. Most of the time I'll just place a ban and let it slide. I've seen mail + web servers try to attack the network however and that'll justify an email to some poor sysadmin.
The most unusual was a machine with a google.com reverse dns. I emailed google and they said it was impossible to be them and told me to go away basically =/
Be sure though to include *all* relevant log files too. I've sent a couple of mails in the past to ISPs and I think I got a response from about 50% of the ISPs contacted, from which only one responded once by saying they contacted the individual and took appropriate actions ... whatever that may mean.
You'd be better off configuring your security better though.
US Democracy:The best person for the job (among These pre-selected choices...)
Last week I managed to login as root into a machine (from a Chinese domain, as usual) for which I had packets logged in my firewall's log. Then, I installed in that machine chkrootkit: lots of executables were wrong (rootkits). Then, someone logged in remotely and left in /root a "readme.txt" message warning me not to log in other's computers .... Finally I did three things:
1.- Send an e-mail to the contact-addresses retrieved from APNIC
2.- Copied my shutdown executable to that machine (the original was obviously tricked)
3.- Remotely, executed @> shutdown -h now
Just a suggestion.
Seriously, reading through most of the comments on this story has the odor of child script kiddiez... saying "email abuse@isp.com" or "hack them back" or "run nmap and then hax0r them" or "call their parents"....
whatever. Just ignore the shit, because it isn't a problem if there is no intrusion.
Despite the fact that you work for a small company, you will in fact be a corporate cease-and-desist gnome if you send out such a letter. That is unfortunately the price you pay.
Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.
My advice is to firewall them.
Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because (and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit.)
So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
Whatever they're doing to you have a go back at them... chances are their system isn't as secure as yours.
At the very least it's more fun than writing an e-mail!
The word liability will freak out any small ISP enough to contact the "user" and give them a stern warning... I don't know if you'd have any luck with one of the big boys (AOL, Earthlink...)
All the torrents you could want.
It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their ISP and/or authorities, this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here's some good places to start:
packetstorm security
Security Focus
Somewhat offtopic, but how do people deal with DOS attacks?
I've had a person harassing the forums at a website that I host.
I banned by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his ISP) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And that's it.
So how do other /.ers deal with situations like this?
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
well step #1 would be get your site on a server with enough bandwidth so that a few people holding down refresh key isn't going to DOS your site.
So basically I should give into the f*ckwad and fork over more cash for more bandwidth on a site that -under normal circumstances- doesn't require much bandwidth?
This thread explains your problem :
http://www.dslreports.com/forum/remark,10854834
Hi, this has been reported from several people. Read Full Disclosure's thread "Automated SSH login attempts" about it. Nothing to worry about I'd say.
Thread - SSH problems
Figure out those kids for sure (should be not hard, eh?) and then send them letters saying that if they don't pay you $20-$50 or smth then you will report them. Yes, blackmail :)
Try "ping -s 638 " If they are watching their traffic they will hopefully get the message.
If they aren't watching something like iptables mirror feature might be amusing. Be careful with this because if they fake their source address you will counter attack somebody who shouldn't be involved. Keep your logs if you do this just in case.
I mostly just ignore these attacks now. A couple of years back I reported a couple of kids for this sort of thing. Their ISP's response was very favourable. Unfortunately about 4 days later the network that I was running was choked by incoming smurf traffic. I couldn't prove anything this time because it was all just response to a faked source. I managed to get the smurf relays to filter their networks but it still hurt for a while.
Bust a cap in their ass and call it a day, homes.
Well, I've seen this recently, there appears to be some script going about trying various passwords for root, admin, nobody, guest, and other common accounts. I've noticed this happening to machines in 3 independent networks I look after.
Most important thing is to make sure your software is up to date - there's no point spending time crafting letters when you should be updating.
Only if you have time, should you bother complaining to anybody.
Here's the template email I use:
Hi,
We intercepted a series of unauthorised login attempts to one of our hosts last night. This originated from one of the machines on your network, [IP ADDRESS], and started at [TIME DATE TZ].
We have seen similar attempts at other times originating from other hosts, so there is probably either an open proxy on this particular host, or it has itself been compromised and is being used as a zombie.
Either way, I thought you'd like a heads-up, it should be checked out. Full logs are listed below.
Thanks for your time,
I reckon I've had 50% success on the first attempt with this. Many of the people out there just couldn't be arsed in the first place, so I'm not going to waste my time complaining to them - or not until I've nobody else to complain to first.
"A goldfish was his muse, eternally amused"
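An added example (not from any of the posts) that connects the logwatch "Illegal users" tally shown earlier in the thread with the template email above: it counts failed sshd password attempts per source address from constructed log lines, picks the sources worth escalating, and fills in the template with the matching lines as evidence. The addresses, the threshold and the log lines are constructed.

```python
"""Tally failed sshd logins per source and draft the abuse report.

Added example, not from any post above: it reduces raw sshd log lines
(constructed sample below) to the per-address tally that logwatch
prints, decides which sources are worth escalating, and fills in the
template email from the post above with the matching log lines attached.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed OpenSSH auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug 20 03:14:15 www sshd[4120]: Illegal user admin from 192.0.2.10
Aug 20 03:14:15 www sshd[4120]: Failed password for illegal user admin from 192.0.2.10 port 51002 ssh2
Aug 20 03:14:18 www sshd[4122]: Illegal user test from 192.0.2.10
Aug 20 03:14:18 www sshd[4122]: Failed password for illegal user test from 192.0.2.10 port 51004 ssh2
Aug 20 03:14:21 www sshd[4125]: Failed password for root from 192.0.2.10 port 51006 ssh2
Aug 20 03:14:24 www sshd[4127]: Failed password for root from 192.0.2.10 port 51009 ssh2
Aug 20 09:02:01 www sshd[4311]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Aug 20 09:02:07 www sshd[4311]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

MIN_ATTEMPTS = 3  # escalation threshold; assumption, not from the posts


def tally(log: str) -> Dict[str, Dict[str, int]]:
    """Map source IP -> {username: number of failed password attempts}."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            counts[m["ip"]][m["user"]] += 1
    return {ip: dict(users) for ip, users in counts.items()}


def logwatch_style(counts: Dict[str, Dict[str, int]]) -> List[str]:
    """Render the tally like logwatch's 'Illegal users from these' block."""
    return [f"{user} from {ip}: {n} Time(s)"
            for ip in sorted(counts) for user, n in sorted(counts[ip].items())]


def sources_to_report(counts: Dict[str, Dict[str, int]],
                      threshold: int = MIN_ATTEMPTS) -> List[str]:
    """Sources with enough failures to justify a mail to their ISP."""
    return [ip for ip, users in sorted(counts.items())
            if sum(users.values()) >= threshold]


def evidence(log: str, ip: str) -> List[str]:
    """Every log line naming this source ('Illegal user' and 'Failed' lines)."""
    return [l for l in log.splitlines()
            if f"from {ip} " in l or l.endswith(f"from {ip}")]


def abuse_report(log: str, ip: str) -> str:
    """Fill the template from the post; the first evidence line gives the start time."""
    lines = evidence(log, ip)
    started = lines[0][:15] if lines else "[TIME DATE TZ]"  # syslog timestamp prefix
    return (
        "Hi,\n\n"
        "We intercepted a series of unauthorised login attempts to one of our hosts. "
        f"This originated from one of the machines on your network, {ip}, "
        f"and started at {started} (server clock, [TZ]).\n\n"
        "We have seen similar attempts at other times originating from other hosts, "
        "so there is probably either an open proxy on this particular host, or it has "
        "itself been compromised and is being used as a zombie.\n\n"
        "Either way, I thought you'd like a heads-up; it should be checked out. "
        "Full logs are listed below.\n\nThanks for your time,\n\n"
        + "\n".join(lines) + "\n")


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    print("\n".join(logwatch_style(counts)))
    for ip in sources_to_report(counts):
        print("\n" + abuse_report(SAMPLE_LOG, ip))
```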
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and a university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldom in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file messages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I cannot believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Avantslash: low-bandwidth mobile slashdot.
Alternatively: Get his RL location, pay him a personal visit. Get his F5 key plus all the rest of hardware fly some 5-10 meters in random direction (preferably down) (disregard any glass obstructing the flight route) and take a hard landing. You may use a heavy-caliber LART if he disturbs in the process. Preferably the job should be outsourced to a 3rd party subcontractor of foreign origin.
I'm surprised nobody has suggested this before but I would recommend a tactical nuclear strike against the intruder. I've found that this simple step typically quells the attack.
Hi,
I ran one of the first ISPs in the UK with live IP and since we went live about 10 years ago we have endured on average maybe one attack per minute or higher all that time.
So 10 years ago I wrote my own firewall with some traffic shaping and logging; it died recently and I replaced it with a Cisco or two with more or less the same rules.
Now, even when no longer an ISP I still have to turn away 35,000+ SPAMs per day from my network which now hosts just two people, so I wrote my own reverse SMTP proxy to deal with the problem. (The source is available on SourceForge BTW.)
People continually attempt to steal the entire content of one of my free Web sites, and used to bring it and my connection to the Net to their knees, so I wrote a simple transparent servlet filter to detect and lock out f**kits who exhibited pathological behaviour.
All of these tools are mainly automatic with a few general rules and a very few specific data entries to keep out especially egregious people.
Don't play "whack-a-mole", and don't waste too much time trying to contact the idiot's ISP; even if they care, which sometimes they do, it'll end up being expensive and slow to stop.
Rgds
Damon
http://m.earth.org.uk/
You said, YOU are running a server for ONE client. Who is it that needs SSH access to the machine - YOU. What I would do is limit access to port 22 to IP addresses I am going to use. Add your normal internet addresses to the list (like your ISP's IP block, work, girlfriend's ISP, ...) And of course you need to add a machine that is always up and has no such firewall restrictions (i.e. shell access to your server at home, I know you have one ;-)). This way you can login to the server from your most common locations, and login indirectly to the server using another box as "proxy" in case you are on vacation sitting in an internet cafe.
I think it's also good practice to generally disallow direct root logins in ssh config and only allow shell users having group wheel to su to root.
Look up HTB on the net (Heuristic Token Bucket) - a firewall rule that limits network abuse while not obstructing normal network usage - every IP gets a pool of "tokens". One token is removed from the pool when a packet is sent, packets won't be sent as long as the pool is empty, but it gets refilled at constant, slow rate, until it's "full" again. So a user can download, say, 500K in one rapid burst at maximum network capacity, then his connection bandwidth goes down to some 5K. If he waits 100s he will be able to get 500K in similar burst again. This way, one page loads really fast. User reads the page, goes back, loads another one (minute later) very fast again. A loser who keeps reloading, exceeds his 500K bucket content in 2-3 reloads and then gets a constant drip of 5K upstream, hardly disturbing the others.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
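The token bucket policy described above, as added example code (not from the post): one token per byte is an assumption made for clarity, the Limiter and simulate names are hypothetical, and the constants are the post's 500K burst and 5K/s drip. The simulation replays a polite reader against someone holding down F5.

```python
"""Per-client token bucket, as described in the post above.

Added example, not from the post. Each client (keyed by IP) owns a
bucket of CAPACITY tokens; one token is charged per byte sent
(assumption, for clarity), a request is served only if the bucket still
holds enough tokens, and the bucket refills at RATE tokens per second
up to CAPACITY. The constants are the post's numbers: a 500K burst,
then a 5K/s drip, so a drained bucket is full again after 100 s.
Time is passed in explicitly so the policy can be replayed offline.
"""
from dataclasses import dataclass
from typing import Dict

CAPACITY = 500_000   # burst allowance per client, in bytes
RATE = 5_000         # sustained bytes per second once the burst is spent


@dataclass
class Bucket:
    tokens: float
    last: float  # time of the last refill


class Limiter:
    def __init__(self, capacity: int = CAPACITY, rate: float = RATE) -> None:
        self.capacity = capacity
        self.rate = rate
        # One bucket per client; a real deployment expires idle entries.
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client: str, size: int, now: float) -> bool:
        """Charge `size` tokens if available; False means the request is held back."""
        b = self.buckets.setdefault(client, Bucket(self.capacity, now))
        # Lazy refill: credit the elapsed time instead of ticking a timer.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= size:
            b.tokens -= size
            return True
        return False


def simulate(limiter: Limiter, client: str, page_bytes: int,
             interval: float, count: int) -> int:
    """Replay `count` loads of a `page_bytes` page every `interval` s; return how many were served."""
    return sum(limiter.allow(client, page_bytes, i * interval) for i in range(count))


if __name__ == "__main__":
    # A reader loading a 200K page once a minute is never throttled ...
    print("reader served:", simulate(Limiter(), "reader", 200_000, 60, 10))
    # ... while someone leaning on F5 once a second gets two pages at once,
    # then only one more in the following half minute.
    print("reloader served:", simulate(Limiter(), "reloader", 200_000, 1, 30))
```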
Ignoring them and allowing them to continue poking systems around them is like letting people attempt robbing banks, shop lift, etc.
Even if you don't manage to rob a bank, but you get caught, you go to jail. Why would cyber laws have to be different? Don't touch my server! Don't scan my ports!
Simpy
I'm not sure this will work in your case.
Most people are probably not aware of the fact that your MAC address is transmitted over the Internet, peer to peer (except in those cases where it's explicitly scrubbed of course). While it's not that common that firewalls can block traffic on the MAC level, some can, OpenBSD's pf being one example. But then again, if someone is using open proxies, this technique will probably fail as the proxy will send its own MAC address.
But how about logging access to the site, and sending clients that send too many requests per second to TubGirl? :-)
I actually know his address and his real name.
Although I would like to give him a beating; I don't really think that is an option.
let them waste their time with those, misdirecting their attention away from your real servers.
works for me. its quite amusing to watch 5kr1p7 k1dd135 waste days/weeks on what they consider an "interesting" target.
It is not very wise to solve your situation with C&D letters. You should not offload your own responsibility to others, because it is annoying, risky and ineffective in the long run.
Generally, flaws in any technology setup should not be solved by legal, but by engineering. Try to explore your intellect a little bit why it is so.
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.
Don't you use a firewall? You can't attempt to log in remotely if you're blocking the typical remote access ports -- SSH, telnet, etc.
So you've got a machine sitting on the internet, home to a million and one active worms, and are surprised that it gets scanned constantly?
Don't bother with the abuse reports -- more than likely it's just worm activity from computers whose clueless owners don't realize have been infected. A more recent one attempts SSH logins, which may be what you're seeing.
If it was a _real_ crack attempt then you:
1: Wouldn't know about it.
2: Would be unable to pin it down. It would be bounced through several victim networks, so your ability to see where it's "coming from" is really just the last victim machine in the chain.
Third possibility is script kiddies, in which case you would know about it and where they were coming from, but they would have no chance of success unless you are unwilling to keep up on patches and follow basic security practices like decent passwords.
Best would be to close off remote-login ports altogether. If you need remote login then block for all but the address range you'd be coming from. If you need remote access from random locations, then at least consider using a heavily locked down system (e.g.: OpenBSD) or work _really hard_ to get your systems firewall/logging/etc. set up well.
One OpenBSD/pf feature you might be interested in (also available from other systems) is the ability to tie Snort into the pf ruleset so that remote scanners, once detected, are ignored.
Although I would like to give him a beating; I don't really think that is an option.
Thats where friends come in. Get them to go pay this little shit a visit, cut off one of his hands, and tell him that if he does this type of shit again he'll lose the other. Works every time.
Well you're not really giving in. If you want to host a website and be able to have the same resources as anyone else who wants to host a legit website, then you'll pay some company to either host it for you, or buy more bandwidth from a provider who specializes in internet connections for hosting your own servers. If, let's say, you were on a T1 and someone was DOS'ing you, you could call up your provider and tell them to block them before it gets sent down your smaller pipe.
Another option would be to install an IDS to block any host that tries to grab like 3 pages per second or whatever, but I'm personally against IDSs since a malicious person could use them against you. Or you may want to look into using iptables' limit module, but this would be an even worse solution because it would only allow N new connections every X seconds from every host, so let's say you set 5 connections per 1 second, the 6th person who tries to access your site that second would be blocked.
For this situation (assuming you don't want to "give in" and get a faster connection), an IDS would really be your only option, but there's a lot of other things he could do to you that would take your site down and you couldn't do anything about since your connection is so slow, and your ISP isn't willing to help.
In my opinion, Tom Hudson's way of dealing with these critters is far more entertaining than just ignoring them.
use different port numbers for your services for the outside interfaces (the ones to the net, e.g. ppp0).
like:
ssh -> 49022
http -> 49080
try to avoid ftp, but if you must then also +49000 (or any other number above 1024)
this way it'll seem like you have no (typical) ports open and therefore you'll only receive syn packets which will keep the traffic low and the "danger" minimal.
Why use traceroute (unless you're trying to find the ISP's upstream provider - or one of the ISP's upstream providers) - surely it'd be better to do a whois on the IP address, which often gives you an abuse address to try? Surely, if you're talking of root, you're a unix guy so should be using the command 'traceroute' - not the MICROS~1 MS-DOS-style named 'tracert'?
Well, smart-aleckness aside, I used to report every little intrusion, but there's so many I just can't be bothered.
These days, a better strategy is having the first line in pf.conf (or your OS's equivalent) that reads:
block in on all
Then just allow specific traffic. The secure default is blocked. Only allow remote logins from places they should come from (although in some instances, you need SSH available from everywhere so you can get to it when roaming).
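A pf.conf that follows the advice in this thread, added here as an example (it is not from any poster): the `block in on all` default, remote login passed only from an address table of places the admin actually connects from, the public web port open to everyone, and `set block-policy drop` so unwanted connections hang instead of getting an RST, which is the "drop rather than deny" point made elsewhere on this page. The interface name and the addresses in the table are placeholders to replace with your own.

```pf
# Added example of a default-deny pf.conf; ppp0 and the addresses are placeholders.
ext_if = "ppp0"
table <admins> persist { 192.0.2.0/24, 198.51.100.7 }   # netblocks you log in from

set block-policy drop     # silently drop instead of answering with RST/ICMP unreachable
set skip on lo0

block in on all           # the secure default: nothing comes in unless a rule below passes it

# Log the SSH attempts that are refused, so the source can be reported or blocklisted.
# (pf is last-match-wins, so this sits before the narrower pass rule for <admins>.)
block in log on $ext_if proto tcp from any to ($ext_if) port 22

# Public service for everyone.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state

# Remote login only from the known places; roaming admins hop via one of these hosts.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22 keep state

# The box may still initiate its own connections (updates, DNS, outgoing mail).
pass out quick on $ext_if keep state
```

To add a new trusted address without reloading the whole ruleset, `pfctl -t admins -T add` takes effect on the `persist` table immediately; `tcpdump -n -e -ttt -i pflog0` shows the logged refusals that the blocked SSH rule records.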
There is a worm floating around that tries to ssh in as root, guest, test and some other accounts.. Quite harmless unless you have these accounts unpassworded or with identical usernames/passwords.
As for the one/week or other such things, it's possible this is just someone who mistyped the ip.
We receive a lot of intrusion reports but usually they are due to some worm activity from our users. We notify (if possible) a user but almost always do nothing else.
However, usually it works.
Nowadays people are accustomed to letters claiming they have a virus so probably some of them do not read such letters any more.
We do not close outgoing port 25 either.
Post the name and address here as AC.
Join DShield and keep a good general set of firewall rules, e.g. blocking SSH from any but a few select addresses or netblocks. DShield will send out emails to ISPs with condensed reports on the worst offenders. That system has been labouring a bit recently, so consider a donation while you are at it.
Well, I'd say you need to use a firewall to restrict all communication ports and then allow at least port 80 (if it's a www server). Then, ask yourself do you really need SSH? Well, if you do, select protocol v2 and use complex passwds. Also, disallow root access on ssh logons, use some normal user account first and then 'su -' to root.
When configuring IPTables or other software firewall, use a DROP policy rather than DENY. DENY sends RST packets while DROP doesn't answer to received packets at all. This will reduce the amount of knock-knock-who's-there-type activity since the machine just doesn't seem to be there (except ports 22 and 80). No reply, no further knock-knocks, simple.
Then of course, keep the server software always up to date. I think that should do it.
In the past week or so, I've seen a couple of failed access attempts from an IP address at one of the universities in China and from one on comcast.net (surprise surprise) - whoever it is has tried a couple of "standard" account names that I (of course) don't have on my server so the logs have just reported the failed attempts.
It would be tempting to send an "abuse@" email to someone but the fact is that the script kiddie is probably using those IPs as compromised boxes anyway.
So all I'm doing now is putting a shell-script in place that emails me when the logs pick up any more illegal access attempts and just adding the IPs I have to a barred list on my firewall that just drops the packets from those IPs for an extra layer of security. The added advantage is that this is a "passive warning" to the cracker - instead of getting any form of login prompt, (s)he'll just get nothing back in future.
This change in behaviour from my server should alert the cracker that I am aware of their presence and maybe act as a deterrent in itself.
Unless there is actually a successful intrusion, I think this is the best way to proceed - just monitor the logs and put an extra layer of security in place when you see anything unusual.
Just keep outsmarting them...
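The log-watching script described above, as an added example rather than the poster's own: it reads sshd "Failed password" lines, folds the `::ffff:a.b.c.d` form that dual-stack hosts log into plain IPv4, counts failures per source, skips an allowlist of your own netblocks so a fat-fingered admin password can never lock you out, and produces both a DROP rule list and a plain-text excerpt for an abuse mail. The log lines, addresses and threshold are constructed. Note that sshd records a password failure only after the TCP and SSH handshakes completed, so the spoofed-SYN objection to automatic blocking raised later in this thread does not apply to this input; it does apply if you feed the same script raw firewall SYN logs.

```python
"""Pick SSH brute-force sources out of sshd log lines and turn them into a block list.
Added example (not the poster's script); the log lines below are constructed and the
addresses are documentation ranges."""
import ipaddress
import re
from collections import defaultdict

# sshd logs "Failed password for [invalid user] NAME from ADDR port N ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample: one scanner trying the usual account names, one typo by our own
# admin (192.0.2.10, allowlisted below), one lone probe that stays under the threshold.
SAMPLE_LOG = [
    "Mar  3 04:12:01 www sshd[2301]: Failed password for root from ::ffff:203.0.113.5 port 4570 ssh2",
    "Mar  3 04:12:05 www sshd[2303]: Failed password for invalid user test from 203.0.113.5 port 4581 ssh2",
    "Mar  3 04:12:09 www sshd[2305]: Failed password for invalid user guest from 203.0.113.5 port 4590 ssh2",
    "Mar  3 04:12:14 www sshd[2307]: Failed password for invalid user admin from ::ffff:203.0.113.5 port 4602 ssh2",
    "Mar  3 04:30:00 www sshd[2400]: Failed password for alice from 192.0.2.10 port 51022 ssh2",
    "Mar  3 04:30:07 www sshd[2402]: Accepted password for alice from 192.0.2.10 port 51022 ssh2",
    "Mar  3 05:01:44 www sshd[2510]: Failed password for root from 198.51.100.77 port 3258 ssh2",
]


def normalize_ip(text: str) -> str:
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain IPv4 address it carries."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_failed_logins(lines):
    """Return (ip, user, port, raw_line) for every failed-password record."""
    records = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            records.append((normalize_ip(m["ip"]), m["user"], int(m["port"]), line))
    return records


def find_offenders(lines, threshold=3, allowlist=()):
    """Map source IP -> its failed-login records, for sources at or above `threshold`.
    Sources inside any allowlisted network (your own addresses) are never listed."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    by_ip = defaultdict(list)
    for rec in parse_failed_logins(lines):
        src = ipaddress.ip_address(rec[0])
        if not any(src in net for net in allowed):
            by_ip[rec[0]].append(rec)
    return {ip: recs for ip, recs in by_ip.items() if len(recs) >= threshold}


def drop_rules(offenders):
    """iptables commands that silently DROP (not REJECT) the offending sources."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def abuse_report(ip, recs):
    """Plain-text excerpt to paste into a mail to the netblock's abuse contact."""
    users = ", ".join(r[1] for r in recs)
    head = f"{len(recs)} failed SSH logins from {ip} (usernames tried: {users})"
    return "\n".join([head] + [r[3] for r in recs])


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, threshold=3, allowlist=["192.0.2.0/24"])
    for ip, recs in hits.items():
        print(abuse_report(ip, recs), end="\n\n")
    print("\n".join(drop_rules(hits)))
```

Run it from cron against the tail of auth.log and mail the output to yourself; the block list then goes into a dedicated chain or pf table so it can be flushed without touching the rest of the ruleset.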
This is really good advice, but you can do more. :-)
Most ISPs really appreciate the complete header of the mail, and sometimes even the body in case of spam. First of all it adds to the authenticity, and second they'll be able to forward your complaint to the responsible ISPs if you had too much beer while reading a spoofed header (more so for spam than virus mails). Some ISPs are quite helpful in this regard.
To aid in identifying the correct abuse addresses I can recommend the hinfo utility as a complement to whois. Oh and if you're stuck with a standard whois, consider replacing it with the one made by Marco d'Itri - it's the default in Debian, and has the ability to guess the correct whois hosts to ask.
Actually, I'd have modded that as funny, myself. And I've got karma to burn. Some people just don't have a sense of humor.
When this happens, the only thing you should be seeing is a firewall log stating someone was denied access to port 22, so they don't event get to attempt to login. I can't believe this guy keeps SSH wide open.
tracert? Obviously you use Windows too much to be worth helping here on Slashdot.
If you're only just starting to see several attempts a day, and your server's connection is from a commercial service provider's block of IP addresses, I suspect you may be missing a whack load of probes. My experience is that a couple of days after you put the box up you should see a half dozen probes a day, but as everyone says, they're just some robots scanning IP blocks. Unless your box reports back something interesting, no-one dangerous will come knocking. In the meantime, take a look at your backup practises.
You may have a local CERT office to which you can report these incidents. I guess that's what you "should" do.
However, in my experience that's a complete waste of time. CERT (both national and international) have proven themselves to me to be a bunch of flaming morons and pacifist hippies, either ignorant or afraid of their own shadows - well, maybe unless you're Raytheon or someone else who has friends that fund CERT...
What you can do, however, is to set up firewalling. Make it annoying - use "drop" rules instead of "reject" - so that SSH connections like you are seeing, made from "unwanted" IP addresses will simply hang for a small eternity before they time out, rather than giving the k!dd13 a login prompt right away.
Filtering out ICMP ECHO REQUEST messages might be a good idea - nmap with default options will not portscan a machine if it can't ping it - so while this of course doesn't buy you any security in any way whatsoever, it may lessen the number of attempted intrusions. First firewalling advice still stands though; set up rules to waste as much as possible of the wannabe intruder's time.
Last but not least - make damn sure your systems are secure. (this implies; running a GNU/Linux distribution you can reliably keep up to date, or running some other OS you can reliably keep up to date)
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
Secure your systems and ensure they're running the latest copy of everything, avoid using old software that is likely to have security holes that are well-known.
Log as much detail as you can to tell when an attack happens and where it's coming from. Without that kind of info, you'll not know what's going on with your systems.
Abuse reports on especially egregious behavior should be filed. We want to discourage this kind of behavior, so the only thing to do is to check your logs regularly for anything that appears *not right*. If you find a large block of attempts from one source, extract those log entries and include them in a *polite* letter to abuse@[originating ISP].
Then firewall off the source, not just the single IP source but the /24 surrounding it, is my own motto. If one asshole can abuse you, and being that most abusive assholes live on DSL/cable with DHCP and can be in any address within a certain block, block enough space to cover any possible ingress. Then and *only then* can you rest easy.
1) Tripwire is a file integrity checker. I suppose you mean portsentry or similar. 2) Automatic firewalling is a VERY bad idea. Remember that most modern scanning techniques do not require a full TCP connection, and are therefore eminently spoofable. Now imagine someone spoofing a syn scan from the IPs of google.com. BOOM! No more google for you, you just firewalled it off yourself. BOOM! No more slashdot. BOOM! No more quake server. You get the idea.
Sending cease and desist orders?
1) Assuming you can track them down
2) Assuming they're somewhere they would care (I'm sure all these Russian kids are just trembling at the idea of a "cease and desist" order from a US court)
3) Assuming the IP addresses you are even logging point to the source
I got news for you mang, this ain't nothing new and there's not much you can do except to run a tight ship and prevent breakins.
Welcome to the Internet,
-M
Seems like me posting that link, has resulted in it exceeding its allowed bandwidth. Here's the Google Cache.
Let me guess you're probably getting the following attempts on the accounts
test, guest, admin, user, and root
At least that's what I've been noticing over the last week on my boxes.
Just someone scanning by looking for accounts to exploit by the looks.
Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Most gratifying was one occasion when the same guy tried rooting me four times in a row, each time separated by five minutes while he was presumably rebooting.
PS: Yes I do think that turnabout is fair play, and no I didn't get attacked by legions of crackers afterwards.
Ask your management first. Don't do ANYTHING without their consent, even sending an abuse report.
Remember, you are there for technical work - let management make the decisions or you may find yourself out of a job. Some companies do not want the embarrassment or hassle of dealing with intrusions, and most usually want nothing to do with law enforcement.
Do you have policies in place? What are your procedures for handling "chain of custody"? Do you have evidence on trusted media, printouts, optical disc? Have you established a line of reporting to a senior manager who can observe your actions for an audit trail?
Don't play cop unless you know what you're getting yourself into. Ignore this at your peril.
......shoot them.
Preferably the job should be outsourced to a 3rd party subcontractor of foreign origin
Ack! Now even slashdot is promoting offshoring!!! Ugh...
If you're really worried, change your SSH port. I too have noticed the increased attempts on guest, admin, test, and root accounts via ssh. I just changed the port. That has worked very well to keep them from even trying. Doesn't hurt to mix obscurity WITH security.
However, one time a few years ago, I was sitting at the console while multiple attempts were made on various ports. Being in the mood I was in, I looked up his IP address, and found that he was on a local ISP. Decided to call tech support of that ISP. The support guy confirmed my report, then suspended his account on the spot.
That was a bit of instant gratification for me, and probably a lesson for the (likely) high school kid on the other end.
your MAC address is transmitted over the Internet
Your MAC address is part of the ethernet frame (see here), which gets stripped as soon as it crosses a layer 3 device like a router. At best your MAC address is transmitted over your LAN, or maybe your cable modem neighborhood. MAC address filtering is only good for checking for foreign users on a local network, and even then ignores the fact that most hardware these days has configurable MACs.
Post his info here.
We'll take care of him.
they're cheap and small. perfecto for installing linux/bridge on and then making a firewall out of it. I only allow traffic from non-domain computers through to http(s), smtp and imaps. Best thing is, with a little work you can make yourself a set of webpages on your shuttle that will invoke iptables/ebtables to block off intruders. Then you don't feel so inadequate when you see someone trying to break in. In fact I've gone so far as to make my own IDS and have it look periodically for a few known things like sql server login attempts and smb... at least that keeps my log files a little cleaner so I can assess the real problems easier. You never have to ignore anything... and this solution only cost me a grand. If someone wants it, I've made my shuttle capable of making a replica of itself on cd (live-cd at that) for easy distribution - running debian.
Cuckoo's Egg by Cliff Stoll. Not entirely relevant to today (describes tracking a hacker in the late 80s/early 90s), but a good read, and gives general ideas.
If you've got tracert, you are running the wrong OS.
In college, I was on what seemed like the world's biggest unswitched subnet. All the dorms could see the ethernet traffic from all the others. Some of us ran packet sniffers to see what interesting stuff we could learn. Eventually came the day when the packet sniffers got easy to use and just started dumping out passwords and logons. That's when the port scans followed by log in attempts got almost continuous.
Fortunately for me, about the same time, windows denial of service attacks and remote crash programs were also in vogue (http://www.rootshell.org , but it no longer seems to have the same focus). So, I made my finger port respond with about a dozen of the most popular remote DOS/BSOD exploits. This worked very well. Remote login attempts stopped.
For grad school, I moved off campus. We got a cable modem with Road Runner. I didn't disable that autoresponse. One of the ambitious admins (hi, Mr. Herrick) decided to do some port scans to verify nobody was running mail servers / IRC servers etc. About the third time he port scanned me (with a windows machine), our cable modem was disabled and I had to have a conversation with the admin about what was happening and why. He seemed to like my explanation, asked me to disable my countermeasures and reactivated my cable modem.
Don't scan my ports!
Worrying about port scans is a blast from the past. Let's see now, 65536 ports, that's 16-bits of space from which to brute-force your secret. Do you see anyone advocating 16-bit encryption as secure? I don't think so. You are truly pwned.
If your security depends on people not knowing which ports you have open, then you have no security.
And it's so damn CATHARTIC!
THANK GOD!!!
I've not had luck confirming this with anyone else (I have a friend that says they've seen the same and thought they had some security reference about this), but this only is recent, so may be part of it.
You can do what I do. Try to hack them back. I don't do this for worm type attacks, but a if there are real obvious manual attempts to hack my system, I try to hack the person back. Doesn't always work, but what's really funny is so many of these guys have accidentally installed exploitable stuff on their machines, like BO2K server and otherwise have unprotected systems. I'll usually try to get in and leave a real obvious note. Maybe a message box or replace their wallpaper with a note saying, "Do you really think you ought to be hacking other people's boxes when you can't protect your own?" Stuff like that.
I'm not sure how effective a deterrent it is, but it sure is fun and gives me loads of satisfaction. As for the legal aspects, I can't say, but I figure someone trying to hack my box is pretty much giving me the right to hack theirs back. Of course, that's probably akin to vigilante justice which isn't legal...
What you should do is set up a chroot environment. Make it really easy for them to get in, but when they actually do gain access to the machine, they will be in a chroot'd environment. You could even set up all kinds of stuff in that environment to make them think that they are 31337. Once they mark their territory or whatever they want to do, they may never bother you again. Then reset the chroot environment so the next sucker thinks he's the first in.
The online cartoons - once again - show us how the world works. Here you can find the difference between Hollywoods form of dealing with intruders, and The Real Worlds:
and wipes out all your data.
including connection logs ... so what's the point ?
This is like the kid that walks down the parking lot, checking all the car doors. Private property, which means the company has to call the cops.
If you want to do something, then you can send a letter to the ISP. Otherwise, you have to make like the Britons; batten down the hatches and hope the Luftwaffe passes you by.
I guess you can go hunting, too. Hack the ISP, grab a ballbat, and send a "cease and desist" request yourself. An ounce of assbeating is worth more than a pound of Congressional Legislature.
When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The problem with your suggestion is that human response doesn't scale. At her average low of 15 mins per day dealing with the problem manually or socially, the rate of intrusions only has to increase 32-fold before it takes up an entire 8-hour normal working day. How many thousands of network admins are you going to hire to handle a DDoS attack from 100K sources? There is no limit to the number of owned Windows boxes out there.
It doesn't scale and it doesn't help. It is far better to spend your network admin's time on making your systems ever more impervious to attack, and if she has any time left over, to teach others how to do likewise. Ultimately, if all sites are securely tied down then it doesn't matter what the cracker kiddies are doing.
"KILL THE HUMANOID! KILL THE INTRUDER!"
Old videogames have the answer to everything!
You must think in Russian.
I once heard a story about someone who had a (warez) ftp server which someone kept brute forcing. This happened here in Finland, in a small town of about 20000 residents (in which I don't live, though).
:)
Being a little pissed off as the attacking continued for some time consuming his precious bandwidth, he tracked his IP and with some social engineering he found out the attacker was just some high-school script kiddie, along with the information of where he lived. So he went where the attacker lived and left a note on his home door with something like "stop bruteforcing my server or else...".
Suddenly, the attacks stopped
ISP's are not in the business of pissing off their customers. They're in the business of keeping the ones they've got and getting even more. All you'll get is a form letter; most likely the person at the source address won't even hear from them.
In my experience complaints sent to government entities and most universities elicit a positive response. Just make sure you've got the logs to back up your complaint. Include dates, times, and packet captures if you've got them.
Lock your machine down and CYA (cover your ass) with lots of banners; on any port that you have open to the outside, have a banner stating the AUP for your organization. For the main website, a link should be sufficient, but check with your legal department. After you post the banners, start recording the traffic, as with your AUP, consent to monitoring is perfectly legal if they click OK or continue to log in. That way you have more of a case should someone actually break into your systems ... or more of a case when you send a letter to the upstream ISP; they won't give a shit if you don't have banners.
just my $0.02
~ryan
Send a copy by snail mail.
They do not know if you'll sue but this should get a response. You might also make it clear that if the attacks stop you have no interest in any further legal action. This lets them know: get rid of your problem, and you won't be their problem.
Q: What is myNetWatchman?
A: myNetWatchman collects, analyzes and reports malicious access attempts to ISPs, who can then take action against the offending machines.
Q: How does it work?
A: A small client-side application runs as a background application on your system; reading your firewall logs, and creating near-real-time reports that are relayed to the myNetwatchman servers for analysis.
Q: How does myNetWatchman know the difference between a threat and a false alarm, and how does it respond?
A: When the analysis routine determines that a legitimate threat exists (based on reports from several agents), an automatic "Escalation Report" is sent to the abuse department of the offender's ISP. Any responses received from the ISP are also tracked.
Data integrity is more important than catching them. Remember that first.
1) Make notes about what you've found
2) Report the abuse as per the WHOIS info for the offenders
3) Block their IPs at your border
If you're using a firewall, great. If not--get one.
If you haven't read Frisch's "Essential System Administration" read it:
http://www.oreilly.com/catalog/esa3/index.html
If you haven't read Stephen Northcutt's "Network Intrusion Detection" you should probably give it a good read as well:
http://www.amazon.com/exec/obidos/tg/detail/-/073
There are some good articles all over the web regarding Linux security. A few google searches will help uncover them.
Patch. It's not just for Windows.
Limit services with ACLs and host restriction.
Harden your system by partitioning read/write slices away from static mountpoints where your binaries are by mounting the read only ones as read only.
chattr +i on your binaries--makes it tougher for skript kiddies.
Talk to other admins--every day is a school day.
AND
Face the fact that you're not as smart as the crackers so you just have to create layers of security that keep you from being an easy target.
I might know what I'm talkin' about, but then again, this is Slashdot...
I agree with the others. Ignore the little shits. Yeah, they piss me off too. Sometimes people have nothing better to do with their time than to pull their puds and sit in front of a pc doing this $heot. I pose an open question to these freaks- why don't you all get a life?
Anyway, keep logging and checking. Make sure your machines are patched and your firewall is configured correctly. If they can't breach anything, eventually they'll give up.
It would be nice to adopt a routing protocol extension where you could ask an upstream router to block packets meeting a given criteria (*only to yourself, of course*). This would destroy DDOS attacks, which are currently the only really unstoppable attacks in existence: say you're getting flooded by ICMP from 250 hosts, and you just tell the upstream router to block ICMP traffic from the hosts in question (or for convenience's sake, altogether, whatever really). It'd pretty much leave you scot free; in fact if it was extended further, DDOS zombies might get to the point that all their outbound traffic was blocked at their closest non-controlled router point, which might clue in the users as to the status of their machines.
Patent Pending!
i actually create a block list of IPs that come in and attempt such attacks on my servers. i got tired of the worrying about if someone would get into something, so now i just shut the door on them for the next time. sure they could spoof their IP or come in from another one, but if i reach x amount from a certain IP range, i'll wildcard the remainder.... sux to think that i could lose a few customers based on that, but i'd rather ensure the security of the ones i do have.
Don't do anything. If you can see them in your logs, chances are they are just kids experimenting. They obviously have too much free time on their hands. Keep your systems tight and learn from intrusion attempts but just let them play. No need to report it.
How else are they meant to learn? For a lot of geeky kids, this is their teen angst getting out. It's like the kids who steal your fruit from your fruit tree. It's an inconvenience, but they'll get over it eventually. And they'll develop an appreciation of fruit.
I used to be very security/network focused for a few of my highschool years. I grew out of it. Somehow life seems to get in the way.
Casing the joint would be when you then attempt to connect to each open port in turn, and try to verify the version of the server running on each port, perhaps by submitting malformed requests and looking for characteristic responses.
That would be indicative of someone trying to find a way in.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Then send the NOC or Abuse desk something like:
"Ok, tell your user to knock it off, please. Thank you."
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
net send $THEIR_IP piss off
You might not be able to do anything about these intrusions. But, you should share your firewall log file with other network admins by sending it to DShield.org. This is the Distributed Intrusion Detection System. For those who have never seen DShield.org, it maintains a list of IP addresses of known/suspected intruders. They can be direct abusers or zombies.
If they manage to get root on your box, they'll probably do one of several things once you clean up all of the root kit mess.
If they put an irc bot on your server, you can steal their channels. They're practically giving you, someone they don't know, access to their botnet.
If they set up a warez ftp, you can have some fun with them by putting trojans into their files. Since they've already saved you the time of putting warez on your computer, be sure to copy anything good first.
If they're using your machine for DDOS floods, you may be able to hijack their DDOS network, use it against your enemies or competitors, and blame it on some dirty hackers.
If they steal your database of credit card numbers, it's a sign that you should quit your job and find a new career.
windows idiot
your box is already owned
enjoi
What the hell! Why not?
Aug 12 05:08:28 pokey sshd[7534]: Illegal user test from ::ffff:203.186.65.92
Aug 12 05:08:31 pokey sshd[7534]: Failed password for illegal user test from ::ffff:203.186.65.92 port 4570 ssh2
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from ::ffff:217.115.83.1
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from ::ffff:217.115.83.1 port 39378 ssh2
Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from ::ffff:217.115.83.1
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from ::ffff:217.115.83.1 port 39462 ssh2
Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from ::ffff:217.115.83.1
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 39609 ssh2
Aug 12 10:51:54 pokey sshd[7621]: Illegal user admin from ::ffff:217.115.83.1
Aug 12 10:51:57 pokey sshd[7621]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 39742 ssh2
Aug 12 10:52:01 pokey sshd[7623]: Illegal user user from ::ffff:217.115.83.1
Aug 12 10:52:03 pokey sshd[7623]: Failed password for illegal user user from ::ffff:217.115.83.1 port 39878 ssh2
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from ::ffff:217.115.83.1 port 40005 ssh2
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from ::ffff:217.115.83.1 port 40145 ssh2
Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from ::ffff:217.115.83.1 port 40277 ssh2
Aug 12 10:52:27 pokey sshd[7631]: Illegal user test from ::ffff:217.115.83.1
Aug 12 10:52:29 pokey sshd[7631]: Failed password for illegal user test from ::ffff:217.115.83.1 port 40412 ssh2
Aug 12 11:01:41 pokey sshd[7659]: Illegal user test from ::ffff:217.115.83.1
Aug 12 11:01:44 pokey sshd[7659]: Failed password for illegal user test from ::ffff:217.115.83.1 port 49595 ssh2
Aug 12 11:01:48 pokey sshd[7661]: Illegal user guest from ::ffff:217.115.83.1
Aug 12 11:01:50 pokey sshd[7661]: Failed password for illegal user guest from ::ffff:217.115.83.1 port 49726 ssh2
Aug 12 11:01:54 pokey sshd[7663]: Illegal user admin from ::ffff:217.115.83.1
Aug 12 11:01:57 pokey sshd[7663]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 49861 ssh2
Aug 12 11:02:01 pokey sshd[7665]: Illegal user admin from ::ffff:217.115.83.1
Aug 12 11:02:03 pokey sshd[7665]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 49983 ssh2
Aug 12 11:02:07 pokey sshd[7667]: Illegal user user from ::ffff:217.115.83.1
Aug 12 11:02:10 pokey sshd[7667]: Failed password for illegal user user from ::ffff:217.115.83.1 port 50117 ssh2
Aug 12 11:02:16 pokey sshd[7669]: Failed password for root from ::ffff:217.115.83.1 port 50257 ssh2
Aug 12 11:02:22 pokey sshd[7671]: Failed password for root from ::ffff:217.115.83.1 port 50398 ssh2
Aug 12 11:02:29 pokey sshd[7673]: Failed password for root from ::ffff:217.115.83.1 port 50546 ssh2
Aug 12 11:02:33 pokey sshd[7675]: Illegal user test from ::ffff:217.115.83.1
Aug 12 11:02:35 pokey sshd[7675]: Failed password for illegal user test from ::ffff:217.115.83.1 port 50678 ssh2
Aug 12 12:23:19 pokey sshd[7703]: Illegal user test from ::ffff:202.129.52.50
Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from ::ffff:202.129.52.50 port 3258 ssh2
Aug 12 12:23:26 pokey sshd[7705]: Illegal user guest from
I remember monitoring for netbus attacks with this software called netbuster, and I would e-mail the ISPs that someone was trying to attack my machine from their service and it may or may not be because the users machine is compromised. I would usually get an e-mail saying they informed the user and also thanking me for alerting them, and so maybe this same thing applies here?
You apparently misstyped the URL of your porn server. Please resend.
--LordPixie
Just submit your logs to dshield.org and they will forward your complaints to the proper admin.
Casing the joint would be when you then attempt to connect to each open port in turn
I disagree. Port scanning is trespassing and falls under the same difficulties as the physical manifestation of the law. Dealing with a neighbor who constantly runs his lawn mower two feet onto your property, kids taking short cuts across your back yard, etc. is unrealistic and nearly impossible to prosecute. Yeah, we all knew the crazy neighbor who would hide in his yard waiting to catch one of us slipping through, but most people ignore it or recognize the futility of going after every single instance. And on the Internet, it is increasingly likely that you'll find a neighbor (à la Area 51) who finds it useful to cause you considerable inconvenience when you decide to trespass (as well as sufficient experience to cause you to never wish to repeat the experience). Unfortunately a random IP address just doesn't give you the same warning as do posted signs stating "Warning: Protected Facility. Trespass beyond this point is really a bad idea."
However, as it becomes easier to trace the Internet equivalent of trespass (e.g. IPv6 and other mechanisms that reduce the ability to misrepresent your origination), the arms race will find balance once again. Just as zombies have automated the offense, expect the same in response that will provide aggressive reciprocation from those who care about trespassers. Yes, much of this ability exists today, but there is an ethical issue associated with launching a counter-DDoS when the verification of the origination address is not precise and exact.
So don't pretend trespassing is acceptable. It may be overlooked... today... but you will eventually encounter a neighbor who may have the interest and resources to ruin your day/week/month/career/credit/FBI file.
Someone tried like over 500 different usernames to get into my POP server. Too bad for them I only have like 3 users, none of which are first names. Freaked the hell out of me at first. I also get the usual root connections to ssh, and test and unknown.
They don't bother me anymore, when I'm bored I send emails to netblock owners.
tracert?? you're a windows geek?
move along... nothing to see here....
"We are not tolerant people. We prefer drastically effective solutions"
Figure out who they are and give them evil glares while in the cafeteria.
I know I for one have accidentally typed root for my login name on someone else's box on more than one occasion.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Apparently there is a lot of talk here about involving law enforcement, the law, etc.
What a lot of you don't know, which I learned via hard knocks, was that unless you are a large corporate entity with gross yearly earnings in excess of $500k, there is NOTHING that you can do with any judge, law enforcement, or the FBI. They simply tell you to "deal with it".
This is why the issues of hacking and open spam relays, and all the other jazz will never go away, because it's not profitable or should I say; "chargable" under current statutes.
Good luck!
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
The real value of a honeypot is not a slap in the face to the hacker.
The real value is in observing what kinds of attacks are being used, especially to see if any NEW types of attacks are being used that your real systems may not have been secured against.
I'll see your senator, and I'll raise you two judges.
Awesome.
"I'm just here to regulate funkiness."
Yeah, but Tom Hudson didn't plan on dealing with the DDOS of the SLASHDOT EFFECT.
Why not create a honey pot that is weak enough for them to compromise it? Then you have evidence of a break in and the grounds to prosecute. Assuming you can identify the offender through the ISP you can make some serious threats with definite consequences.
Of course you should make your box as secure as possible. Ignoring automated attack attempts is probably the wisest course of action as well; otherwise you waste a lot of time and only draw more attention to your network, making it a bigger target.
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
A post a day keeps productivity at bay.
So, being a good guy, I never respond in kind (I could, but 1) it's wrong, 2) it affects more than just the target and 3) I don't feel like going to pound-me-in-the-ass prison), I just log every single packet I can, and when the attack is over find the worst offenders (typically the packets are not spoofed) and use Spamcop and whois to find the responsible parties for each one, and send them all an email.
Many (most?) emails elicit an automatic response.
Perhaps 10% get a personalized response, but usually this response says that I should contact the ISP of the offender (when in fact that's exactly what I'm doing.) Perhaps half of the responses I do get say they'll do something about it, which is good -- usually these are compromised drone/zombie machines, and need cleaning anyways.
Quite often, the attacker is stupid enough to ping my machine from his home machine (so he can see how it's going), not thinking I'll notice that. When this happens, I can also email his home ISP, the people who really know who he is, and the people who can really hit him where it hurts. Except that they ignore my email too, and if they do email me back, they just tell me that the attack did not come from their ISP so they can't do anything, or there's no proof that the pinging is related to the attack.
Phone calls are much more effective than emails, but you really need to make them during the attack for them to take them seriously. And often the attacks happen outside of business hours, so there's nobody to call. And they're very time consuming.
Though I did succeed in nailing at least one guy. He was in Romania, and he messaged me a few weeks after the attack basically pleading with me that it wasn't him, but his brother using his computer. Apparently the police (in Romania) were questioning him, and one of the things they showed him was my email. The police had never contacted me -- I'm guessing that my email was just one of many pieces of evidence they had against the guy. I felt a bit bad for him, but not that bad. Not that I had any control over what was happening to him at that point -- it was out of my hands the moment I sent my email.
So, if it happens again, I'll do the same thing. I know it's not likely that anything substantial will come from my emails, but there's still a chance. Every time it happens, I know I nail at least some of his compromised machines, and have a chance at getting him. I'll win eventually -- either that, or he'll hit puberty, in which case we both win.
I have someone trying every email address (jon@site.com, jim@site.com) looking for ones to spam (or maybe to spam from!). Is there any way to stop that one?
"Arabs, technically, are caucasians. They're just curly haired, tanned white people. Not entirely unlike Italians."
;-)
WTF? Italians are white people?
I thought that is why we have routers.
My routers block all unused ports and use NAT. I don't control the web server, so I'm not sure what goes on there, but I always believed that proper firewall and router configs can stop these kinds of things before they start. Please correct me if I'm wrong.
It's really a shame that most intrusion attempts are worms or automated bots with no one to see the clever responses. For my own home system where I'm not running a real web server, I have a script on port 80 serve up a redirect to the Department of Homeland Security. >:-)
I must admit that is probably one of the few things that might actually work. How many viruses are there with attachments that MUST be opened before they work, that get spread beyond belief? People are naive and/or just don't care. If they still don't know, get off the highway and make way...
You'll hate me for it, I know, but why do we have T-shirts with "No, I will not fix your computer"??? Because we know why it got broken, again....
Message from god, Please logoff, rebooting the Universe
Chances are that you are not being directly hacked, but automatically probed by a system already infected with a rootkit.
There are a lot of people out there who have no idea that their computer is infected with a rootkit, and many would be grateful to be told so.
Failed logins from these:
   admin/password from 217.115.83.1: 4 Time(s)
   admin/password from 61.1.96.124: 2 Time(s)
   guest/password from 217.115.83.1: 2 Time(s)
   guest/password from 61.1.96.124: 1 Time(s)
   root/password from 217.115.83.1: 6 Time(s)
   root/password from 61.1.96.124: 3 Time(s)
   test/password from 217.115.83.1: 4 Time(s)
   test/password from 61.1.96.124: 2 Time(s)
   user/password from 217.115.83.1: 2 Time(s)
   user/password from 61.1.96.124: 1 Time(s)

Illegal users from these:
   admin/none from 217.115.83.1: 4 Time(s)
   admin/none from 61.1.96.124: 2 Time(s)
   admin/password from 217.115.83.1: 4 Time(s)
   admin/password from 61.1.96.124: 2 Time(s)
   guest/none from 217.115.83.1: 2 Time(s)
   guest/none from 61.1.96.124: 1 Time(s)
   guest/password from 217.115.83.1: 2 Time(s)
   guest/password from 61.1.96.124: 1 Time(s)
   test/none from 217.115.83.1: 4 Time(s)
   test/none from 61.1.96.124: 2 Time(s)
   test/password from 217.115.83.1: 4 Time(s)
   test/password from 61.1.96.124: 2 Time(s)
   user/none from 217.115.83.1: 2 Time(s)
   user/none from 61.1.96.124: 1 Time(s)
   user/password from 217.115.83.1: 2 Time(s)
   user/password from 61.1.96.124: 1 Time(s)
What kind of attitude is "Bust them quick before they get smart", anyway?
I don't even know if it counts as an intrusion if someone's idea is log on and ask your machine politely for root. Heck, you were the one that set up your machine to sit there and *listen* to such requests, and (probably) to ignore them.
It's obviously malicious if they are actually trying real exploits, of course.
Given the possibility of compromised machines, isn't it possible that many / most of the IPs recorded are not, in fact, the guilty party? What if you end up getting some innocent family in trouble (who maybe have one kid smart enough to have a finger pointed at him), because their machine got owned by someone across the world- and *that* control was established by a library computer, effectively untraceable to the original malefactor?
Well, a brutish way to make a point is to block all the whole of Comcast's addresses.
Then, send a polite note to Comcast upper management (here's the list) letting them know what you've done, and why. Suggest that they visit your /. posts to see a very visible reference to their lack of customer service or concern for security. Explain how many people read Slashdot daily. Let them do the math on how many potential customers they risk alienating.
I'm not tense. I'm just terribly, terribly, alert.
If it were that easy, don't you think we'd be doing it? These attacks are insidious things. If you're not willing to take the time to secure your machine (or at least recognize when it's been cracked and have the responsibility to take it offline), then you have no business operating on the internet.
Parent is right. If you leave your box open and it is used to attack my server, it's completely reasonable for me to attempt to render your machine unusable.
I've found that most script kiddies aren't secure themselves. Deleting that io.sys file teaches them a few good lessons. And when it isn't a windows machine, send a dos attack.
http://www.forescout.com/activescout.html
This is the only silver bullet I've found, I wish I had the megabucks needed to purchase one.
Try the Demo Center
Or,
A very cool managed Linux backup (drop and forget) Mac and Win and you name it friendly.
http://www.kamaradata.com/
Saw this one in action a few days ago, it handles Mac resources and all, never have to even deal with the OS.
VPN tunnels in a managed node config, and I think they're looking at XGrid (Xgrid) for Unix as an optional service.
http://unu.novajo.ca/simple/archives/000022.htm
http://www.apple.com/acg/xgrid/
~hylas
You could probably go in without feeling uncomfortable, and they actually sell pretty good stuff. Plus, in giving them business you're paying them back for not throwing the book at you way back when.
I had some similar encounters with authority figures when I was a kid. Most of them weren't even intentional authority figures - just people who noticed I was out of line and stopped me from doing things I would have really regretted when I grew up and got a clue. It was embarrassing as hell at the time, but in retrospect I'm very grateful for what they did. Even mentioned one of them in the dedication to my book.
1. The ISP usually will not care even if you report it.
2. Chances are low that is actually the attacker's machine -- more likely they have compromised it and are using it as a stepping stone.
3. If you try to retaliate, the kiddie may get pissed and DoS you.
4. The feds don't give a fuck.
Cracker kiddies are like hornets. They swarm, but unless you piss them off, they won't attack. And they're too stupid to get in the door. Ignore them.
I am very confident that the challenge-response is secure by design. No one's been able to find any kind of hole in it. It's theoretically possible to brute-force it, but most people can't wait until the sun burns out to hack in.
PHEM - party like it's 1997-2003!
Sometimes you can do something.
-- Jack
This approach is not recommended.
I think it would be neat to have a program that could be easily installed on a box, that would act as the firewall for the system. Traffic that a firewall would normally allow is passed normally. Traffic that would normally be dropped, such as a query to a port that is not open on the firewall, would not be dropped but instead be passed to the honeypot module of the program, and from there responded to in a way set by the user through a scripting interface.
Example: You aren't running a telnet server on your box, so normally a connection attempt to port 23 would be dropped. Here you set your honeypot controls to engage a script that you have made (or that came pre-packaged with the software) showing them a fake login prompt that looks like whatever software you wish them to think you are using. Script appropriate responses to possible actions the hacker might try, based on what software they think you have. Let them appear to log in with 'admin/admin' or whatever, and show them fake file directories and whatnot. Certain often-targeted files could be spoofed so the cracker can actually 'read' them and not be tipped off. Basically have the software fuck with them for a while before revealing that "it's all been logged you luser, the Matrix has you, disconnect before things get worse."
You could make a windows box look like anything else to mess with them, if your arsenal of scripts is deep enough. The program could come with a whole whack of pre-defined scripts, and users could create and upload new scripts to a website for others to install in their systems. And when someone installs and runs the program for the first time, they are *forced* to choose a computer name, OS, and other details, so that every out-of-the-box install of this thing doesn't look like every other one out there, making it less easy to detect.
You'd have to make the main code smart enough to not bother if the intrusion appears to be a worm; otherwise such a machine would likely get pretty bogged down. I don't know how to do any of this, I would just like to have the software.
Please? Somebody?
Someone might have suggested this already, but an automated script that does a whois on the IP from the appropriate Internet number committee (or whatever the hell you call folks like ARIN, APNIC, et al.) and sends an email to the IP block's admin/abuse address would work. Mostly, these emails get ignored unless they start appearing in large volume (if someone is dumb enough to continue trying to intrude from the same IP block).
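An added example of the whois-driven abuse report the post above describes; it is not the poster's script or anything else from this thread. It assumes the text of a `whois <ip>` reply has already been captured (the two replies below are constructed for the documentation address 198.51.100.23 with example.net/example.org mailboxes, not real registry records), picks out the abuse-mailbox / OrgAbuseEmail fields that RIPE- and ARIN-style databases use (falling back to e-mail / OrgTechEmail), refuses to report private or loopback addresses, and builds the short factual note the thread recommends. Actually sending it is left to the reader.

```python
import ipaddress
import re

# Sources we never report: our own LAN, loopback, link-local. A hit from one
# of these is either internal or spoofed, and an abuse desk can do nothing.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Field names from RIPE/APNIC-style (abuse-mailbox, e-mail) and ARIN-style
# (OrgAbuseEmail, OrgTechEmail) replies. abuse-c is a handle, not an
# address, so it is deliberately not matched.
CONTACT_RE = re.compile(
    r"^(?:abuse-mailbox|OrgAbuseEmail|e-mail|OrgTechEmail):\s*(\S+@\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed whois replies for this example (not real registry records).
RIPE_STYLE = """\
% Constructed example reply, RIPE-style fields
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-DSL-POOL
descr:          Example ISP, constructed for this example
admin-c:        EX123-EXAMPLE
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
"""

ARIN_STYLE = """\
# Constructed example reply, ARIN-style fields
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Cable Co (constructed)
OrgTechEmail:   noc@example.org
OrgAbuseHandle: EXAB-ARIN
OrgAbuseEmail:  abuse@example.org
"""

# Constructed log lines in the sshd format quoted elsewhere in the thread.
SAMPLE_LINES = [
    "Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from ::ffff:198.51.100.23 port 40005 ssh2",
    "Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from ::ffff:198.51.100.23 port 40145 ssh2",
]


def should_report(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_REPORT)


def abuse_contacts(whois_text):
    """Unique contact addresses from a whois reply, abuse mailboxes first."""
    seen, found = set(), []
    for email in CONTACT_RE.findall(whois_text):
        email = email.lower()
        if email not in seen:
            seen.add(email)
            found.append(email)
    # Stable sort: addresses starting with abuse@ keep their order, ahead of the rest.
    return sorted(found, key=lambda e: not e.startswith("abuse@"))


def draft_abuse_report(ip, log_lines, reporter, tz="UTC"):
    """The short, factual note the thread recommends: what, when, from where,
    with the raw log lines so the ISP can match them against its own logs."""
    body = [
        f"Subject: Unauthorized SSH login attempts from {ip}",
        "",
        "Hello,",
        "",
        f"At the times below (all {tz}), {ip} in your address space made",
        "repeated failed login attempts against our SSH server. The host may",
        "be compromised rather than the attacker's own machine; please check.",
        "",
        *log_lines,
        "",
        "Please tell your user to knock it off. Thank you.",
        reporter,
    ]
    return "\n".join(body)


def report_for(ip, whois_text, log_lines, reporter):
    """(contact, message), or None if the address should not be reported or
    the registry record names nobody to send it to."""
    if not should_report(ip):
        return None
    contacts = abuse_contacts(whois_text)
    if not contacts:
        return None
    return contacts[0], draft_abuse_report(ip, log_lines, reporter)


if __name__ == "__main__":
    # In real use whois_text would be the captured output of: whois 198.51.100.23
    result = report_for("198.51.100.23", RIPE_STYLE, SAMPLE_LINES, "drakyri")
    if result:
        print("To:", result[0])
        print(result[1])
```

Rate-limit what you send: one note per source per day with all its log lines attached is far more likely to be read than one email per failed login, and the timezone line matters because the ISP will be matching against its own RADIUS or DHCP logs.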
Vigilante Justice
Post the logs on a dedicated page, such as http://foo.com/intrusion_attempts/.
No one likes to see their IP address attached to an intrusion attempt, indexed by Google, available for anyone who searches for that IP.
Heck, once you let Italians in, it opens the door to considering Irish folks as white. Which is clearly bunk; they are Appaloosa at best. Freckles, you know.
This will only suppress people trying to get into your various info servers (telnet, ftp, etc...); you will still get the vast script kiddie assault every day on port 80. You can allow people you want to connect to you on VPN or other services by adding their static IP to the file.

hosts.allow

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
ALL : 127.0.0.1 : allow

# internal ip
ALL : 192.168.1.100 : allow
ALL : 192.168.1.200 : allow
ALL : 192.168.1.201 : allow
ALL : 192.168.1.202 : allow
ALL : 192.168.1.203 : allow
ALL : 192.168.1.204 : allow
ALL : 192.168.1.205 : allow
ALL : 192.168.1.206 : allow
ALL : 192.168.1.207 : allow
ALL : 192.168.1.208 : allow
ALL : 192.168.1.209 : allow
ALL : 192.168.1.210 : allow

# other people you like go here
ALL : 00.000.000.00 : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
                /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

hosts.deny

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "Eat a dog poop. You are not welcome to use %d from %h..."
Scaring some poor sucker who's already been owned once is not going to change things much.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
I work for an isp in Oklahoma. We have about 2,000 DSL customers right now and if we receive email or a call from a person telling us that 'This ip was hitting my firewall on this day at this time.' we check our logs, find out who they are and call them, send them an email or send them a letter. We don't just let it go. If you contact their isp then usually they should handle it from there.
Seriously.
It's not causing you a problem. Don't waste time on them. If you like, keep logs, so you can backtrack later if something does happen.
Your main concern is keeping things secure, not hunting down everyone who tries to gain unauthorized access.
Further.. I think it still holds true that if you put up services that listen and answer publicly on the internet, you should expect people to try to use them, even for things like SSHD. It is completely within your technical means to prevent outsiders from being able to even connect to sshd to guess passwords... so rather than complain about it, do something about it.
You can run all the analogies you want, about how it's an attempted crime, and so on...
After all, it is. Attempting to gain unauthorized access to a system IS a crime.
But it's unrealistic to waste resources on something like this.. you should EXPECT people to try to log in through these remote services.. this is the internet. If you don't want people to even TRY to guess, don't put up the service in the first place. If you are confident that your system is secure, some attempts at access shouldn't bother you.
Think of this more like a fortress in a hostile war zone than a house or car in an urban law-abiding suburb.
The fact is if you start chasing down every little attempt, you waste a ton of your time to no real benefit. Spend that time making sure things are tight and secure.
On a related note, I've been thinking about setting my firewall / router box to have some automated defence things, along the lines of "if the same IP opens >5 connections to port 22 per minute (ie they're probably brute forcing passwords), block them, traceroute them, and add the output to my 'attackers to check out' list" - any ideas how I'd go about this? Ideally I'd like a scriptable userspace daemon version of iptables, but I know not of any such thing...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
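One way to get the automated defence the post above asks for, as an added example rather than code from the thread or an existing tool: instead of a scriptable userspace iptables daemon, it works from the sshd log lines (in the exact format quoted earlier in this thread; the lines below are constructed, and the year is an assumption since syslog timestamps carry none). It counts failed passwords per source in a sliding window, skips an allowlist so a fat-fingered login from your own LAN cannot lock you out, and prints the iptables rules it would apply so you can review them (and run the traceroute/whois the post wants) before blocking.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog/sshd format quoted earlier in the
# thread. Syslog timestamps carry no year; LOG_YEAR is an assumption.
LOG_YEAR = 2004
SAMPLE_LOG = """\
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from ::ffff:217.115.83.1
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from ::ffff:217.115.83.1 port 39378 ssh2
Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from ::ffff:217.115.83.1
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from ::ffff:217.115.83.1 port 39462 ssh2
Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from ::ffff:217.115.83.1
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 39609 ssh2
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from ::ffff:217.115.83.1 port 40005 ssh2
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from ::ffff:217.115.83.1 port 40145 ssh2
Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from ::ffff:217.115.83.1 port 40277 ssh2
Aug 12 11:30:02 pokey sshd[7700]: Failed password for alice from ::ffff:192.168.1.200 port 51234 ssh2
Aug 12 11:30:09 pokey sshd[7702]: Accepted password for alice from ::ffff:192.168.1.200 port 51236 ssh2
Aug 12 12:23:19 pokey sshd[7703]: Illegal user test from ::ffff:202.129.52.50
Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from ::ffff:202.129.52.50 port 3258 ssh2
"""

# Only "Failed password" lines are counted: each "Illegal user" line is
# followed by a matching "Failed password" line for the same attempt, so
# counting both would double-count. "::ffff:" is sshd's IPv4-mapped form.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from "
    r"(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=LOG_YEAR):
    """Return [(timestamp, user, ip)] for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_brute_forcers(events, threshold=5, window_seconds=60, allow_nets=()):
    """Sliding-window count of failures per source IP.

    Returns {ip: most failures seen inside one window} for every source
    whose count ever exceeded `threshold` (">5 per minute" by default).
    Sources inside `allow_nets` are never flagged.
    """
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    recent = defaultdict(deque)
    offenders = {}
    for ts, _user, ip in sorted(events, key=lambda e: e[0]):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders


def iptables_rules(offenders, port=22):
    """Rules dropping further SSH connections from each flagged source.

    Returned as strings, not executed: review them before applying, and
    give them an expiry if you automate it, or the blocklist only grows.
    """
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    flagged = find_brute_forcers(failures, allow_nets=("192.168.1.0/24",))
    for ip, n in flagged.items():
        print(f"{ip}: {n} failed logins within 60s")
    for rule in iptables_rules(flagged):
        print(rule)
```

Run against the thread's own excerpt, the 217.115.83.1 session (six failures in 48 seconds) trips the rule while the single 202.129.52.50 attempt does not; shrinking the window to 10 seconds clears even the first, which is why the threshold and window are parameters rather than constants.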
In the physical-analogy sense, it would be more akin to closing your restaurant without putting up the "closed" sign. When people walk by and try to open the door, you got no business being offended - they're attempting to take advantage of the public service you appear to be offering.
And if you were really dumb and forgot to lock the door too, you've got no business being upset when they walk in and start wondering where the waiter is.
Just throw up some ad banners on the page being spammed by the zombies which pay per page view. Collect some money off of that and use it to combat the problem (or just put it in the company's pocket, whatever :)
--The Dude
That's mathematically correct, but completely unrelated to the observed behaviour of the real world.
The attacks did not increase 3200%, they decreased 66%. The advantage of a human dealing with things, is that humans can change their plans as needed. If the attacks had increased 32-fold, the admin would presumably not have continued on that course of action. Since the actual effect was to decrease the attacks by an appreciable amount, presumably relatively efficiently in terms of the amount of time she spent at it, she was able to apply rational human judgement and decide to continue her approach.
If the offending domain is on file at rfc-ignorant.org, sending an abuse report to them is a waste of time and resources.
Blacklist the offenders instead. (which includes major players like aol.com, rr.com, and comcast.net)
When enough people complain and 'jump ship' at the blacklisted domains, the income lost will motivate the 'powers that be' there to address the situation properly or else they will eventually go out of business.
Usually, this sign is found next to the rear entrances of people's homes, but it might work in this situation:
Warning:
Intruders will be shot
Survivors will be shot again
Occasionally, I've attempted putting in the extra work and translated before sending. My half-assed method is to write the note (without the log entries), run it through one of the above translators, and then run the result through the translator back to English. If I can make sense of the final result, I send the original non-English translation. I've gotten some nice non-English thank-you notes this way.
Luke, help me take this mask off
1) Find them,
2) Shoot them,
3) Send the bill to the parents.
If you weren't just ignoring the fact that people were attempting, you could have already blocked them. And your logs shouldn't be kept on the same host.
Serious? Seriousness is well above my pay grade.
"If all humans were extremely cautious and thought hard about consequences and ethics, the US would not exist, and the natives would still be abundant."
Except that we enslaved and killed the "natives". And then went and found more "natives" from other lands and did the same to them. I'm not too sure your point is valid.
Many windows machines, when trying to do a reverse dns lookup such as with netstat, will attempt to do a netbios lookup.
While port 139 is used a lot by worms, do not block someone who is hitting that port. It could just be their firewall doing reverse name lookup.
iptables -I INPUT -s <hostname-or-address> -j DROP
"...is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes."
Yes. You can actually send an email to these attackers. I have provided a format below to help you out
Dear [insertname]
I am [insert_african_name] from Nigeria. Recently, my Government was overtaken by a ruthless dictator [insert_dictator_name]. This dictator has taken most of my money. With great difficulty, I managed to transfer 3,500,000 (THREE MILLION FIVE HUNDRED THOUSAND DOLLARS) to a safe keeping....
And we'll "take care of you".
We both have an uncontrollable desire to poke it with a stick.
Now we KNOW there's places a stick shouldn't poke... but we have to poke the places we know won't hurt us.
Zanthor
Since the only way in is physical access, an alarmed, steel-framed door with a Schlage lockset, bundled with a Smith & Wesson .357 Magnum and a Browning .30-06 rifle, pretty much guarantees security.
I ran a tarpit under OpenBSD at a large university to protect our subnet. Hardly any department's subnet was protected--fair game to any outside crackers/scanners (or inside zombies). We put LaBrea tarpit on the first (x.x.x.1) address so all scanners got tripped up at our very first address, for hours or sometimes days at a time!
Want to automatically report the offending IP addresses to their ISPs? Check out DShield and and their free FightBack program where they notify the ISPs--not you. See some FightBack results.
There are scripts and clients to report the intrusion logs collected from dozens of IDSs, firewalls, routers and log utilities (e.g. Snort, Linksys routers, IPCHAINS, LaBrea). DShield has Linux and UNIX Client Scripts, as well as Windows Clients.
If the script kiddie/scanners are automatically trying to break in, why not automate the abuse reporting, too? Even if the scanner is a cracked zombie, at least they could be notified--could lead to them securing their machine(s).
For the most part if you ignore them they go away.
If you make a big deal about it, the perps may feel you are worth attacking.
If it seems really serious and you are a government contractor, contact the appropriate agency.
This gets used all the time but is an incorrect analogy. A house is private property.
A correct analogy would be to go to the mall, then try opening the doors of the shops located at the mall.
Portscanning by itself is only a _possible_ precursor (providing they are not performing a DoS) to illegal activity. Portscanning by itself is not a bad activity unless they are doing other "bad" activities such as spoofing addresses, etc. in order to portscan a network that would not normally be regarded as public.
and do it well, unlike the script kiddies bombarding your systems.
then leave a note on their windoze desktop saying they've been pwned and to stop f'in around on other people's servers or you'll upload kiddie porn to their HD and send the secret service after you...and maybe you already did...
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
How about a fake shell which prints out a nice message telling them their attempt has been logged, and to kindly fuck off, and then disconnects?
Not that I'm an expert or anything. But when I've found others doing ill/breaking the law on the net and informed their ISP... The ISP is unwilling to do anything. Unless you're the cops with a warrant they do nothing, and if you are the cops with one, all they will do is give you info on the person. The ISP won't do diddly. I think they should, just like you, but they won't and don't.
Linux Works
A "MAS 6000" is a Mitel Networks 6000 Managed Applications Server, which is a prepackaged Red Hat Linux server, usually in a 1U rackmount unit. "The 6000 MAS is simple to use and requires little or no IT expertise to install and manage," says the vendor. It provides a "firewall", E-mail, and other standard server functions. It's a "network appliance". The installation instructions actually say to put it in a closet and disconnect the keyboard. It's supposed to be secure out of the box.
There is at least one known FTP buffer overflow vulnerability for this system, but FTP must be enabled for it to work. Similarly, there's an SSH vulnerability, but SSH must be enabled for it to work.