Slashdot Mirror
Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.
http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org
I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining the intrusion attempt.
... atleast nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).
:)
So far, all of these "cease and desist" letters has resulted in action on the ISPs part, and in 50% of the cases, their admins write me back and give me feedback on the problem.
Ofcourse, I don't do this for every attempt (all depending on my mood
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actaully managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped
Personally I tend to ignore the scans for ssh and so forth, as they're just SYN-packets and doesn't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.
.
.. it's days since the last virus from you! Keep up the good work!"
.. and so forth.
:)
I tend to report viruses. I grep my logs daily for viruses from various norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.
I tend to send emails such as this.
"
Hi there.
I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.
Here are the relevant snippets from my logs:
Virus: Netsky.B
Received: from at
Virus: Bagle.C
Received: from at
All timestamps on the server are NTP-sync'ed against
Thanks for your time
"
Recently I've also included a more personalized
"Oh, and I have to commend your ISPs efficiency, as since march - you've managed to reduce the number of virus sending users to us from about per day, to this
You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for
If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computers has been abused by others to scan people -- and will probably quit doing it.
"Rune Kristian Viken" - http://www.nwo.no - arca
or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of windows attacks ( yes, code red is still there), 137 scans, numerous login hacks for any number of OS's, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes arent massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!
Look up HTB on the net (Heuristic Token Bucket) - a firewall rule that limits network abuse while not obstructing normal network usage - every IP gets a pool of "tokens". One token is removed from the pool when a packet is sent, packets won't be sent as long as the pool is empty, but it gets refilled at constant, slow rate, until it's "full" again. So a user can download, say, 500K in one rapid burst at maximum network capacity, then his connection bandwidth goes down to some 5K. If he waits 100s he will be able to get 500K in similar burst again. This way, one page loads really fast. User reads the page, goes back, loads another one (minute later) very fast again. A loser who keeps reloading, exceeds his 500K bucket content in 2-3 reloads and then gets a constant drip of 5K upstream, hardly disturbing the others.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Don't bother, the real crackers are probably usings some lusers box to launch the attack from. You're just warning the person who didn't secure their box, and they're not likely to understand why you are telling them they are attacking your box.
All those moments will be lost in time, like tears in rain.
1) Tripwire is a file integrity checker. I suppose you mean portsentry or similar. 2) Automatic firewalling a VERY bad idea. Remember that most modern scanning techniques do not require a full TCP connection, and are therefore eminently spoofable. Not imagine someone spoofing a syn scan from the IPs of google.com. BOOM! No more google for you, you just firewalled it off yourself. BOOM! No more slashdot. BOOM! No more quake server. You get the idea.
Pathman, Free (as in GPL) 3D Pac Man
Yeah I know the gentleman's approach.
I don't subscribe to it. I look at it like this:
To drive a car, you need a licence. You have to follow rules. You drive on the correct side of the road. You don't drink and drive. You obey the speed limit. And why do we have to follow the fules? It's because there are other people who also want to use the road, and therefore all drivers have a responsibility to ensure that the safety of others is protected.
Sounds like common sense, right? Well the same should apply to placing computers on the internet. If you want to have viruses and backdoors and worms etc running on your home PC, then fine. Whatever. But if you put your home PC on the internet and take absolutely no fucking responsibility for what you are doing then you are waiving all rights you have over the the safety of your computer. If your computer now pisses me off, I'll 'smbdie' it off the internet. If you're fine with all the rest of the shit that's infecting your PC, then you don't really have any right to complain about me rebooting it once every 5 minutes. And yes I'm doing everyone a service. Firstly, the computer is on the internet for less time than it otherwise would have been, so there's less chance of others being infected. Also, the idiot who owns the computer will be far more likely to do a complete re-install, or at least get a god-damned virus checker and get Windows up-to-date.
Do you know how many people come bitching and complaining to me about their PC being rooted, and when I boot it up find that they're running Windows 2000 SP1 and NO virus protection at all? It's not good enough. And the only ways to get them to take responsibility for their computer are:
a) Legislate. No-one wants legislation covering their computer. It will screw things up for the responsible among us and have no effect on the rest.
b) Make it so unconfortable to run an unprotected computer that they get the hint and protect it.
Having said all this, I know most people will still disagree with me. That's fine. Be angels. Just keep your damned computer secure and you've got nothing to worry about.