Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
ignore them.
Unless they use a lot of bandwidth, that is the right decision to make.
Add their IPs to your firewall for a start.
If you seem to be getting it from the same group of people, make a honeypot but have some obvious hints once they get in, leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they get no further than their failed attempt at your real machines.
Who'd have thought!
When I had this problem I simply sent a mail to the ISP's abuse people. Most ISPs have an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
Martin
intrusion attempt >> /dev/null
ignore it. forget it. script kiddiz...
If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
I don't understand why you'd care how you come off to the people trying to crack into your system.
They're out to do you harm. If one of them gets through and does some damage, you could lose your job.
Hi,
As several posters have already stated you should complain to the abuse address for their ISP. Ideally, you should include logs of the attempt.
You should also be aware that the machines which are attempting to connect to your network are probably zombies. There are a number of trojans and security holes which can be exploited to allow a remote user to take over a poorly secured system. The owners probably don't even realise that their machines have been compromised.
I'm not sure there's much an ISP can do other than try to find out which customer had been assigned that IP address at the time and write to them. Banning someone for having poor security on their machine is probably a bit harsh, even in these post-9/11 times.
Keith.
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
I don't read your sig, why do you read mine?
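The two posts above (complain to the ISP's abuse address with logs attached; send a plain-English digest showing the IP and the attack) describe the same procedure. Here is an added example of that workflow, not code from the thread: it parses constructed sshd log lines in the usual syslog form, groups failed password attempts by source address, and produces a short note that an abuse desk can act on. The log lines, host name, year and the 192.0.2.0/24 and 203.0.113.0/24 addresses are all constructed (those are documentation ranges); the threshold and wording are my own choices.

```python
"""Build an abuse-report digest from sshd log lines.

Added example: parse failed-login entries, group by source IP, and format
the short plain-language summary that an abuse@ mailbox can act on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; 192.0.2.0/24 and 203.0.113.0/24 are documentation
# ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51812 ssh2
Mar  3 02:14:09 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51813 ssh2
Mar  3 02:14:12 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51814 ssh2
Mar  3 02:20:41 web1 sshd[2240]: Failed password for invalid user admin from 192.0.2.77 port 40022 ssh2
Mar  3 02:31:55 web1 sshd[2252]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches the classic OpenSSH "Failed password" line, with or without the
# "invalid user" marker for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_failed_logins(log_text, year=2004):
    """Return {ip: [(timestamp, user, raw_line), ...]} for failed attempts."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not evidence
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["user"], line))
    return dict(by_ip)


def abuse_report(by_ip, ip, tz_name="UTC", min_attempts=3):
    """Plain-English note for one source address, or None if below threshold.

    Always state the time zone: the abuse desk has to match your timestamps
    against their own DHCP or RADIUS records to find the customer.
    """
    events = sorted(by_ip.get(ip, []))
    if len(events) < min_attempts:
        return None
    first, last = events[0][0], events[-1][0]
    users = sorted({user for _, user, _ in events})
    lines = [
        f"Abuse report for {ip}",
        f"Between {first:%Y-%m-%d %H:%M:%S} and {last:%Y-%m-%d %H:%M:%S} ({tz_name}),",
        f"{len(events)} failed SSH password attempts reached our server from {ip},",
        f"targeting the account(s): {', '.join(users)}.",
        "We believe the machine at this address may be compromised and used",
        "without its owner's knowledge. Relevant log excerpts follow:",
        "",
    ]
    lines += [f"  {raw}" for _, _, raw in events]
    return "\n".join(lines)


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_AUTH_LOG)
    for source in attempts:
        report = abuse_report(attempts, source)
        if report:
            print(report, end="\n\n")
```

The single attempt from 192.0.2.77 falls under the threshold and gets no report; the three root attempts from 203.0.113.45 do. Keep the raw lines in the note rather than a paraphrase, since the log excerpt is what the ISP can verify.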
Let me get this straight - you "got used" to logging in as root? And to compound your folly, you used to do it over *TELNET* ?!?!?!
I think someone needs to read up a bit more on why both these things are bad ideas - and why doing them both at once is just internet suicide...
Gentlemen, start your penguins
Unwise.
and sometimes I'd try to log in without thinking just after starting a telnet session.
Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
Real Daleks don't climb stairs - they level the building.
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude on us, while actually the cracker used our computers to intrude on other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and a university where he apparently illegally had plugged in a computer on the network, and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldom in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file messages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I cannot believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Avantslash: low-bandwidth mobile slashdot.
Hi,
I ran one of the first ISPs in the UK with live IP and since we went live about 10 years ago we have endured on average maybe one attack per minute or higher all that time.
So 10 years ago I wrote my own firewall with some traffic shaping and logging; it died recently and I replaced it with a Cisco or two with more or less the same rules.
Now, even when no longer an ISP I still have to turn away 35,000+ SPAMs per day from my network which now hosts just two people, so I wrote my own reverse SMTP proxy to deal with the problem. (The source is available in SourceForge BTW.)
People continually attempt to steal the entire content of one of my free Web sites, and used to bring it and my connection to the Net to their knees, so I wrote a simple transparent servlet filter to detect and lock out f**kits who exhibited pathological behaviour.
All of these tools are mainly automatic with a few general rules and a very few specific data entries to keep out especially egregious people.
Don't play "whack-a-mole", and don't waste too much time trying to contact the idiot's ISP; even if they care, which sometimes they do, it'll end up being expensive and slow to stop.
Rgds
Damon
http://m.earth.org.uk/
Ignoring them and allowing them to continue poking systems around them is like letting people attempt robbing banks, shop lift, etc.
Even if you don't manage to rob a bank, but you get caught, you go to jail. Why would cyber laws have to be different? Don't touch my server! Don't scan my ports!
Simpy
Insightful? HAH! To the moderator I give thee: +1 Funny
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.
Serious? Seriousness is well above my pay grade.
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish.
And what's the problem? That is COMPLETELY LEGAL. If you create problems for that other guy, maybe if his connection gets cut off from his ISP because of your complaint, YOU are responsible for the damage (false accusation). Seems you are one of those types going crazy about some other computer sending from port 80 to a high port on your computer.....
Move Sig. For great justice.
]] and sometimes I'd try to log in without thinking just after
]] starting a telnet session.
] Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
So how did you remotely administer Unix boxes prior to ssh?
c.
Log in or piss off.
I'm sorry, but how is adding an incoming port block on a firewall going to prevent using google? Serving up a quake server, maybe, but outgoing surfing and the like sure isn't going to stop him.
And if it's IP based, there's a whole lotta IP addresses in the world... methinks he'll run out of kernel memory long before he's finished blocking them all.
Casing the joint would be when you then attempt to connect to each open port in turn, and try to verify the version of the server running on each port, perhaps by submitting malformed requests and looking for characteristic responses.
That would be indicative of someone trying to find a way in.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
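The distinction drawn above (a source walking every port "from start to finish" versus a source coming back to verify what runs on each open port) is something a defender can pull out of a dropped-packet log. The following is an added example, not code from the thread: it runs over constructed connection-attempt records (timestamp, source address, destination port) and flags any source that touches many distinct ports inside a short window, noting whether the walk was strictly consecutive. The sample addresses are documentation ranges, and the thresholds (8 distinct ports within 60 seconds) are my assumption; tune them to your own traffic.

```python
"""Flag sources that walk through many ports (added example, not from the thread).

Input is a list of (timestamp, source_ip, dest_port) records such as a
firewall's drop log would yield. A source touching >= min_ports distinct
ports within any `window`-long span is reported as a scanner, together
with whether its ports were hit in strictly consecutive order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2004, 3, 3, 2, 0, 0)

# Constructed sample events; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges.
SAMPLE_EVENTS = (
    # a walk through consecutive ports 20..31, one per second
    [(_BASE + timedelta(seconds=i), "203.0.113.9", 20 + i) for i in range(12)]
    # an ordinary client revisiting two web ports
    + [(_BASE + timedelta(seconds=10 * i), "192.0.2.5", p)
       for i, p in enumerate((80, 443, 80, 443))]
    # a source probing a handful of common services over ~35 seconds
    + [(_BASE + timedelta(seconds=5 * i), "198.51.100.7", p)
       for i, p in enumerate((21, 22, 25, 80, 110, 143, 443, 3306))]
)


def detect_scanners(events, min_ports=8, window=timedelta(seconds=60)):
    """Return {ip: {"distinct_ports": n, "sequential": bool}} for scanners."""
    by_ip = defaultdict(list)
    for ts, ip, port in sorted(events):       # time order per source
        by_ip[ip].append((ts, port))

    verdicts = {}
    for ip, hits in by_ip.items():
        # sliding window over the time-ordered hits: the most distinct
        # ports this source touched inside any span of length `window`
        best = 0
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            ports = [p for _, p in hits]
            sequential = all(b == a + 1 for a, b in zip(ports, ports[1:]))
            verdicts[ip] = {"distinct_ports": best, "sequential": sequential}
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_scanners(SAMPLE_EVENTS).items():
        kind = "port walk" if verdict["sequential"] else "service probe"
        print(f"{ip}: {verdict['distinct_ports']} distinct ports ({kind})")
```

The ordinary client never clears the threshold, the consecutive walk is flagged as sequential, and the service-by-service probe is flagged without the sequential mark. What you do with the verdict is a separate decision; the detector only says which sources deserve a closer look in the logs.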
Your analogy breaks down.
Are the rules of the road completely different if you're driving a Honda or a Ford? Are people daily finding ways to remotely take over your car and ram it into things?
People should not have to know every goddamn thing about their cars before they drive them - you do not need to be a mechanic to drive a car.
Hell, when I go to the mechanic, my eyes glaze over when he starts rambling on about what exactly went wrong. I don't give a fuck what went wrong, and I wouldn't know a carburetor from a flux capacitor, how about fixing it and, if there's something I can do to avoid the problem in the future, lemme know.
Same goes for computing.
Yeah, it'd be great if people would lock down their boxes but the problem is not that people won't take responsibility, but that they are not educated about what to do to fix a problem.
I'm not a moron, but I tell you I have difficulty parsing what the fuck the latest 50 Windows Updates mean. How the hell is grandma supposed to know what the fuck that stuff means? Windows updates are bad enough, but *nix ones are even worse.
What needs to happen is that there needs to be a very basically written message: "Click here to keep people from taking over your computer" rather than the jargon laden crap that is there now.
Simply put, the people who are so up in arms about how people leave their machines vulnerable should solve the problem at the core of it, rather than castigating people for being "stupid" users. Fix the problem rather than bitching at people about it, and then we have something.
While modern scanning techniques do not require a full TCP connection, this does not have anything to do with spoofing. If you were to perform a SYN scan with a spoofed IP, it is no longer a scan, but a standard syn-flood DOS (denial of service) attempt. You cannot directly learn open ports (e.g. portscan) while using a spoofed IP.
But in effect what you say could happen, but it wouldn't be a portscan, but rather a malicious DOS attempt.
- Ois
PGP KeyId: 0x08D63965
1) Bad dude does SYN scan.
2) Bad dude gets firewalled off.
3) Bad dude performs another scan with a spoofed IP (conveniently provided as an option by the popular nmap)
4) Good dude is in trouble
Just say no to automatic firewalling.
Pathman, Free (as in GPL) 3D Pac Man
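The two posts above make one point between them: the source address on a SYN is just a field in a packet, so a blocker that trusts it blindly can be steered into cutting off the gateway, the resolvers, or a paying customer. Here is an added example of the guard rails that make automatic blocking tolerable; it is not code from the thread or from any firewall product. It keeps a block table with a never-block list, an expiry on every entry, and a cap on table size (the "kernel memory" worry raised earlier in the thread). All addresses are constructed documentation-range values, and the TTL and cap are assumptions; wiring the table into an actual firewall is left out.

```python
"""Auto-block policy with guard rails (added example, not from the thread).

Because the address on a SYN scan can be forged, the block decision must
refuse protected addresses, expire every block, and stop growing at a
cap so that a flood of forged sources cannot fill the table.
"""
import ipaddress
from datetime import datetime, timedelta

# Addresses that must never be blocked, whatever the logs say (constructed).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # our own address space
    "198.51.100.1/32",   # upstream gateway
    "198.51.100.53/32",  # recursive resolver we depend on
    "127.0.0.0/8",       # loopback
)]


class BlockTable:
    """In-memory table of ip -> expiry time; decisions only, no packet filtering."""

    def __init__(self, ttl=timedelta(hours=1), max_entries=1000):
        self.ttl = ttl
        self.max_entries = max_entries
        self._blocks = {}

    def expire(self, now):
        """Drop every block whose expiry has passed."""
        for ip in [i for i, exp in self._blocks.items() if exp <= now]:
            del self._blocks[ip]

    def consider(self, ip, now):
        """Decide what to do with a source the detector flagged.

        Returns one of: "protected", "refreshed", "blocked", "table-full".
        """
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            return "protected"          # likely forged, or a self-inflicted outage
        self.expire(now)
        if ip in self._blocks:
            self._blocks[ip] = now + self.ttl   # extend rather than duplicate
            return "refreshed"
        if len(self._blocks) >= self.max_entries:
            return "table-full"         # raise an alert instead of growing forever
        self._blocks[ip] = now + self.ttl
        return "blocked"

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self._blocks

    def __len__(self):
        return len(self._blocks)


if __name__ == "__main__":
    t0 = datetime(2004, 3, 3, 2, 0, 0)
    table = BlockTable(ttl=timedelta(minutes=10), max_entries=2)
    for source in ("203.0.113.9", "198.51.100.53", "203.0.113.10", "203.0.113.11"):
        print(source, "->", table.consider(source, t0))
    print("still blocked after 11 min:", table.is_blocked("203.0.113.9", t0 + timedelta(minutes=11)))
```

A "table-full" result should page someone rather than silently drop the entry: a table that fills up fast is itself a sign that the sources are forged. The never-block list is the part that matters most; without it the scanner in step 3 of the post above chooses who you cut off.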
The real value of a honeypot is not a slap in the face to the hacker.
The real value is in observing what kinds of attacks are being used, especially to see if any NEW type of attacks are being used that your real systems may not have been secured against.
I'll see your senator, and I'll raise you two judges.
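Two posts in this thread describe the same honeypot recipe: an isolated machine that offers nothing, logs everything, and is re-imaged when it falls over, with the logs used to see what is being tried against you. As an added illustration (not code from the thread), here is the smallest listener that does the logging part: it accepts a TCP connection, records the peer address and whatever the client sends first, and closes without answering. Run it only on a host isolated as the posts recommend. The bind address, the 256-byte capture and the half-second patience are my assumptions.

```python
"""Minimal recording listener for an isolated honeypot host (added example).

Accepts a connection, keeps the first bytes the client sends, and closes.
Nothing is ever served, so every record is something unsolicited.
"""
import socket
import socketserver
import threading
import time


class _Recorder(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(0.5)          # we only want the opening bytes
        try:
            data = self.request.recv(256)
        except socket.timeout:
            data = b""                        # connected and said nothing
        self.server.records.append({
            "time": time.time(),
            "peer": self.client_address[0],
            "first_bytes": data,
        })


class Honeypot(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, bind=("127.0.0.1", 0)):   # port 0: let the OS pick
        super().__init__(bind, _Recorder)
        self.records = []
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        """Serve in a background thread; return the (host, port) actually bound."""
        self._thread.start()
        return self.server_address

    def stop(self):
        self.shutdown()       # returns once the loop, and any handler, has finished
        self.server_close()


def wait_for_records(pot, count, timeout=5.0):
    """Block until the listener holds `count` records or the timeout passes."""
    deadline = time.time() + timeout
    while len(pot.records) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(pot.records) >= count


def probe_once(addr, payload):
    """Connect once and send payload; used to exercise the listener locally."""
    with socket.create_connection(addr, timeout=2) as s:
        s.sendall(payload)


if __name__ == "__main__":
    pot = Honeypot()
    host, port = pot.start()
    print(f"listening on {host}:{port}; Ctrl-C to stop and dump records")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pot.stop()
        for rec in pot.records:
            print(rec)
```

The records are the product: a new kind of opening banner or payload that your production hosts have never seen is exactly the "NEW type of attack" the post above wants to catch early. Keep the listener's own host disposable, and ship the records off it, since a machine built to be broken into cannot be trusted to keep its own logs.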
Of course you should make your box as secure as possible. Ignoring automated attack attempts is probably the wisest course of action, as well, otherwise you waste a lot of time and only draw more attention to your network, making it a bigger target.
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
A post a day keeps productivity at bay.
I thought that is why we have routers.
My routers block all unused ports and use NAT. I don't control the web server so I'm not sure what goes on there, but I always believed that proper firewall and router configs can stop these kinds of things before they start; please correct me if I'm wrong.
Chances are that you are not being directly hacked, but automatically probed by a system already infected with a root-kit installed.
There are a lot of people out there who have no idea that their computer is infected with a root-kit and many would be grateful to be told so.
In the physical-analogy sense, it would be more akin to closing your restaurant without putting up the "closed" sign. When people walk by and try to open the door, you got no business being offended - they're attempting to take advantage of the public service you appear to be offering.
And if you were really dumb and forgot to lock the door too, you've got no business being upset when they walk in and start wondering where the waiter is.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Log in as a normal user, and su, of course.
Tell me this is a troll. Please.
c.
Log in or piss off.