Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
ignore them.
Unless they use a lot of bandwidth, that is the right decision to make.
If you seem to be getting it from the same group of people, make a honeypot but have some obvious hints once they get in, leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they got no further than their failed attempt at your real machines.
Who'd have thought!
When I had this problem I simply sent a mail to the ISP's abuse people. Most ISPs have an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
Martin
intrusion attempt >> /dev/null
ignore it. forget it. script kiddiz...
If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Why?
If they are just sending off SYN requests, then who cares? They'll get a few RST responses. Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day will just decrease others' chances of contacting you.
Secure your network. Have a nice firewall with okay rules, but there should be no need to add individual IPs to your ruleset all the time -- that just increases complexity and maintainability.
"Rune Kristian Viken" - http://www.nwo.no - arca
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
I don't read your sig, why do you read mine?
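The kind of log digest described in the comment above can be generated rather than assembled by hand. This is an added example, not code from any poster in the thread: it groups failed SSH logins by source address and builds a report only for sources that keep trying, leaving one-off probes out. The log lines are constructed samples in OpenSSH syslog format, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Oct  3 02:14:07 mail sshd[4121]: Failed password for root from 192.0.2.44 port 40112 ssh2
Oct  3 02:14:09 mail sshd[4121]: Failed password for root from 192.0.2.44 port 40112 ssh2
Oct  3 02:14:12 mail sshd[4123]: Failed password for invalid user test from 192.0.2.44 port 40118 ssh2
Oct  3 02:14:15 mail sshd[4125]: Failed password for invalid user guest from 192.0.2.44 port 40120 ssh2
Oct  3 07:41:55 mail sshd[4310]: Failed password for root from 198.51.100.9 port 51500 ssh2
Oct  3 09:02:31 mail sshd[4402]: Accepted password for alice from 203.0.113.5 port 50022 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def failed_by_source(log_text):
    """Map source IP -> list of (timestamp, user, raw line) for failed logins."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            hits[m["ip"]].append((m["ts"], m["user"], line))
    return hits

def abuse_digest(log_text, threshold=3):
    """Return {ip: report text} for sources with at least `threshold` failures.

    Sources below the (assumed) threshold are treated as background noise.
    """
    reports = {}
    for ip, events in failed_by_source(log_text).items():
        if len(events) < threshold:
            continue
        users = sorted({user for _, user, _ in events})
        body = [
            f"Source IP: {ip}",
            f"Failed SSH logins: {len(events)} between {events[0][0]} and {events[-1][0]}",
            f"Accounts tried: {', '.join(users)}",
            "Log excerpt (server local time):",
            *[raw for _, _, raw in events],
        ]
        reports[ip] = "\n".join(body)
    return reports

if __name__ == "__main__":
    for text in abuse_digest(SAMPLE_LOG).values():
        print(text, end="\n\n")
```

Syslog timestamps carry no year or time zone, so state both in the covering message to the provider's abuse address.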
Better yet, block everything and whitelist your shit.
Exactly, why is he letting just anyone ssh into his boxes in the first place? Most of the services the company uses should be on private IP space inside of the firewall (NAT box), the rest of the devices on the outside need to be locked down good from Joe IP address.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Actually, most of the machines attacking me recently have been compromised static-ip servers at various hosting providers.
.. not necessary.
It depends on what kind of 'attack' we're talking about, of course. If it's just an automated attack which scans large ranges of IP-addresses for common vulnerabilities which you've patched against, there really isn't any need to add them to your firewall ruleset, unless they're pretty invasive.
By invasive I mean that they grope and poke, and grope and poke. If it's just a couple of packets - why care at all? You can always fire off an email to the hosting provider, but adding them to your firewall is just
Take the recent increase in SSH scans for the 'test' and 'guest' accounts without password, or whatever it was one came into agreement that it was.. if you've got a patched SSH daemon, why care? Let them scan - and get rejected. Why bog down the firewall with hundreds, if not thousands, of extra matching rules?
If it's likely that you've got vulnerable machines on that port, block it entirely - or just allow it from specific IPs. Playing whack-a-mole against scanners is just a waste of time.
Patch the system, have a good general firewall ruleset that covers what needs to be covered - and let the scanners that aren't actually continuously filling your log files just scan on.
I've had to block _one_ abusive scanner during the last year. It was someone scanning for open http-proxies from Israel. They were hitting my machines several times per second, filling my Apache logs with relay-attempts to mailservers. Which was quite frankly annoying.
Those scans were from four IPs within the same subnet, and their ISP didn't care. I got the ISP null routed due to their customers filling my logs (and my company doesn't do business in Israel at the moment, so it wasn't a loss anyways).
A few packets now and then on the other hand.. playing whack-a-mole with such is just a waste of time.
"Rune Kristian Viken" - http://www.nwo.no - arca
Unwise.
and sometimes I'd try to log in without thinking just after starting a telnet session.
Over telnet? Log in as root over telnet? AAAARRRGGGHHH!
Real Daleks don't climb stairs - they level the building.
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and a university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldomly in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file messages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I can not believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Avantslash: low-bandwidth mobile slashdot.
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.
Serious? Seriousness is well above my pay grade.
Don't scan my ports!
I fail to see how scanning ports is akin to robbery. Actually a port scan by itself is a completely legitimate activity as it simply is querying what services are available.
Personally I am of the viewpoint that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet.
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
I mean some of you guys sound like the ignorant dude that set up an RSS feed and then got pissed when a service used it as intended. The difference with him is that he learned the error of his ways.
I also fail to see how someone using the word "syber" can run any server safely.
So if you leave the front door of your house open (by mistake or on purpose), it is okay for anyone to come in, check out what you have in the fridge, use your bathroom, etc.?
Incidentally, this is similar to what happened to me yesterday. After hearing the noise coming from the other end of the apartment, I went to check it out and found a stranger in my bathroom. She followed some woman's directions and came to my bathroom, thinking it's a public bathroom, simply because I didn't lock my front door. I was polite, but I showed her the way out. I certainly couldn't just ignore her and let her be, could I?
Simpy
True, port scanning in and of itself is not comparable to robbery. Rather, it is like casing the joint: trying the doors to see if they're locked; testing the windows (ahem) for a good seal; checking all the security cameras to see where they're pointed, or if they're turned on at all.
A business owner who saw someone doing that type of thing at their bricks and mortar presence might be a little suspicious. Sure, the 'port scanner' isn't doing anything illegal at the moment, but there are few applications for the information gathered that are legitimate. Most businesses (on- and offline) don't have much use or sympathy for freelance 'security consultants' providing convenient and unsolicited 'security audits' for them.
The individuals attempting to login as root are admittedly being decidedly unsubtle, and are probably relatively harmless due to their lack of skill. On the other hand, if there was a mentally deficient individual wandering the neighbourhood trying to pull open front doors on random homes...wouldn't you want someone to at least keep an eye on him, even if you did keep your own door locked?
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
What conclusions, pray, should be drawn from multiple attempts to gain root access to someone else's boxen? The original poster also specifically asked for an appropriate message to send that didn't sound like a corporate cease & desist--he just wants a 'kid, stop rattling my doorknob' message, to make the point that the 'investigator' has crossed from your 'public' internet on to a decidedly 'private' server.
~Idarubicin
Casing the joint would be when you then attempt to connect to each open port in turn, and try to verify the version of the server running on each port, perhaps by submitting malformed requests and looking for characteristic responses.
That would be indicative of someone trying to find a way in.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Of course you should make your box as secure as possible. Ignoring automated attack attempts is probably the wisest course of action, as well, otherwise you waste a lot of time and only draw more attention to your network, making it a bigger target.
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
A post a day keeps productivity at bay.
Chances are that you are not being directly hacked, but automatically probed by a system already infected with a root-kit installed.
There are a lot of people out there who have no idea that their computer is infected with a root-kit and many would be grateful to be told so.