Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
This probably would have to be the best option so far. Then you could also log how they cracked the machine (using another machine). This would let you secure your other machines as well.
(I've been told to say, "you're a fascist" so I did)
Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vague threats, and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely, however.
Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.
Good luck.
Yeah, 'cause there's no such thing as dynamic IP addresses.
Better advice would be to only allow login connections (e.g. sshd) from known IP addresses.
Other measures depend on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ level 1 benchmarks on an Internet-connected machine (at the very least run the scoring tool).
Last week I managed to log in as root on a machine (from a Chinese domain, as usual) for which I had packets logged in my firewall's log. Then I installed chkrootkit on that machine: lots of executables were wrong (rootkits). Then someone logged in remotely and left a "readme.txt" message in /root warning me not to log in to other people's computers .... Finally I did three things:
1.- Sent an e-mail to the contact addresses retrieved from APNIC
2.- Copied my shutdown executable to that machine (the original was obviously tricked)
3.- Remotely executed @> shutdown -h now
Just a suggestion.
Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.
My advice is to firewall them.
Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc. every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )
So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them, and that if you have any complaints from customers about them not being able to access your server, you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.
Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.
Secure your network & keep it secure - no need to stir 'em up.
Somewhat offtopic, but how do people deal with DoS attacks? How do /.ers deal with situations like this?
I've had a person harassing the forums at a website that I host.
I banned by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DoS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his ISP) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And thats it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
I agree with the above. Also, creating a honeypot will give these guys something to play with, something fun to do, which will mean they will be more likely to come back.
If they can't get anywhere, they will move on somewhere else...
Damn, you must have a lot of time on your hands..
We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines?
And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.
Set up tripwire to detect incoming connections to 139, 1433 and other ports that people shouldn't be attempting to reach.
Any attempts to open got an IPTABLES rule added against their IP
Every couple of weeks I'd clear it down and let it build up again
There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.
We ran this configuration for about 3 months. The problem is the sheer number of false positives by the default snort rules. If you can't spend the time trimming down the ruleset to the bare minimum to cover your needs, you will be locking out end users.
Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for /calendar, so anything containing that would get trashed.
In the general sense, most likely you won't get a whole lot of cooperation from the ISP (gone are the days of the minions at Erol's). Stay patched, use common sense, and ignore it.
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
At least in the UK (where I have the most experience of computer laws), attempting to gain unauthorised access to a machine is a criminal offense under the Computer Misuse Act 1990; even conspiracy to do it is an offense. This is true whether you are a UK national or not - if you attack a machine in the UK and a report is passed to the police and the police investigation identifies you, then the minute you set foot on British soil you could be arrested and prosecuted under the act (significant offenses may even result in extradition). I know several other countries have similar laws; I expect the US has as well.
Seems like my posting that link has resulted in it exceeding its allowed bandwidth. Here's the Google Cache.
An even better one would be for an intruder to take note of which DNS server you're connecting to, then BOOM, a quick spoofed scan and you can't get DNS. While your DNS is out and you are trying to get your connection working, they slip inline on you and 'pretend' to be your DNS; now they can poison you really easily... Of course, mucking with the routing tables of an upstream switch and whatnot to pass themselves off as a DNS server, or hijacking the upstream DNS, isn't always the easiest, but it would be a dirty way to slip into a large corp's systems if the security was set up like that...
Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
It would be nice to adopt a routing protocol extension where you could ask an upstream router to block packets meeting a given criteria (*only to yourself, of course*). This would destroy DDoS attacks, which are currently the only really unstoppable attacks in existence. Say you're getting flooded by ICMP from 250 hosts, and you just tell the upstream router to block ICMP traffic from the hosts in question (or, for convenience's sake, altogether, whatever really). It'd pretty much leave you scot free. In fact, if it was extended further, DDoS zombies might get to the point that all their outbound traffic was blocked at their closest non-controlled router point, which might clue in the users as to the status of their machines.
Patent Pending!
So, you convince his ISP to issue a "You're no longer welcome here because you agreed to an AUP that forbids what you were trying to do" to him.
Unfortunately, ISPs are bogged down with requests like these, so probably not much will/can be done realistically.
Your "there's a whole lotta IPs in the world" comment is seriously asinine as well. As I mentioned, it is trivial to spoof portscans, and while there may be a whole lotta IPs in the world, once you have accidentally firewalled off the ones belonging to your DNS or your mail server, you are going to have some serious networking issues. Running out of "kernel memory" (whatever that might be) is the last of his worries.
Automated security response is a tricky business, and if you do not carefully consider all the implications, you are going to be worse off than you were, not better.
Don't take my word for it. Set up your PC this way and see how long it takes before someone uses it against you.
You're right, it was portsentry. I also ran tripwire to check the integrity, but it was a while ago so my memories were fuzzy. You're wrong about the no more Slashdot and Google, the connections being firewalled were incoming, not outgoing.
Agreed. But what he doesn't need is a legal "boot up the arse" that will haunt him for the rest of his life. The trick is giving him the former without the latter.
;)
Exactly. What I've tended to do when I see an obvious script kiddie hitting my server over and over (with the same damn script, like it'll work the second/third/tenth time) is hack 'em back. I realize this only works if you catch them in the act, else you may hit someone else, but my general preference is to print the following to their printer:
"Hey Cockbite: If you're going to try and hack someone, pick an admin who won't hack back"
All in all it's harmless, but hopefully gives them the hint that they're being stupid. Also I've been known to drop in a bug that lets me know their current IP address so I can print the above message randomly for a month or so. Let them explain to mom and dad WTF is going on! Way better results than ruining their life with the cops.
-nB
Why not create a honey pot that is weak enough for them to compromise it? Then you have evidence of a break in and the grounds to prosecute. Assuming you can identify the offender through the ISP you can make some serious threats with definite consequences.
If it's the same person multiple times, yes. If it's one person once, ignore it.
I know that I occasionally forget who I'm connecting into and try to login as root out of habit but then realize where I'm at. Using your example, it would be like walking towards a car in the parking lot that looks like yours and trying the handle...but just as you do realizing that it's not your car.
In 1982 or so, I was working for a pipeline engineering company.
One Saturday afternoon, I went to the office to do something on the computer (PDP 11/70). I was doing some disk work on the computer and didn't want anyone logged on accessing the disk while I did it.
Before starting, I did a "systat" (system status command) and saw someone had dialed in from outside and was logged onto a games account.
So I kicked him off, but he just dialed back in again. Every time I kicked him off, he was back in a minute.
So I modified the login utility so that if you dialed in, it would tell you to call the number in the computer room and then drop the line.
After a few minutes, he called! It sounded like a high school kid.
I told him what I was doing and suggested he wait a while before calling back.
After I finished what I was doing, I wrote a little utility to take a snapshot of the system every six seconds and save the differences. I had a simple version working that evening and made some nice modifications to it the next couple of days.
From then on, if he had ever logged back in, we could have detected just about anything he might do. But he never did log back onto the computer again.
I never did know who the kid was, but my best guess was that it was the son of someone at the office.
Example: A competitor that just happens to rank higher than you automatically drops packets from any IP that tries an invalid login.
You go through your logs and generate a list of all google's bots and then launch an "attack" against your competitor spoofing those IPs. You just stopped google from indexing their site. Move on to Yahoo and any other search engine you feel like.
Granted somebody is going to be watching the logs and start to wonder why google hasn't visited in a while, but you get the point.
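The auto-ban approach described earlier in the thread (add an iptables rule for every IP that probes a closed port or fails a login, flush the list every couple of weeks) and the two objections raised since (spoofed scans that trick you into blocking your own DNS or mail server, or Google's crawlers) can be reconciled with an allowlist. The following is an added example, not code from any poster: it counts failed sshd password attempts per source IP from constructed sample log lines, skips any address inside an assumed set of networks you must never block, and emits iptables commands into a dedicated chain rather than running them. The log lines, the `NEVER_BLOCK` networks and the `AUTOBAN` chain name are all assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format; not taken from the thread.
SAMPLE_LOG = """\
Mar  3 02:11:07 srv sshd[4101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 02:11:09 srv sshd[4101]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 02:11:12 srv sshd[4101]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 02:12:40 srv sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Mar  3 02:13:01 srv sshd[4131]: Failed password for root from 192.0.2.53 port 33000 ssh2
Mar  3 02:13:02 srv sshd[4131]: Failed password for root from 192.0.2.53 port 33001 ssh2
Mar  3 02:13:03 srv sshd[4131]: Failed password for root from 192.0.2.53 port 33002 ssh2
Mar  3 02:15:30 srv sshd[4150]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed allowlist: networks you must never cut yourself off from (your resolvers,
# mail relay, monitoring hosts, search-engine crawlers you depend on). A spoofed
# scan "from" one of these addresses must never produce a DROP rule.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "10.0.0.0/8", "127.0.0.0/8")
]


def is_allowlisted(ip: str) -> bool:
    """True if the address falls inside any network we refuse to block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def failed_logins(log_text: str) -> Counter:
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def pick_offenders(counts: Counter, threshold: int = 3) -> list:
    """IPs at or above the threshold that are not allowlisted, sorted for stable output."""
    return sorted(
        ip for ip, n in counts.items()
        if n >= threshold and not is_allowlisted(ip)
    )


def iptables_rules(offenders, chain: str = "AUTOBAN") -> list:
    """Build DROP rules in a dedicated chain so the whole ban set can be flushed at once."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in offenders]


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    for cmd in iptables_rules(pick_offenders(counts)):
        print(cmd)
```

With the sample above, 203.0.113.9 (three root failures) gets a rule, 198.51.100.7 stays under the threshold, and 192.0.2.53 is skipped despite three failures because it sits in an allowlisted network. The chain has to exist and be reachable first (`iptables -N AUTOBAN` and `iptables -I INPUT -j AUTOBAN`), and the "clear it down every couple of weeks" step from the earlier post is then a single `iptables -F AUTOBAN` from cron.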
I think it would be neat to have a program that could be easily installed on a box, that would act as the firewall for the system. Traffic that a firewall would normally allow is passed normally. Traffic that would normally be dropped, such as a query to a port that is not open on the firewall, would not be dropped but instead be passed to the honeypot module of the program, and from there responded to in a way set by the user through a scripting interface.
Example: You aren't running a telnet server on your box, so normally a connection attempt to port 23 would be dropped. Here you set your honeypot controls to engage a script that you have made (or that came pre-packaged with the software) showing them a fake login prompt that looks like whatever software you wish them to think you are using. Script appropriate responses to possible actions the hacker might try, based on what software they think you have. Let them appear to log in with 'admin/admin' or whatever, and show them fake file directories and whatnot. Certain often-targeted files could be spoofed so the cracker can actually 'read' them and not be tipped off. Basically have the software fuck with them for a while before revealing that "it's all been logged you luser, the Matrix has you, disconnect before things get worse"
You could make a windows box look like anything else to mess with them, if your arsenal of scripts is deep enough. The program could come with a whole whack of pre-defined scripts, and users could create and upload new scripts to a website for others to install in their systems. And when someone installs and runs the program for the first time, they are *forced* to choose a computer name, OS, and other details, so that every out-of-the-box install of this thing doesn't look like every other one out there, making it less easy to detect.
You'd have to make the main code smart enough to not bother if the intrusion appears to be a worm, otherwise such a machine would likely get pretty bogged down. I don't know how to do any of this, I would just like to have the software.
Please? Somebody?
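The scripted fake-login idea in the post above reduces to a small state machine: one object per connection that is fed the lines the remote side sends and answers with canned output, while recording everything. The following is an added example, not the poster's software and not any existing honeypot product: a fake telnet session that accepts assumed bait credentials, serves a constructed fake filesystem to `ls` and `cat`, and drops the reveal message after a command limit. The hostname, credentials, file contents and command limit are all invented for illustration; wiring it to a real socket listener is left out.

```python
from dataclasses import dataclass, field

# Constructed fake filesystem shown to the intruder; none of this is real.
FAKE_FS = {
    "/root": "notes.txt  backup.tar.gz\n",
    "/root/notes.txt": "TODO: rotate the admin password (still admin/admin)\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
}

# Assumed bait credentials that "work" against the fake login prompt.
FAKE_CREDS = {("admin", "admin"), ("root", "toor")}

REVEAL = "It's all been logged, luser. The Matrix has you. Disconnect before things get worse."


@dataclass
class FakeTelnetSession:
    hostname: str = "fileserver"   # chosen per install so honeypots don't all look identical
    max_commands: int = 5          # reveal after this many shell commands
    events: list = field(default_factory=list)  # (state, raw line) for every input received
    state: str = "login"
    user: str = ""
    commands_seen: int = 0
    closed: bool = False

    def banner(self) -> str:
        """What to send when the connection opens."""
        return f"\r\n{self.hostname} login: "

    def feed(self, line: str) -> str:
        """Consume one line from the remote side; return the bytes to send back."""
        line = line.strip()
        self.events.append((self.state, line))   # log first, whatever happens next
        if self.closed:
            return ""
        if self.state == "login":
            self.user = line
            self.state = "password"
            return "Password: "
        if self.state == "password":
            if (self.user, line) in FAKE_CREDS:
                self.state = "shell"
                return (f"Last login: Sat Mar  3 02:11 from 203.0.113.9\r\n"
                        f"{self.user}@{self.hostname}:~# ")
            self.state = "login"
            return "\r\nLogin incorrect\r\n" + self.banner()
        return self._shell(line)

    def _shell(self, line: str) -> str:
        """Answer a handful of commands from the fake filesystem, then reveal."""
        self.commands_seen += 1
        if self.commands_seen > self.max_commands or line == "exit":
            self.closed = True
            return REVEAL + "\r\n"
        cmd, _, arg = line.partition(" ")
        if cmd == "ls":
            out = FAKE_FS.get(arg or "/root", f"ls: cannot access {arg}\n")
        elif cmd == "cat":
            out = FAKE_FS.get(arg, f"cat: {arg}: No such file or directory\n")
        elif cmd == "id":
            out = "uid=0(root) gid=0(root) groups=0(root)\n"
        else:
            out = f"sh: {cmd}: command not found\n"
        return out + f"{self.user}@{self.hostname}:~# "
```

The `events` list is the part that matters for the "it's all been logged" step: it captures every username and password guess and every command before the reveal. The worm concern from the post maps onto `max_commands`: a bot replaying the same script exhausts the budget in a few lines and the session is closed rather than kept alive.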
"Oh ho. So a kid who walks up to your car and tries the doorhandles is not guilty of anything untoward?"
No, he is not. I agree that he should be informed that it's not cool, but he doesn't need to have boot up his arse or to be called guilty of anything. Frankly, kids are curious. I've tried doorhandles before, it had nothing to do with me being up to no good. I was just curious if people really locked their cars.
"Derp de derp."
No. Trying a door handle does not imply mal-intent. It's the response when a door handle actually works that matters. I'll give you an anecdote. I was arriving at a semi-nice restaurant in a somewhat out of the way area of an otherwise nice town. Parking was scarce, so I had to park on a tiny unlit side street. Walking toward the restaurant from my car, I saw another car on the street with its dome light on. It was obvious from a reasonable distance that there was no one in the car, but there was a pocketbook left on the front seat. Being a good Samaritan, I said "that won't do -- the pocketbook will get stolen, and the dome light will drain the battery". So I tried the door handle. To my surprise, it opened. I quickly turned the dome light off, closed the door again, and walked away. Turns out this was a sting. There had been a bunch of thefts from cars in the area recently, and this being a good town, the cops had enough time to set up a honeypot to try to catch the perp. They were quite chagrined to find someone go for the bait for an entirely altruistic reason -- to prevent a stranger from becoming the dual victim of a theft and a dead battery. Maybe I took a risk by trying that door handle and attempting to do some good. But how would you know if you deign to put a boot up my arse the instant I touch the door handle?
Perhaps the analogy doesn't port over all that well to scans of TCP ports, but it wasn't I who began that analogy; I'm just answering it.
-----Chaz