Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
Yeah cause, there's no such thing as Dynamic IP addresses.
Better advice would be to only allow login connections (e.g. sshd) from known IP addresses.
Other measures depend on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ lvl 1 benchmarks on an Internet connected machine (at the very least run the scoring tool).
US Democracy: The best person for the job (among these pre-selected choices...)
IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.
Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.
Secure your network & keep it secure - no need to stir 'em up.
Somewhat off-topic, but how do people deal with DoS attacks? How do /.ers deal with situations like this?
I've had a person harassing the forums at a website that I host.
I banned by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DoS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his isp) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And that's it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
No shit..
I've received some really nasty Emails over the years from winners who just installed some firewall on their home machine, and wonder why we're sending packets to him from our port 80 to some high port on his machine. They're all demanding that we stop or they'll sue, blah, blah, blah.
I write a real friendly note back saying "sir, you were visiting a porn site at http://example.com, from which you detected the data coming back to you exactly as you requested. yada, yada, yada"
Once in a while our provider will get a new person in their abuse department, and forward those over. I kindly remind them to go back to their supervisor and ask them exactly what this traffic would mean. Then I write them a friendly letter explaining the basics of the Internet.
They are generally good about sending us only real problems, which are usually about sublet IP blocks. I either pass it on to their sales rep, or call them myself. Most customers I've dealt with are very friendly about it.
We did have a federal agent show up in our office one day, about a hacking attempt from one of our networks (a sublet line). I called the sales rep, got the customer on the line, and they were already aware of it. It was an old unpatched machine, that they had taken offline a few days prior because they had already found it was broken into. They were still examining it, and offered to hold onto the drive for the investigator. I really like good customers.
Serious? Seriousness is well above my pay grade.
Damn, you must have a lot of time on your hands..
We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines?
And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.
Set up tripwire to detect incoming connections to 139, 1433 and other ports that people shouldn't be attempting to reach.
Any attempts to open got an IPTABLES rule added against their IP
Every couple of weeks I'd clear it down and let it build up again
There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.
All those moments will be lost in time, like tears in rain.
We ran this configuration for about 3 months. The problem is the sheer number of false positives by the default snort rules. If you can't spend the time trimming down the ruleset to bare minimum to cover your needs, you will be locking out end users.
Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for /calendar, so anything containing that would get trashed.
In the general sense, most likely you won't get a whole lot of cooperation from the ISP (gone are the days of the minions at Erol's). Stay patched, use common sense, and ignore it.
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
At least in the UK (where I have the most experience of computer laws), attempting to gain unauthorised access to a machine is a criminal offence under the Computer Misuse Act 1990; even conspiracy to do it is an offence. This is true whether you are a UK national or not - if you attack a machine in the UK and a report is passed to the police and the police investigation identifies you, then the minute you set foot on British soil you could be arrested and prosecuted under the act (significant offences may even result in extradition). I know several other countries have similar laws, I expect the US has as well.
Seems like me posting that link, has resulted in it exceeding its allowed bandwidth. Here's the Google Cache.
Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Example: A competitor that just happens to rank higher than you automatically drops packets from any IP that tries an invalid login.
You go through your logs and generate a list of all google's bots and then launch an "attack" against your competitor spoofing those IPs. You just stopped google from indexing their site. Move on to Yahoo and any other search engine you feel like.
Granted somebody is going to be watching the logs and start to wonder why google hasn't visited in a while, but you get the point.
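The two auto-blocking ideas in this thread (the tripwire/IPTABLES post that drops anyone who touches 139 or 1433, and the spoofed-Googlebot objection just above) differ in one important way: an sshd "Failed password" line is only written after a completed TCP handshake, so its source address is genuinely the peer's, while a bare SYN to a closed port can carry any source address at all. The script below, an added example that is not code from any poster on this page, parses constructed auth.log and iptables LOG lines, skips an allowlist of "known" addresses (the same ranges the earlier post suggests restricting sshd to), and emits DROP rules as strings rather than running them. All host names, IPs and log lines are made up; the PROBE: log prefix and the 203.0.113.0/24 allowlist are assumptions.

```python
"""Log-driven auto-blocker with an allowlist, plus the spoofing caveat.

Added example (not code from any poster on this page). Host names, IPs and
log lines are constructed; iptables commands are emitted as strings, not run.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sshd entries in auth.log style. "Failed password" is only logged
# after a completed TCP handshake and SSH key exchange, so the source address
# here really belongs to the peer; a spoofer cannot make sshd log it.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 srv sshd[4021]: Failed password for root from 198.51.100.7 port 40212 ssh2
Mar  3 10:12:03 srv sshd[4021]: Failed password for root from 198.51.100.7 port 40213 ssh2
Mar  3 10:12:05 srv sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 40214 ssh2
Mar  3 10:13:10 srv sshd[4030]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 10:13:12 srv sshd[4030]: Accepted publickey for alice from 203.0.113.5 port 51001 ssh2
Mar  3 10:14:00 srv sshd[4040]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Constructed iptables LOG entries (assumed "PROBE:" prefix) for the
# "block anyone who touches 139/1433" approach. A bare SYN proves nothing
# about its source: nobody had to answer a SYN-ACK, so the SRC field can be
# whatever the sender chose, e.g. a search engine's crawler address.
SAMPLE_FW_LOG = """\
Mar  3 10:20:00 srv kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=44444 DPT=139 SYN
Mar  3 10:20:01 srv kernel: PROBE: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=44445 DPT=1433 SYN
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)
FW_RE = re.compile(r"SRC=(?P<ip>[0-9a-fA-F:.]+) .*?DPT=(?P<port>\d+) SYN")
PROBE_PORTS = {139, 1433}

# Addresses that must never be blocked (assumption: the admins' office range,
# i.e. the "known IP addresses" you would also restrict sshd to).
ALLOWLIST = [ip_network("203.0.113.0/24")]


def is_allowlisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def count_failures(log_text):
    """Failed-login count per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def login_offenders(log_text, threshold=3):
    """Sources with at least `threshold` failed logins, minus the allowlist."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and not is_allowlisted(ip))


def syn_probe_sources(log_text):
    """Sources that sent a SYN to a probe port. Spoofable: see the caveat above."""
    hits = set()
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and int(m.group("port")) in PROBE_PORTS and not is_allowlisted(m.group("ip")):
            hits.add(m.group("ip"))
    return sorted(hits)


def iptables_rules(ips, chain="INPUT"):
    """DROP rules as strings; a real deployment should also expire them."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(login_offenders(SAMPLE_AUTH_LOG)):
        print(rule)
    print("SYN-based blocker would also drop:", syn_probe_sources(SAMPLE_FW_LOG))
```

Run on the sample data, the login-based blocker produces one rule (for 198.51.100.7, three failures) and leaves alice's single typo from the allowlisted range alone, while the SYN-based blocker would also drop 192.0.2.50, which in this constructed scenario is an address the attacker merely put in the SRC field. The practical lesson is to key automatic blocks on evidence that requires a completed handshake, allowlist your own ranges and anything you cannot afford to lose, and expire rules after a while as the tripwire post already does.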
No. Trying a door handle does not imply mal-intent. It's the response when a door handle actually works that matters. I'll give you an anecdote. I was arriving at a semi-nice restaurant in a somewhat out of the way area of an otherwise nice town. Parking was scarce, so I had to park on a tiny unlit side-street. Walking toward the restaurant from my car, I saw another car on the street with its dome light on. It was obvious from a reasonable distance that there was no one in the car, but there was a pocketbook left on the front seat. Being a good Samaritan, I said "that won't do -- the pocketbook will get stolen, and the dome light will drain the battery". So I tried the door handle. To my surprise, it opened. I quickly turned the dome light off, closed the door again, and walked away. Turns out this was a sting. There had been a bunch of thefts from cars in the area recently, and this being a good town, the cops had enough time to set up a honeypot to try to catch the perp. They were quite chagrined to find someone go for the bait for an entirely altruistic reason -- to prevent a stranger from becoming the dual victim of a theft and a dead battery. Maybe I took a risk by trying that door handle and attempting to do some good. But how would you know if you deign to put a boot up my arse the instant I touch the door handle?
Perhaps the analogy doesn't port over all that well to scans of TCP ports, but it wasn't I who began that analogy; I'm just answering it.
-----Chaz