How Should One Respond to a Network Break In?

← Back to Stories (view on slashdot.org)

How Should One Respond to a Network Break In?

Posted by Cliff on Tuesday July 26, 2005 @07:01AM from the set-phasers-to-WHAT-cap'n dept.

Jety asks: "I am the sole IT support for a medium sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agent's personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city. What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"

4 of 96 comments (clear)

Min score:

Reason:

Sort:

It probably isn't even them by Stone+Rhino · 2005-07-26 07:06 · Score: 5, Informative

You shouldn't start out accusatorily, because it's most likely that they're not the ones attempting the breakin. It's more likely that their box has been hijacked and is being used as a proxy to launch attacks against your computer for someone else.

After all, who uses an exchange server as their terminal to log in to other computers? If it was one of the desktops, then it would make sense that they were attacking.

--

Remember, there were no nuclear weapons before women were allowed to vote.
Don't overreact by Nos. · 2005-07-26 07:08 · Score: 4, Informative

Start off by blocking remote logins (ssh?) from anywhere except where you want to allow people to log in from. Second, I would send a polite, email to their tech contact, or if you can't find that, regular post mail to the company. Don't overreact. Their are a lot of ssh worms out there. I have one machine where I watch for these kinds of things. I see at least 3 or 4 worms hitting my box a day.
1. Re:Don't overreact by Nos. · 2005-07-26 07:36 · Score: 5, Informative
  Speaking of which, I was just chatting with a buddy who has a Brute Force rule setup in IP tables. Too many connections from a single IP within a set amount of time creates a temporary ban of that IP.
  
  Here's what he wrote to an IRC channel we were on (this is untested but should be close):
  
  iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force
  
  iptables -A SSH_Brute_Force -m recent --name SSH --set --rsource
  
  iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j RETURN
  
  iptables -A SSH_Brute_Force -m limit --limit 3/min -j LOG --log-prefix "SSH Brute Force Attempt: "
  
  iptables -A SSH_Brute_Force -p tcp -j REJECT
  
  Again, I haven't tried this yet, but generally speaking, 4 ssh connects within 60 seonds on eth0 will result in a 3 minute ban - I think.
Re:Call/email them by Aeiri · 2005-07-26 07:27 · Score: 4, Informative

It might be not even them due to spoofing, but most likely, it is unauthorized use of their machine.

How would you go about brute forcing a server using IP spoofing? With IP spoofing, you don't get the packets to return to you, they get returned to the server, then dropped. No complete TCP connection can be made.

Therefore, SSH would never get the packet to begin with, and even if it did, and got your full packet, it wouldn't send the "success" or "failure" to you.

That computer is obviously either compromised (most likely), or being used by authorized personnel to launch this attack (very unlikely).