Slashdot Mirror


How Should One Respond to a Network Break In?

Jety asks: "I am the sole IT support for a medium sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agent's personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city. What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"

10 of 96 comments

  1. First and foremost, cover your ass. by TripMaster+Monkey · · Score: 4, Insightful


    Document everything in writing, discuss the situation with your superiors, and seriously consider initiating some form of legal action. If you are the first to get litigious, you stand a better chance of having the situation resolved in your favor. Unfortunate, but true.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:First and foremost, cover your ass. by Saeed+al-Sahaf · · Score: 2, Insightful
      I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access.

      If you really want to, try to find out who admins the other server, and make contact. Are they competitors? That would change a lot of things. BUT, this sort of thing happens several times a day to the servers I admin. Generally, there is nothing to be done about it; trying to notify the offending source is usually ignored. More than not (precisely always), it's Windows boxes infected with bots.

      Why waste any time on this?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  2. Simple by rylin · · Score: 5, Insightful

    You try contacting abuse@ the other company.
    If that fails, you call them up and ask for their tech-lead.

    You already have your logfiles, and reasonably secured server.
    What you can gain here is a partnership - or at least an exchange of favors every now and then - between your company and the remote one.

    That said, if the other company isn't responsive, you firewall them to hell and get on with your daily work.

    You'll want to give management a brief notice about what's happening before you do this, obviously.
    After you've talked to abuse@, you tell management what happened.

    Now is the time to see over your authentication schemes. Are your users logging in over SSH? With passwords instead of keys? (Hint: keys are nicer).

    After this is said and done, you paypal me $90 for doing your job.
    Cheers!

  3. Just inform them by dtfinch · · Score: 3, Insightful

    No damage was done to you, except the effort you put into investigating. They, on the other hand, will probably want to catch whoever's actively using their server to launch attacks.

  4. It doesn't have to be the exchange server by maddskillz · · Score: 3, Insightful

    There is a good chance the whole business uses the one IP for everything, so it could be anyone at that business (or anyone accessing an unsecured wireless network they have set up, etc.) that is attacking your network.

  5. Depends by linuxwrangler · · Score: 4, Insightful

    Frankly I'm a lot more afraid of a successful break-in that I don't discover than heaps of unsuccessful attempts that I do.

    Essentially everyone who attempts to hit my ftp server with anonymous is trying to break in - the address is only known to a few people who have accounts and I can see from the logs that the other attempts are just scripted tries.

    Similarly, I see several attempts every day to log into my machines via ssh (where an attempt may involve from a dozen to hundreds of tries to log in). Don't even get started on what I see in the http or smtp logs.

    I work at a small company, too, and I could pull everyone off their jobs and still not have enough manpower to investigate each attempted break-in, locate and contact the appropriate parties, etc.

    As mentioned elsewhere, most of these machines are compromised so you are really spending your time to provide unpaid antivirus support for the other party's machine. You have to pick your battles.

    Depending on my workload and the probability of a positive result I'll contact someone as a courtesy. Generally my criterion is that I am able to make telephone contact with a person responsible for the machine relatively quickly.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  6. It's called NAT by b00m3rang · · Score: 3, Insightful

    Just because their NAT router has a port forwarded to an Exchange server doesn't mean that the Exchange server was necessarily the machine where the attack originated. It could have been that machine, or any other machine on the network.

  7. Autobanned? by phorm · · Score: 2, Insightful

    a) They'd have to know the IP's of the allowed machines
    b) The ban would only last 3 minutes.
    c) A 3 minute blockout is much better than an owned server :-)

  8. Re:Don't overreact by 4of12 · · Score: 2, Insightful

    Be careful with implementing auto blocks on connections since systems like that can sometimes be abused to cause a denial of service.

    --
    "Provided by the management for your protection."
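    An added example of the log review and short-lived auto-ban discussed in comments 2, 7 and 8 above; it is not code from the poster or any commenter. It assumes Linux sshd lines in syslog format (the sample below is constructed, with 2007 assumed as the year since syslog omits it), a 3-minute window, and an allowlist of the office's own addresses so the ban logic can never lock out known machines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd/syslog style; not the poster's real logs.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 srv sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Mar  3 02:14:03 srv sshd[4103]: Failed password for root from 198.51.100.23 port 40124 ssh2
Mar  3 02:14:05 srv sshd[4105]: Failed password for invalid user test from 198.51.100.23 port 40126 ssh2
Mar  3 02:14:07 srv sshd[4107]: Failed password for invalid user oracle from 198.51.100.23 port 40128 ssh2
Mar  3 02:14:09 srv sshd[4109]: Failed password for root from 198.51.100.23 port 40130 ssh2
Mar  3 02:14:11 srv sshd[4111]: Failed password for agent07 from 192.0.2.10 port 51000 ssh2
Mar  3 02:14:30 srv sshd[4113]: Accepted publickey for agent07 from 192.0.2.10 port 51002 ssh2
Mar  3 02:20:00 srv sshd[4120]: Failed password for root from 203.0.113.5 port 60000 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
YEAR = 2007  # assumed: syslog timestamps carry no year


def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for every failed-password line."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse syslog's padded day
            ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group(2), m.group(3)))
    return found


def find_offenders(failures, threshold=5, window=timedelta(minutes=3), allowlist=()):
    """Map source IP -> (failures inside one window, ban expiry) for IPs that
    reach `threshold` failures within `window`.  Allowlisted office/agent
    addresses are never banned, which limits the denial-of-service risk
    of auto-blocking raised above."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        if ip in allowlist:
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = (end - start + 1, t + window)  # ban lapses after one window
                break
    return offenders
```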
  9. What A Manager Would Expect by reallocate · · Score: 2, Insightful

    My perspective is that of someone, in a past life, who hired network techs.

    If this happened in my organization, I would expect three things from my network people:

    1) Follow and stay within established policy; I would expect you to do what is needed to protect the security of the network short of attacking the presumed culprit. If it came to that, bring the network down. Attacking the apparent culprit puts my business at legal risk and you do not get to make that call.

    2) Notify me (management) as soon as possible. Give me all the facts and answer my questions. Lay out my technical options objectively. Explain to me why our network was vulnerable and how we can remedy that. Don't try to spin me so I under or over react. It is my network and you work for me; I won't take kindly to attempts to manipulate me.

    3) Then, follow my instructions.
