Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?
First time accepted submitter tomscott writes "So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.
I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.
Well.. maybe. Or Maybe not. But Definitely not sort of.
The attackers are most likely using other infested machines.
There's nothing anyone can legally do with that information. Weak attempts at breaking in and port scanning are just background noise.
Backtrace them and report them to the cyber police!
As long as you use key-only authentication you should be fine. I wouldn't leave password-only access open to the internet. Having said that, your best bet is to slowly stall connections in order to waste the other guy's resources. Any system with pf and probably ipf have allowances for that, along with logging and blocking the most abusive IPs altogether.
"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.
---- join dshield.org Distributed Intrusion Detec
I usually call the ISP or the person listed in the DNS info and talk to them directly. It seems to shock and / or surprise many ISPs into action.
Of course this won't likely help if the attacker is from the Great Motherland of Scripted Attacks, the PRC.
I think (I have no actual numbers) most of those are compromised boxes running distributed attack scripts. It makes sense to run the C&C and let your zombies do the work; that way it doesn't get tracked back to you.
That was the case I saw twice on two boxes I had - one fell to a BIND exploit, and rather than reboot, I investigated why DNS stopped working. I uncovered an IRC C&C (with over 60 clients) and went about informing people (by the IPs of the IRC clients) about what had happened. Most rebooted and never noticed a thing. All were happy to hear I was letting them know what happened.
Based on that you're more likely to report innocent people whose only crime is being unpatched.
http://www.dhs.gov/how-do-i/report-cyber-incidents
It's been years, but a few times I found the organization sending traffic and sent an email to abuse@ the domain name and had positive results.
You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.
Regards,
Sam
I heard she wears Army boots, so she can probably scare the crap outta the script kiddies.
Or you can figure out the ISP of the person attempting to break in. A phone call to the ISP's admin at 3AM their time with relevant details seems to be quite effective, especially if it is a recurring problem resulting in repeat 3AM phone calls to the opposite side of the globe.
Seriously this is an old question, and there is no answer. No one gives a shit about your logs. Chances are that more than 99% of those attempts are from some zombie PC and the user of that PC has no clue. You can spend countless hours finding it, but what would be the good, since there would just be a jillion-1 more attempts at port 22? I got a great idea, use some non-standard port for traffic that doesn't "require" a standard port. Other than that, update, patch and monitor are gunna be your key words.
Have you considered running DenyHosts on your machine? That might help filter out some repeat offenders.
I trace these on one of my production machines. When someone makes an unauthorized attempt or fails a password check after a certain number of times, my machine automatically blocks their IP and does a whois on it. Sometimes this whois will provide you with an abuse email that you can use. Unfortunately, only a small amount of attempts have an abuse email associated with them, but I've had success getting responses from the ISPs in disabling the attacking user's account.
It blocks IPs that fail authentication more than a set number of times, and can upload known violators to a global list, which can then be downloaded by other Denyhosts users. I use it and it's been great.
The answer depends on what you hope to achieve by reporting.
If you hope the people to stop:
In case the origin is a company within your country, contacting them may do you some good. They will pull the plug on their malware-infested machine. The attacker will use others.
In all other cases the only chance to have any kind of effect is to report dramatic damages to law enforcement. Other than that, nobody cares enough ;-). Even with dramatic damages, the chances for any effect are slim to none.
IMHO: In 90+% of all cases, /dev/null is the economically best answer.
. . . the FBI are the ones trying to break into your system.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Regarding SSH, this topic came up a few years ago. I've used Fail2ban, a daemon that will tell the Linux firewall to drop traffic from abusive IPs trying to brute force passwords. It was a good suggestion then and I think it's still good now. It worked for me, but since I went to a pfSense based router I've opted to use its really good built-in VPN facilities instead of exposing port 22.
It's also been mentioned that running ssh on a nonstandard port is not a bad idea. Technically not any more secure, but it does seem to dodge 99.9% of the automated scanners looking for unsecured systems with weak passwords.
Older slashdot post:
http://ask.slashdot.org/story/10/03/06/2138221/coping-with-1-million-ssh-authentication-failures
Fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page
Pfsense
http://www.pfsense.org/
Most of the time - at least from my experience - the attacks are coming either from systems that are in foreign countries that don't give a shit about you and your system, or they are distributed attacks that would require you to contact dozens (or more) of ISPs.
The one exception I make is if it comes from an American IP address. Most American ISPs do a pretty good job of tracking who is using what IP address and can do something about it. Generally, they won't do much - and they seldom tell you what they do - but they'll at least look at it. And of course if it is from a university in the US, they'll usually track it to a college freshman who either thinks he's clever or is running a compromised Windows PC.
But in general, your complaints will fall on deaf ears. Just keep checking your logs periodically to make sure nobody succeeds and that you are making the right responses to new methods. You could set up a tarpit if you like...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
You're not going to make a dent. Most reports are simply ignored, and for every attacker you see, there are thousands more who simply haven't gotten to you yet.
Make sure you have good passwords, know what ports are exposed, and run something like fail2ban.
"National Security is the chief cause of national insecurity." - Celine's First Law
I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.
To the question at hand, if you can identify the IP address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the IP is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the IP into RIPE or APNIC's whois database and report accordingly.
Fifty watts per channel, baby cakes.
Most UNIX systems automatically subscribe to the Network Users List of Lamers. Just write up your complaint to a text file, then send the complaint to NULL, using the command 'cat $REPORT > /dev/null'
Join and contribute ssh/firewall logs to DShield or another collaboration system so that others can benefit from the information you are collecting.
http://dshield.org/howto.html
If you want to report unwanted activity against your network your ISP may be able to help. Try opening a ticket with their Abuse team.
<script>alert("I never liked JavaScript, really; it just seemed a bad idea.");</script>
Really, no government agency is going to give a red cent about some 14 year old running scripts against your machines unless you're a major contributor or hold government office.
Before I can help, I am going to need the IP address of your modem to verify your identity. You can expedite this process by providing the username for the machine you are trying to access on your LAN. Remember, no Slashdot.org support agent will ever request your password.
YOU are the only person to log in, correct? And YOU know that your ssh is set to listen on some other port. So, any packet that hits port 22 looking for a response, you block that IP for 24 hours. Wheee!
If you feel this is important enough you should immediately contact the President of the United States directly to tell him about your ordeal. His email address is president@whitehouse.gov.
Where to report script kiddies...
Their mothers. Duh.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I get tons of these when I have SSH running on port 22. I'm quite certain no one can get in, as I accept only RSA key authentication, but the attempts sure as hell clutter up my logs.
I have never even considered trying to report them. They all come from foreign countries and compromised PCs anyway, so I'm not sure how reporting anything to anyone could ever make a scrap of difference.
It would be like reporting email spam... yeah - that totally works.
Use something like blockhosts to deny connections to addresses that have repeated unsuccessful attempts.
Use public key/private key pairs for authentication and disable password authentication completely.
Use a non-standard port for the ssh service.
Who to report them to? Unless you're actually compromised and suffer harm, there really isn't anyone who is going to look into it; seriously, reporting every potential attacker results in nothing more than a very large scale game of whack-a-mole.
Insanity is a gradual process; don't rush it.
It becomes even more complicated when the IP connecting to you belongs to a honeynet hosted by some investigatory body.
Do, or do not...there is no "try."
Try psad. I've been running it for years, in addition to selinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to D-Shield.org and ISC (internet storm center), and you can script attack responses with your normal shell. *very* highly recommended.
I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.
http://cipherdyne.org/psad/
C|N>K
...Anonymous. Enjoy watching one group of puerile script kiddies attack another group of puerile script kiddies.
Alternate answer #1 ...nowhere. If they get in, they just did you a favor by exposing your weaknesses.
Or so goes the argument as to why Anonymous is/are heroes. Hey, what's good for banks is good for individuals, right?
Alternate answer #2 ...nowhere. Who cares? All they're going to do is copy information off of your hard drive - it's not like it actually means anything, you still have your original data.
Or so goes the argument for why piracy isn't wrong.
I didn't read all the responses but from my dealing with the FBI cyber crimes division they won't even look at it unless there's $10k USD or more in loss/damages.
What I do (when I'm bored :P ) is just take the logs, pull the source address, punch it through ARIN and see who owns the netblock, then file an abuse/fraud ticket through whoever owns the netblock (including providing the logs). That seems to work pretty well for US-based companies. I was really impressed with the Amazon cloud guys and how fast they shut down a compromised VM after I sent them the info. Regional/smaller ISPs are usually pretty good; larger ones can be hit or miss.
Dealing with offshore addresses is more problematic, due to inconsistent controls, communications barriers etc. For addresses like that if it's not a country I'm going to be travelling to or do business with I'll just acl the whole block (sometimes the whole country) at my perimeter.
Aside from that, nonstandard ports, knocking, vpn are all good ways to deal with this kind of thing. I'm guessing you're at least not leaving all your personally critical data there, and that you do at least have some isolation.
01:36AM up 426 days, 2:46, 1 user, load average: 0.14, 0.11, 0.05
Worked well when we used it. Email to the network owner, log excerpts, etc; they found machine and fixed it. One was in Italy at some university, they were really cool, emailed us back and everything. Didn't work all the time, but you would be amazed how well a nice note to the network folks works. They don't want to pollute the net; they are much like you in that way.
andy
I still have a computer sitting on the shelf labeled "Do not touch, property of FBI" from when I reported a compromised computer to them. That was in 2004. It's still sitting on the same shelf, just like it was the day I unplugged it.
Long answer: Even if you did report them to someone, no action whatsoever will come out of it. Face it, as long as people are not responsible for their traffic (unless, of course, said traffic constitutes a copyright infringement) nothing will happen.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Attempted script kiddie attacks are automatically reported to the same place that failed sudo attempts are reported to.
I use DenyHosts to identify attackers and protect my system. Then, for any new blocked IP, I check to see if it's local to my service provider. Generally, I think the service providers will be much more responsive to one of their customers attacking another, even if it's a compromised machine.
Automate it. I run fail2ban, which can be nicely configured; kiddies probing the websites for the php_my_admin thing get mod_spamhaus checks, who, if reported, get no site. HTML form scanners get botscout checks and also a humorous email address in the HTML to send drug deals to us, which does not work. Occasionally we change that just for a laugh when we see it in use.
We still report spam to spamcop.
Yes, I will cancel your air travel arrangements if you put the wrong address in the airline booking system. Airlines are very happy to oblige.
That leaves just the determined idiots who, well after that, deserve a personal mention to their ISP using a fail2ban report or two the computer just happened to generate.
My Linux firewall automatically creates an entry in the /etc/hosts.deny file. Usually if I'm bored and have nothing to do I use my Backtrack VM to launch an attack back. I do not do this from my home IP. I take my laptop and launch an attack from a free wifi hotspot :)
I also saw a lot of login attempts coming from China.
At first I just set up fail2ban, which works great (it can either ban the IP for a set time or forever). But after having to deal with growing log files, I decided to just use a non-standard port. That helps a ton.
Why leave it at the default and hope no one finally gets in (and worry about reporting the attempts?) instead of taking more proactive actions such as changing the port number, using SSH keys if possible rather than login/password, or at least something like fail2ban, etc.
The thing is, if someone *did* get in, they may be good enough to cover their tracks and you may not notice.
https://www.uha1.com/14-mug.jpg
hope you remember us.....
https://www.arin.net/ is the right answer. (At least for the North American based IPs, but if they are foreign they will point you to the proper registry(APNIC for example).)
First of all, I have all other netblocks assigned to other registries (APNIC, RIPE, LACNIC, etc.) blocked in my firewall since none of our sales team will be found in those countries.
When you do a search on ARIN for an IP (upper right), it will list the ISP's "Points of Contact" and they are required to have at least 1. It is not always "abuse@". They also have phone numbers listed as well as a contact name (which I find to be out of date usually, but the email is generally right). ISPs typically need/want log entries showing the intrusion attempt as well as your IP and the ports they were attempting to access.
I have since automated the task of reporting and have a process that: blocks that IP in the firewall, looks up their data in arin.net, sends me an email with logs and the proper email contacts for me to review and forward. If I see that it is an ISP that my sales guys shouldn't be using (a Mexican ISP, for instance), I then block that ISP at my leisure.
If it is foreign, then I typically just block the ISP since I have little legal recourse anyway. If domestic, then I have a pre-worded followup email in case they have other users attempt soon after.
If you host any communications service (i.e. email, IM, chat) and their constant bombardment is hindering that service, their intrusion could potentially fall under part 1 of http://www.law.cornell.edu/uscode/text/18/2701 where it reads "whoever intentionally accesses without authorization a facility through which an electronic communication service is provided - prevent[ing] authorized access to a wire or electronic communication".
Just my long two cents. And IANAL but it sounds like a valid threat to include in an email to an ISP... And I use it all the time...
Not that other countries' agencies are any better. We had big trouble with a guy in New Zealand disrupting services, phishing accounts etc. We managed to start an investigation (or so they said) by phone but it took several hours and help from the CERT team in Australia. After a month nothing had happened, and I was there on vacation. I spent a day on the phone trying to find somebody who knew about the case, but even with the reference number they could not do anything. CERT Australia tried for a few days, and finally gave up.
We had a guy in the Netherlands who phished hundreds of accounts, and still nobody down there would pick up the ball. Then he and a friend found a hole in a third party system and managed to suck out data for hundreds of (Dutch) people. The web frontend was in Germany and the third party application in the US (a lot more US citizens' data was also stolen). Dutch police said they won't do anything because the data was abroad. German police said they won't do anything because the guy is in the Netherlands. The FBI said they'll look into it, but never did anything despite us trying to get back to all of them countless times. We found both hackers' identities and had the second guy on the phone, admitting everything and promising he'd testify... Still nobody was interested.
You have to work in a big corporation to get the authorities to do anything. They don't care if somebody phishes thousands of accounts unless it's in the news or a corporation they recognize. It's almost as if they want all the script kiddies to be able to practice in peace until they really learn how to cover up their tracks and move to juicier targets if they won't take a case when it's handed to them on a platter with clear logs and a confession. It does work a lot better when the hacker is in the same country as you and you are working with a local law enforcement agency though. I also had good experiences with the Metropolitan Police in the UK.
Here's what you do...
Use a few sets of ports that you will equate with the numbers 0 through 9.
Add a few ports that equate to dots.
Add a few ports that equate to execute.
And a few that will equate to clear or reset.
Write up simple inetd-style listener rules so that when a *knock* is received on a port, you write a number into a file in append mode.
Same for the dots (periods).
If you send a clear or reset, wipe out the file.
When you send the execute, you cause your system to ssh out to your IP address with a back-channel opened to localhost on the machine you knocked on.
The ssh would be key based, the userid able to create tunneled ports, the userid locked down to key only...
So you figure out what your IP address is - look for a what's-my-IP-address site to validate, script up your knock using the ports assigned for the numbers and dots required, then the execute knock.
I normally configure two or three sets of ports for each number, and the inetd configs are set to not respond to the knock attempts in any way aside from writing to the trigger file.
If the firewall allows scripting, you could use the trigger to write a temporary firewall rule allowing you to come in on 22 from that IP address, then after 30 seconds remove the rule.
I wrote it up a long time ago and posted it somewhere online - might have been on the openssh mailer for anyone who wanted to use it.
Still works great to this day - I've automated the knock config sequences using a random selection of the ports needed to form the address garnered via curl reading from a what's my ip address site.
Probably overkill, but I like it.
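The knock scheme in the post above (port sets standing for digits, dots, execute and clear; a listener that appends symbols to a trigger file and acts on execute) can be modelled as a small state machine. The following is an added example written for this page, not the poster's script: the port numbers are constructed, the trigger file is an in-memory buffer, and the decoder only validates and returns the IPv4 address instead of opening the outbound ssh tunnel. It also shows the failure modes a real listener needs: stray knocks on unmapped ports are ignored, a malformed sequence followed by execute does nothing, and clear discards whatever was buffered.

```python
"""Toy port-knock encoder/decoder for the digit-per-port scheme in the thread.
Added example: the port table and helper names are assumptions, not the
poster's configuration."""
import ipaddress
import random

# Constructed port table: each symbol has two or three alternative ports,
# mirroring "two or three sets of ports for each number".
KNOCK_PORTS = {str(d): (40010 + d, 41010 + d, 42010 + d) for d in range(10)}
KNOCK_PORTS.update({".": (40020, 41020), "EXEC": (40030, 41030), "CLEAR": (40040, 41040)})

# Reverse map used by the listener side.
PORT_TO_SYMBOL = {port: sym for sym, ports in KNOCK_PORTS.items() for port in ports}


def encode_knocks(ip, rng=random):
    """Build the knock sequence (list of ports) that spells an IPv4 address
    followed by EXEC, picking one of the alternative ports per symbol at
    random so the sequence looks different every time."""
    ipaddress.IPv4Address(ip)  # refuse to encode anything that is not an IPv4 address
    sequence = [rng.choice(KNOCK_PORTS[ch]) for ch in ip]
    sequence.append(rng.choice(KNOCK_PORTS["EXEC"]))
    return sequence


class KnockDecoder:
    """Listener state: the trigger file is a string buffer here."""

    def __init__(self):
        self.buffer = ""

    def knock(self, port):
        """Process one inbound knock. Returns the decoded IPv4 address when a
        valid EXEC arrives, otherwise None. Unmapped ports are ignored, like
        inetd entries that never answer the knock."""
        symbol = PORT_TO_SYMBOL.get(port)
        if symbol is None:
            return None
        if symbol == "CLEAR":
            self.buffer = ""
            return None
        if symbol == "EXEC":
            candidate, self.buffer = self.buffer, ""
            try:
                # Only a well-formed address may trigger the outbound action.
                return str(ipaddress.IPv4Address(candidate))
            except ValueError:
                return None
        self.buffer += symbol
        return None


def replay(ports):
    """Feed a whole knock sequence to a fresh decoder; return the list of
    addresses that would have triggered the callback."""
    decoder = KnockDecoder()
    triggered = []
    for port in ports:
        address = decoder.knock(port)
        if address:
            triggered.append(address)
    return triggered


if __name__ == "__main__":
    seq = encode_knocks("203.0.113.5")
    print("knock sequence:", seq)
    print("decoded:", replay(seq))
```

In the real setup the callback on EXEC would add the temporary firewall rule or start the outbound ssh session, and the buffer would live in the trigger file; the validation step matters because anyone who finds one digit port can append junk to that file.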
Now if we could call up "Penelope" from Criminal Minds and get a smart-aleck response AND file a report. Sadly the FBI probably doesn't have those girls (or guys) manning the phones.
Denyhosts is what you are looking for; it will even download a list of IP addresses spotted on other peoples computers if you want it to.
They really don't care unless you can show significant damages. For $500, they will just ignore you. For $5000 in documented damages they'll take a report and file it somewhere never to be seen again. For $50k they'll actually keep your information around in case they can use you as a part of a larger case. For $500k they may take you seriously.
Citation: my own experience calling the feds when cleaning up messes.
http://blogs.avg.com/news-threats/chatted-hacker-virus/
Put like 1 sentence on your website that's anti-muslim and the FBI would be interested in anyone that even generates a 404 lol.
Sorry, but the answer is ..."kind of".
SANS have an incident reporting framework, but I don't think they care much - or at all - about trivial attacks like SSH bruteforcing. Nor should you. Just set up public key authentication, turn off password-based logins and forget about it.
Oh, the beautiful gloss of greality!
Who to complain to: complain to the upstream. You have the IP address. Do a nslookup and traceroute and write to abuse@foo.com. However, if it's just the standard "checking default passwords" deal, then it's a botnet and you shouldn't bother.
Here's what you do in sshd.conf
Take sshd off port 22 and put it on a high port above 1024. I use HF radio frequencies to remember.
Port 3898 (or whatever)
Turn off password authentication. You should be using keys.
PasswordAuthentication no
Use protocol 2
Protocol 2
Turn off root login.
DenyUsers root
PermitRootLogin no
??????
Profit. You're done. Really.
If you want full paranoia mode belt-and-braces so your pants don't fall down, install fail2ban, but if you have done the above, you don't really need it.
The logs go silent and they have to do a full portscan to even find ssh. Brute force ssh bots are fire and forget. The bots move along to the next guy whose sshd is on 22.
--
BMO
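The settings BMO lists above (non-default port, no password authentication, protocol 2, no root login) live in /etc/ssh/sshd_config. The script below is an added example for this page, not BMO's own code: it audits a config file for those four settings using constructed sample files and hypothetical function names. It models two sshd behaviours that trip people up when checking by eye: sshd uses the first value it finds for a keyword, so a hardened line added below an older weak one is ignored, and anything after a Match line is conditional rather than global.

```python
"""Audit an sshd_config for the hardening settings discussed in the thread.
Added example; sample configs are constructed, not taken from a real host."""
import re

WEAK_CONFIG = """\
# constructed sample: everything the post warns about
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 3898
Protocol 2
PermitRootLogin no
DenyUsers root
PasswordAuthentication no
# the next line is ignored by sshd: the first value of a keyword wins
PasswordAuthentication yes
"""

# Keyword and value may be separated by whitespace or by '='.
LINE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    Two sshd rules matter for an audit: the FIRST value given for a keyword
    is the one used, and everything after a 'Match' line is conditional, so
    the global audit stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


# Built-in defaults that apply when a keyword is absent. OpenSSH 7.4 and
# later only speak protocol 2, so a missing Protocol line is fine there.
DEFAULTS = {"port": "22", "passwordauthentication": "yes", "protocol": "2"}

# (keyword, predicate that must hold on the effective value, finding text)
CHECKS = [
    ("port", lambda v: v != "22", "sshd listens on port 22, the port every bot scans"),
    ("passwordauthentication", lambda v: v.lower() == "no", "password logins allowed; use keys only"),
    ("permitrootlogin", lambda v: v.lower() == "no", "root may log in directly over ssh"),
    ("protocol", lambda v: v == "2", "legacy SSH protocol 1 is enabled"),
]


def audit_sshd_config(text):
    """Return [(keyword, finding)] for every check that fails."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok, msg in CHECKS:
        value = cfg.get(key, DEFAULTS.get(key))
        if value is None:
            # PermitRootLogin's default changed across OpenSSH releases;
            # insist that it is set explicitly.
            findings.append((key, f"{key} not set; version-dependent default applies"))
        elif not ok(value):
            findings.append((key, msg))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

To run it against a live host, read /etc/ssh/sshd_config into `audit_sshd_config`; `sshd -T` prints the effective settings after all parsing and is the authoritative cross-check.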
Port 22 is constantly attacked, but if you listen on port 45022 or pretty much any other port, except 22, nobody will bother. Don't change this on the server, let your router do it. Every router I've seen can, .... except some Netgears.
The other thing is to use fail2ban to firewall any failed attempts after 3 tries. Further, only allow key-based logins and prevent remote root ssh access completely. These are pretty basic ideas.
10 yrs using ssh? Seems that after 6 months, you'd learn about these things. You might want to check into the ~/.ssh/config file too.
There's a wikibooks book on ssh worth skimming. https://en.wikibooks.org/wiki/Wikibooks:Collections/OpenSSH ssh is one of those simple things that goes very deep. We just need to learn a little more.
Post the IP address of the would-be attackers on 4chan and enjoy the lulz.
Every time your firewall log has a line for a connection attempt, check your systems using external consultants with rates of $300 an hour and sue.
The consequences will never be the same!
Yep. It's still funny. ... I wonder where he is today.
You do not need to care about script kiddies and such nuisances...
Just ignore them - if they can get in, their actions will be logged; fix the broken service and you are done.
If they can get root privs, you failed somewhere.
Consider them like a free security/penetration check.
abuse@scriptkiddysisp.com
Be professional.
Be detailed.
Be willing to call a lawyer and have them contact the ISP if needed.
And if that all fails, go to their host or their upstream provider.
SOMEONE will care if you yell loud enough.
That's the equivalent of asking where you report someone who ding-dong-ditched your house, right?
The Kruger Dunning explains most posts on
Just hunt them down and kill them yourself. They grow up to create viruses and other crap they should die for. Be proactive!
We provide instructions to our users to help them setup and manage their SSH servers: https://it.wiki.usu.edu/ssh_description
We detect, document, block and report SSH portscans and SSH password guessing. We also have several SSH honeypots set up to collect lists of attack credentials. We check the honeypots to see if a USU credential has been exposed. A while ago, the FBI came by and asked about 9 IP addresses used in a hostile government sponsored attack. We were able to document that they had been detected and blocked. We were also able to provide the credentials that the attackers used.
When we first started reporting attacks, the response was very poor. But now, about 1/3 of the abuse reports (to non-Chinese sources) result in confirmed, remote resolution. Now, almost all ISPs, CERTs, and large organizations are eager to receive a polite, accurate, and detailed abuse report. It is the easiest (and most common) way to learn that you have a compromised system.
As you have noticed, the hardest part is determining the proper point of contact. Most of the time, we can find one by carefully searching the whois and DNS information.
Our rationale for documenting and reporting attacks is given at: https://it.wiki.usu.edu/SingSingRational It includes:
USU IT Security attempts to document all attacking IPs on Singsing. This accomplishes 3 primary goals:
Lately (March 2012), at least 1/3 of the abuse reports (to non-Chinese sources) appear to result in remote resolution.
In addition, documenting/blocking/reporting has important secondary benefits:
Finally, we are convinced that reporting of compromise/attack is one of the few pathways that can lead to a more secure internet.
Miles
This happens on the internet...... get a hold of yourself. You want somewhere to report a failed login attempt?
Don't be so uptight man.... no one needs an internet police.
isc.sans.org
I watch my daily security logs from time to time, but the only remote login attempts I see are my own. I can attribute this to several layers of security:
I won't claim that it's perfect protection, but one of the best things you can do to secure a system is to shut out all access by default and then only open tiny pinholes for the specific connections you need.
I kept seeing my logs grow due to attempts on my port 22. So I just picked a nonstandard port, and voila, no more attacks.
I currently have 2 Linux servers out in the open, both behind the same router, in a nice cooled server room. One has its port 22 opened up, the other's ssh is reachable through some obscure port number. The first sometimes sees dozens of different IP addresses per day trying to get in, the other sees maybe one per month (or less). Also, I'm using denyhosts on both, denying all access for an IP for many weeks if they fail access in more than 3 trials. It's been working quite nicely for years now.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
They'll arrest you on account of wiretapping.
Seriously, just install fail2ban, use decent passwords, and you'll be fine. Security by obscurity is a big fail.
--- wad
I use this script on one production server we have that allows people to post webpages via sftp. http://denyhosts.sourceforge.net/ It scans the ssh log, if someone has gotten the password wrong 5 times (or even attempted to get in as root) they are banned for two weeks. Best of all, though, and more to what you were asking, it syncs these banned users with a database of banned users other folks have collected in the same way, making for some sort of registration of the idiots.
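Several posts in the thread (the production-machine auto-blocker and the DenyHosts reply near the top, the "firewall after 3 tries" advice, and the "5 wrong passwords or any root attempt" rule in the post just above) describe the same core logic: count failed sshd logins per source address and block the address once it crosses a threshold. The code below is an added example for this page, not DenyHosts or fail2ban; the log lines are constructed, the thresholds are parameters, and it only returns the ban decisions (plus the hosts.deny lines DenyHosts would write) rather than touching the firewall. The sliding window is the detail worth noticing: a legitimate user who mistypes once an hour never accumulates enough failures to be locked out, while a bot hammering one password per second does in seconds.

```python
"""DenyHosts/fail2ban-style ban decisions over sshd auth log lines.
Added example; the log excerpt is constructed, not from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Mar  3 01:02:03 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 01:02:05 host sshd[1002]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Mar  3 01:02:08 host sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 51250 ssh2
Mar  3 01:02:10 host sshd[1004]: Failed password for invalid user guest from 198.51.100.7 port 51260 ssh2
Mar  3 01:02:12 host sshd[1005]: Failed password for invalid user pi from 198.51.100.7 port 51270 ssh2
Mar  3 01:03:00 host sshd[1006]: Failed password for root from 203.0.113.9 port 40000 ssh2
Mar  3 01:05:00 host sshd[1007]: Failed password for alice from 192.0.2.44 port 40010 ssh2
Mar  3 01:05:30 host sshd[1008]: Accepted publickey for alice from 192.0.2.44 port 40011 ssh2
Mar  3 01:10:00 host sshd[1009]: Failed password for invalid user admin from 192.0.2.44 port 40020 ssh2
"""

# Matches the classic syslog-format sshd failure line (with or without
# "invalid user"); accepted logins and other daemons do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2012):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def ban_decisions(text, max_fail=5, window=timedelta(minutes=10), ban_root_immediately=True):
    """Return {ip: reason} for every source that should be blocked.

    Failures are counted per source inside a sliding window, so isolated
    typos by a real user never add up; any attempt as root is banned on
    sight because nobody legitimate should be doing that over ssh."""
    recent = defaultdict(list)
    banned = {}
    for ts, user, ip in parse_failures(text):
        if ip in banned:
            continue
        if ban_root_immediately and user == "root":
            banned[ip] = "attempted root login"
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= max_fail:
            banned[ip] = f"{len(hits)} failed passwords within {window}"
    return banned


def hosts_deny_lines(banned):
    """Render the decisions as the TCP-wrappers entries DenyHosts writes."""
    return [f"sshd: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    decisions = ban_decisions(SAMPLE_AUTH_LOG)
    for ip, why in decisions.items():
        print(f"{ip}: {why}")
    print("\n".join(hosts_deny_lines(decisions)))
```

With the sample log, the brute-forcing source and the root-probing source are banned while the user with two scattered failures is not; tightening `max_fail` to 3, as one post suggests, still leaves that user alone because the failures are spread out. Real deployments also need an unban timer and a whitelist for your own addresses, both of which DenyHosts and fail2ban provide.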