Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?

Posted by timothy on from the needs-a-good-whippin' dept.

First time accepted submitter tomscott writes "So I've been using using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.

18 of 241 comments (clear)

  1. Not like most linux users! by Bill,+Shooter+of+Bul · · Score: 3, Informative

    I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:Not like most linux users! by Anonymous Coward · · Score: 4, Informative

      I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.

      Just configure SSHD to accept only SSH Keys (no password login) and 99% of the problem is solved.

    2. Re:Not like most linux users! by TheLink · · Score: 5, Informative

      Most kiddes out there seemingly don't know about more sophisticated scripts that can identify services on non default ports.

      I doubt they care, there are enough exploitable targets. The automated scripts scan _many_ IPs for a few ports. Having them scan more ports would take longer and slow the spread.

      Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.

      The other advantage is if you use an obscure port, if someone does try it and brute force etc, you can consider it more seriously - someone might actually be trying to hack you specifically.

      --
    3. Re:Not like most linux users! by Githaron · · Score: 1, Informative

      Also, port knocking can help defeat rudimentary scans for open ports.

    4. Re:Not like most linux users! by Spazmania · · Score: 3, Informative

      Port knocking is less useful now that many corporate environments restrict outbound tcp ports.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    5. Re:Not like most linux users! by Anonymous Coward · · Score: 3, Informative

      "t's a case of only having to outrun your neighbour and not the bear."

      Grizzlies alone can run up to an hour at 30MPH, no way in hell any human outrun a bear. Just needed to point that one out.

    6. Re:Not like most linux users! by Midnight_Falcon · · Score: 4, Informative
      fail2ban + SSH-key only access FTW

      Why?

      Fail2ban will block these bots (usually, ssh bruteforce attacks are the result of worms rather than actual script kiddies manually running them) from sshing into your system after a few failed attempts.
      SSH-key only access will increase security by an order of magnitude. A bruteforce against a public-key only SSH server is untenable. Their script likely doesn't even support ssh keys and will just get kicked out with a protocol mismatch error. These attempts are meant to get in via password authentication, default credentials or weak passwords.

      If you have SSH on any port exposed to the internet w/o fail2ban and/or ssh-key only access, you're asking for trouble. I've seen it happen on numbers of boxes with strong passwords for users -- eventually, they get in...

    7. Re:Not like most linux users! by X0563511 · · Score: 3, Informative

      Put something like denyhosts or fail2ban on top of that and you're even more safe.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    8. Re:Not like most linux users! by JustOK · · Score: 2, Informative

      Security thru absurdity is just crazy enough to work

      --
      rewriting history since 2109
  2. From my understanding by chemicaldave · · Score: 5, Informative

    There's nothing anyone can legally do with that information. Weak attempts at breaking in and port scanning are just background noise.

  3. Use key-based security by eudaemon · · Score: 4, Informative

    As long as you use key-only authentication you should be fine. I wouldn't leave password-only access open to the internet. Having said that, your best bet is to slowly stall connections in order to waste the other guy's resources. Any system with pf and probably ipf have allowances for that, along with logging and blocking the most abusive IPs altogether.

  4. Report it to DShield.org by UnderAttack · · Score: 5, Informative

    "Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.

    --
    ---- join dshield.org Distributed Intrusion Detec
  5. You can report them to DHS by Anonymous Coward · · Score: 3, Informative

    http://www.dhs.gov/how-do-i/report-cyber-incidents

  6. abuse@organizationname.com by Sam+Nitzberg · · Score: 3, Informative

    It's been years, but a few times I found the organization sending traffic and sent an email to abuse@
    the domain name and had positive results.

    You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.

    Regards,

    Sam

  7. Waste of time... by msauve · · Score: 4, Informative

    you're not going to make a dent. Most reports are simply ignored, and for every attacker you see, there are thousands more who simply haven't gotten to you yet.

    Make sure you have good passwords, know what ports are exposed, and run something like fail2ban.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  8. This is what I was going to post... by logicassasin · · Score: 3, Informative

    I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.

    To the question at hand, if you can identify the ip address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the ip is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the ip into RIPE or APNIC's whois database and report accordingly.

    --
    Fifty watts per channel, baby cakes.
  9. Try this by inode_buddha · · Score: 4, Informative

    Try psad. I've been running it for years, in addition to selinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to D-Shield.org and ISC (internet storm center), and you can script attack responses with your normal shell. *very* highly recommended.

    I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.

    http://cipherdyne.org/psad/

    --
    C|N>K
  10. Almost nobody cares by dropadrop · · Score: 4, Informative
    The FBI don't care. We've had cases where somebody has phished hundreds of accounts and we've had clear logs to show how they have been profiting from it financially, but can't manage to get them to do anything. A few years ago we did have a contact there who did something, but he was moved to some other agency...

    Not that other countries agencies are any better. We had big trouble with a guy in New Zealand disrupting services, phishing accounts etc. We managed to start an investigation (or so they said) by phone but it took several hours and help from the CERT team in Australia. After a month nothing had happened, and I was there on vacation. I spent a day on the phone trying to find somebody who knew about the case, but even with the reference number they could not do anything. CERT Australia tried for a few days, and finally gave up.

    We had a guy in the Netherlands who phished hundreds of accounts, and still nobody down there would pick the ball. Then he and a friend found a hole in a third party system and managed to suck out data for hundreds of (dutch) people. The web frontend was in Germany and the third party application in the US (A lot more US citizens data was also stolen). Dutch police said they won't do anything because the data was abroad. German police said they won't do anything because the guy is in the Netherlands. The FBI said they'll look into it, but never did anything despite us trying to get back to all of them countless times. We found both hackers identities and had the second guy on the phone, admitting everything and promising he'd testify... Still nobody was interested.

    You have to work in a big corporation to get the authorities to do anything. They don't care if somebody phishes thousands of accounts unless it's in the news or a corporation they recognize. It's almost as if they want all the script kiddies to be able to practice in peace until they really learn how to cover up their tracks and move to juicier targets if they won't take a case when it's handed to them on a platter with clear logs and a confession. It does work a lot better when the hacker is in the same country as you and you are working with a local law enforcement agency though. I also had good experiences with the Metropolitan Police in the UK.