Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?
First time accepted submitter tomscott writes "So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.
I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.
Well.. maybe. Or Maybe not. But Definitely not sort of.
The attackers are most likely using other infested machines.
There's nothing anyone can legally do with that information. Weak attempts at breaking in and port scanning are just background noise.
Backtrace them and report them to the cyber police!
As long as you use key-only authentication you should be fine. I wouldn't leave password-only access open to the internet. Having said that, your best bet is to slowly stall connections in order to waste the other guy's resources. Any system with pf and probably ipf have allowances for that, along with logging and blocking the most abusive IPs altogether.
"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.
---- join dshield.org Distributed Intrusion Detec
I think (I have no actual numbers) most of those are compromised boxes running distributed attack scripts. It makes sense to run the C&C and let your zombies do the work; that way it doesn't get tracked back to you.
That was the case I saw twice on two boxes I had - one fell to a BIND exploit, and rather than reboot, I investigated why DNS stopped working. I uncovered an IRC C&C (with over 60 clients) and went about informing people (by the IPs of the IRC clients) about what had happened. Most rebooted and never noticed a thing. All were happy to hear I was letting them know what happened.
Based on that you're more likely to report innocent people whose only crime is being unpatched.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
http://www.dhs.gov/how-do-i/report-cyber-incidents
It's been years, but a few times I found the organization sending traffic and sent an email to abuse@
the domain name and had positive results.
You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.
Regards,
Sam
Have you considered running DenyHosts on your machine? That might help filter out some repeat offenders.
Great Motherland of Scripted Attacks, the PRC.
Professional Rodeo Clowns? I know they're scary, but I never knew they were so evil. Or that they had a motherland, although it makes sense. They're clearly not of this world.
The answer depends on what you do hope to achieve by reporting.
If you hope the people to stop:
In case the origin is a company within your country, contacting them may do you some good. They will pull the plug on their malware-infested machine. The attacker will use others.
In all other cases the only chance to have any kind of effect is to report dramatic damages to the law enforcement. Other than that, nobody cares enough ;-). Even with dramatic damages, the chances for any effect are slim to none.
IMHO: In 90+% of all cases the answer is /dev/null, the economically best answer.
. . . the FBI are the ones trying to break into your system.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Most of the time - at least from my experience - the attacks are coming either from systems that are in foreign countries that don't give a shit about you and your system, or they are distributed attacks that would require you to contact dozens (or more) of ISPs.
The one exception I make is if it comes from an American IP address. Most American ISPs do a pretty good job of tracking who is using what IP address and can do something about it. Generally, they won't do much - and they seldom tell you what they do - but they'll at least look at it. And of course if it is from a university in the US, they'll usually track it to a college freshman who either thinks he's clever or is running a compromised windows PC.
But in general, your complaints will fall on deaf ears. Just keep checking your logs periodically to make sure nobody succeeds and that you are making the right responses to new methods. You could set up a tarpit if you like...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
you're not going to make a dent. Most reports are simply ignored, and for every attacker you see, there are thousands more who simply haven't gotten to you yet.
Make sure you have good passwords, know what ports are exposed, and run something like fail2ban.
"National Security is the chief cause of national insecurity." - Celine's First Law
I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.
To the question at hand, if you can identify the ip address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the ip is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the ip into RIPE or APNIC's whois database and report accordingly.
Fifty watts per channel, baby cakes.
Most UNIX systems automatically subscribe to the Network Users List of Lamers. Just write up your complaint to a text file, then send the complaint to NULL, using the command 'cat $REPORT > /dev/null'
Join and contribute ssh/firewall logs to DShield or another collaboration system so that others can benefit from the information you are collecting.
http://dshield.org/howto.html
If you want to report unwanted activity against your network your ISP may be able to help. Try opening a ticket with their Abuse team.
<script>alert("I never liked JavaScript, really; it just seemed a bad idea.");</script>
Really, no government agency is going to give a red cent about some 14 year old running scripts against your machines unless you're a major contributor or hold government office.
Where to report script kiddies...
Their mothers. Duh.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I run some canned attacks on the offending IP if I'm bored (and not at work). Worth a shot.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Try psad. I've been running it for years, in addition to selinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to D-Shield.org and ISC (internet storm center), and you can script attack responses with your normal shell. *very* highly recommended.
I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.
http://cipherdyne.org/psad/
C|N>K
Worked well when we used it. Email to the network owner, log excerpts, etc; they found machine and fixed it. One was in Italy at some university, they were really cool, emailed us back and everything. Didn't work all the time, but you would be amazed how well a nice note to the network folks works. They don't want to pollute the net; they are much like you in that way.
andy
Long answer: Even if you did report them to someone, no action whatsoever will come out of it. Face it, as long as people are not responsible for their traffic (unless, of course, said traffic constitutes a copyright infringement) nothing will happen.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not that other countries' agencies are any better. We had big trouble with a guy in New Zealand disrupting services, phishing accounts etc. We managed to start an investigation (or so they said) by phone but it took several hours and help from the CERT team in Australia. After a month nothing had happened, and I was there on vacation. I spent a day on the phone trying to find somebody who knew about the case, but even with the reference number they could not do anything. CERT Australia tried for a few days, and finally gave up.
We had a guy in the Netherlands who phished hundreds of accounts, and still nobody down there would pick up the ball. Then he and a friend found a hole in a third party system and managed to suck out data for hundreds of (Dutch) people. The web frontend was in Germany and the third party application in the US (a lot more US citizens' data was also stolen). Dutch police said they won't do anything because the data was abroad. German police said they won't do anything because the guy is in the Netherlands. The FBI said they'll look into it, but never did anything despite us trying to get back to all of them countless times. We found both hackers' identities and had the second guy on the phone, admitting everything and promising he'd testify... Still nobody was interested.
You have to work in a big corporation to get the authorities to do anything. They don't care if somebody phishes thousands of accounts unless it's in the news or a corporation they recognize. It's almost as if they want all the script kiddies to be able to practice in peace until they really learn how to cover up their tracks and move to juicier targets if they won't take a case when it's handed to them on a platter with clear logs and a confession. It does work a lot better when the hacker is in the same country as you and you are working with a local law enforcement agency though. I also had good experiences with the Metropolitan Police in the UK.
They really don't care unless you can show significant damages. For $500, they will just ignore you. For $5000 in documented damages they'll take a report and file it somewhere never to be seen again. For $50k they'll actually keep your information around in case they can use you as a part of a larger case. For $500k they may take you seriously.
Citation: my own experience calling the feds when cleaning up messes.
Who to complain to: complain to the upstream. You have the IP address. Do an nslookup and traceroute and write to abuse@foo.com. However, if it's just the standard "checking default passwords" deal, then it's a botnet and you shouldn't bother.
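Several posts above (the Network Solutions/RIPE/APNIC whois advice and the abuse@ advice here) come down to the same chore: finding the abuse mailbox for the netblock an address belongs to. The helper below is an added example, not code from any poster; it reads whois output on stdin and pulls out the RIPE/APNIC "abuse-mailbox:" field, ARIN's "OrgAbuseEmail:" field and the "% Abuse contact for ..." remark RIPE prints at the top. The whois text it is run against is constructed (TEST-NET addresses, .example domains) and deliberately mixes the RIPE and ARIN field names so both code paths are exercised; real output will use one or the other.

```shell
#!/bin/sh
# Added example, not from the thread: extract abuse contacts from whois output.
# Usage against a live registry:  whois 203.0.113.7 | abuse_contacts_from_whois
# Look the address up in the RIR database (RIPE, ARIN, APNIC, ...), not its PTR
# record: reverse DNS is set by whoever holds the address and proves nothing.

abuse_contacts_from_whois() {
    # One lower-cased address per line, duplicates removed.
    awk '
        # RIPE/APNIC object field and ARIN object field
        tolower($1) == "abuse-mailbox:" || tolower($1) == "orgabuseemail:" {
            print tolower($2)
        }
        # RIPE prints a remark such as:
        #   % Abuse contact for '"'"'203.0.113.0 - 203.0.113.255'"'"' is '"'"'abuse@isp.example'"'"'
        /^%.*[Aa]buse contact for/ {
            if (match($0, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/))
                print tolower(substr($0, RSTART, RLENGTH))
        }
    ' | sort -u
}

# Constructed whois output (documentation ranges, .example domains). It mixes
# RIPE and ARIN field names on purpose so both branches above get exercised.
SAMPLE_WHOIS=$(cat <<'EOF'
% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@isp.example'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        ISP-EXAMPLE-NET
descr:          Constructed sample, TEST-NET-3 range
country:        NL
admin-c:        XX123-RIPE
abuse-mailbox:  abuse@isp.example
OrgAbuseEmail:  Abuse@Transit.Example
source:         RIPE
EOF
)

# Prints the contacts found in the constructed sample.
sample_abuse_contacts() {
    printf '%s\n' "$SAMPLE_WHOIS" | abuse_contacts_from_whois
}

sample_abuse_contacts
```

The remark line and the abuse-mailbox field usually carry the same address, which is why the output is deduplicated; when the netblock has been sub-allocated you may need to query the more specific inetnum/NetRange object to reach the actual operator rather than the transit provider.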
Here's what you do in sshd.conf
Take sshd off port 22 and put it on a high port above 1024. I use HF radio frequencies to remember.
Port 3898 (or whatever)
Turn off password authentication. You should be using keys.
PasswordAuthentication no
Use protocol 2
Protocol 2
Turn off root login.
DenyUsers root
PermitRootLogin no
??????
Profit. You're done. Really.
If you want full paranoia mode belt-and-braces so your pants don't fall down, install fail2ban, but if you have done the above, you don't really need it.
The logs go silent and they have to do a full portscan to even find ssh. Brute force ssh bots are fire and forget. The bots move along to the next guy whose sshd is on 22.
--
BMO
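BMO's checklist is a configuration procedure, so here is an added example (not BMO's code) that audits an sshd_config against exactly those four points: a non-default port, PasswordAuthentication no, PermitRootLogin no and Protocol 2. It reads the file the way sshd does (first occurrence of a directive wins, comments ignored) and reports each setting that still matches the default. The two sample configs are constructed; the real file is normally /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# hardening steps in the post above.  Usage: audit_sshd_config /etc/ssh/sshd_config

# Effective value of a directive.  sshd uses the first match, so we stop
# there; comments are skipped and the value is lower-cased for comparison.
# Prints nothing when the directive is unset.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Prints one "WEAK:" line per finding, then "weak_settings=N" as the last line.
audit_sshd_config() {
    cfg=$1
    weak=0
    # Moving off 22 only cuts the noise, it is not an access control.
    case "$(sshd_directive "$cfg" Port)" in
        ""|22) echo "WEAK: Port is 22 (default, attracts brute-force noise)"; weak=$((weak + 1)) ;;
    esac
    [ "$(sshd_directive "$cfg" PasswordAuthentication)" = no ] || {
        echo "WEAK: PasswordAuthentication is not 'no' (password guessing possible)"; weak=$((weak + 1)); }
    # Modern OpenSSH defaults to prohibit-password; the post asks for an outright 'no'.
    [ "$(sshd_directive "$cfg" PermitRootLogin)" = no ] || {
        echo "WEAK: PermitRootLogin is not 'no'"; weak=$((weak + 1)); }
    # Unset is acceptable on OpenSSH 7.0+, which removed SSH-1 entirely.
    case "$(sshd_directive "$cfg" Protocol)" in
        ""|2) ;;
        *) echo "WEAK: Protocol permits SSH-1"; weak=$((weak + 1)) ;;
    esac
    echo "weak_settings=$weak"
}

# Constructed sample configs so the audit can be tried offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak" <<'EOF'
# Port 2222   <- commented out, so the default 22 applies
PasswordAuthentication yes
PermitRootLogin yes
Protocol 2,1
EOF
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 3898
Protocol 2
PasswordAuthentication no
PermitRootLogin no
DenyUsers root
EOF

audit_sshd_config "$SAMPLE_DIR/weak"
audit_sshd_config "$SAMPLE_DIR/hardened"
```

Run it before and after editing the file, then `sshd -t` to syntax-check and reload; keep an existing session open while you do, since a typo in PasswordAuthentication or Port locks you out along with the bots.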
You do not need to care about script kiddies and such nuisances...
Just ignore them - if they can get in, their actions will be logged; fix the broken service and you are done.
If they can get root privs, you failed somewhere.
Consider them like a free security/penetration check.
That's the equivalent of asking where you report someone who ding-dong-ditched your house, right?
The Kruger Dunning explains most post on
We provide instructions to our users to help them setup and manage their SSH servers: https://it.wiki.usu.edu/ssh_description
We detect, document, block and report SSH portscans and SSH password guessing. We also have several SSH honeypots set up to collect lists of attack credentials. We check the honeypots to see if a USU credential has been exposed. A while ago, the FBI came by and asked about 9 IP addresses used in a hostile government-sponsored attack. We were able to document that they had been detected and blocked. We were also able to provide the credentials that the attackers used.
When we first started reporting attacks, the response was very poor. But now, about 1/3 of the abuse reports (to non-Chinese sources) result in confirmed, remote resolution. Now, almost all ISPs, CERTs, and large organizations are eager to receive a polite, accurate, and detailed abuse report. It is the easiest (and most common) way to learn that you have a compromised system.
As you have noticed, the hardest part is determining the proper point of contact. Most of the time, we can find one by carefully searching the whois and DNS information.
Our rationale for documenting and reporting attacks is given at: https://it.wiki.usu.edu/SingSingRational It includes:
USU IT Security attempts to document all attacking IPs on Singsing. This accomplishes 3 primary goals:
Lately (March 2012), at least 1/3 of the abuse reports (to non-Chinese sources) appear to result in remote resolution.
In addition, documenting/blocking/reporting has important secondary benefits:
Finally, we are convinced that reporting of compromise/attack is one of the few pathways that can lead to a more secure internet.
Miles
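Miles's "detect, document, block and report" workflow, and the earlier advice to keep checking your logs so nobody succeeds, both start from the same raw material: sshd's auth log. The example below is added here and is not USU's or any poster's code; it summarises "Failed password" lines per source address (count, first and last timestamp, usernames tried), which is the minimum a polite, accurate abuse report needs, and separately flags any address that was accepted after it had been failing, which is the success-after-guessing signal you actually want to catch. The log lines are constructed (TEST-NET addresses, hostname "gw"); the format follows OpenSSH's syslog output.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SSH password-guessing per
# source IP from an auth log, and flag logins that succeeded after failures.
# Usage:  failed_ssh_logins_by_ip [min_attempts] < /var/log/auth.log
#         successes_after_failures < /var/log/auth.log

# Tab-separated: ip, attempts, first seen, last seen, usernames tried.
# Sorted by attempt count, descending; rows below min_attempts are dropped.
failed_ssh_logins_by_ip() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ts = $1 " " $2 " " $3            # syslog timestamp, no year
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") ip = $(i + 1)
                # "for root from" vs "for invalid user admin from"
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            }
            if (ip == "") next
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                users[ip] = (users[ip] == "") ? user : users[ip] "," user
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%s\t%d\t%s\t%s\t%s\n", ip, count[ip], first[ip], last[ip], users[ip]
        }
    ' | sort -k2,2nr
}

# Prints every "Accepted ..." line whose source IP had failed earlier in the
# log: the one pattern that means a guess worked and needs a look right now.
successes_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && ($(i + 1) in failed)) print
        }
    '
}

# Constructed sample log: two guessing sources and one legitimate key login.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 12 10:15:01 gw sshd[2041]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 10:15:03 gw sshd[2041]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 12 10:15:04 gw sshd[2044]: Invalid user admin from 198.51.100.23 port 40022
Mar 12 10:15:04 gw sshd[2044]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Mar 12 10:15:09 gw sshd[2047]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 12 10:16:30 gw sshd[2050]: Accepted publickey for tom from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:CONSTRUCTED
Mar 12 10:17:02 gw sshd[2052]: Failed password for root from 203.0.113.7 port 51250 ssh2
EOF
)

# Constructed variant where the guessing source eventually got in.
SAMPLE_AUTH_LOG_BREACH=$(printf '%s\n%s' "$SAMPLE_AUTH_LOG" \
    "Mar 12 10:18:40 gw sshd[2060]: Accepted password for oracle from 203.0.113.7 port 51260 ssh2")

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG_BREACH" | successes_after_failures
```

When you send the summary to an abuse contact, add the year and the time zone the log is in (syslog omits both) and include a few verbatim lines; an operator can match those against their own records, a bare count cannot be acted on.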