Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?

← Back to Stories (view on slashdot.org)

Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?

Posted by timothy on Thursday August 30, 2012 @06:39AM from the needs-a-good-whippin' dept.

First time accepted submitter tomscott writes "So I've been using using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.

39 of 241 comments (clear)

Min score:

Reason:

Sort:

Not like most linux users! by Bill,+Shooter+of+Bul · 2012-08-30 06:42 · Score: 3, Informative

I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.

--
Well.. maybe. Or Maybe not. But Definitely not sort of.
1. Re:Not like most linux users! by Anonymous Coward · 2012-08-30 06:44 · Score: 5, Insightful
  
  And which protocol/port does your VPN listen on?
  Because that's just asking for abuse...
  Captcha: insults
2. Re:Not like most linux users! by Bill,+Shooter+of+Bul · 2012-08-30 06:50 · Score: 4, Insightful
  
  Wouldn't you like to know...
  Seriously, don't use the default port for any service you don't have to. It will drastically drop the number of attempts. Most kiddes out there seemingly don't know about more sophisticated scripts that can identify services on non default ports.
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
3. Re:Not like most linux users! by Anonymous Coward · 2012-08-30 06:56 · Score: 4, Funny
  
  Yes, security through obscurity is the best method.
4. Re:Not like most linux users! by fearlezz · 2012-08-30 06:58 · Score: 3, Insightful
  
  Run OpenVPN on any udp port using the tls-auth option to drop unsigned packages. Use iptables to drop all other 65534 ports. Good luck finding out which port is the VPN server.
  
  --
  .sig: No such file or directory
5. Re:Not like most linux users! by Anonymous Coward · 2012-08-30 06:58 · Score: 4, Informative
  
  I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.
  Just configure SSHD to accept only SSH Keys (no password login) and 99% of the problem is solved.
6. Re:Not like most linux users! by TheLink · 2012-08-30 07:01 · Score: 5, Informative
  
  Most kiddes out there seemingly don't know about more sophisticated scripts that can identify services on non default ports.
  I doubt they care, there are enough exploitable targets. The automated scripts scan _many_ IPs for a few ports. Having them scan more ports would take longer and slow the spread.
  Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.
  The other advantage is if you use an obscure port, if someone does try it and brute force etc, you can consider it more seriously - someone might actually be trying to hack you specifically.
  --
  
  Too many replies beneath your current threshold
7. Re:Not like most linux users! by localman57 · 2012-08-30 07:01 · Score: 4, Insightful
  
  Obscurity can be a layer in layered security plan. As long as the other layers aren't compromised by it in any way, it can't do any harm, and could do some good. But the other layers need to be trusted on their own. A good safe can withstand an attack for a rated amount of time even if the theives have the blueprints of the safe. But that doesn't mean you don't guard the blueprints to the safe.
8. Re:Not like most linux users! by Desler · 2012-08-30 07:15 · Score: 5, Interesting
  
  Most idiots just parrot the 'security through obscurity' thinking it's some compelling argument when it's really not. If the basis of your security is entirely reliant on the obscurity of your algorithms, etc. being private then it is bad. But using some level of secrecy as a first line of defense can be quite useful in preventing attacks.
  Even Bruce Schneier does not take the black-and-white stance that the Internet 'experts' do. He is actually quite pragmatic about acknowledging that there is a continuum of secrecy requirements based on the system at hand, but mentions that relying too much on secrecy makes the security of the system more fragile. These Internet 'experts' need to actual read what people like Bruce say rather than just repeating stupid sound bite pieces.
9. Re:Not like most linux users! by SecurityGuy · 2012-08-30 07:16 · Score: 4, Insightful
  
  Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.
  No, it's not at all alike because the bear is going to eat one of you: whichever one it catches first. The script isn't going to compromise one box, it's going to compromise every single one that's vulnerable to whatever exploit(s) it's using in the IP ranges it's scanning.
  To put it another way, it's not the bullet with your name on it you have to worry about. It's the 20,000 or so odd rounds labelled "Occupant".
10. Re:Not like most linux users! by Desler · 2012-08-30 07:19 · Score: 4, Funny
  
  Nuh uh!!! He parroted the 'security through obscurity' soundbite and automatically wins the debate!! Just like saying 'correlation is not causation' soundbite. He fucking pwned j00!!!
  On the other hand, in the real world like you mention secrecy can be a good line of defense as long as it is not the only line of defense.
11. Re:Not like most linux users! by MrSenile · 2012-08-30 07:20 · Score: 3, Interesting
  
  Leaving port 22 open is just asking for abuse.
  Not really, no. If you lock down SSH sufficiently, then it's pretty much bulletproof.
  
  1. Lock down specific users@ip to be able to ssh in.
  2. Enforce privilege separation and all the other paranoid protection in the sshd_config.
  3. Put in some type of brute force protection like fail2ban.
  4. Enforce non-dictionary passwords.
  
  Problem solved.
12. Re:Not like most linux users! by Desler · 2012-08-30 07:28 · Score: 3, Insightful
  
  In Bruce Schneier's own words:
  
  Just because security does not require something be kept secret, it doesn't mean that it is automatically smart to publicize it.
  You might want to actually read and digest the first article on that page before spouting off again.
13. Re:Not like most linux users! by Spazmania · 2012-08-30 07:29 · Score: 3, Informative
  
  Port knocking is less useful now that many corporate environments restrict outbound tcp ports.
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
14. Re:Not like most linux users! by dmomo · 2012-08-30 07:32 · Score: 3, Insightful
  
  This. I mean, you could argue that even passwords are, in a way, security through obscurity.
15. Re:Not like most linux users! by Anonymous Coward · 2012-08-30 07:38 · Score: 3, Informative
  
  "t's a case of only having to outrun your neighbour and not the bear."
  Grizzlies alone can run up to an hour at 30MPH, no way in hell any human outrun a bear. Just needed to point that one out.
16. Re:Not like most linux users! by tnk1 · 2012-08-30 07:38 · Score: 4, Insightful
  
  No one is owned until Godwin comes out. Only Hitler would say differently.
  And yes, "security through obscurity" is a layer in a sound defensive strategy. If no one knows you are there, they don't know to start trying to attack you. If anything, it shrinks the size of your logs.
  Unfortunately, if an attacker is looking for you and already knows your service is there, you'd better have a more reliable defensive plan available.
17. Re:Not like most linux users! by Desler · 2012-08-30 07:40 · Score: 5, Interesting
  
  Duh? In this case, since he is being port scanned by what is most likely Chinese script kiddies moving the port will stop probably 99% of them. No one said such things will prevent any possible intrusion, but it's an easy and cheap way to prevent the vast majority and causes no compromising to the underlying system. For the determined people who get arou d that you layer on top other defenses such as ony allowing a certain amount of attempts before locking out/banning, only allowing retries after some certain length of time, etc. If all these fail, you still haven't compromised the underlying system but you've severely limited the amount of people who would be successful in attacking you.
18. Re:Not like most linux users! by Midnight_Falcon · 2012-08-30 07:46 · Score: 4, Informative
  
  fail2ban + SSH-key only access FTW
  Why?
  Fail2ban will block these bots (usually, ssh bruteforce attacks are the result of worms rather than actual script kiddies manually running them) from sshing into your system after a few failed attempts.
  SSH-key only access will increase security by an order of magnitude. A bruteforce against a public-key only SSH server is untenable. Their script likely doesn't even support ssh keys and will just get kicked out with a protocol mismatch error. These attempts are meant to get in via password authentication, default credentials or weak passwords.
  If you have SSH on any port exposed to the internet w/o fail2ban and/or ssh-key only access, you're asking for trouble. I've seen it happen on numbers of boxes with strong passwords for users -- eventually, they get in...
19. Re:Not like most linux users! by X0563511 · 2012-08-30 07:56 · Score: 3, Informative
  
  Put something like denyhosts or fail2ban on top of that and you're even more safe.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
20. Re:Not like most linux users! by hawguy · 2012-08-30 12:52 · Score: 3, Insightful
  
  Nope. Defeating port knocking is easy - just knock all the ports a few times and it opens up. (Alternatively, if your knock scheme demands a specific order, I can keep you out indefinitely by knocking some wrong port continously.)
  And even when it works, the obscurity is only equivalent to a few more characters in the password.
  Since there are 2^16 ports, each port is equivalent to 16 bits of password entropy (depending on how long it takes to test a port versus test a password).
  If it takes 3 knocks to get in (i.e. knock 2 ports, then find the open port for the service you're looking for), that's equivalent to 48 bits of password entropy, or around 8 additional alphanumeric password characters.
  Lock out an IP from unlocking the port after a few unsuccessful knocks and you pretty much eliminate any chance of brute force attack. You can try to attack from different IP addresses through a botnet or spoofing, but with 48 bits of entropy and less than 32 bits of IPv4 addressess to choose from, there aren't enough IP's to brute force.
21. Re:Not like most linux users! by mikael_j · 2012-08-30 17:35 · Score: 3, Insightful
  
  Not to mention that if you do what some people do and move services like sshd to another port you may actually create a security problem.
  If you've got sshd running on any port > 1024 then an attacker who can gain regular unprivileged user access to the system and is able to crash your sshd can replace it with his own sshd. If it's running on port 22 (since you should never "steal" a port under 1024) then the attacker needs root access to accomplish the same trick.
  Besides, it's not particularly hard for an attacker to scan a system from multiple hosts, there's a finite number of ports for you to "hide" your services on and all it takes is a bit of patience to find your "hidden" services.
  
  --
  Greylisting is to SMTP as NAT is to IPv4
22. Re:Not like most linux users! by drkstr1 · 2012-08-30 19:00 · Score: 3, Insightful
  
  Yea, no kidding. Relying on a port number to tell you what protocol is running on it is like relying on a file extension to tell you the file type.
  
  --
  Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
Pointless by Hentes · 2012-08-30 06:43 · Score: 5, Insightful

The attackers are most likely using other infested machines.
From my understanding by chemicaldave · 2012-08-30 06:43 · Score: 5, Informative

There's nothing anyone can legally do with that information. Weak attempts at breaking in and port scanning are just background noise.
The cyber police! by stevegee58 · 2012-08-30 06:45 · Score: 4, Funny

Backtrace them and report them to the cyber police!
1. Re:The cyber police! by GrumpySteen · 2012-08-30 06:51 · Score: 4, Funny
  
  To do that, he'd have to write a GUI in Visual Basic.
Use key-based security by eudaemon · 2012-08-30 06:46 · Score: 4, Informative

As long as you use key-only authentication you should be fine. I wouldn't leave password-only access open to the internet. Having said that, your best bet is to slowly stall connections in order to waste the other guy's resources. Any system with pf and probably ipf have allowances for that, along with logging and blocking the most abusive IPs altogether.
Report it to DShield.org by UnderAttack · 2012-08-30 06:46 · Score: 5, Informative

"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.

--
---- join dshield.org Distributed Intrusion Detec
1. Re:Report it to DShield.org by Anonymous Coward · 2012-08-30 07:08 · Score: 5, Funny
  
  Well, after looking at your post, your sig, and your usename, I conclude that you likely wept with joy when you saw this particular ask slashdot. Must feel good to finally hit that perfect slot of relevance.
These days, the attackers are innocent by scorp1us · 2012-08-30 06:46 · Score: 4, Insightful

I think (I have no actual numbers) most of those are compromised boxes running distributed attack scripts. It makes sense to run the C&C, and let your zombies to the work that way it doesn't get tracked back to you.
That was the case I saw twice on two boxes I had - one fell to a BIND exploit, and rather than reboot, I investigated why DNS stopped working. I uncovered a IRC C&C (with over 60 clients) and went about informing people (by the IPs of the irc clients) about what had happened. Most rebooted and never noticed a thing. All were happy to hear I was letting them know what happened.
Based on that you're more likely to report innocent people whose only crime is being unpatched.

--
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
You can report them to DHS by Anonymous Coward · 2012-08-30 06:47 · Score: 3, Informative

http://www.dhs.gov/how-do-i/report-cyber-incidents
abuse@organizationname.com by Sam+Nitzberg · 2012-08-30 06:48 · Score: 3, Informative

It's been years, but a few times I found the organization sending traffic and sent an email to abuse@
the domain name and had positive results.
You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.
Regards,
Sam
Reporting to the FBI gets complicated, when . . . by PolygamousRanchKid+ · 2012-08-30 06:57 · Score: 5, Funny

. . . the FBI are the ones trying to break into your system.

--
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Waste of time... by msauve · 2012-08-30 06:59 · Score: 4, Informative

you're not going to make a dent. Most reports are simply ignored, and for every attacker you see, there are thousands more who simply haven't gotten to you yet.

Make sure you have good passwords, know what ports are exposed, and run something like fail2ban.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
This is what I was going to post... by logicassasin · 2012-08-30 07:02 · Score: 3, Informative

I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.
To the question at hand, if you can identify the ip address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the ip is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the ip into RIPE or APNIC's whois database and report accordingly.

--
Fifty watts per channel, baby cakes.
/dev/null by yourdog · 2012-08-30 07:02 · Score: 5, Funny

Most UNIX systems automatically subscribe to the Network Users List of Lamers. Just write up your complaint to a text file, then send the complaint to NULL, using the command 'cat $REPORT > /dev/null'
Try this by inode_buddha · 2012-08-30 07:29 · Score: 4, Informative

Try psad. I've been running it for years, in addition to selinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to D-Shield.org and ISC (internet storm center), and you can script attack responses with your normal shell. *very* highly recommended.
I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.
http://cipherdyne.org/psad/

--
C|N>K
Almost nobody cares by dropadrop · 2012-08-30 08:37 · Score: 4, Informative

The FBI don't care. We've had cases where somebody has phished hundreds of accounts and we've had clear logs to show how they have been profiting from it financially, but can't manage to get them to do anything. A few years ago we did have a contact there who did something, but he was moved to some other agency...
Not that other countries agencies are any better. We had big trouble with a guy in New Zealand disrupting services, phishing accounts etc. We managed to start an investigation (or so they said) by phone but it took several hours and help from the CERT team in Australia. After a month nothing had happened, and I was there on vacation. I spent a day on the phone trying to find somebody who knew about the case, but even with the reference number they could not do anything. CERT Australia tried for a few days, and finally gave up.
We had a guy in the Netherlands who phished hundreds of accounts, and still nobody down there would pick the ball. Then he and a friend found a hole in a third party system and managed to suck out data for hundreds of (dutch) people. The web frontend was in Germany and the third party application in the US (A lot more US citizens data was also stolen). Dutch police said they won't do anything because the data was abroad. German police said they won't do anything because the guy is in the Netherlands. The FBI said they'll look into it, but never did anything despite us trying to get back to all of them countless times. We found both hackers identities and had the second guy on the phone, admitting everything and promising he'd testify... Still nobody was interested.
You have to work in a big corporation to get the authorities to do anything. They don't care if somebody phishes thousands of accounts unless it's in the news or a corporation they recognize. It's almost as if they want all the script kiddies to be able to practice in peace until they really learn how to cover up their tracks and move to juicier targets if they won't take a case when it's handed to them on a platter with clear logs and a confession. It does work a lot better when the hacker is in the same country as you and you are working with a local law enforcement agency though. I also had good experiences with the Metropolitan Police in the UK.