
Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?

timothy posted about a year and a half ago | from the needs-a-good-whippin' dept.

Security 241

First time accepted submitter tomscott writes "So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.


241 comments

Not like most linux users! (3, Informative)

Bill, Shooter of Bul (629286) | about a year and a half ago | (#41181235)

I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.

Re:Not like most linux users! (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41181267)

And which protocol/port does your VPN listen on?
Because that's just asking for abuse...

Captcha: insults

Re:Not like most linux users! (4, Insightful)

Bill, Shooter of Bul (629286) | about a year and a half ago | (#41181359)

Wouldn't you like to know...

Seriously, don't use the default port for any service you don't have to. It will drastically drop the number of attempts. Most kiddies out there seemingly don't know about more sophisticated scripts that can identify services on non-default ports.

Re:Not like most linux users! (4, Funny)

Anonymous Coward | about a year and a half ago | (#41181453)

Yes, security through obscurity is the best method.

Re:Not like most linux users! (4, Insightful)

localman57 (1340533) | about a year and a half ago | (#41181533)

Obscurity can be a layer in a layered security plan. As long as the other layers aren't compromised by it in any way, it can't do any harm, and could do some good. But the other layers need to be trusted on their own. A good safe can withstand an attack for a rated amount of time even if the thieves have the blueprints of the safe. But that doesn't mean you don't guard the blueprints to the safe.

Re:Not like most linux users! (4, Funny)

Desler (1608317) | about a year and a half ago | (#41181813)

Nuh uh!!! He parroted the 'security through obscurity' soundbite and automatically wins the debate!! Just like saying 'correlation is not causation' soundbite. He fucking pwned j00!!!

On the other hand, in the real world like you mention secrecy can be a good line of defense as long as it is not the only line of defense.

Re:Not like most linux users! (4, Insightful)

tnk1 (899206) | about a year and a half ago | (#41182093)

No one is owned until Godwin comes out. Only Hitler would say differently.

And yes, "security through obscurity" is a layer in a sound defensive strategy. If no one knows you are there, they don't know to start trying to attack you. If anything, it shrinks the size of your logs.

Unfortunately, if an attacker is looking for you and already knows your service is there, you'd better have a more reliable defensive plan available.

Re:Not like most linux users! (1)

Desler (1608317) | about a year and a half ago | (#41182149)

Unfortunately, if an attacker is looking for you and already knows your service is there, you'd better have a more reliable defensive plan available.

Which is why your system should always involve defense in depth.

Re:Not like most linux users! (3, Insightful)

dmomo (256005) | about a year and a half ago | (#41181985)

This. I mean, you could argue that even passwords are, in a way, security through obscurity.

Re:Not like most linux users! (0)

Anonymous Coward | about a year and a half ago | (#41181579)

I hear ya, but every layer of security is worth something. If I had to stand in front of a flamethrower, I'd want every layer of protection I could get, no matter how flimsy.

Re:Not like most linux users! (1)

Spazmania (174582) | about a year and a half ago | (#41181911)

Security through obscurity is "necessary but not sufficient" in many real world defense-in-depth strategies. It's one layer in a strategy that is adequately secure without it but more secure with it.

In OP's case, putting ssh on a different port reduces his effective attack surface. Most attackers don't even find the port let alone send ssh protocol packets, reducing the probability of breach.

Re:Not like most linux users! (3, Insightful)

Desler (1608317) | about a year and a half ago | (#41181935)

In Bruce Schneier's own words [schneier.com]:

Just because security does not require something be kept secret, it doesn't mean that it is automatically smart to publicize it.

You might want to actually read and digest the first article on that page before spouting off again.

Re:Not like most linux users! (5, Informative)

TheLink (130905) | about a year and a half ago | (#41181531)

Most kiddies out there seemingly don't know about more sophisticated scripts that can identify services on non-default ports.

I doubt they care, there are enough exploitable targets. The automated scripts scan _many_ IPs for a few ports. Having them scan more ports would take longer and slow the spread.

Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.

The other advantage is if you use an obscure port, if someone does try it and brute force etc, you can consider it more seriously - someone might actually be trying to hack you specifically.

Re:Not like most linux users! (5, Interesting)

Desler (1608317) | about a year and a half ago | (#41181749)

Most idiots just parrot the 'security through obscurity' thinking it's some compelling argument when it's really not. If the basis of your security is entirely reliant on the obscurity of your algorithms, etc. being private then it is bad. But using some level of secrecy as a first line of defense can be quite useful in preventing attacks.

Even Bruce Schneier does not take the black-and-white stance that the Internet 'experts' do. He is actually quite pragmatic about acknowledging that there is a continuum of secrecy requirements based on the system at hand, but mentions that relying too much on secrecy makes the security of the system more fragile. These Internet 'experts' need to actually read what people like Bruce say rather than just repeating stupid sound bite pieces.

Re:Not like most linux users! (0)

Jane Q. Public (1010737) | about a year and a half ago | (#41181999)

"But using some level of secrecy as a first line of defense can be quite useful in preventing casual attacks."

There, fixed that for you.

Security through obscurity is useful in preventing casual, naive attacks. Nothing more. In the same way that lock on your front door (unless you have one of a few good, expensive ones) prevents casual, naive attacks... but hardly slows a professional down.

Re:Not like most linux users! (5, Interesting)

Desler (1608317) | about a year and a half ago | (#41182117)

Duh? In this case, since he is being port scanned by what is most likely Chinese script kiddies, moving the port will stop probably 99% of them. No one said such things will prevent any possible intrusion, but it's an easy and cheap way to prevent the vast majority and causes no compromising to the underlying system. For the determined people who get around that you layer on top other defenses such as only allowing a certain amount of attempts before locking out/banning, only allowing retries after some certain length of time, etc. If all these fail, you still haven't compromised the underlying system but you've severely limited the amount of people who would be successful in attacking you.

Re:Not like most linux users! (4, Insightful)

SecurityGuy (217807) | about a year and a half ago | (#41181767)

Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.

No, it's not at all alike because the bear is going to eat one of you: whichever one it catches first. The script isn't going to compromise one box, it's going to compromise every single one that's vulnerable to whatever exploit(s) it's using in the IP ranges it's scanning.

To put it another way, it's not the bullet with your name on it you have to worry about. It's the 20,000 or so odd rounds labelled "Occupant".

Re:Not like most linux users! (3, Informative)

Anonymous Coward | about a year and a half ago | (#41182081)

"It's a case of only having to outrun your neighbour and not the bear."

Grizzlies alone can run up to an hour at 30MPH, no way in hell can any human outrun a bear. Just needed to point that one out.

Re:Not like most linux users! (1, Informative)

Githaron (2462596) | about a year and a half ago | (#41181707)

Also, port knocking [wikipedia.org] can help defeat rudimentary scans for open ports.

Re:Not like most linux users! (3, Informative)

Spazmania (174582) | about a year and a half ago | (#41181949)

Port knocking is less useful now that many corporate environments restrict outbound tcp ports.

Re:Not like most linux users! (0)

Anonymous Coward | about a year and a half ago | (#41182017)

Nope. Defeating port knocking is easy - just knock all the ports a few times and it opens up. (Alternatively, if your knock scheme demands a specific order, I can keep you out indefinitely by knocking some wrong port continuously.)

And even when it works, the obscurity is only equivalent to a few more characters in the password.

Have a nice long password for whatever services you offer - and lock out anyone who tries "too many" times with wrong passwords. Keeps the bruteforcers out easily.

And finally, don't have a policy of frequent password changes. It is the biggest security risk there is, because it becomes impossible to have long difficult passwords. That is easy if you can remember one password for many years - and hopeless if you change it every month. And no, every third month is not a "compromise" here . . .

Re:Not like most linux users! (3, Insightful)

fearlezz (594718) | about a year and a half ago | (#41181483)

Run OpenVPN on any udp port using the tls-auth option to drop unsigned packages. Use iptables to drop all other 65534 ports. Good luck finding out which port is the VPN server.

Re:Not like most linux users! (2)

Em Adespoton (792954) | about a year and a half ago | (#41181689)

And which protocol/port does your VPN listen on?
Because that's just asking for abuse...

Captcha: insults

I get the best of both worlds: my ssh tunnel listens on port 1723 :) It requires a key-based login and doesn't announce.

My firewall still logs connection attempts on port 22 however; they just don't get anywhere (I redirect port 22 to an internal computer on a port that isn't listening, so the router gets all the information, but the attacker gets zilch -- this allows me to easily set up a honeypot from time to time when I'm curious what the script kiddies/bots are really after).

Re:Not like most linux users! (0)

Anonymous Coward | about a year and a half ago | (#41181301)

Leaving your computer on and plugged in to a network connection is just asking for abuse.

Re:Not like most linux users! (1)

Anonymous Coward | about a year and a half ago | (#41181365)

I have SSH running, but it isn't on port 22. I see almost zero attack attempts

Re:Not like most linux users! (4, Informative)

Anonymous Coward | about a year and a half ago | (#41181489)

I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.

Just configure SSHD to accept only SSH Keys (no password login) and 99% of the problem is solved.

This is what I was going to post... (3, Informative)

logicassasin (318009) | about a year and a half ago | (#41181543)

I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.

To the question at hand, if you can identify the IP address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the IP is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the IP into RIPE or APNIC's whois database and report accordingly.

Re:This is what I was going to post... (2)

guyniraxn (1579409) | about a year and a half ago | (#41181805)

I used to do this, email abuse at their isp, back when I had the time and desire to read through my firewall logs. I would often get responses thanking me for sending the relevant logs or at least informing me that they were looking in to it.

Re:Not like most linux users! (0)

Anonymous Coward | about a year and a half ago | (#41181577)

I've had no issues with port 22 being open. In order to stop the kiddies I use denyhosts.

After 5 failed attempts at guessing a user or 5 different users passwords, the IP is banned. I was banning 6-8 an hour originally, I get around 1 a day now.

Fail2ban is another alternative.

Re:Not like most linux users! (1)

skids (119237) | about a year and a half ago | (#41181919)

This can also be rigged up in iptables using an ipset/recent/etc. Works pretty well, and keeps less state.

Re:Not like most linux users! (1)

gandhi_2 (1108023) | about a year and a half ago | (#41181625)

Ok, how about moving whatever service you are using to an obscure port, then using iptables to log all attempts at the default port.

The question remains the same, your answer isn't helpful.

Re:Not like most linux users! (3, Interesting)

MrSenile (759314) | about a year and a half ago | (#41181835)

Leaving port 22 open is just asking for abuse.

Not really, no. If you lock down SSH sufficiently, then it's pretty much bulletproof.

1. Lock down specific users@ip to be able to ssh in.
2. Enforce privilege separation and all the other paranoid protection in the sshd_config.
3. Put in some type of brute force protection like fail2ban.
4. Enforce non-dictionary passwords.


Problem solved.

Re:Not like most linux users! (1)

Desler (1608317) | about a year and a half ago | (#41181961)

Yeah but moving to another port is an easy and simple way to block most attackers without compromising the security of the system.

Re:Not like most linux users! (1)

Pieroxy (222434) | about a year and a half ago | (#41181979)

I have also disabled password based logins but for one user. You never know when you're going to need to get in without a key at hand.

This user has an 18-character password that is nowhere near containing anything in any dictionary I know of. Punctuation, digits, letters, etc.

Re:Not like most linux users! (0)

Anonymous Coward | about a year and a half ago | (#41181945)

Fail2ban takes care of this. No bruteforcing when all they get is 3 tries followed by a 5 minute pause. No need to make ssh harder for myself, having to remember an obscure port, take care it won't collide with anything else in the future...

Pointless (5, Insightful)

Hentes (2461350) | about a year and a half ago | (#41181241)

The attackers are most likely using other infested machines.

Re:Pointless (2)

fearlezz (594718) | about a year and a half ago | (#41181523)

Indeed, most attackers are. But even then, you can report them to the IP block owner, so they can fix the problem.

Unfortunately, most providers are part of the problem instead of part of the solution: they do nothing with abuse reports. At least the ones I've contacted.

From my understanding (5, Informative)

chemicaldave (1776600) | about a year and a half ago | (#41181243)

There's nothing anyone can legally do with that information. Weak attempts at breaking in and port scanning are just background noise.

The cyber police! (4, Funny)

stevegee58 (1179505) | about a year and a half ago | (#41181281)

Backtrace them and report them to the cyber police!

Re:The cyber police! (4, Funny)

GrumpySteen (1250194) | about a year and a half ago | (#41181389)

To do that, he'd have to write a GUI in Visual Basic.

Use key-based security (4, Informative)

eudaemon (320983) | about a year and a half ago | (#41181283)

As long as you use key-only authentication you should be fine. I wouldn't leave password-only access open to the internet. Having said that, your best bet is to slowly stall connections in order to waste the other guy's resources. Any system with pf and probably ipf have allowances for that, along with logging and blocking the most abusive IPs altogether.

Re:Use key-based security (0)

Anonymous Coward | about a year and a half ago | (#41181705)

That policy would have backfired if you were running Debian/Ubuntu a little while back...

Re:Use key-based security (1)

skids (119237) | about a year and a half ago | (#41182013)

It's also dangerous in that any theft of your plaintext key from one of your clients could go quite unnoticed. So then you have to password protect your key, making it no more convenient, or you just accept risk equivalent to putting your password in a text file on a networked machine named HERE_ARE_MY_PASSWORDS.txt.

Compared to just choosing a very good password, and changing it once in a while, I find that to be an inferior strategy.

Report it to DShield.org (5, Informative)

UnderAttack (311872) | about a year and a half ago | (#41181289)

"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html [dshield.org] . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.

Re:Report it to DShield.org (5, Funny)

Anonymous Coward | about a year and a half ago | (#41181635)

Well, after looking at your post, your sig, and your username, I conclude that you likely wept with joy when you saw this particular Ask Slashdot. Must feel good to finally hit that perfect slot of relevance.

Look them up... (1)

RocketRabbit (830691) | about a year and a half ago | (#41181291)

I usually call the ISP or the person listed in the DNS info and talk to them directly. It seems to shock and / or surprise many ISPs into action.

Of course this won't likely help if the attacker is from the Great Motherland of Scripted Attacks, the PRC.

Re:Look them up... (2, Funny)

Anonymous Coward | about a year and a half ago | (#41181423)

Great Motherland of Scripted Attacks, the PRC.

Professional Rodeo Clowns? I know they're scary, but I never knew they were so evil. Or that they had a motherland, although it makes sense. They're clearly not of this world.

Re:Look them up... (0)

Anonymous Coward | about a year and a half ago | (#41181719)

"You were afraid of Clowns as a child weren't you?"

Re:Look them up... (1)

Whorhay (1319089) | about a year and a half ago | (#41181629)

For whatever reason I haven't seen a port scan on one of my systems in a long time. But back when I did get them occasionally I'd track down the originating ISP and send their Administrator an email with the details of the incident. I usually would get an email back within a day or two saying they were looking into it.

Re:Look them up... (1)

Em Adespoton (792954) | about a year and a half ago | (#41181755)

Most of my attacks have come from zombies in India and Korea. I'd have to break into those compromised computers to see where the next step up in the chain is... which would make me one of the bad guys. I'm also not about to phone their ISPs (useful for places on the same continent as me though, especially if they have small netblock reservations (small company)).

Re:Look them up... (1)

0racle (667029) | about a year and a half ago | (#41181939)

My firewall has explicit rules to block traffic from netblocks belonging to China, Korea, a lot of the former Soviet Union countries, Turkey and known Russian Business Network IP's.

I don't get a lot of unwanted traffic.

These days, the attackers are innocent (4, Insightful)

scorp1us (235526) | about a year and a half ago | (#41181299)

I think (I have no actual numbers) most of those are compromised boxes running distributed attack scripts. It makes sense to run the C&C and let your zombies do the work; that way it doesn't get tracked back to you.

That was the case I saw twice on two boxes I had - one fell to a BIND exploit, and rather than reboot, I investigated why DNS stopped working. I uncovered an IRC C&C (with over 60 clients) and went about informing people (by the IPs of the IRC clients) about what had happened. Most rebooted and never noticed a thing. All were happy to hear I was letting them know what happened.

Based on that you're more likely to report innocent people whose only crime is being unpatched.

Re:These days, the attackers are innocent (1)

TheCarp (96830) | about a year and a half ago | (#41181451)

These days? I think this has been true for quite a while. I have found similar things. Hell, one of the first tasks in my entire career was to investigate a similar incident...

We found that a professor, who was known to telnet in from international IPs while on break, had SOMEHOW had his password stolen (gee I wonder if it could have been because he used telnet even though we had ssh available? sigh...)

Someone had installed an IRC proxy, and so I got the job of running packet sniffers and watching the IRC channel for the day to collect info. It quickly became evident what I was dealing with as one of the channel members was complaining about how the internet has been ever since dad switched ISPs :)

Nothing ever came of it... but we collected logs....

Re:These days, the attackers are innocent (1)

Spy Handler (822350) | about a year and a half ago | (#41181741)

I run a web forum. Our admin control panel is constantly being bombarded with attempted logins (none of them successful so far, knock on wood)

Our logs show the attacker's IP plus the user account they tried to log in as. They are all valid forum administrator/moderator names. So the attacker isn't some random distributed script, somebody actually read the forum and gleaned our staff member names.

The attackers' IPs don't match anything in our database, so it's most likely not a disgruntled user. A lot of it comes from Russia.

Re:These days, the attackers are innocent (0)

Anonymous Coward | about a year and a half ago | (#41182119)

I run a web forum. Our admin control panel is constantly being bombarded with attempted logins (none of them successful so far, knock on wood)

Our logs show the attacker's IP plus the user account they tried to log in as. They are all valid forum administrator/moderator names. So the attacker isn't some random distributed script, somebody actually read the forum and gleaned our staff member names.

The attackers' IPs don't match anything in our database, so it's most likely not a disgruntled user. A lot of it comes from Russia.

Perhaps, but keep in mind that if you're using a standard package for your web forum and your posts are public, its pretty easy to derive what nicknames are the ones you should try.

You can report them to DHS (3, Informative)

Anonymous Coward | about a year and a half ago | (#41181311)

http://www.dhs.gov/how-do-i/report-cyber-incidents

Re:You can report them to DHS (0)

Anonymous Coward | about a year and a half ago | (#41181397)

Of course then you will probably have to open your server up to DHS for "cyber-forensics", which means they get to copy your clients' data and use it later for their own profiling needs (no thanks).

Re:You can report them to DHS (1)

localman57 (1340533) | about a year and a half ago | (#41181445)

http://www.dhs.gov/how-do-i/report-cyber-incidents

I wouldn't hold your breath for a response. Let's use a car analogy. Last year, my car got stolen. I filed a report with the police department. They put it in a database. Eventually, my car turned up in a parking lot missing a few parts with a high value to removal effort ratio. And they called me because the apartment manager called them. But they didn't look for the car. And they didn't look for whomever took it after it was recovered. Because they don't give a shit. Because they don't even have time to properly investigate rapes, robberies and non-fatal shootings. Same with your network attacks.

no one cares you fucking nerds (-1)

Anonymous Coward | about a year and a half ago | (#41181331)

learn to secure ur shit instead of looking for big government to bail you out!

abuse@organizationname.com (3, Informative)

Sam Nitzberg (242911) | about a year and a half ago | (#41181339)

It's been years, but a few times I found the organization sending traffic and sent an email to abuse@ the domain name and had positive results.

You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.

Regards,

Sam
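The lookup step that logicassasin and Sam describe above (find the abuse contact in the whois record for the attacking IP, then mail them the relevant log lines), as an added example that is not code from any poster. The whois records and log lines are constructed samples using RFC 5737 test ranges; real registries use the `abuse-mailbox:` (RIPE/APNIC) and `OrgAbuseEmail:` (ARIN) fields shown, and some ISPs only mention the address in a `remarks:` line, which the fallback handles.

```python
"""Extract an abuse contact from whois output and draft the report mail."""
import re

# Explicit abuse-contact fields used by the regional registries.
ABUSE_FIELDS = ("abuse-mailbox", "OrgAbuseEmail")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def find_abuse_contact(whois_text):
    """Return the abuse address in a whois record, or None if there is none.

    An explicit abuse field wins; otherwise the first abuse@ address seen
    anywhere (e.g. in remarks) is used. Other addresses (tech-c, noc@) are
    deliberately ignored so the report goes to the right mailbox.
    """
    fallback = None
    for line in whois_text.splitlines():
        if ":" not in line or line.startswith("%"):   # skip comments/blank
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        match = _EMAIL_RE.search(value)
        if not match:
            continue
        if key in ABUSE_FIELDS:
            return match.group(0)
        if fallback is None and match.group(0).lower().startswith("abuse@"):
            fallback = match.group(0)
    return fallback


def draft_report(ip, contact, log_lines, tz="UTC"):
    """Build a plain-text abuse report containing only the lines for `ip`."""
    evidence = [f"    {line}" for line in log_lines if ip in line]
    body = [
        f"To: {contact}",
        f"Subject: Unauthorized SSH login attempts from {ip}",
        "",
        f"The host {ip}, in your address space, made the following failed",
        f"SSH login attempts against my system (timestamps in {tz}):",
        "",
        *evidence,
        "",
        "The machine is most likely compromised; please investigate.",
    ]
    return "\n".join(body)


# Constructed sample records (RIPE style, ARIN style, remarks-only).
SAMPLE_WHOIS_RIPE = """\
% Constructed sample in RIPE database format.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
admin-c:        EX123-RIPE
abuse-mailbox:  abuse@example.net
remarks:        Report spam or hacking to abuse@example.net
"""
SAMPLE_WHOIS_ARIN = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgTechEmail:   noc@example.org
OrgAbuseHandle: ABUSE99-ARIN
OrgAbuseEmail:  abuse@example.org
"""
SAMPLE_WHOIS_REMARKS = """\
inetnum:        192.0.2.0 - 192.0.2.255
remarks:        please send abuse reports to abuse@example.com
tech-c:         EX456-RIPE
"""
# Constructed auth.log excerpt (two lines from the reported IP, one other).
SAMPLE_LOG = [
    "Aug 29 10:01:04 box sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Aug 29 10:01:08 box sshd[4025]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Aug 29 10:02:00 box sshd[4031]: Failed password for tom from 198.51.100.4 port 40001 ssh2",
]

if __name__ == "__main__":
    contact = find_abuse_contact(SAMPLE_WHOIS_RIPE)
    print(draft_report("203.0.113.7", contact, SAMPLE_LOG))
```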

How about your mom? (0)

macraig (621737) | about a year and a half ago | (#41181341)

I heard she wears Army boots, so she can probably scare the crap outta the script kiddies.

Re:How about your mom? (-1)

Anonymous Coward | about a year and a half ago | (#41181965)

I forgot to hit the 'post AC' option. I'm so embarrassed right now.

If you know where the breaking occured from (1)

slackware 3.6 (2524328) | about a year and a half ago | (#41181373)

Or you can figure out the ISP of the person attempting to break in. A phone call to the ISP's admin at 3AM their time with relevant details seems to be quite effective, especially if it is a reoccurring problem resulting in repeat 3AM phone calls to the opposite side of the globe.

Slashdot news for heards, stuff that flatters (1)

Anonymous Coward | about a year and a half ago | (#41181377)

Seriously this is an old question, and there is no answer. No one gives a shit about your logs. Chances are that more than 99% of those attempts are from some zombie PC and the user of that PC has no clue. You can spend countless hours finding it, but what would be the good, since there would just be a jillion-1 more attempts at port 22? I got a great idea, use some non-standard port for traffic that doesn't "require" a standard port. Other than that, update, patch and monitor are gunna be your key words.

Re:Slashdot news for heards, stuff that flatters (2)

GameboyRMH (1153867) | about a year and a half ago | (#41181885)

I run some canned attacks on the offending IP if I'm bored (and not at work). Worth a shot.

A thought (2)

d0nguy (2719177) | about a year and a half ago | (#41181385)

Have you considered running DenyHosts on your machine? That might help filter out some repeat offenders.

Re:A thought (1)

asticia (1623063) | about a year and a half ago | (#41181609)

Yes, I used to use denyhosts, it's a great way of blocking unwanted login attempts. There are databases that people share and you get your hosts.deny updated from internet. You just have to type your own password correctly :-) Or use keys.

Re:A thought (2)

GameboyRMH (1153867) | about a year and a half ago | (#41181871)

Yep easy and very effective if set up properly. A big mistake a lot of people make though is to allow a differing number of attempts for existing and nonexistent users. This makes it possible to brute-force valid usernames.
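The DenyHosts/fail2ban rule described in the thread (ban an IP after a set number of failed logins), implemented over constructed auth.log lines as an added example, not code from DenyHosts, fail2ban or any poster. It applies the one point raised in this comment: valid and non-existent users share a single counter and threshold, so the moment the ban triggers reveals nothing about which usernames exist.

```python
"""Ban decision over OpenSSH auth.log lines with a username-neutral threshold."""
import re
from collections import defaultdict

# OpenSSH wording for password failures; the "invalid user" form is checked
# first because the plain form would otherwise never match it anyway.
_FAILED_INVALID = re.compile(
    r"Failed password for invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
_FAILED_VALID = re.compile(
    r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_failures(lines):
    """Yield (ip, user, user_exists) for every failed password attempt.

    Only "Failed password" lines count; the preceding "Invalid user" line
    sshd logs for unknown names is ignored so one attempt is not counted twice.
    """
    for line in lines:
        m = _FAILED_INVALID.search(line)
        if m:
            yield m["ip"], m["user"], False
            continue
        m = _FAILED_VALID.search(line)
        if m:
            yield m["ip"], m["user"], True


def ips_to_block(lines, threshold=5):
    """Return {ip: failures} for sources at or above the threshold.

    The user_exists flag is deliberately not used: giving unknown names a
    different allowance would let an attacker enumerate valid accounts by
    watching when the ban kicks in.
    """
    counts = defaultdict(int)
    for ip, _user, _exists in parse_failures(lines):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def hosts_deny_lines(blocked):
    """Render blocked IPs as /etc/hosts.deny entries (DenyHosts style)."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


# Constructed auth.log excerpt: one source mixes unknown and known names,
# another is a legitimate user who mistyped once and then used a key.
SAMPLE_AUTH_LOG = """\
Aug 29 10:01:02 box sshd[4021]: Invalid user admin from 203.0.113.7
Aug 29 10:01:04 box sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 29 10:01:06 box sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Aug 29 10:01:08 box sshd[4025]: Failed password for root from 203.0.113.7 port 51238 ssh2
Aug 29 10:01:10 box sshd[4027]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 29 10:01:12 box sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Aug 29 10:02:00 box sshd[4031]: Failed password for tom from 198.51.100.4 port 40001 ssh2
Aug 29 10:02:05 box sshd[4033]: Accepted publickey for tom from 198.51.100.4 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for entry in hosts_deny_lines(ips_to_block(SAMPLE_AUTH_LOG)):
        print(entry)
```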

Whois (0)

Anonymous Coward | about a year and a half ago | (#41181407)

I trace these on one of my production machines. When someone makes an unauthorized attempt or fails a password check after a certain number of times, my machine automatically blocks their IP and does a whois on it. Sometimes this whois will provide you with an abuse email that you can use. Unfortunately, only a small amount of attempts have an abuse email associated with them, but I've had success getting responses from the ISPs in disabling the attacking user's account.

Use Denyhosts (0)

Anonymous Coward | about a year and a half ago | (#41181421)

It blocks IPs that fail authentication more than a set number of times, and can upload known violators to a global list, which can then be downloaded by other Denyhosts users. I use it and it's been great.

What is your goal? (2)

mseeger (40923) | about a year and a half ago | (#41181425)

The answer depends on what you do hope to achieve by reporting.

If you hope the people to stop:

In case the origin is a company within your country, contacting them may do you some good. They will pull the plug on their malware-infested machine. The attacker will use others.

In all other cases the only chance to have any kind of effect is to report dramatic damages to the law enforcement. Other than that, nobody cares enough ;-). Even with dramatic damages, the chances for any effect are slim to none.

IMHO: In 90+% of all cases the answer is /dev/null, the economically best answer.

Reporting to the FBI gets complicated, when . . . (5, Funny)

PolygamousRanchKid (1290638) | about a year and a half ago | (#41181479)

. . . the FBI are the ones trying to break into your system.

Re:Reporting to the FBI gets complicated, when . . (1)

Em Adespoton (792954) | about a year and a half ago | (#41181847)

It becomes even more complicated when the IP connecting to you belongs to a honeynet hosted by some investigatory body.

Re:Reporting to the FBI gets complicated, when . . (0)

Anonymous Coward | about a year and a half ago | (#41181883)

Do, or do not...there is no "try."

Block abusive IPs (1)

Anonymous Coward | about a year and a half ago | (#41181481)

Regarding SSH, this topic came up a few years ago. I've used Fail2ban, a daemon that will tell the Linux firewall to drop traffic from abusive IPs trying to brute force passwords. It was a good suggestion then and I think it's still good now. It worked for me, but since I went to a pfSense based router I've opted to use its really good built-in VPN facilities instead of exposing port 22.

It's also been mentioned that running ssh on a nonstandard port is not a bad idea. Technically not any more secure, but it does seem to dodge 99.9% of the automated scanners looking for unsecured systems with weak passwords.

Older slashdot post:
http://ask.slashdot.org/story/10/03/06/2138221/coping-with-1-million-ssh-authentication-failures

Fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page

Pfsense
http://www.pfsense.org/

Generally, nowhere (2)

damn_registrars (1103043) | about a year and a half ago | (#41181497)

Most of the time - at least from my experience - the attacks are coming either from systems that are in foreign countries that don't give a shit about you and your system, or they are distributed attacks that would require you to contact dozens (or more) of ISPs.

The one exception I make is if it comes from an American IP address. Most American ISPs do a pretty good job of tracking who is using what IP address and can do something about it. Generally, they won't do much - and they seldom tell you what they do - but they'll at least look at it. And of course if it is from a university in the US, they'll usually track it to a college freshman who either thinks he's clever or is running a compromised windows PC.

But in general, your complaints will fall on deaf ears. Just keep checking your logs periodically to make sure nobody succeeds and that you are making the right responses to new methods. You could set up a tarpit if you like...

Waste of time... (4, Informative)

msauve (701917) | about a year and a half ago | (#41181507)

you're not going to make a dent. Most reports are simply ignored, and for every attacker you see, there are thousands more who simply haven't gotten to you yet.

Make sure you have good passwords, know what ports are exposed, and run something like fail2ban [fail2ban.org].

/dev/null (5, Funny)

yourdog (709870) | about a year and a half ago | (#41181545)

Most UNIX systems automatically subscribe to the Network Users List of Lamers. Just write up your complaint to a text file, then send the complaint to NULL, using the command 'cat $REPORT > /dev/null'

What? What? (-1)

Anonymous Coward | about a year and a half ago | (#41181569)

I thought your system was safe and secure because it's teh Linux!!!!!111!!!!?
 
I guess that blows that theory to crap.

Share your logs with the community (2)

adriccom (44869) | about a year and a half ago | (#41181595)

Join and contribute ssh/firewall logs to DShield or another collaboration system so that others can benefit from the information you are collecting.

http://dshield.org/howto.html [dshield.org]

If you want to report unwanted activity against your network your ISP may be able to help. Try opening a ticket with their Abuse team.

Report them to your black list.. (2)

blackt0wer (2714221) | about a year and a half ago | (#41181649)

Really, no government agency is going to give a red cent about some 14 year old running scripts against your machines unless you're a major contributor or hold government office.

Re:Report them to your black list.. (0)

Anonymous Coward | about a year and a half ago | (#41181809)

just tell them these IPs are trying to send you movie downloads :)

Verification Required (0)

Anonymous Coward | about a year and a half ago | (#41181691)

Before I can help, I am going to need the IP address of your modem to verify your identity. You can expedite this process by providing the username for the machine you are trying to access on your LAN. Remember, no Slashdot.org support agent will ever request your password.

Use port 22 as a honeypot (1)

Anonymous Coward | about a year and a half ago | (#41181745)

YOU are the only person to log in, correct? And YOU know that your ssh is set to listen on some other port. So, any packet that hits port 22 looking for a response, you block that IP for 24 hours. Wheee!

Re:Use port 22 as a honeypot (1)

skids (119237) | about a year and a half ago | (#41182059)

Or at least a tarpit. Everyone should do their part by making the scripts work those few extra seconds. At the very least it will make the coders writing them learn to do asynchronous event loops, so maybe they can go get a real job.

IPv6 (1)

Anonymous Coward | about a year and a half ago | (#41181759)

If you feel this is important enough you should immediately contact the president of the united states directly to tell him about your ordeal. His Email address is president@whitehouse.gov.

Absolutely no point. (0)

Anonymous Coward | about a year and a half ago | (#41181793)

I get tons of these when I have SSH running on port 22. I'm quite certain no one can get in, as I accept only RSA key authentication, but the attempts sure as hell clutter up my logs.

I have never even considered trying to report them. They all come from foreign countries and compromised PCs anyway, so I'm not sure how reporting anything to anyone could ever make a scrap of difference.

It would be like reporting email spam... yeah - that totally works.

How to secure your system (1)

hendersj (720767) | about a year and a half ago | (#41181795)

Use something like blockhosts to deny connections to addresses that have repeated unsuccessful attempts.

Use public key/private key pairs for authentication and disable password authentication completely.

Use a non-standard port for the ssh service.

Who to report them to? Unless you're actually compromised and suffer harm, there really isn't anyone who is going to look into it; seriously, reporting every potential attacker results in nothing more than a very large scale game of whack-a-mole.
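The three hardening steps in this comment (ban repeat offenders, key-only authentication, non-standard port) as an OpenSSH sshd_config fragment. This is an added example, not the commenter's configuration; the port number 2222 and the user name tom are assumptions. sshd_config does not allow trailing comments, so each note sits on its own line.

```sshd_config
# Added example: hardened sshd_config fragment (OpenSSH).
# Port and user name are assumptions; adjust before use.

# Non-standard port: dodges mass scanners, not a targeted attacker.
Port 2222

# Never let root in directly; log in as a user and escalate.
PermitRootLogin no

# Keys only. Install and test your key from a second session
# BEFORE turning password authentication off, or you lock yourself out.
PubkeyAuthentication yes
PasswordAuthentication no

# Without this, PAM can still prompt for a password via keyboard-interactive.
ChallengeResponseAuthentication no
UsePAM yes

# Cut each connection off early so a scanner gets little per attempt.
MaxAuthTries 3
LoginGraceTime 30

# Assumption: only this account may log in at all.
AllowUsers tom
```

After editing, check the file with `sshd -t` and restart the daemon while keeping the existing session open; a blocking tool such as fail2ban or blockhosts then only has to deal with the scanners that find the new port.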

Try this (4, Informative)

inode_buddha (576844) | about a year and a half ago | (#41181967)

Try psad. I've been running it for years, in addition to SELinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to DShield.org and ISC (Internet Storm Center), and you can script attack responses with your normal shell. *very* highly recommended.

I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.

http://cipherdyne.org/psad/ [cipherdyne.org]

Report to... (1)

kiwimate (458274) | about a year and a half ago | (#41181997)

...Anonymous. Enjoy watching one group of puerile script kiddies attack another group of puerile script kiddies.

Alternate answer #1 ...nowhere. If they get in, they just did you a favor by exposing your weaknesses.

Or so goes the argument as to why Anonymous is/are heroes. Hey, what's good for banks is good for individuals, right?

Alternate answer #2 ...nowhere. Who cares? All they're going to do is copy information off of your hard drive - it's not like it actually means anything, you still have your original data.

Or so goes the argument for why piracy isn't wrong.

Standard abuse reports work ok. (1)

Psyko (69453) | about a year and a half ago | (#41182033)

I didn't read all the responses but from my dealing with the FBI cyber crimes division they won't even look at it unless there's $10k USD or more in loss/damages.

What I do (when I'm bored :P ) is just take the logs, pull the source address, punch it through ARIN and see who owns the netblock, then file an abuse/fraud ticket through whoever owns the netblock (including providing the logs). That seems to work pretty well for US-based companies. I was really impressed with the Amazon cloud guys and how fast they shut down a compromised VM after I sent them the info. Regional/smaller ISPs are usually pretty good, larger ones it can be hit or miss.

Dealing with offshore addresses is more problematic, due to inconsistent controls, communication barriers, etc. For addresses like that, if it's not a country I'm going to be travelling to or do business with, I'll just ACL the whole block (sometimes the whole country) at my perimeter.

Aside from that, nonstandard ports, knocking, vpn are all good ways to deal with this kind of thing. I'm guessing you're at least not leaving all your personally critical data there, and that you do at least have some isolation.

Email to the netblock owner (2)

router (28432) | about a year and a half ago | (#41182089)

Worked well when we used it. Email to the network owner, log excerpts, etc; they found machine and fixed it. One was in Italy at some university, they were really cool, emailed us back and everything. Didn't work all the time, but you would be amazed how well a nice note to the network folks works. They don't want to pollute the net; they are much like you in that way.

andy
