Ask Slashdot: Where To Report Script Kiddies and Other System Attacks? 241
First time accepted submitter tomscott writes "So I've been using using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.
Not like most linux users! (Score:3, Informative)
I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.
From my understanding (Score:5, Informative)
Use key-based security (Score:5, Informative)
Report it to DShield.org (Score:5, Informative)
"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html [dshield.org] . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.
You can report them to DHS (Score:3, Informative)
http://www.dhs.gov/how-do-i/report-cyber-incidents
abuse@organizationname.com (Score:4, Informative)
It's been years, but a few times I found the organization sending traffic and sent an email to abuse@
the domain name and had positive results.
You can look up the whois online registry information on where the traffic is coming from, and there can be additional contact information there.
Regards,
Sam
Re:Not like most linux users! (Score:4, Informative)
I have a vpn like most sane people. Leaving port 22 open is just asking for abuse.
Just configure SSHD to accept only SSH Keys (no password login) and 99% of the problem is solved.
Waste of time... (Score:5, Informative)
Make sure you have good passwords, know what ports are exposed, and run something like fail2ban [fail2ban.org].
Re:Not like most linux users! (Score:5, Informative)
Most kiddes out there seemingly don't know about more sophisticated scripts that can identify services on non default ports.
I doubt they care, there are enough exploitable targets. The automated scripts scan _many_ IPs for a few ports. Having them scan more ports would take longer and slow the spread.
Despite what many say, there is some security through obscurity. It's a case of only having to outrun your neighbour and not the bear.
The other advantage is if you use an obscure port, if someone does try it and brute force etc, you can consider it more seriously - someone might actually be trying to hack you specifically.
This is what I was going to post... (Score:4, Informative)
I run OpenVPN on one of my OpenBSD machines on a non-standard port, it's the only way to get in through my firewall (another OpenBSD machine). Once I've made my vpn connection, I can then ssh to the other machines on the network.
To the question at hand, if you can identify the ip address that the breach originated from, plug it into Network Solutions' whois lookup and you can usually find the ISP the ip is connected to. They usually have an abuse email account listed in their whois info. If they don't have info, try plugging the ip into RIPE or APNIC's whois database and report accordingly.
Re:Not like most linux users! (Score:2, Informative)
Re:Not like most linux users! (Score:4, Informative)
Port knocking is less useful now that many corporate environments restrict outbound tcp ports.
Try this (Score:4, Informative)
Try psad. I've been running it for years, in addition to selinux and iptables. It auto-drops all kinds of connection attempts based on parameters you can set, but the defaults are very reasonable. Works for all connections, not just ssh. It can report to D-Shield.org and ISC (internet storm center), and you can script attack responses with your normal shell. *very* highly recommended.
I test it from time to time with nmap and nope, it doesn't allow nmap to get anything.
http://cipherdyne.org/psad/ [cipherdyne.org]
Re:Not like most linux users! (Score:3, Informative)
"t's a case of only having to outrun your neighbour and not the bear."
Grizzlies alone can run up to an hour at 30MPH, no way in hell any human outrun a bear. Just needed to point that one out.
Re:Not like most linux users! (Score:5, Informative)
Why?
Fail2ban will block these bots (usually, ssh bruteforce attacks are the result of worms rather than actual script kiddies manually running them) from sshing into your system after a few failed attempts.
SSH-key only access will increase security by an order of magnitude. A bruteforce against a public-key only SSH server is untenable. Their script likely doesn't even support ssh keys and will just get kicked out with a protocol mismatch error. These attempts are meant to get in via password authentication, default credentials or weak passwords.
If you have SSH on any port exposed to the internet w/o fail2ban and/or ssh-key only access, you're asking for trouble. I've seen it happen on numbers of boxes with strong passwords for users -- eventually, they get in...
Re:Not like most linux users! (Score:4, Informative)
Put something like denyhosts or fail2ban on top of that and you're even more safe.
Almost nobody cares (Score:5, Informative)
Not that other countries agencies are any better. We had big trouble with a guy in New Zealand disrupting services, phishing accounts etc. We managed to start an investigation (or so they said) by phone but it took several hours and help from the CERT team in Australia. After a month nothing had happened, and I was there on vacation. I spent a day on the phone trying to find somebody who knew about the case, but even with the reference number they could not do anything. CERT Australia tried for a few days, and finally gave up.
We had a guy in the Netherlands who phished hundreds of accounts, and still nobody down there would pick the ball. Then he and a friend found a hole in a third party system and managed to suck out data for hundreds of (dutch) people. The web frontend was in Germany and the third party application in the US (A lot more US citizens data was also stolen). Dutch police said they won't do anything because the data was abroad. German police said they won't do anything because the guy is in the Netherlands. The FBI said they'll look into it, but never did anything despite us trying to get back to all of them countless times. We found both hackers identities and had the second guy on the phone, admitting everything and promising he'd testify... Still nobody was interested.
You have to work in a big corporation to get the authorities to do anything. They don't care if somebody phishes thousands of accounts unless it's in the news or a corporation they recognize. It's almost as if they want all the script kiddies to be able to practice in peace until they really learn how to cover up their tracks and move to juicier targets if they won't take a case when it's handed to them on a platter with clear logs and a confession. It does work a lot better when the hacker is in the same country as you and you are working with a local law enforcement agency though. I also had good experiences with the Metropolitan Police in the UK.
Re:Not like most linux users! (Score:3, Informative)
Security thru absurdity is just crazy enough to work