Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?
First time accepted submitter tomscott writes "So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.
Pointless (Score:5, Insightful)
The attackers are most likely using other infested machines.
Re:Not like most linux users! (Score:5, Insightful)
And which protocol/port does your VPN listen on?
Because that's just asking for abuse...
Captcha: insults
These days, the attackers are innocent (Score:5, Insightful)
I think (I have no actual numbers) most of those are compromised boxes running distributed attack scripts. It makes sense to run the C&C and let your zombies do the work; that way it doesn't get tracked back to you.
That was the case I saw twice on two boxes I had - one fell to a BIND exploit, and rather than reboot, I investigated why DNS stopped working. I uncovered an IRC C&C (with over 60 clients) and went about informing people (by the IPs of the IRC clients) about what had happened. Most rebooted and never noticed a thing. All were happy to hear I was letting them know what happened.
Based on that, you're more likely to report innocent people whose only crime is being unpatched.
Re:Not like most linux users! (Score:5, Insightful)
Wouldn't you like to know...
Seriously, don't use the default port for any service you don't have to. It will drastically drop the number of attempts. Most kiddies out there seemingly don't know about more sophisticated scripts that can identify services on non-default ports.
Re:Not like most linux users! (Score:4, Insightful)
Run OpenVPN on any UDP port using the tls-auth option to drop unsigned packets. Use iptables to drop all other 65534 ports. Good luck finding out which port is the VPN server.
Re:Not like most linux users! (Score:5, Insightful)
Re:Not like most linux users! (Score:5, Insightful)
No, it's not at all alike because the bear is going to eat one of you: whichever one it catches first. The script isn't going to compromise one box, it's going to compromise every single one that's vulnerable to whatever exploit(s) it's using in the IP ranges it's scanning.
To put it another way, it's not the bullet with your name on it you have to worry about. It's the 20,000 or so odd rounds labelled "Occupant".
Re:Not like most linux users! (Score:3, Insightful)
In Bruce Schneier's own words [schneier.com]:
Just because security does not require something be kept secret, it doesn't mean that it is automatically smart to publicize it.
You might want to actually read and digest the first article on that page before spouting off again.
Re:Not like most linux users! (Score:4, Insightful)
This. I mean, you could argue that even passwords are, in a way, security through obscurity.
Re:Not like most linux users! (Score:5, Insightful)
No one is owned until Godwin comes out. Only Hitler would say differently.
And yes, "security through obscurity" is a layer in a sound defensive strategy. If no one knows you are there, they don't know to start trying to attack you. If anything, it shrinks the size of your logs.
Unfortunately, if an attacker is looking for you and already knows your service is there, you'd better have a more reliable defensive plan available.
Re:Not like most linux users! (Score:4, Insightful)
Nope. Defeating port knocking is easy - just knock all the ports a few times and it opens up. (Alternatively, if your knock scheme demands a specific order, I can keep you out indefinitely by knocking some wrong port continuously.)
And even when it works, the obscurity is only equivalent to a few more characters in the password.
Since there are 2^16 ports, each port is equivalent to 16 bits of password entropy (depending on how long it takes to test a port versus test a password).
If it takes 3 knocks to get in (i.e. knock 2 ports, then find the open port for the service you're looking for), that's equivalent to 48 bits of password entropy, or around 8 additional alphanumeric password characters.
Lock out an IP from unlocking the port after a few unsuccessful knocks and you pretty much eliminate any chance of a brute force attack. You can try to attack from different IP addresses through a botnet or spoofing, but with 48 bits of entropy and less than 32 bits of IPv4 addresses to choose from, there aren't enough IPs to brute force.
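As an added illustration (not from any commenter on this page), a toy Python model of the arithmetic in the comment above and of the lockout it suggests: the entropy of an ordered knock sequence expressed in 16-bit ports and in alphanumeric characters, and a per-source-IP knock gate that locks a source out after a few wrong knocks. The knock sequence, port numbers and IP addresses are constructed.

```python
import math
from collections import defaultdict

PORT_COUNT = 2 ** 16      # 65536 possible TCP/UDP ports, 16 bits each
ALNUM_ALPHABET = 62       # a-z, A-Z, 0-9


def knock_entropy_bits(knocks: int) -> float:
    """Entropy of a secret ordered sequence of `knocks` ports."""
    return knocks * math.log2(PORT_COUNT)


def equivalent_alnum_chars(bits: float) -> float:
    """Random alphanumeric password characters carrying the same entropy."""
    return bits / math.log2(ALNUM_ALPHABET)


class KnockGate:
    """Ordered port-knock gate keeping state per source IP (hypothetical toy).

    Per-source state means a third party knocking wrong ports cannot reset a
    legitimate client's progress; the lockout bounds online guessing per IP.
    """

    def __init__(self, sequence, max_failures=3):
        self.sequence = tuple(sequence)
        self.max_failures = max_failures
        self.progress = defaultdict(int)   # next expected index per source IP
        self.failures = defaultdict(int)   # wrong knocks seen per source IP
        self.opened = set()                # sources that completed the sequence

    def knock(self, ip: str, port: int) -> str:
        if self.failures[ip] >= self.max_failures:
            return "locked"
        if port != self.sequence[self.progress[ip]]:
            self.progress[ip] = 0
            self.failures[ip] += 1
            return "locked" if self.failures[ip] >= self.max_failures else "reset"
        self.progress[ip] += 1
        if self.progress[ip] == len(self.sequence):
            self.opened.add(ip)
            self.progress[ip] = 0
            return "open"
        return "partial"


def run_demo():
    """Constructed scenario: one legitimate client, one guessing source."""
    gate = KnockGate(sequence=(7000, 8000, 9000), max_failures=3)
    legit = [gate.knock("10.0.0.1", p) for p in (7000, 8000, 9000)]
    guesser = [gate.knock("198.51.100.7", p) for p in (1, 2, 3, 7000)]
    return legit, guesser, "10.0.0.1" in gate.opened
```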
Re:Not like most linux users! (Score:4, Insightful)
Not to mention that if you do what some people do and move services like sshd to another port you may actually create a security problem.
If you've got sshd running on any port > 1024 then an attacker who can gain regular unprivileged user access to the system and is able to crash your sshd can replace it with his own sshd. If it's running on port 22 (since you should never "steal" a port under 1024) then the attacker needs root access to accomplish the same trick.
Besides, it's not particularly hard for an attacker to scan a system from multiple hosts; there's a finite number of ports for you to "hide" your services on, and all it takes is a bit of patience to find your "hidden" services.
Re:Not like most linux users! (Score:4, Insightful)