
Ask Slashdot: Where To Report Script Kiddies and Other System Attacks?

First time accepted submitter tomscott writes "So I've been using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but — knock on wood — I've never had a breach. What I am wondering: Is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?" The FBI is interested, but probably only if you've actually suffered a loss.

  • by Desler ( 1608317 ) on Thursday August 30, 2012 @03:15PM (#41181749)

    Most idiots just parrot the 'security through obscurity' thinking it's some compelling argument when it's really not. If the basis of your security is entirely reliant on the obscurity of your algorithms, etc. being private then it is bad. But using some level of secrecy as a first line of defense can be quite useful in preventing attacks.

    Even Bruce Schneier does not take the black-and-white stance that the Internet 'experts' do. He is actually quite pragmatic about acknowledging that there is a continuum of secrecy requirements based on the system at hand, but mentions that relying too much on secrecy makes the security of the system more fragile. These Internet 'experts' need to actually read what people like Bruce say rather than just repeating stupid sound bite pieces.

  • by MrSenile ( 759314 ) on Thursday August 30, 2012 @03:20PM (#41181835)

    Leaving port 22 open is just asking for abuse.

    Not really, no. If you lock down SSH sufficiently, then it's pretty much bulletproof.

    1. Lock down specific users@ip to be able to ssh in.
    2. Enforce privilege separation and all the other paranoid protection in the sshd_config.
    3. Put in some type of brute force protection like fail2ban.
    4. Enforce non-dictionary passwords.


    Problem solved.

  • by Desler ( 1608317 ) on Thursday August 30, 2012 @03:40PM (#41182117)

    Duh? In this case, since he is being port scanned by what is most likely Chinese script kiddies, moving the port will stop probably 99% of them. No one said such things will prevent any possible intrusion, but it's an easy and cheap way to prevent the vast majority and causes no compromising to the underlying system. For the determined people who get around that you layer on top other defenses such as only allowing a certain amount of attempts before locking out/banning, only allowing retries after some certain length of time, etc. If all these fail, you still haven't compromised the underlying system but you've severely limited the amount of people who would be successful in attacking you.

  • by trev.norris ( 2010080 ) on Thursday August 30, 2012 @04:51PM (#41183163) Homepage

    I emailed someone from project honeypot about this same thing. They said they would set up a service where people could submit unauthorized login attempts automatically. (right now my honeypot just emails the result of logwatch --service sshd to an account)

    It is useful information. I've used it to contact some providers (e.g. aws, linode, etc.) about the machines making unauthorized attempts. Usually it's from a server hosting a website that hasn't been updated in years.
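
An added example, not part of any comment above: one way to turn sshd log lines into a per-source summary of the kind a hosting provider's abuse desk can act on. The log lines are constructed, the names SAMPLE_LOG, summarize and format_report are hypothetical, and the classic syslog "Failed password" format of OpenSSH is assumed.

```python
import ipaddress
import re

# Constructed sample lines in classic syslog sshd format (documentation IP ranges).
SAMPLE_LOG = """\
Aug 30 03:12:01 box sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Aug 30 03:12:04 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Aug 30 03:15:40 box sshd[2140]: Accepted publickey for tom from 192.0.2.10 port 51515 ssh2
Aug 30 04:01:17 box sshd[2188]: Failed password for invalid user x from 192.0.2.10 port 1 from 198.51.100.7 port 33900 ssh2
Aug 30 04:01:19 box sshd[2188]: Failed password for invalid user oracle from 198.51.100.7 port 33911 ssh2
Aug 30 04:02:00 box sshd[2190]: Failed password for root from not-an-ip port 1 ssh2
"""

# Greedy user match anchored at end of line: the address sshd appended wins,
# so a username crafted to look like "x from <ip> port 1" cannot redirect the report.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text):
    """Return {source_ip: {count, first, last, users}} for failed password attempts."""
    report = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # skip anything that is not a literal address
        entry = report.setdefault(ip, {"count": 0, "first": m["ts"], "last": m["ts"], "users": set()})
        entry["count"] += 1
        entry["last"] = m["ts"]
        entry["users"].add(m["user"])
    return report

def format_report(report):
    """One line per source, suitable for pasting into a provider's abuse form."""
    return "\n".join(
        f"{ip}: {e['count']} failed logins, {e['first']} to {e['last']}, users tried: {', '.join(sorted(e['users']))}"
        for ip, e in report.items()
    )

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

Syslog timestamps carry no year or time zone, so add both by hand before sending the summary to a provider.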
