What can I do about breakin attempts? - Security


Thread: What can I do about breakin attempts?

  1. What can I do about breakin attempts?

    Some thug has repeatedly attempted to break in to my server. There's a long
    list of repeat login attempts, with alphabetical user names, from one
    particular IP address. (The jerk is at 216.155.75.230, if you're curious).
    What can I do about this?



  2. Re: What can I do about breakin attempts?

    On Fri, 24 Feb 2006 22:38:06 -0600, Chris wrote:

    > Some thug has repeatedly attempted to break in to my server. There's a long
    > list of repeat login attempts, with alphabetical user names, from one
    > particular IP address. (The jerk is at 216.155.75.230, if you're curious).
    > What can I do about this?


    Place in your firewall a rule to drop the dumbass.


    --

    Regards
    Robert

    Smile... it increases your face value!



  3. Re: What can I do about breakin attempts?

    On 2006-02-25, Chris wrote:
    > Some thug has repeatedly attempted to break in to my server. There's a long
    > list of repeat login attempts, with alphabetical user names,


    If you don't need remote access, close the ports, consider the idea of
    using security certificates instead of passwords, use a different port
    than the standard one (to avoid bots more than anything else), tighten
    your firewall rules to allow only the IP you know about to access it,
    use serious passwords if you really have to use passwords and enforce a
    rotation policy, keep your system updated.

    Davide

    --
    Windows XP: Technology by NT, interface by Fisher-Price

  4. Re: What can I do about breakin attempts?

    On Fri, 24 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <43ffdc86$0$11005$9a6e19ea@news.newshosting.com>, Chris wrote:

    > Some thug has repeatedly attempted to break in to my server. There's a long
    > list of repeat login attempts, with alphabetical user names, from one
    > particular IP address. (The jerk is at 216.155.75.230, if you're curious).


    Is your newsreader so broken that you didn't see the thread "Dictionary
    attacks on port 22"?

    The IP address belongs to Telefonica del Sur S.A in Valdivia, Chile
    which is a fair sized city about 40 degrees South (450 miles/720 KM South
    of Santiago). LACNIC says there is an rwhois server at rwhois.telsur.cl
    on port 4321, but it's not answering a SYN.

    > What can I do about this?


    Why is your server accepting connections from the world? Use your firewall
    to restrict access to the limited number of addresses (or address ranges)
    where you might actually want to connect. Another tack is to move the
    server to a non-standard port. What you are seeing is probably yet another
    windoze zombie box. Lots of suggestions in that other thread.

    Old guy

  5. Re: What can I do about breakin attempts?

    Chris wrote:

    > Some thug has repeatedly attempted to break in to my server. There's a
    > long list of repeat login attempts, with alphabetical user names, from one
    > particular IP address. (The jerk is at 216.155.75.230, if you're curious).
    > What can I do about this?


    Minimally you can add him to your /etc/hosts.deny file

    sshd: 216.155.75.230

    I'm assuming it's ssh he's trying to break. Look at the DenyHosts package
    for automating this.

    Ideally - add them to your firewall for rejection.

  6. Re: What can I do about breakin attempts?

    ibuprofin@painkiller.example.tld (Moe Trin) (06-02-25 14:23:48):

    > > What can I do about this?

    >
    > Why is your server accepting connections from the world? Use your
    > firewall to restrict access to the limited number of addresses (or
    > address ranges) where you might actually want to connect. Another
    > tact is to move the server to a non-standard port. What you are seeing
    > is probably yet another windoze zombie box. Lots of suggestions in
    > that other thread.


    I don't really get why nobody here has ever heard anything about
    key-based authentication. It makes brute-force attacks practically
    impossible. You (Moe) seem to be particularly interested in
    cryptography. I expected that _you_ would be the first to recommend
    that.

    Regards.

  7. Re: What can I do about breakin attempts?

    On Sun, 26 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <20060226042451.11f5899a@kill.mine.nu>, Ertugrul Soeylemez wrote:

    >ibuprofin@painkiller.example.tld (Moe Trin) (06-02-25 14:23:48):


    >> Why is your server accepting connections from the world? Use your
    >> firewall to restrict access to the limited number of addresses (or
    >> address ranges) where you might actually want to connect. Another
    >> tact is to move the server to a non-standard port.


    >I don't really get why nobody here has ever heard anything about
    >key-based authentication. It makes brute-force attacks practically
    >impossible.


    As Larry Wall likes to say "There's more than one way to do it."

    By restricting the allowed IP addresses, and/or moving the service to
    an uncommon port number, I don't see these attempts. The bottom line
    answer is "what works for you".

    >You (Moe) seem to be particularly interested in cryptography. I
    >expected that _you_ would be the first to recommend that.


    I'm a networking guy, not a crypto student. Blocking/moving comes to my
    mind as the quickest solution. There is nothing to prevent combining
    these techniques, nor is there much in choice of one over the other.
    Actually, what I'm looking at right now is a port-knocking solution as
    an alternative to restricting the IP range, though still using random
    destination port numbers.

    Old guy

  8. Re: What can I do about breakin attempts?

    ibuprofin@painkiller.example.tld (Moe Trin) (06-02-26 18:15:40):

    > By restricting the allowed IP addresses, and/or moving the service to
    > an uncommon port number, I don't see these attempts. The bottom line
    > answer is "what works for you".
    >
    > I'm a networking guy, not a crypto student. Blocking/moving comes to
    > my mind as the quickest solution. There is nothing to prevent
    > combining these techniques, nor is there much in choice of one over
    > the other. Actually, what I'm looking at right now is a port-knocking
    > solution as an alternative to restricting the IP range, though still
    > using random destination port numbers.


    Still, isn't it much better to make brute-forcing (practically)
    impossible? If you're a network guy, then you should know that keys are
    not just more secure, but also much easier to manage/handle; one single
    key for every machine you want to connect to -- without security risks.

    However, your non-standard port approach will keep arbitrary
    script-kiddies away, but not a 'real' attacker. He will find the port,
    and he will also discover your knockd secret, if he has some good reason
    to break into your system.


    Regards.

  9. Re: What can I do about breakin attempts?

    On Mon, 27 Feb 2006 05:18:55 +0100, Ertugrul Soeylemez wrote:

    >Still, isn't it much better to make brute-forcing (practically)
    >impossible? If you're a network guy, then you should know that keys are
    >not just more secure, but also much easier to manage/handle; one single
    >key for every machine you want to connect to -- without security risks.


    Security is based on possibilities, not on assuming that some particular
    solution is a cure-all --> that way lie surprises
    >
    >However, your non-standard port approach will keep arbitrary
    >script-kiddies away, but not a 'real' attacker. He will find the port,
    >and he will also discover your knockd secret, if he has some good reason
    >to break into your system.


    A real attacker is not targeting a particular box, they're looking
    for the easy pickings. If port 22 doesn't respond to a log on attempt,
    one may expect the attacker to move on to a softer target, not hammer
    against a brick wall, no?

    Moving the login port is easy, as is using RSA and turning off
    password authentication.

    In the unlikely scenario that some attacker can port scan without being noticed
    (that would need to be damned slow on my firewall), they still need
    to meet stiff opposition in the non-password login attempt.

    Grant.
    --
    .... The computer scientist, who had listened to all of this said,
    "Yes, but where do you think the chaos came from?"

  10. Re: What can I do about breakin attempts?

    In article <20060227051855.61946515@kill.mine.nu>,
    Ertugrul Soeylemez wrote:

    >Still, isn't it much better to make brute-forcing (practically)
    >impossible? If you're a network guy, then you should know that keys are
    >not just more secure, but also much easier to manage/handle; one single
    >key for every machine you want to connect to -- without security risks.


    Keys are nice but one doesn't always have the keys when not
    at home.

    --
    http://www.spinics.net/lists/crypto/

  11. Re: What can I do about breakin attempts?

    In article ,
    Ken K wrote:

    >Minimally you can add him to your /etc/hosts.deny file
    >
    >sshd: 216.155.75.230


    Better:

    iptables -A INPUT -s 216.155.75.230 -j DROP

    But personally since I don't plan any travel to that
    part of the planet I'd block the entire CIDR:

    iptables -A INPUT -s 216.155.75.230/19 -j DROP

    --
    http://yosemitecampsites.com/
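    Ken K's hosts.deny entry and the iptables rule above are both one-address-at-a-time fixes. The script below is an added example, not something posted in the thread or part of DenyHosts: it does the DenyHosts-style counting by hand, reading auth.log-style sshd lines, tallying "Failed password" events per source address, and emitting both the hosts.deny line and the iptables command for any source at or above a threshold. The log lines are constructed for the example (the address is the one the original poster named, the other values are made up), and nothing is applied to the system; the output is meant to be reviewed before it goes anywhere near /etc/hosts.deny or a firewall.

```shell
#!/bin/sh
# Added example (not from the thread, not DenyHosts): summarise failed SSH
# logins per source address and print block candidates for review.

# Constructed auth.log-style sample; 216.155.75.230 is the address the original
# poster reported, the rest (hostname, pids, users, 10.0.0.8) are made up.
SAMPLE_LOG='Feb 24 22:30:01 srv sshd[4101]: Invalid user aaron from 216.155.75.230
Feb 24 22:30:04 srv sshd[4101]: Failed password for invalid user aaron from 216.155.75.230 port 51302 ssh2
Feb 24 22:30:09 srv sshd[4105]: Invalid user abby from 216.155.75.230
Feb 24 22:30:11 srv sshd[4105]: Failed password for invalid user abby from 216.155.75.230 port 51310 ssh2
Feb 24 22:30:15 srv sshd[4110]: Failed password for root from 216.155.75.230 port 51322 ssh2
Feb 24 22:31:40 srv sshd[4122]: Failed password for chris from 10.0.0.8 port 40012 ssh2
Feb 24 22:31:52 srv sshd[4122]: Accepted publickey for chris from 10.0.0.8 port 40012 ssh2'

# count_failures: read log lines on stdin, print "<failures> <ip>" per source,
# most failures first. Only "Failed password" events count; the "Invalid user"
# line that precedes each of them is the same attempt and is not counted twice,
# and accepted logins are ignored entirely.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# hosts_deny_candidates THRESHOLD: "sshd: <ip>" lines, in /etc/hosts.deny
# syntax, for every source with at least THRESHOLD failures.
hosts_deny_candidates() {
    count_failures | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# iptables_rules THRESHOLD: the equivalent single-address DROP rules, printed
# rather than executed so they can be reviewed first.
iptables_rules() {
    hosts_deny_candidates "$1" | awk '{ print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Driver: summary, then the two kinds of block candidates at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | count_failures
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_candidates 3
printf '%s\n' "$SAMPLE_LOG" | iptables_rules 3
```

On a real box the input would be `grep sshd /var/log/auth.log` (or the journal) rather than the sample string, and the threshold is the knob that separates a mistyped password from a dictionary run; a single failure from 10.0.0.8 stays below it here while the alphabetical run from 216.155.75.230 does not.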

  12. Re: What can I do about breakin attempts?

    ellis@no.spam said the following on 2006-02-27 17:32:
    > In article <20060227051855.61946515@kill.mine.nu>,
    > Ertugrul Soeylemez wrote:
    >
    >> Still, isn't it much better to make brute-forcing (practically)
    >> impossible? If you're a network guy, then you should know that keys are
    >> not just more secure, but also much easier to manage/handle; one single
    >> key for every machine you want to connect to -- without security risks.

    >
    > Keys are nice but one doesn't always have the keys when not
    > at home.
    >
    > --
    > http://www.spinics.net/lists/crypto/


    Then use a one-time password solution (like S/KEY for instance).

    --
    Jon Solberg (remove "nospam" from email address).

  13. Re: What can I do about breakin attempts?

    On Mon, 27 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <20060227051855.61946515@kill.mine.nu>, Ertugrul Soeylemez wrote:

    >Still, isn't it much better to make brute-forcing (practically)
    >impossible? If you're a network guy, then you should know that keys are
    >not just more secure, but also much easier to manage/handle; one single
    >key for every machine you want to connect to -- without security risks.


    First, let me state that I'm not talking about the setup at work. There is
    a Non Disclosure Agreement - and all I will say is that there is a solution
    and it is elegant.

    At home (and indeed in any situation) your first task is to identify what
    threat may exist. What is your expected usage? Do you really have a need
    to allow connections from any IP address in the world? If not, how can
    you "narrow" the range of allowed connections - perhaps to a list of trusted
    IP addresses (my system accepts connections from about 40 specific IP
    addresses).

    The concept of moving the daemon to a non-standard port would normally be
    (correctly) defined as "security through obscurity". But what threat are
    you answering? Skript kiddiez and zombies do not go looking in
    non-standard places. It's a waste of their time to do so, when there are
    millions of other "easy" targets.

    Worrying about a port scanner finding it? One solution is suggested in the
    Security-Quickstart-HOWTO - using "PortSentry" to block someone who scans.
    I dislike this technique, as it is possible to use IP spoofing to cause a
    denial of service. A tradeoff is to block the scanning address for a limited
    time (such as a few minutes). Another technique is to "white-list" certain
    addresses such that someone spoofing those addresses will not trigger a DOS.

    >However, your non-standard port approach will keep arbitrary
    >script-kiddies away, but not a 'real' attacker.


    Again, what is your threat model? The skript kiddiez and zombies are most
    of the problem people face. A "real" attacker? What do you define as a
    "real" attacker? The police, or a government agency? They don't have to
    break in - they have much more sure ways of accessing your system. Are you
    concerned about a professional cracker not with the governments? What have you
    got on the systems that a person would want to get bad enough to pay a
    professional the large amount required to compensate for his time? If there
    really is something worth those big bux, one has to ask why, and why it is
    not locked away securely.

    >He will find the port, and he will also discover your knockd secret, if he
    >has some good reason to break into your system.


    Restricting access by IP address reduces this risk. I don't know about you,
    but I don't need to access my systems from unknown hosts from an unknown
    location. That includes public kiosks. Sorry, that's too easy to abuse. A few
    years ago, I did have such a requirement, and the solution was simple - a
    one-time password. See "Practical Unix & Internet Security" from Garfinkel,
    Spafford, and Schwartz, O'Reilly & Assoc., ISBN 0-596-00323-4, 984 pgs, US$55
    http://www.ora.com/. See Chapter 19 in the third edition (chapter 8 in the
    2nd edition - ISBN 1-56592-148-8 from 1996).

    Also - do a google search for the keywords "port+knocking iptables" for
    some _really_ simple solutions. Again, combining techniques like restricted
    addresses, non-standard ports, port knocking, AS WELL AS eliminating password
    accounts, using non-common usernames - and so on, will all work together to
    raise the barrier.

    But remember two things. NOTHING YOU CAN DO will make it totally secure,
    because there is no such thing as total security - even locking the
    computer in a safe, and tossing that safe into the sea. That's called a
    fact of life. Second - don't get too cute or fancy. More than one person
    has done so, and wound up locking themselves out.

    Figure out what your threat scenario is, and guard against that. Don't try
    to prevent the impossible - or the impossible to defend.

    Old guy
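    Grant's "using RSA and turning off password authentication" and Moe's advice above to combine restricted users, a non-standard port and no password accounts all come down to a handful of sshd_config settings. The script below is an added example, not from the thread or from OpenSSH: it audits an sshd_config read on stdin for those settings and shows a weak and a hardened configuration side by side. Both configuration texts are constructed for the example (the user names and the 10.0.0.8 address are made up). It assumes sshd's first-match rule for repeated keywords and treats an absent PasswordAuthentication, ChallengeResponseAuthentication or PermitRootLogin as the "yes" default of the OpenSSH releases of the thread's era; Match blocks and the rarer `Keyword=value` spelling are not handled.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH's own tooling): check an
# sshd_config for the password/key/port/user settings discussed above.

# Constructed "before" configuration: passwords on, root allowed, default port.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed "after" configuration: keys only, no root, named users, moved port.
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers chris admin@10.0.0.8'

# effective KEYWORD DEFAULT: value of KEYWORD from the config on stdin, using
# sshd's first-occurrence-wins rule (keywords are case-insensitive, comments and
# blank lines skipped); DEFAULT when the keyword is absent. Assumption: the
# defaults passed by the caller below are the pre-OpenSSH-7 ones.
effective() {
    awk -v key="$1" -v dflt="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print dflt }
    '
}

# audit_config: read an sshd_config on stdin, print one line per weak setting,
# return the number of findings (0 when everything checks out).
audit_config() {
    cfg=$(cat)
    n=0
    v=$(printf '%s\n' "$cfg" | effective PasswordAuthentication yes)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is $v: passwords can be brute-forced; set no and use keys"
        n=$((n + 1))
    fi
    v=$(printf '%s\n' "$cfg" | effective ChallengeResponseAuthentication yes)
    if [ "$v" != "no" ]; then
        echo "ChallengeResponseAuthentication is $v: PAM can still prompt for a password"
        n=$((n + 1))
    fi
    v=$(printf '%s\n' "$cfg" | effective PubkeyAuthentication yes)
    if [ "$v" != "yes" ]; then
        echo "PubkeyAuthentication is $v: key logins would be refused"
        n=$((n + 1))
    fi
    v=$(printf '%s\n' "$cfg" | effective PermitRootLogin yes)
    case "$v" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is $v: root is the first name every dictionary run tries"
           n=$((n + 1)) ;;
    esac
    u=$(printf '%s\n' "$cfg" | effective AllowUsers "")
    g=$(printf '%s\n' "$cfg" | effective AllowGroups "")
    if [ -z "$u" ] && [ -z "$g" ]; then
        echo "no AllowUsers/AllowGroups: every local account is a valid login target"
        n=$((n + 1))
    fi
    v=$(printf '%s\n' "$cfg" | effective Port 22)
    if [ "$v" = "22" ]; then
        echo "Port 22: default port; moving it cuts the bot noise but is no substitute for the above"
        n=$((n + 1))
    fi
    return "$n"
}

# Driver: audit both constructed configurations.
for name in WEAK_CONFIG HARDENED_CONFIG; do
    echo "== $name =="
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | audit_config; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
```

Against a live system the input is `sshd -T` (the effective configuration after defaults and Match blocks) piped into `audit_config`, which sidesteps the assumptions about absent keywords; the Port finding is deliberately last and informational, in keeping with the thread's point that the port move answers the zombie noise, not a targeted attacker.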

  14. Re: What can I do about breakin attempts?

    On Mon, 27 Feb 2006 21:04:22 +0100, Jon Solberg wrote:
    > ellis@no.spam said the following on 2006-02-27 17:32:
    >> Ertugrul Soeylemez wrote:
    >>
    >>> Still, isn't it much better to make brute-forcing (practically)
    >>> impossible? If you're a network guy, then you should know that keys are
    >>> not just more secure, but also much easier to manage/handle;


    This is true only if there are relatively few users and/or machines to
    manage. Maybe this would help with that though (idunno):
    http://toska.sourceforge.net/

    Otherwise, or actually better to just: Kerberize it (via GSSAPI).

    >>> one single key for every machine you want to connect to --


    You're assuming there's only one admin?

    >>> without security risks.


    No. If someone gets a priv-key (for instance through a client-app exploit)
    and keylogs the passphrase, you'd never know what hit you.

    >> Keys are nice but one doesn't always have the keys when not at home.


    > Then use a one-time password solution (like S/KEY for instance).


    Indeed, or OPIE (for which there is a pam_opie module). However, I
    just recently read a paper on one-time port knocking too:
    http://www.blackhat.com/presentation...4-worth-up.pdf

    --
    -Menno.


  15. Re: What can I do about breakin attempts?

    ibuprofin@painkiller.example.tld (Moe Trin) (06-02-27 14:16:16):

    > >Still, isn't it much better to make brute-forcing (practically)
    > >impossible? If you're a network guy, then you should know that keys
    > >are not just more secure, but also much easier to manage/handle; one
    > >single key for every machine you want to connect to -- without
    > >security risks.

    >
    > Worrying about a port scanner finding it? One solution is suggested
    > in the Security-Quickstart-HOWTO - using "PortSentry" to block someone
    > who scans. I dislike this technique, as it is possible to use IP
    > spoofing to cause a denial of service. A tradeoff is to block the
    > scanning address for a limited time (such as a few minutes). Another
    > technique is to "white-list" certain addresses such that someone
    > spoofing those addresses will not trigger a DOS.


    This all makes it _not so easy_ to find the port -- but not impossible,
    not even difficult. What I was trying to say is that as long as you
    have the ability to get to the port without authentication, the attacker
    has also. If you restrict the allowed IP addresses to a set of
    "trusted" or at least "known" addresses, then the attacker has still a
    chance to compromise one of those boxes first. Maybe he has even
    legitimate access to those systems. (This is the theory that everyone
    is a potential attacker).


    > >However, your non-standard port approach will keep arbitrary
    > >script-kiddies away, but not a 'real' attacker.

    >
    > Again, what is your threat model? The skript kiddiez and zombies are
    > most of the problem people face. A "real" attacker? What do you
    > define as a "real" attacker? The police, or a government agency? They
    > don't have to break in - they have much more sure ways of accessing
    > your system. Are you concerned of a professional cracker not with the
    > governments? What have you got on the systems that a person would
    > want to get bad enough to pay a professional the large amount required
    > to compensate for his time? If there really is something worth those
    > big bux, one has to ask why, and why it is not locked away securely.


    I always assume the worst-case-scenario. A 'real' attacker is any
    attacker with appropriate skills to break into systems. And as said, he
    might have a good reason to break into _your_ system. In my case even
    the government wouldn't get to my data, as it lays encrypted on my
    hard-disk, as long as there are no serious security flaws known about
    the encryption method I use.

    Yes, you can argue that this is "exaggerated" in my case (it's simply a
    workstation). But I have the possibility to encrypt my filesystem. So
    why shouldn't I do so? The effort is low anyway (entering a passphrase
    at boot time).


    > But remember two things. NOTHING YOU CAN DO will make it totally
    > secure, because there is no such thing as total security - even
    > locking the computer in a safe, and tossing that safe into the sea.
    > That's called a fact of life. Second - don't get to cute or
    > fancy. More than one person has done so, and wound up locking
    > themselves out.


    That's true. There is no "perfect security", but there is "ideal
    security", which you can try to approach.


    > Figure out what your threat scenario is, and guard against that. Don't
    > try to prevent the impossible - or the impossible to defend.


    I guard against everything I can guard against (and which comes into my
    mind, of course). There is no reason not to do so, as long as the
    effort required doesn't exceed a certain limit (depending on the
    scenario). Passwords are simply not as secure as encrypted keys. So
    why should I use passwords, just because nobody would possibly be
    interested in my data? Maybe some day somebody is, and maybe this guy
    is a professional.


    Regards.

  16. Re: What can I do about breakin attempts?

    Menno Duursma (06-02-28 10:43:06):

    > >>> Still, isn't it much better to make brute-forcing (practically)
    > >>> impossible? If you're a network guy, then you should know that
    > >>> keys are not just more secure, but also much easier to
    > >>> manage/handle;

    >
    > This is true only if there are relatively few users and/or machines to
    > manage. Maybe this would help with that though (idunno):
    > http://toska.sourceforge.net/


    Not necessarily. If you plan it well, then you can handle thousands of
    keys.


    > >>> one single key for every machine you want to connect to --

    >
    > You're assuming there's only one admin?


    I don't make any assumption. You can have multiple public keys in your
    authorized_keys file.


    > >>> without security risks.

    >
    > No. If someone gets a priv-key (for instance through a client-app exploit)
    > and keylogs the passphrase, you'd never know what hit you.


    That's no different for passwords.


    Regards.

  17. Re: What can I do about breakin attempts?

    Grant (06-02-27 21:13:56):

    > >Still, isn't it much better to make brute-forcing (practically)
    > >impossible? If you're a network guy, then you should know that keys
    > >are not just more secure, but also much easier to manage/handle; one
    > >single key for every machine you want to connect to -- without
    > >security risks.

    >
    > Security is based possibilities, not assuming that some particular
    > solution is a cure-all --> that way lie surprises


    True. But you can say, that one possibility is more suitable over the
    other, for a particular configuration.


    > >However, your non-standard port approach will keep arbitrary
    > >script-kiddies away, but not a 'real' attacker. He will find the
    > >port, and he will also discover your knockd secret, if he has some
    > >good reason to break into your system.

    >
    > A real attacker is not targeting a particular box, they're looking for
    > the easy pickings. If port 22 doesn't respond to log on attempt, one
    > may expect attacker to move onto to a softer target, not hammer
    > against a brick wall, no?


    But what if he has a specific target? You're talking about
    script-kiddies.


    > Moving the login port is easy, as is using RSA and turning off
    > password authentication.


    And in my opinion the latter approach is better. Even if the attacker
    finds the port, he can't brute-force. He doesn't even get to the public
    key of the legitimate user. So he hasn't even got a starting point for
    an attack (attacking the key to recover the private key, for instance).
    At least regarding SSH. There may well be other running services to
    attack.

    Moving to a non-standard port is an easy way to keep script-kiddies
    away, as I've already said. But in a fight you can't assume that your
    opponent is a child. And in some configurations you can't even move to
    another port.

  18. Re: What can I do about breakin attempts?

    On Tue, 28 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <20060228173210.0df62460@kill.mine.nu>, Ertugrul Soeylemez wrote:

    >What I was trying to say is that as long as you have the ability to get
    >to the port without authentication, the attacker has also. If you
    >restrict the allowed IP addresses to a set of "trusted" or at least
    >"known" addresses, then the attacker has still a chance to compromise
    >one of those boxes first.


    Yes, but first you have to know what my address is (the ones in these
    headers aren't even in the same /4), and what addresses I might be
    accepting connections from, and what user names I might allow. Now
    before you say they just pick an IP address at random, maybe you want
    to think through the implications above.

    >Maybe he has even legitimate access to those systems. (This is the
    >theory that everyone is a potential attacker).


    You're being a little over paranoid there.

    >I always assume the worst-case-scenario. A 'real' attacker is any
    >attacker with appropriate skills to break into systems. And as said, he
    >might have a good reason to break into _your_ system.


    A "real" attacker is a professional. He doesn't waste large amounts of
    time trying to break in to a system on the chance that there MIGHT be
    something valuable enough to repay for the hours involved.

    >In my case even the government wouldn't get to my data, as it lays
    >encrypted on my hard-disk, as long as there are no serious security
    >flaws known about the encryption method I use.


    and no one has installed a sniffer to catch your pass phrase... But
    if your data is that valuable to someone, why is it on the computer?

    Old guy

  19. Re: What can I do about breakin attempts?

    On Wed, 01 Mar 2006 13:56:22 -0600, ibuprofin@painkiller.example.tld (Moe Trin) wrote:

    >On Tue, 28 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    ><20060228173210.0df62460@kill.mine.nu>, Ertugrul Soeylemez wrote:
    >
    >>I always assume the worst-case-scenario. A 'real' attacker is any
    >>attacker with appropriate skills to break into systems. And as said, he
    >>might have a good reason to break into _your_ system.

    >
    >A "real" attacker is a professional. He doesn't waste large amounts of
    >time trying to break in to a system on the chance that there MIGHT be
    >something valuable enough to repay for the hours involved.
    >
    >>In my case even the government wouldn't get to my data, as it lays
    >>encrypted on my hard-disk, as long as there are no serious security
    >>flaws known about the encryption method I use.

    >
    >and no one has installed a sniffer to catch your pass phrase... But
    >if your data is that valuable to someone, why is it on the computer?


    Data that valuable, one starts to worry about attackers with guns.
    Physical security of equipment. Hey, forget the guns; a while back
    a couple of people dressed like techs just walked in and wheeled a
    customs computer out of an airport terminal during business hours.

    Grant.
    --
    Living in a land down under / Where women glow and men plunder / Can't you
    hear, can't you hear the thunder? / You better run, you better take cover!
    --Men At Work

  20. Re: What can I do about breakin attempts?

    ibuprofin@painkiller.example.tld (Moe Trin) (06-03-01 13:56:22):

    > >What I was trying to say is that as long as you have the ability to
    > >get to the port without authentication, the attacker has also. If
    > >you restrict the allowed IP addresses to a set of "trusted" or at
    > >least "known" addresses, then the attacker has still a chance to
    > >compromise one of those boxes first.

    >
    > Yes, but first you have to know what my address is (the ones in these
    > headers isn't even in the same /4), and what addresses I might be
    > accepting connections from, and what user names I might allow. Now
    > before you say they just pick an IP address at random, maybe you want
    > to think through the implications above.


    Your assumption is that any attacker is some foreign guy, who just does
    this for fun. But in fact, many (if not even most) attacks against
    companies originate from some co-worker.


    > >Maybe he has even legitimate access to those systems. (This is the
    > >theory that everyone is a potential attacker).

    >
    > You're being a little over paranoid there.


    I'm just careful. I just insist on my privacy.


    > >I always assume the worst-case-scenario. A 'real' attacker is any
    > >attacker with appropriate skills to break into systems. And as said,
    > >he might have a good reason to break into _your_ system.

    >
    > A "real" attacker is a professional. He doesn't waste large amounts of
    > time trying to break in to a system on the chance that there MIGHT be
    > something valuable enough to repay for the hours involved.


    Yes, but if he _knows_ that there _is_ valuable data, then he will spend
    that time.


    > >In my case even the government wouldn't get to my data, as it lays
    > >encrypted on my hard-disk, as long as there are no serious security
    > >flaws known about the encryption method I use.

    >
    > and no one has installed a sniffer to catch your pass phrase... But
    > if your data is that valuable to someone, why is it on the computer?


    Should I write it down on paper? My data is not valuable at all, it's
    just my personal data. I'm talking about a private host. As said
    above, I'm just concerned about my privacy.


    Regards.
