(Where) should I report breakin attempts? - SSH


  1. (Where) should I report breakin attempts?

    Greetings.

    Most of the time my computers are behind a router/firewall that blocks port
    22, but occasionally I unblock it if I'm going somewhere and need to log
    into my machines remotely. Whenever I do this I notice in
    my /var/log/messages that some script kiddie is repeatedly connecting via
    ssh and trying to guess usernames. The IP changes every time so I'm not
    sure if it's just one guy using hijacked machines or different people.

    Is it worth reporting this behaviour to whatever ISP is associated with the
    IP addresses? Is there some sort of SpamCop-type service that will
    automatically file a report to the correct contact address? Or should I
    just copy and paste from /var/log/messages and send it to
    abuse@example.com, where example.com is whatever domain name nslookup
    associates with the IP address?

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you

  2. Re: (Where) should I report breakin attempts?

    Greetings.

    In article <2428961.p0Wranuy0x@polecat.worldsocialism.org>, Tristan Miller
    wrote:

    > Most of the time my computers are behind a router/firewall that blocks
    > port 22, but occasionally I unblock it if I'm going somewhere and need to
    > log
    > into my machines remotely. Whenever I do this I notice in
    > my /var/log/messages that some script kiddie is repeatedly connecting via
    > ssh and trying to guess usernames. The IP changes every time so I'm not
    > sure if it's just one guy using hijacked machines or different people.


    I should clarify that the IP changes each time I enable port 22 (which is
    once a day every few weeks), not every time a connection is made.

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you

  3. Re: (Where) should I report breakin attempts?

    On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:

    >Greetings.
    >
    >Most of the time my computers are behind a router/firewall that blocks port
    >22, but occasionally I unblock it if I'm going somewhere and need to log
    >into my machines remotely. Whenever I do this I notice in
    >my /var/log/messages that some script kiddie is repeatedly connecting via
    >ssh and trying to guess usernames. The IP changes every time so I'm not
    >sure if it's just one guy using hijacked machines or different people.


    I run an anonymous access ftp server and observed that behaviour in the
    logs -- only once last week.
    >
    >Is it worth reporting this behaviour to whatever ISP is associated with the
    >IP addresses? Is there some sort of SpamCop-type service that will
    >automatically file a report to the correct contact address?


    Those 'automatic' black-list services cause many headaches. Any
    automatic feature simply increases network traffic for no gain.

    > Or should I
    >just copy and paste from /var/log/messages and send it to
    >abuse@example.com, where example.com is whatever domain name nslookup
    >associates with the IP address?


    Mostly useless, I trialled doing this for a while -- had success
    with one of several dozen complaints. My approach is to ban the
    offender's CIDR block (from whois) in iptables and notify the
    abuse@example.com contact and leave the ban in place until traffic
    stops. Current deny-list contains only two US based abusers'
    CIDR blocks. I don't bother blocking / reporting Asian offenders.


    Check what country the offenders are sending from. You may have success
    with GB, but Asia? Don't bother. Some US colo sites are set up for this
    type of script-kiddie abuse and ignore complaints too. A better idea is
    to properly secure your system.

    Perhaps iptables rules: three ssh attempts in 2 minutes? Lock out the
    offending src_ip for an hour, or something.

    Don't use password authentication for public access, use public key
    access. This encourages the 'bot to move on to another IP. Other
    techniques include running the public-access sshd on a different
    port, and/or using 'port-knocking' or a similar technique to open the
    public sshd port only on demand.

    Punishment style strategies (example: tar-pitting) seem pointless,
    and may invite retribution.

    Grant.
    --
    But Linux grew from humble and stupid roots.

    Linus -- lkml 24 Apr 2006

  4. Re: (Where) should I report breakin attempts?


    "Tristan Miller" wrote in message
    news:2595041.58f1QSgL4E@polecat.worldsocialism.org ...
    > Greetings.
    >
    > In article <2428961.p0Wranuy0x@polecat.worldsocialism.org>, Tristan Miller
    > wrote:
    >
    >> Most of the time my computers are behind a router/firewall that blocks
    >> port 22, but occasionally I unblock it if I'm going somewhere and need to
    >> log
    >> into my machines remotely. Whenever I do this I notice in
    >> my /var/log/messages that some script kiddie is repeatedly connecting via
    >> ssh and trying to guess usernames. The IP changes every time so I'm not
    >> sure if it's just one guy using hijacked machines or different people.

    >
    > I should clarify that the IP changes each time I enable port 22 (which is
    > once a day every few weeks), not every time a connection is made.
    >
    > Regards,
    > Tristan


    Sadly, due to the screaming people send to the abuse@example.com addresses,
    many sites simply connect it to /dev/null, especially at poorly run
    institutions from which such script kiddies operate. In my spam hunting,
    I've taken to using http://www.samspade.org to hunt for the owner of the IP
    address, their DNS registration, their upstream feeds, etc. and see if I can
    somehow find a human to notify of the problem. While DNS admins rarely like
    to receive such complaints, they are often able to direct me to a human,
    especially when I call them on the phone and explain the problem in small
    words.

    It's even better when I've gotten a corporate attorney of a company I'm
    working for to read them the riot act parts of the Telecommunications
    Privacy Act, via certified mail if necessary. One lawyer I worked with used
    to have fun doing it, and it's especially fun to climb the food chain at
    universities to talk to deans and let them rant at the systems staff about
    abuse and port scanning going on from their networks. (University networks
    are popular sources of script kiddie scans, due to high bandwidth and often
    very poorly secured machines.)

    But it's very expensive in your time to actually pursue these things: do it
    if you enjoy it, don't do it expecting to really make a big dent in such
    scans.



  5. Re: (Where) should I report breakin attempts?

    Tristan Miller writes:

    >Greetings.


    >Most of the time my computers are behind a router/firewall that blocks port
    >22, but occasionally I unblock it if I'm going somewhere and need to log
    >into my machines remotely. Whenever I do this I notice in
    >my /var/log/messages that some script kiddie is repeatedly connecting via
    >ssh and trying to guess usernames. The IP changes every time so I'm not
    >sure if it's just one guy using hijacked machines or different people.


    >Is it worth reporting this behaviour to whatever ISP is associated with the
    >IP addresses? Is there some sort of SpamCop-type service that will
    >automatically file a report to the correct contact address? Or should I
    >just copy and paste from /var/log/messages and send it to
    >abuse@example.com, where example.com is whatever domain name nslookup
    >associates with the IP address?


    Make sure your passwords are strong. And then forget about it. Those are
    hijacked machines, usually belonging to people who do not give a damn that
    they are hijacked. If you enjoy catching rain in a sieve, you might try
    sending notices to the ISPs. You will not get answers, and you will not
    decrease your attacks.



  6. Re: (Where) should I report breakin attempts?

    On 2006-06-07, Unruh wrote:

    >>Most of the time my computers are behind a router/firewall that blocks port
    >>22, but occasionally I unblock it

    >
    > Make sure your passwords are strong. And then forget about it.


    I'd say make sure you allow only keyed SSH access and no password access
    and then forget about it.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    One of my other 11 computers runs Minix.

  7. Re: (Where) should I report breakin attempts?

    all mail refused writes:

    >On 2006-06-07, Unruh wrote:


    >>>Most of the time my computers are behind a router/firewall that blocks port
    >>>22, but occasionally I unblock it

    >>
    >> Make sure your passwords are strong. And then forget about it.


    >I'd say make sure you allow only keyed SSH access and no password access
    >and then forget about it.


    ?? Then you have to carry your key with you and you have to try to protect
    that.



    >--
    >Elvis Notargiacomo master AT barefaced DOT cheek
    >http://www.notatla.org.uk/goen/
    > One of my other 11 computers runs Minix.


  8. Re: (Where) should I report breakin attempts?


    "Unruh" wrote in message
    news:e65r8g$68k$1@nntp.itservices.ubc.ca...
    > all mail refused writes:
    >
    >>On 2006-06-07, Unruh wrote:

    >
    >>>>Most of the time my computers are behind a router/firewall that blocks
    >>>>port
    >>>>22, but occasionally I unblock it
    >>>
    >>> Make sure your passwords are strong. And then forget about it.

    >
    >>I'd say make sure you allow only keyed SSH access and no password access
    >>and then forget about it.

    >
    > ?? Then you have to carry your key with you and you have to try to protect
    > that.


    That's what memory sticks are for, and ideally a mechanism to push new
    public keys as needed to your servers.



  9. Re: (Where) should I report breakin attempts?

    Greetings.

    In article , Nico
    Kadel-Garcia wrote:
    > "Unruh" wrote in message
    > news:e65r8g$68k$1@nntp.itservices.ubc.ca...
    >> all mail refused writes:
    >>
    >>>On 2006-06-07, Unruh wrote:

    >>
    >>>>>Most of the time my computers are behind a router/firewall that blocks
    >>>>>port
    >>>>>22, but occasionally I unblock it
    >>>>
    >>>> Make sure your passwords are strong. And then forget about it.

    >>
    >>>I'd say make sure you allow only keyed SSH access and no password access
    >>>and then forget about it.

    >>
    >> ?? Then you have to carry your key with you and you have to try to
    >> protect that.

    >
    > That's what memory sticks are for, and ideally a mechanism to push new
    > public keys as needed to your servers.


    I sometimes visit places which use ancient computers or dumb terminals with
    no USB or memory stick port. Cutting off password access is not an
    option.

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you

  10. Re: (Where) should I report breakin attempts?

    all mail refused wrote:
    > On 2006-06-07, Unruh wrote:
    >
    >
    >>>Most of the time my computers are behind a router/firewall that blocks port
    >>>22, but occasionally I unblock it

    >>
    >>Make sure your passwords are strong. And then forget about it.

    >
    >
    > I'd say make sure you allow only keyed SSH access and no password access
    > and then forget about it.
    >


    Ignoring the obvious problem of someone cracking your password, which if
    it is strong will not happen, is keyed ssh actually any more secure in
    practice?

    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.

    http://witm.sourceforge.net/ (Web based Mathematica frontend)

  11. Re: (Where) should I report breakin attempts?

    Tristan Miller wrote:
    > Greetings.
    >
    > In article , Nico
    > Kadel-Garcia wrote:
    >> "Unruh" wrote in message
    >> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
    >>> all mail refused writes:
    >>>
    >>>> On 2006-06-07, Unruh wrote:
    >>>
    >>>>>> Most of the time my computers are behind a router/firewall that
    >>>>>> blocks port
    >>>>>> 22, but occasionally I unblock it
    >>>>>
    >>>>> Make sure your passwords are strong. And then forget about it.
    >>>
    >>>> I'd say make sure you allow only keyed SSH access and no password
    >>>> access and then forget about it.
    >>>
    >>> ?? Then you have to carry your key with you and you have to try to
    >>> protect that.

    >>
    >> That's what memory sticks are for, and ideally a mechanism to push
    >> new public keys as needed to your servers.

    >
    > I sometimes visit places which use ancient computers or dumb
    > terminals with no USB or memory stick port. Cutting off password
    > access is not an option.


    Can you set up OPIE or another similar one-time-password setup? I used to
    find it very useful in a particularly poor security environment, to force an
    additional user-specific one-time-password step before accepting their real
    password from offsite.



  12. Re: (Where) should I report breakin attempts?

    Nico Kadel-Garcia wrote:
    > "Unruh" wrote in message
    > news:e65r8g$68k$1@nntp.itservices.ubc.ca...
    >> all mail refused writes:
    >>
    >>> On 2006-06-07, Unruh wrote:
    >>>>> Most of the time my computers are behind a router/firewall that blocks
    >>>>> port
    >>>>> 22, but occasionally I unblock it
    >>>> Make sure your passwords are strong. And then forget about it.
    >>> I'd say make sure you allow only keyed SSH access and no password access
    >>> and then forget about it.

    >> ?? Then you have to carry your key with you and you have to try to protect
    >> that.

    >
    > That's what memory sticks are for, and ideally a mechanism to push new
    > public keys as needed to your servers.
    >
    >


    And if someone steals your memory stick?

  13. Re: (Where) should I report breakin attempts?

    Dave (from the UK) wrote:

    >
    > Ignoring the obvious problem of someone cracking your password, which if
    > it is strong will not happen, is keyed ssh actually any more secure in
    > practice?
    >


    Yes. As long as you have protected the key with a strong passphrase that
    is.

  14. Re: (Where) should I report breakin attempts?


    "Chuck" wrote in message
    newsmFhg.11459$9c7.1259@trnddc06...
    > Nico Kadel-Garcia wrote:
    >> "Unruh" wrote in message
    >> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
    >>> all mail refused writes:
    >>>
    >>>> On 2006-06-07, Unruh wrote:
    >>>>>> Most of the time my computers are behind a router/firewall that
    >>>>>> blocks
    >>>>>> port
    >>>>>> 22, but occasionally I unblock it
    >>>>> Make sure your passwords are strong. And then forget about it.
    >>>> I'd say make sure you allow only keyed SSH access and no password
    >>>> access
    >>>> and then forget about it.
    >>> ?? Then you have to carry your key with you and you have to try to
    >>> protect
    >>> that.

    >>
    >> That's what memory sticks are for, and ideally a mechanism to push new
    >> public keys as needed to your servers.
    >>
    >>

    >
    > And if someone steals your memory stick?


    That's why you have two, you keep your key encrypted, and you need a way to
    publish an updated key reliably to the servers.



  15. Re: (Where) should I report breakin attempts?

    On Wed, 07 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
    <3196044.Xl0bkrAZrJ@polecat.worldsocialism.org>, Tristan Miller wrote:


    >>>>>> Most of the time my computers are behind a router/firewall that blocks
    >>>>>> port 22, but occasionally I unblock it


    >>>>> Make sure your passwords are strong. And then forget about it.


    That is one very good solution.

    >>>>I'd say make sure you allow only keyed SSH access and no password access
    >>>>and then forget about it.


    That is another.

    >>> ?? Then you have to carry your key with you and you have to try to
    >>> protect that.

    >>
    >> That's what memory sticks are for, and ideally a mechanism to push new
    >> public keys as needed to your servers.


    Good point - but probably over-kill for most users.

    >I sometimes visit places which use ancient computers or dumb terminals with
    >no USB or memory stick port. Cutting off password access is not an
    >option.


    Then there are still several choices.

    There is nothing restricting you to running your SSH server on port 22.
    Move it to some "high" port (use "ls -lt | tail | awk '{print $5}'" to
    grab example numbers) such as 6407 (anything above ~1100 to avoid port
    scanners). It's called "Security By Obscurity" and it works against the
    current crop of script kiddies and zombies.

    There is nothing restricting you from choosing "good" usernames. "Tristan"
    might be OK, but it's in books of names and words. 'ueMd4Ebs' probably
    isn't. (You can remember a non-word password, why not remember a non-word
    username? An old trick is to use the first letter of each word of a phrase.)

    You're posting from the UK - do you really need to access your system from
    every IP address in the world? 58/7, 60/7, 121/8, 122/7, 124/6, 202/7,
    210/7, 218/7 and 220/6 blocks a lot of Asia/Pacific. 188/8, 190/7 and
    200/7 knocks out a lot of Central/South America.

    You are posting using KNode, which suggests Linux (though it also works in
    *BSD). If you are using 'iptables' in Linux, do a google search for 'port
    knocking Linux'.

    Finally, there is nothing preventing you from combining these concepts,
    such that to get in, you need to first try to open a telnet/ftp/web/anything
    connection to port 38388 (which will fail, but opens access to the address
    you tried _from_) from an address range not blocked by "area" rules, then
    connect to your now accessible SSH server on port 6403 (you have one minute
    to connect), logging in as user 'ueMd4Ebs' with password 'Ttl*h1wWur'. It
    probably isn't good enough to satisfy the extreme requirements of some three
    letter agency, but you aren't required to do so (if you were, you shouldn't
    be here - talk to the agency people instead).

    Old guy

  16. Re: (Where) should I report breakin attempts?

    On Wed, 07 Jun 2006 17:22:04 +0100, "Dave (from the UK)" wrote:

    >all mail refused wrote:
    >> On 2006-06-07, Unruh wrote:
    >>
    >>
    >>>>Most of the time my computers are behind a router/firewall that blocks port
    >>>>22, but occasionally I unblock it
    >>>
    >>>Make sure your passwords are strong. And then forget about it.

    >>
    >>
    >> I'd say make sure you allow only keyed SSH access and no password access
    >> and then forget about it.
    >>

    >
    >Ignoring the obvious problem of someone cracking your password, which if
    >it is strong will not happen, is keyed ssh actually any more secure in
    >practice?


    Adding some iptables rules to restrict password retry frequency, for
    example a lockout for an hour after, say, 3 tries / minute, would
    probably be okay, by virtue of reducing a particular attacker's
    window of opportunity.

    Somebody who allows dozens of attempts per minute? At least they're
    occupying an attacker that would otherwise be scanning more machines.

    Grant.
    --
    But Linux grew from humble and stupid roots.

    Linus -- lkml 24 Apr 2006
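Grant's rule (a few failures inside a short window, then drop the source for an hour), as given in posts 3 and 16, simulated over sshd log lines. This is an added example, not code from the thread: the /var/log/messages lines, host name and addresses are constructed, and the year is assumed to be 2006 because syslog stamps carry none. It mirrors what an iptables rate-limit rule would do without touching the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in /var/log/messages style (host, user names and addresses invented).
SAMPLE_LOG = """\
Jun  7 02:06:31 polecat sshd[4123]: Invalid user admin from 192.0.2.10
Jun  7 02:06:40 polecat sshd[4125]: Invalid user test from 192.0.2.10
Jun  7 02:07:02 polecat sshd[4127]: Invalid user oracle from 192.0.2.10
Jun  7 02:07:05 polecat sshd[4129]: Invalid user guest from 192.0.2.10
Jun  7 02:30:00 polecat sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Jun  7 02:45:00 polecat sshd[4142]: Failed password for root from 198.51.100.7 port 4002 ssh2
Jun  7 03:00:00 polecat sshd[4144]: Failed password for root from 198.51.100.7 port 4003 ssh2
Jun  7 03:07:10 polecat sshd[4150]: Accepted publickey for tristan from 203.0.113.5 port 51122 ssh2
Jun  7 03:08:00 polecat sshd[4151]: Invalid user admin from 192.0.2.10
"""

LOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_failures(text, year=2006):
    """Yield (timestamp, source_ip) for every sshd authentication failure, in file order.

    Syslog stamps carry no year, so one is assumed (2006, the year of the thread).
    """
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        f = FAIL_RE.search(msg)
        if not f:
            continue
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, f.group(1)


def simulate_lockouts(text, max_hits=3, window=timedelta(minutes=2),
                      lockout=timedelta(hours=1)):
    """Apply 'max_hits failures inside window => drop that source for lockout'.

    Returns ([(source, ban_start, ban_end), ...], attempts dropped while banned).
    """
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    locked_until = {}             # source -> when its ban expires
    lockouts = []
    dropped = 0
    for ts, src in parse_failures(text):
        if src in locked_until:
            if ts < locked_until[src]:
                dropped += 1          # a banned source never reaches sshd
                continue
            del locked_until[src]     # ban expired: start counting afresh
            recent[src].clear()
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= max_hits:
            lockouts.append((src, ts, ts + lockout))
            locked_until[src] = ts + lockout
            q.clear()
    return lockouts, dropped


if __name__ == "__main__":
    bans, n_dropped = simulate_lockouts(SAMPLE_LOG)
    for src, start, end in bans:
        print(f"{src} banned {start:%H:%M:%S} to {end:%H:%M:%S}")
    print(f"{n_dropped} attempt(s) dropped while banned")
```

The second source never trips the rule because its three failures are fifteen minutes apart, which is the point of the sliding window: a slow guesser is limited by the window, a fast one by the ban.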

  17. Re: (Where) should I report breakin attempts?

    On Wed, 07 Jun 2006 14:44:58 -0500, ibuprofin@painkiller.example.tld (Moe Trin) wrote:

    [locking out roughly by region]

    I ran a check of ssh login attempts to (closed) port 22 here since
    last September:

    ~# ls -rt /var/log/messages.*.gz |xargs zcat |grep "DPT=22 "| \
    sed 's/^.*SRC=\([0-9.]*[^ ]\).*$/\1/'|sortip|uniq|xargs -n 1 ccfind|\
    awk '{split($0,k,":");print k[3]}'|sort|uniq -c|sort -nr|head -10
    226 China
    109 Korea, South
    91 United States
    48 Taiwan
    22 Japan
    17 India
    17 Hong Kong
    11 Germany
    8 Thailand
    7 France

    > logging in as user 'ueMd4Ebs' with password 'Ttl*h1wWur'.


    Are you waiting to see that combo turn up in your logs?

    Grant.
    --
    But Linux grew from humble and stupid roots.

    Linus -- lkml 24 Apr 2006
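Grant's pipeline above tallies distinct sources per country with two local tools, sortip and ccfind. As an added example (not from the thread and not those tools), here is the same tally in Python over constructed netfilter LOG lines, with the regional blocks Moe Trin listed in post 15 standing in for the country lookup; the gateway name and addresses are invented, and a label such as 'Asia/Pacific' means only 'inside one of the blocks he listed', not a geolocation result.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The shorthand blocks from Moe Trin's post; "58/7" is the first-octet form of 58.0.0.0/7.
# The region names are his characterisation of those ranges, not a geolocation database.
REGIONS = {
    "Asia/Pacific": ["58/7", "60/7", "121/8", "122/7", "124/6", "202/7", "210/7", "218/7", "220/6"],
    "Central/South America": ["188/8", "190/7", "200/7"],
}

# Constructed netfilter LOG lines (gateway name and addresses invented), trimmed to the fields used.
SAMPLE_LOG = """\
Jun  5 11:02:13 gw kernel: IN=eth0 OUT= SRC=58.0.0.1 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22 SYN
Jun  5 11:02:14 gw kernel: IN=eth0 OUT= SRC=58.0.0.1 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=22 SYN
Jun  5 12:40:01 gw kernel: IN=eth0 OUT= SRC=121.0.0.1 DST=192.0.2.1 PROTO=TCP SPT=40011 DPT=22 SYN
Jun  6 03:15:27 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=33002 DPT=22 SYN
Jun  6 09:00:44 gw kernel: IN=eth0 OUT= SRC=190.0.0.1 DST=192.0.2.1 PROTO=TCP SPT=2048 DPT=22 SYN
Jun  6 21:12:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=1025 DPT=22 SYN
Jun  7 01:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.78 DST=192.0.2.1 PROTO=TCP SPT=1026 DPT=2222 SYN
Jun  7 01:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=1027 DPT=220 SYN
"""


def expand_block(short):
    """Turn '58/7' (or '58.0/7') into ip_network('58.0.0.0/7')."""
    addr, plen = short.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects a prefix whose host bits are set, i.e. a mistyped block
    return ip_network(".".join(octets) + "/" + plen, strict=True)


NETS = [(region, expand_block(b)) for region, blocks in REGIONS.items() for b in blocks]


def region_of(ip):
    """Name the region whose listed block contains ip, or 'elsewhere'."""
    a = ip_address(ip)
    for region, net in NETS:
        if a in net:
            return region
    return "elsewhere"


SRC_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) ")


def count_by_region(log_text):
    """Distinct sources that hit port 22, tallied per region.

    Same shape as grep "DPT=22 " | sed SRC= | sort | uniq | ccfind | uniq -c,
    with region_of standing in for the ccfind country lookup.
    """
    sources = set()
    for line in log_text.splitlines():
        if "DPT=22 " not in line:     # trailing space keeps DPT=220 and DPT=2222 out, as in the grep
            continue
        m = SRC_RE.search(line)
        if m:
            sources.add(m.group(1))
    return Counter(region_of(s) for s in sources)


if __name__ == "__main__":
    for region, n in count_by_region(SAMPLE_LOG).most_common():
        print(f"{n:4d} {region}")
```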

  18. Re: (Where) should I report breakin attempts?

    >>>Make sure your passwords are stong. And then forget about it.

    >> I'd say make sure you allow only keyed SSH access and no password access
    >> and then forget about it.


    Dave (from the UK) wrote:
    >Ignoring the obvious problem of someone cracking your password, which if
    >it is strong will not happen, is keyed ssh actually any more secure in
    >practice?


    Kinda, maybe. Both long PKs and decent passwords are good enough to
    withstand dictionary attacks, especially if you limit attempts per minute.
    However, public key connections are somewhat resistant to things like
    keystroke monitors.

    Say you're using portaputty from a USB dongle: a keystroke grabber might get
    your key passphrase and everything you type during your session, including
    your password if you used sudo or the root password if you used su. But
    they still don't have your key, and can't ssh in with just your (or root's)
    password.
    --
    Mark Rafn dagon@dagon.net

  19. Re: (Where) should I report breakin attempts?

    >>>>> "Dave" == Dave (from the UK) writes:

    Dave> all mail refused wrote:
    >> On 2006-06-07, Unruh wrote:
    >>>> Most of the time my computers are behind a router/firewall that
    >>>> blocks port 22, but occasionally I unblock it
    >>> Make sure your passwords are strong. And then forget about it.

    >> I'd say make sure you allow only keyed SSH access and no password
    >> access and then forget about it.
    >>


    Dave> Ignoring the obvious problem of someone cracking your password,
    Dave> which if it is strong will not happen, is keyed ssh actually any
    Dave> more secure in practice?

    * It is in a sense two-factor: now you need to steal both the key file and
    the passphrase.

    * Keys are very long randomish strings, not vulnerable to guessing
    attacks.

    * SSH publickey authentication does not reveal the user's secret to a
    possibly compromised server, as password authentication does.

    --
    Richard Silverman
    res@qoxp.net


  20. Re: (Where) should I report breakin attempts?

    Greetings.

    In article <7hee82ptfamjnglu39g0f40o91fa76hfsg@4ax.com>, Grant wrote:

    > On Wed, 07 Jun 2006 14:44:58 -0500, ibuprofin@painkiller.example.tld (Moe
    > Trin) wrote:
    >
    > [locking out roughly by region]
    >
    > I ran a check of ssh login attempts to (closed) port 22 here since
    > last September:
    >
    > ~# ls -rt /var/log/messages.*.gz |xargs zcat |grep "DPT=22 "| \
    > sed 's/^.*SRC=\([0-9.]*[^ ]\).*$/\1/'|sortip|uniq|xargs -n 1 ccfind|\
    > awk '{split($0,k,":");print k[3]}'|sort|uniq -c|sort -nr|head -10
    > 226 China
    > 109 Korea, South
    > 91 United States
    > 48 Taiwan
    > 22 Japan
    > 17 India
    > 17 Hong Kong
    > 11 Germany
    > 8 Thailand
    > 7 France


    Ooh, pretty. I want to do the same thing; what are sortip and ccfind and
    where does one get them?

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you
