Linux - Security forum (LinuxQuestions.org). This forum is for all security related questions; questions, tips, system compromises, firewalls, etc. are all included here.
OK, so I just set up sshd so I can get access to my computer from school. Well, while I'm at school I have the logs up just for fun, and all of a sudden some IP from Croatia tries to get into my system. They are trying to get in by trying all sorts of user names, but luckily I have sshd configured in such a way that the only way to get in is with a key. And the only key I have uses a passphrase, so I'm pretty secure, and yes, whoever it was didn't get in and finally gave up. But my question is this. If I find someone trying to hack into my computer, is there any way I can fight back? Is there any tool I can use that can send garbage at them to let them know, hey! I'm watching you!! Any ideas would be helpful, thanks.
Oh yeah, I'm running Slackware 10 with kernel 2.6.7
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
This is a very interesting question as I am going through the exact same thing. I see my hacker(s) attempting to run scripts against my username/passwords each day when I review my logfiles. The hacker(s) have been trying for months with no success, thanks be to God!
In my case, I see a new IP address each time but the fact that the script keeps getting used over and over makes me suspect it's the same individual(s).
The best I can tell you at the moment is that if you keep getting attempts from the same IP address, you may want to Sam Spade it or Google it and attempt to report abuse to the Admin through the ISP it's using. You may be ignored but there's always the chance you may get someone to send a note to your potential hacker and those attempts will end.
I hope this helps a little, but I am always open to suggestions on how to take a shot at these people before they get me. If you hear of anything else, please post.
Best!
Take a look at the thread at the top of the forums about "SSH Login Attempts". There's an automated tool in the wild that attempts a "bruteforce" attack against systems running sshd. The majority of times these attacks are being run from systems that were compromised using the same tool, with the owner being completely unaware. They are fairly widespread, with the average system seeing several per day, so if they are originating from different IPs (especially in different domains), then they are likely unrelated attacks performed with the same cracking tool. There were a number of good solutions posted in the thread, including using key-based authentication, using tcp_wrappers, or running sshd on an alternate port. Definitely make sure that you're using a decent password policy though (non-dictionary combination of numbers, letters, symbols).
Thanks for the info. And yes, sshd is set up to use keys. Any login attempt requires a key, so I highly doubt anyone would be able to get in that way. And I'll see about changing the port number on my router so that internally it still directs the traffic to port 22.
OK, I checked out that thread and got some useful info. But I just had a great idea, but I don't have the know-how to do it. My idea is to monitor the log file, or even traffic directly, and when it notices several attempts from an IP to try to force its way through ssh, it blocks the IP for some time period before checking again to see if it stopped. If not, block it again. What do you think? Of course I'm sure it would just be easier to change the port number, but doing it like this would be cool, huh?
Aside from using key-based authentication, using tcp_wrappers, or running sshd on an alternate port, adjust the limits of failed logins and raise the time between being able to try again. No root logins either.
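The settings the last few posts keep coming back to (keys only, no root login, fewer tries per connection, alternate port) all live in sshd_config, and the thing that bites people is a setting that is commented out, so the OpenSSH default silently applies. Here is an added example (my script, not something posted in the thread) that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, '#' lines are comments) and prints one line per weak or missing setting. The defaults it assumes when a keyword is absent are the OpenSSH 3.9-era ones (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2,1, MaxAuthTries 6, LoginGraceTime 120, Port 22); the sample config at the bottom is constructed, not taken from anyone's host.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# settings recommended above. Prints one line per finding; the function's
# return value is the number of findings (0 = nothing to fix).
# Assumed defaults when a keyword is absent are the OpenSSH 3.9-era ones.

# sshd_get FILE KEYWORD DEFAULT: the effective value of KEYWORD.
# sshd uses the FIRST occurrence; keywords are case-insensitive; '#' = comment.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE: print findings, return their count.
audit_sshd_config() {
    cfg=$1; n=0

    [ "$(sshd_get "$cfg" PermitRootLogin yes)" = no ] ||
        { echo "PermitRootLogin: root may log in over ssh; set it to 'no'"; n=$((n+1)); }

    [ "$(sshd_get "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication: passwords accepted; set to 'no' (keys only)"; n=$((n+1)); }

    [ "$(sshd_get "$cfg" Protocol 2,1)" = 2 ] ||
        { echo "Protocol: SSH-1 still offered; set it to '2'"; n=$((n+1)); }

    tries=$(sshd_get "$cfg" MaxAuthTries 6)
    [ "$tries" -le 3 ] 2>/dev/null ||
        { echo "MaxAuthTries: $tries guesses per connection; lower to 3 or fewer"; n=$((n+1)); }

    grace=$(sshd_get "$cfg" LoginGraceTime 120)
    [ "$grace" -le 30 ] 2>/dev/null ||
        { echo "LoginGraceTime: $grace s to finish a login; shorten it (e.g. 30)"; n=$((n+1)); }

    [ "$(sshd_get "$cfg" Port 22)" != 22 ] ||
        { echo "Port: default 22; an alternate port cuts scanner noise (not a control by itself)"; n=$((n+1)); }

    return $n
}

# Constructed sample: a typical distribution default, with the one safe
# setting commented out, so the default (yes) applies.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# sshd_config -- constructed sample, not a real host's file
Port 22
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 6
EOF

audit_sshd_config "$SAMPLE"
echo "findings: $?"
rm -f "$SAMPLE"
```

Run it as `sh audit.sh` and point `audit_sshd_config` at /etc/ssh/sshd_config for the real check; remember sshd only picks up changes after a restart or HUP, and test a new connection from a second terminal before closing the one you already have open.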
Originally posted by Neruocomp:
My idea is to monitor the log file or even traffic directly and when it notices several attempts from an IP to try to force its way through ssh, it blocks the IP for some time period before checking again to see if it stopped. If not block it again.
Yeah, I've seen several scripts that do this... like, they will automatically drop the attacker's source IP with iptables after a certain (configurable) amount of wrong logins... I believe the block's length (time) is also configurable... I know I had seen a really good and simple one linked here on LQ before, but I can't find it... it was made with nothing but BASH, I believe, and it was contributed by one of those hot security companies, if my memory is correct...
By googling I have run into perl scripts like this one:
But I'm not sure if they are good or not... honestly, I feel this can be easily accomplished using nothing but bash, but I am no expert...
I was wondering if perhaps someone on this thread could recommend a nice, flexible, bash-based solution for providing automatic countermeasures to these ssh attacks? Something which I could cron to run every minute or something, I don't need anything fancy... any links or shell code ideas would be greatly appreciated... TIA...
You could run a Python script that creates a service on that port and outputs a message; however, it is not a good idea to reply, as this is a form of interaction with a service rather than a simple drop of the connection.
If you're interested in seeing what data they are passing, you could create a honeypot that logs all the various methods attempted to access ssh, then move your ssh port to something much higher in the non-privileged port range. Then add a rule that slows down any replies to scans in this non-privileged port range (known as a simple tarpit).
If I were you I would just drop all connections from untrusted ports to 22 and only allow trusted subnets access to the service.
What about something uber-simple that does nothing but check the logs for X amount of access denieds (from a single IP) and then adds the source IP to an iptables block chain for Y amount of time? Anyone know where I can find something like that? I could swear I saw a shell script that did just that a few months ago... or maybe I'm trippin'... ;-)
Originally posted by thorn168:
That is a good defense against a single broadband script kiddie, but what about a DDoS involving multiple domains with hundreds or thousands of bots?
I just read an article recently where there are botnets for sale which can be used to launch massive DDoS attacks against specific targets.
Something to think about.
Thorn
You're diverging into a little bit different topic here, but you're right. Unfortunately there isn't really a good solution to dealing with raw bandwidth DoS attacks other than contacting your ISP and having them try to block the attack at an upstream router. Even that is far from a perfect solution. It's unfortunate that so many people are ignorant of why you need to secure your machine. You often hear the rationale of "There's nothing on it that's worth any value, so I don't care if it is hacked". Maybe not, but the bandwidth is. Especially when all a cracker has to do is drop a flooder and an IRC bot onto the system.