Old 06-03-2006, 05:02 AM   #1
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

ssh brute force attempts


What could I do to press charges against some fscker that tried to brute force his way into my sshd (which btw doesn't use password to auth)?

Here is a netstat output, when the attack was happening...

tcp 0 0 me.:ssh andrejko.ics.upjs:46093 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46926 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:47241 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46507 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46823 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46406 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46305 TIME_WAIT
tcp 0 0 localhost:38854 localhost:smtp TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46719 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:47134 TIME_WAIT
tcp 0 132 me.:ssh laptop:1041 ESTABLISHED
tcp 0 0 me.:ssh andrejko.ics.upjs:47033 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46196 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:47351 ESTABLISHED
tcp 0 0 me.:ssh andrejko.ics.upjs:46615 TIME_WAIT

I have gathered quite a lot of info about andrejko.ics.upjs (whois lookups, portscans etc). Where should I send this info so that it can cause trouble for andrejko.ics.upjs?

btw: me is my host...
Any help would be great

Last edited by unSpawn; 06-03-2006 at 06:32 AM. Reason: //moderator.note: title edit, body edit.
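As an added example (not part of the thread), a small script that parses netstat output like the listing above and counts connections per remote host to the local ssh service, so a single source hammering sshd stands out; the sample lines are constructed to mirror the posted output, and the threshold of 3 is an assumed value.

```python
import re
from collections import Counter

# Constructed sample, modelled on the netstat output posted in this thread.
NETSTAT_OUTPUT = """\
tcp 0 0 me.:ssh andrejko.ics.upjs:46093 TIME_WAIT
tcp 0 0 me.:ssh andrejko.ics.upjs:46926 TIME_WAIT
tcp 0 0 localhost:38854 localhost:smtp TIME_WAIT
tcp 0 132 me.:ssh laptop:1041 ESTABLISHED
tcp 0 0 me.:ssh andrejko.ics.upjs:47351 ESTABLISHED
tcp 0 0 me.:ssh andrejko.ics.upjs:46615 TIME_WAIT
"""

# proto recv-q send-q local:port remote:port state; the greedy \S+ splits
# each address at its last colon, so IPv6 literals are handled too.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+):(?P<lport>\S+)\s+"
    r"(?P<remote>\S+):(?P<rport>\S+)\s+"
    r"(?P<state>\S+)\s*$"
)

def parse_netstat(text):
    """Yield (local_port_or_service, remote_host, state) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["lport"], m["remote"], m["state"]

def ssh_peers(text, service="ssh"):
    """Count connections (any state) per remote host to the local ssh service."""
    counts = Counter()
    for lport, remote, _state in parse_netstat(text):
        if lport == service:
            counts[remote] += 1
    return counts

def flag_sources(text, threshold=3, service="ssh"):
    """Remote hosts with at least `threshold` ssh connections, busiest first.
    These are the sources worth checking against the sshd auth log and,
    if confirmed, summarising in an abuse report."""
    counts = ssh_peers(text, service)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for host, n in flag_sources(NETSTAT_OUTPUT):
        print(f"{host}: {n} ssh connections")
```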
 
Old 06-03-2006, 06:24 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,822
Blog Entries: 54

Quote:
Originally Posted by coolb
What could I do to press charges against someone that tried to brute force his way into my sshd
"Pressing charges"? Realistically speaking, not a thing unless it's been a successful breach of security causing considerable damages. Even then it has to be covered by Law where you live AFAIK.


There's three realistic steps you can take:
- make sure you read the LQSEC sticky thread "Failed SSH login attempts" and pick a defense mechanism that is appropriate for your system(s) (and note solely moving ssh to another port is *not* a realistic way),
- optionally report to Dshield (this helps correlating info with and for others),
- optionally report to the offenders' ISP,
- and since you're dealing with a univ, prolly the IT dept as well.
Note you should not expect any response.


As moderator I would like to add that, even though cursing is not uncommon, I would like to ask you to please refrain from cursing in thread titles and posts. It does nothing for you or your thread, and frankly, looking at the "problem" it's not even severe enough to warrant cursing: probing is common these days. So deal with it.

Last edited by unSpawn; 06-03-2006 at 06:32 AM. Reason: //Have keybd, can't type.
 
Old 06-03-2006, 06:33 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Quote:
Originally Posted by coolb
What could I do to press charges against some fscker that tryed to brute force his way into my sshd(which btw dosent use password to auth)
Where should I send this info so that it can cause trouble for andrejko.ics.upjs
When the sshd attacks first started to really be noticed, I had a 12-minute bruteforce attempt from someone who probably knew a bit what he was doing (eg, he tried realistic usernames with multiple guesses against each). It really ticked me off, but they/he/she didn't get anywhere. I did however take those pages and pages of failed login attempts and reported it to his ISP. They mailed me back some time later saying they terminated this guy's account, and if need be again to contact them. You won't always get a confirmation, but rest assured if the ISP is decent, and you report the situation calmly and respectfully, something will likely happen against the offender concerning his Internet connection/account.

As for law enforcement getting involved, the only time I can remember seeing that is when Microsoft throws money at the problem.
 
Old 06-04-2006, 04:54 AM   #4
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Original Poster
Quote:
Originally Posted by jayjwa
When the sshd attacks first started to really be noticed, I had a 12-minute bruteforce attempt from someone who probably knew a bit what he was doing (eg, he tried realistic usernames with multiple guesses against each). It really ticked me off, but they/he/she didn't get anywhere. I did however take those pages and pages of failed login attempts and reported it to his ISP. They mailed me back some time later saying they terminated this guy's account, and if need be again to contact them. You won't always get a confirmation, but rest assured if the ISP is decent, and you report the situation calmly and respectfully, something will likely happen against the offender concerning his Internet connection/account.

As for law enforcement getting involved, the only time I can remember seeing that is when Microsoft throws money at the problem.
I did whois lookups and found the "abuse contact" email address, and emailed them a complaint...

It's been 24 hrs and no reply, what could I do now?
 
Old 06-04-2006, 05:53 AM   #5
cs-cam
Senior Member
 
Registered: May 2004
Location: Australia
Distribution: Gentoo
Posts: 3,544
Blog Entries: 4

unSpawn gave you a few suggestions, have you done all of those yet?