LinuxQuestions.org


TSCollins 08-30-2012 10:44 AM

Where to report script kiddies and other system attacks
 
So I've been using Linux for over ten years now and I'm sure, like most Linux users, I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but, knock on wood, I've never had a breach. What I am wondering is, is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?

/dev/random 08-30-2012 11:43 AM

Quote:

Originally Posted by TSCollins (Post 4768375)
So I've been using Linux for over ten years now and I'm sure, like most Linux users, I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but, knock on wood, I've never had a breach. What I am wondering is, is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?

The problem is that today you can't really chase someone down like you could 10 or 15 years ago. The attackers you see are likely bots that just hit random IP addresses that have port 22 open; these are mostly dictionary-based attack bots. Real crackers won't be using their own connection but layers of connections, effectively making their IP address very hard if not impossible to track down.

Forget about chasing these, as you won't get very far. Attackers can use TOR (onion routing) to pretty much ensure they can't be traced; VPNs (Virtual Private Networks) also come to mind. They won't give any information to just anyone, and some of them don't even keep records, so there is nothing to show. So any information you get from traceroute, nslookup, whois and the lot of other utilities will not help you, because you have no way to verify whether the address you think is connecting to your box is a proxy for others or if it is indeed a direct attack.

What you can do, however, is harden your ssh config and use blacklisting:

1) Generate an RSA/DSA key for SSH but don't make it passwordless, and do not tie this key to anything else but ssh, because if you lose this keyfile somehow, nothing but ssh is considered compromised and they still need a password to log on.

2) Change the port number; this will reduce the amount of traffic you get for the SSH service because the bots will see that port 22 is closed.

3) Black/white lists: create safety zones with the known computers you use to log in (semi-trusted) and blacklist the ones you don't trust. If you get failing SSH attempts from an IP address you don't know, then blacklist it.
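As an added illustration of point 3 (this is not /dev/random's code, and the log lines and the 192.168.1.0/24 "semi-trusted" network are constructed for the example): count "Failed password" events per source address in sshd log lines, skip addresses in the known networks, and render the drop rules an admin would review before applying them.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sshd lines in /var/log/auth.log format (not real traffic).
SAMPLE_AUTH_LOG = """\
Aug 30 10:01:02 box sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 30 10:01:05 box sshd[2311]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Aug 30 10:01:09 box sshd[2311]: Failed password for root from 203.0.113.7 port 51251 ssh2
Aug 30 10:02:11 box sshd[2320]: Failed password for tscollins from 192.168.1.20 port 40022 ssh2
Aug 30 10:02:15 box sshd[2320]: Accepted publickey for tscollins from 192.168.1.20 port 40022 ssh2
Aug 30 10:03:40 box sshd[2333]: Failed password for invalid user test from 198.51.100.44 port 60001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Semi-trusted networks the owner logs in from (assumed); a typo from here never gets blacklisted.
KNOWN_NETWORKS = [ip_network("192.168.1.0/24")]


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def is_known(ip):
    """True if the address falls inside one of the semi-trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def blacklist_candidates(log_text, threshold=3):
    """Unknown addresses with at least `threshold` failed logins, sorted for stable output."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and not is_known(ip))


def iptables_rules(ips):
    """Render one DROP rule per address for the admin to review before running."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(blacklist_candidates(SAMPLE_AUTH_LOG)):
        print(rule)
```

With the sample above only 203.0.113.7 crosses the threshold; the single failure from 198.51.100.44 is left alone and the home LAN address is skipped because it is in a known network.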

chrism01 08-30-2012 08:09 PM

All of the above ...

If you are keen, you can find out which ISPs own the IPs the bots etc. are coming from and let them know, but whether they'll do anything is an open question.
I've never tried reporting it, but I get the general impression most ISPs don't really care.
Apologies to anyone reading this who does work for a pro-active/reactive ISP. I'd love to hear that there are some who do something about this sort of problem if informed.

dcparris 08-31-2012 09:12 AM

I agree with /dev/random... change that SSH port number! Also, are you using ssh-keys? I used SSH for quite a while (always changed the port number) without ever using ssh-keys, so don't want to assume too much about your knowledge of SSH. You can securely copy the ssh-key between computers when you are "home". There are some great howtos out there (probably right here in LQ) if you need instructions.

unSpawn 08-31-2012 10:05 AM

Indeed there's no reason to have to rehash all the SSH stuff, see slash point to the sticky thread instead: http://www.linuxquestions.org/questi...tempts-340366/

szboardstretcher 08-31-2012 10:29 AM

Aside from changing the SSH port, hardening, etc...

Even at home, I have a Cisco router in front of my firewall to block naughty IP addresses -- so my firewall doesn't even have to deal with obviously bad traffic. I even blacklist entire countries, since I will never be trying to get to my network from Australia or China or anything.

So at the end of the day they are knocking on a router that is ignoring them.

I also have a tap before the router that splits off to a ColaSoft Capsa instance so I can see what kind of attempts are being made.
