LinuxQuestions.org

Linux - Security forum: AUTH/IDENT query software, hacking hackers and probably morality (https://www.linuxquestions.org/questions/linux-security-4/auth-ident-query-software-hacking-hackers-and-probably-morality-299325/)

tomjermy 03-08-2005 05:45 PM

AUTH/IDENT query software, hacking hackers and probably morality
 
Hi,

Does anyone know of a package which will query an ident/auth server? I've only seen it built in to apps like sendmail, but I need a command line program which is reasonably easy to use.

The reason I'm after this is that my internet gateway at work obviously has some hapless script munkey trying to get in with various random(ish) usernames through SSH. I found them on my logwatch, they're here...

sshd:
Authentication Failures:
root (ws246.internetdsl.tpnet.pl): 59 Time(s)
unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
Invalid Users:
Unknown Account: 42 Time(s)

There are more, it's annoying, so I did this:

nmap -T 5 -O -P0 80.55.200.246
and got this:

Interesting ports on ws246.internetdsl.tpnet.pl (80.55.200.246):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp open auth
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
667/tcp filtered unknown
668/tcp filtered unknown
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.27 with grsec
Uptime 20.631 days (since Wed Feb 16 07:39:22 2005)

Nmap finished: 1 IP address (1 host up) scanned in 79.327 seconds

Do you think that it's right for me to counter hack? I think I like it :)

Tom

Capt_Caveman 03-08-2005 06:46 PM

You can probably just query it with netcat or telnet, either are about as simple as you can get.

For what it's worth, most of the machines I've seen attempting these ssh "bruteforce" attacks were themselves compromised using that very same exploit, with the owner likely unaware that anything is going on. So "counter-hacking" may just succeed in hosing some random person's system. Personally I'd recommend sending an email to the ISP of the user or to the abuse@ address. Also take a look at the "SSH Login Attempts" thread at the top of the forum, where a number of solutions have been posted for dealing with these types of cracking attempts.

tomjermy 03-09-2005 03:25 AM

Telnet
 
I tried telnet (obviously on 113) and did not get any information back at all - it kicks me off after a few chars and a CR.

Capt_Caveman 03-09-2005 07:54 AM

Take a look at the ident protocol RFC to see the syntax and how it works. It uses standard ASCII characters, so both telnet and netcat will work. What exactly are you trying to accomplish by interrogating the ident daemon on the server?
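
The exchange Capt_Caveman points at in the RFC, written out as an added example (this is not code from the thread or from any poster). RFC 1413 is a one-line protocol: the querier sends "<port-on-server>, <port-on-client>" followed by CRLF, where the "server" is the host answering on port 113 (the remote side) and the "client" is the host asking; the reply is either "<ports> : USERID : <opsys> : <user-id>" or "<ports> : ERROR : <code>". That is why a bare telnet session that sends a few arbitrary characters and a CR just gets dropped. The code below builds the query, parses the reply (including the USERID/ERROR forms, the optional charset and backslash quoting), checks that the reply echoes the queried port pair, and wraps it in a small command-line-style client. All sample replies are constructed, and the host 203.0.113.5 in the comment is a documentation address, not a real target.

```python
"""Added example (not code from the thread): a minimal RFC 1413 ident client.

Defender's use: a remote host connected FROM remote_port TO our local_port
(e.g. an SSH session to port 22); ident on the remote host is asked which
account owns that connection, as sshd or sendmail would.  Most hosts do not
run ident or answer HIDDEN-USER, and the answer is whatever the remote host
chooses to say, so treat it as a hint for the abuse report, not as evidence.
"""
import socket

IDENT_PORT = 113          # RFC 1413 service port ("auth" in /etc/services)
MAX_REPLY_BYTES = 1024    # RFC 1413 caps a reply at 1000 octets; cap the read
KNOWN_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def build_query(remote_port: int, local_port: int) -> bytes:
    """Build the request line "<port-on-server>, <port-on-client>" + CRLF."""
    for p in (remote_port, local_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{remote_port}, {local_port}\r\n".encode("ascii")


def _unescape(octets: str) -> str:
    """Undo RFC 1413 backslash quoting: '\\x' stands for the literal octet x."""
    out, i = [], 0
    while i < len(octets):
        if octets[i] == "\\" and i + 1 < len(octets):
            out.append(octets[i + 1])
            i += 2
        else:
            out.append(octets[i])
            i += 1
    return "".join(out)


def parse_reply(raw: bytes) -> dict:
    """Parse one ident reply line into a dict.

    Reply forms (RFC 1413):
      <ports> : USERID : <opsys>[,<charset>] : <user-id>
      <ports> : ERROR  : <error-code>
    The user-id may itself contain ':', so split into at most four fields.
    """
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {text!r}")
    port_pair = parts[0].split(",")
    if len(port_pair) != 2:
        raise ValueError(f"bad port pair in ident reply: {parts[0]!r}")
    try:
        remote_port, local_port = (int(p.strip()) for p in port_pair)
    except ValueError:
        raise ValueError(f"bad port pair in ident reply: {parts[0]!r}") from None
    reply = {"remote_port": remote_port, "local_port": local_port}
    kind = parts[1].strip().upper()
    if kind == "USERID":
        if len(parts) != 4:
            raise ValueError(f"USERID reply missing user-id: {text!r}")
        opsys, _, charset = parts[2].strip().partition(",")
        reply.update(type="USERID",
                     opsys=opsys.strip(),
                     charset=charset.strip() or "US-ASCII",   # RFC default
                     userid=_unescape(parts[3].strip()))
    elif kind == "ERROR":
        code = parts[2].strip().upper()
        # Codes outside the RFC set must carry an X- prefix
        if code not in KNOWN_ERRORS and not code.startswith("X-"):
            raise ValueError(f"unknown ident error code: {code!r}")
        reply.update(type="ERROR", code=code)
    else:
        raise ValueError(f"unknown ident reply type: {kind!r}")
    return reply


def reply_matches_query(reply: dict, remote_port: int, local_port: int) -> bool:
    """A conforming server echoes the queried port pair; anything else is suspect."""
    return (reply["remote_port"], reply["local_port"]) == (remote_port, local_port)


def query_ident(host: str, remote_port: int, local_port: int, timeout: float = 5.0) -> dict:
    """Connect to host:113, send one query and parse the single reply line."""
    query = build_query(remote_port, local_port)
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as sock:
        sock.sendall(query)
        raw = sock.makefile("rb").readline(MAX_REPLY_BYTES)
    if not raw:
        raise ConnectionError("ident server closed the connection without a reply")
    reply = parse_reply(raw)
    if not reply_matches_query(reply, remote_port, local_port):
        raise ValueError(f"reply is for a different port pair: {reply}")
    return reply


if __name__ == "__main__":
    # Constructed sample replies (not captured from any real host)
    for sample in (b"54321 , 22 : USERID : UNIX : tom\r\n",
                   b"54321, 22 : ERROR : HIDDEN-USER\r\n"):
        print(sample, "->", parse_reply(sample))
    # Live use against a host that connected from its port 54321 to our sshd on 22
    # (203.0.113.5 is a documentation address, used here as a placeholder):
    #   query_ident("203.0.113.5", 54321, 22)
```

The port pair has to describe an existing connection at the moment of the query, which is the practical catch: by the time the log has been read, the brute-force session is long gone and a correct ident server answers NO-USER or INVALID-PORT. The check is only useful when run from inside the daemon that owns the live connection, which is why it is built into sendmail and similar servers rather than shipped as a stand-alone tool.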

katmai90210 05-14-2005 06:44 PM

sshd:
Authentication Failures:
root (ws246.internetdsl.tpnet.pl): 59 Time(s)
unknown (ws246.internetdsl.tpnet.pl): 42 Time(s)
adm (ws246.internetdsl.tpnet.pl): 2 Time(s)
apache (ws246.internetdsl.tpnet.pl): 1 Time(s)
mysql (ws246.internetdsl.tpnet.pl): 1 Time(s)
nobody (ws246.internetdsl.tpnet.pl): 1 Time(s)
operator (ws246.internetdsl.tpnet.pl): 1 Time(s)
Invalid Users:
Unknown Account: 42 Time(s)

What firewall are you using that generates these logs, please? Thank you.

