Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
How do I let an attacker know that I know he has attempted to enter my system? I have the attacker's IP address and his DNS name. What do I do with this information to inform the attacker that I know what he's up to?
Assuming you're 100% confident it *is* a hack attempt and not something else... Many times I see messages from people who install Windows firewall software and immediately think they're getting 20 hack attempts an hour where in reality it's P2P file sharing clients trying to attach to them because someone running a P2P server had their IP address before they did.
Anyway, assuming it really is a hack attempt, keep good records. There is not much you can do, but at the very least you could find out who their ISP is and email their fraud/abuse department. Go to www.arin.net and do a whois against the IP to see who owns that IP address. It might show AT&T, then a smaller regional ISP, then a mom-n-pop ISP. AT&T might own a contiguous block of millions of IPs, provide a 16K IP block to a large ISP buying bandwidth from them, who issues a couple of Class C's to a smaller ISP buying connectivity from them. Make sure you deal with the end-user ISP, the company this person actually pays. If you try upstream with AT&T (example only) or the large regional ISP you'll probably get nowhere.
Anyway, with this ISPs info surf to their site, find contact info and email all the details you can on what the person has done or has tried to do. Be very specific, include all the details you can...
When I see a systematic scan of my system, port 35, 36, 37 or someone hitting my port(s) rapidly (i.e. not some url pointing to the wrong place with 4 second timeout kind of thing),
ping -f <ip address>
You won't get a reply back because they invariably protect themselves, but it will get you noticed. It never fails to shut them up, at least for me, and I like to think it causes a minor shock to be singled out so quickly.
Occasionally, I will disable my firewall, perform a traceroute and, once I get their ISP info, email the traceroute and the trace from /var/log/messages to the ISP. I have successfully gotten 3 people booted off their ISP (confirmed, that is. Usually the ISP doesn't reply, so I don't know about the rest). I usually only do this when I feel like it. I keep my system up to date, full stealth on all ports, etc.
RO.
P.S. I use firestarter because of its available GUI showing hits in real time. I have it sticky on all desktops.
How do I let an attacker know that I know he has attemped to enter my system?
I agree with what is written above, but determining the plausibility/gravity of the attack should be the best thing to start with. For example, if someone probes for typical MICROS~1 stuff like TCP/1433,1434 (MsSQL, WINS), and you don't provide those services, then simply discard 'em, cuz pursuing those is a waste of time. OTOH, if there's an Apache, Sendmail or OpenSSH exploit doing the rounds, then finding out the location and remote OS can be helpful in determining the "leetness factor" of your opponent.
In the end the decision what to pursue based on "interesting" scans (IMO) depends on what services you provide, the scan pattern, the IP range it's coming from and the remote OS.
For this I use some simple firewall tools, Snort and P0f. The firewall scripts summarize/track in/outbound traffic to help me try 'n get a fix on any probing patterns (like a single ping a few days before a specific probe), Snort helps me determine if a known exploit is used and saves tcpdumps as "evidence" (comes in handy when it's an unknown or new 'sploit) and P0f helps me determine remote OS characteristics. If I can't get a fix on the remote OS I'll try a remote Nmap. Tracking location can be done by simply resolving the hostname, but if you're paranoid you'll use Tcptraceroute, L4T (make sure your TTL ends x hops *before* the endpoint) or a remote service. If you didn't already, checking Isc.incidents.org, Bugtraq and SF for trends and new 'sploits and Dshield for activity from the IP/range will help as well.
Like mentioned before the chance your email (well-written, detailed and accompanied by tcpdumps and logs (UTC time!)) will end up in the bitbucket is usually large. In interesting cases this should not be a point and you should pursue alerting the ISP (and ISC/SANS and/or Dshield/MyWatchthingie) anyway.
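As an added example (not code from this thread or from any tool named in it), a small Python script that does the log-summarizing step the posts above describe: it parses iptables-style kernel lines as they appear in /var/log/messages, groups hits per source, converts the syslog timestamps to UTC for the report, and flags a rapid systematic port sweep like the 35/36/37 pattern mentioned earlier. The log lines are constructed, and the year and local timezone offset are assumptions, since syslog timestamps carry neither.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed iptables/syslog-style lines (not real traffic), in the shape the
# kernel writes to /var/log/messages when the firewall logs dropped packets.
SAMPLE_LOG = """\
Mar  3 02:14:07 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=4431 DPT=35 SYN
Mar  3 02:14:07 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=4432 DPT=36 SYN
Mar  3 02:14:08 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=4433 DPT=37 SYN
Mar  3 02:14:08 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=4434 DPT=38 SYN
Mar  3 09:30:55 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=3190 DPT=1433 SYN
Mar  3 11:02:13 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=UDP SPT=1029 DPT=1434
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")

def parse(log, year, local_offset_hours):
    """Yield (utc_time, src, proto, dport). Syslog stamps have no year or zone,
    so both are assumed by the caller and the stamp is converted to UTC."""
    tz = timezone(timedelta(hours=local_offset_hours))
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield stamp.astimezone(timezone.utc), m.group(2), m.group(3), int(m.group(4))

def summarize(log, year=2004, local_offset_hours=-5, min_ports=3, window_secs=10):
    """Group hits per source IP. A source is flagged as a sweep when it touches
    at least min_ports distinct ports within window_secs (rapid and systematic),
    as opposed to a lone hit hours apart, which is not worth a report."""
    by_src = defaultdict(list)
    for when, src, proto, dport in parse(log, year, local_offset_hours):
        by_src[src].append((when, proto, dport))
    report = {}
    for src, events in by_src.items():
        events.sort()
        sweep = any(
            len({dp for t, _, dp in events[i:] if (t - t0).total_seconds() <= window_secs}) >= min_ports
            for i, (t0, _, _) in enumerate(events)
        )
        report[src] = {
            "first_utc": events[0][0].isoformat(),   # UTC, as the ISP mail should state
            "last_utc": events[-1][0].isoformat(),
            "hits": len(events),
            "ports": sorted({f"{p}/{dp}" for _, p, dp in events}),
            "sweep": sweep,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```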
RolledOat.....
"P.S. I use firestarter because of it's available GUI showing hits in real time. I have it sticky on all desktops."
How do you make it sticky on all desktops???
Sorry...I know stupid newbie question
Very easy. I have KDE, but most have this option. Right click on the top navbar of the firestarter window, select 'To Desktop-->All Desktops'. Then do the same and select 'Always on Top'. I then put it in the upper right hand corner and can see it scrolling continually. I use dialup, so I do this every time I connect, but it takes about 5 seconds now that I have done it a hundred times. :-)