Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
So I run an FTP server out of my apartment for private use and of course, I get all kinds of brute force attempts from the world at large. I know I can simply block these attacks and report them, but thats boring. How could I go about getting any information on who the attacker really is? What methods does law enforcement use to figure these things out? Not that I would actually use it to prosecute...more of a boredom thing.
Click here to see the post LQ members have rated as the most helpful post in this thread.
Getting a real name can be hard, except if you ask the internet service provider for it (they won't tell you, but law enforcement can ask for the data).
What you can do is to use the IP address with an "ip locator" to find the approximate region, where the attacker comes from (or wants you to believe so). Another possibility is to do a reverse DNS lookup on the ip address. The names can tell you something. In some cases you can find out from what network the attack cames from (e.g. dailup, university network, country, ...).
You can also use traceroute or nmap to get more information on the attacker. Also try ping with option -t. Using this technique you will eventually find out the country/network the attack originates.
Except in lucky cases you will not get much information with this methods (especially not the address/name). For this you need the help of the isp.
What you can do is to use the IP address with an "ip locator" to find the approximate region, where the attacker comes from (or wants you to believe so). Another possibility is to do a reverse DNS lookup on the ip address. The names can tell you something. In some cases you can find out from what network the attack cames from (e.g. dailup, university network, country, ...).
And that gets you what? The chances that anybody other than a complete noob skiddie would use their own computer for an attack has got to be close to nil. In most cases, you're just going to find another compromised machine.
In general trying to track the bad guys is pretty much a waste of time. Law enforcement can figure it out because they can compel cooperation from the ISPs and the owners of compromised machines.
In most cases professional attackers will use at least one, if not a chain of proxies to pass the request through - so chasing the IP is usually fruitless as far as catching the culprit. Abuse reports to the IP owner vary in effectiveness, but for each proxy you shut down, there a billions waiting in the wings. Chasing offenders becomes the task for a 'busy fool' and it's just going to get you hot under the color with how powerless you are.
It makes better sense to spend time on good security practice. Thinks like rate controlling connections, Limiting the number of log-in attempts, strong passwords, ACL's that limit access to certain IP's, firewall hosts from places you don't want to connect (China, Brazil etc) and grow to accept people will always try the door. You just need to make sure you have it locked :-)
From time to time you'll find kiddies who are not using proxies come to you playing with nmap, hydra and metasploit etc. This is where a call/mail to the ISP does reap rewards. In the UK SKY & BT are very effective at terminating such users and I'm sure there are US suppliers who are equally aggressive at dealing with it.
You can also use traceroute or nmap to get more information on the attacker.
Be careful here. Some ISPs are savvy enough to know when an nmap scan is being conducted and many ISP have such tools/activity listed as 'do not use'. Better to check your AUP/ToS for your particular ISP first than find yourself shut down because you thought nmap was a benign tool.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.