Where to report script kiddies and other system attacks
So I've been using Linux for over ten years now and I'm sure, like most Linux users, I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but, knock on wood, I've never had a breach. What I am wondering is, is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?
The problem is that today you can't really chase someone down like 10 or 15 years ago. The attackers you see are likely bots that just hit random IP addresses that have port 22 open; these are mostly dictionary-based attack bots. Real crackers won't be using their own connection but layers of connections, effectively making their IP address very hard if not impossible to track down.
Forget about chasing these, as you won't get very far. Attackers can use Tor (onion routing) to pretty much ensure they can't be traced; VPNs (Virtual Private Networks) also come to mind. They won't give any information to just anyone, and some of them don't even keep records, so there is nothing to show. So any information you get from traceroute, nslookup, whois and the lot of other utilities will not help you, because you have no way to verify whether the address you think is connecting to your box is a proxy for others or whether it is indeed a direct attack.
What you can do, however, is harden your SSH config and use blacklisting:
1) Generate an RSA/DSA key for SSH but don't make it passwordless, and do not tie this key to anything else but SSH, because if you lose this keyfile somehow nothing but SSH is considered compromised and they still need a password to log on.
2) Change the port number; this will reduce the amount of traffic you get for the SSH service because the bots will see that port 22 is closed.
3) Black/white lists: create safety zones with known computers you use to log in (semi-trusted) and blacklist the ones you don't trust. If you get SSH attempts that are failing from an IP address you don't know, then blacklist it.
If you are keen, you can find out which ISPs own the IPs the bots etc are coming from & let them know, but whether they'll do anything is an open question.
I've never tried reporting it, but I get the general impression most ISPs don't really care.
Apologies to anyone reading this who does work for a pro-active/reactive ISP. I'd love to hear that there are some who do do something about this sort of problem if informed.
I agree with /dev/random... change that SSH port number! Also, are you using SSH keys? I used SSH for quite a while (always changed the port number) without ever using SSH keys, so I don't want to assume too much about your knowledge of SSH. You can securely copy the SSH key between computers when you are "home". There are some great howtos out there (probably right here on LQ) if you need instructions.
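The three hardening steps above (passphrase-protected key, non-default port, whitelist of known hosts plus blacklisting of unknown failing IPs) and the key-based login recommended in this reply can be turned into a small working script. The example below is an added illustration and is not code from anyone in this thread. It parses constructed sshd log lines (syslog format, made up for this example, with RFC 5737 documentation addresses), counts failed password logins per source IP, skips IPs you declare trusted, and emits iptables DROP rules for the rest on the chosen SSH port; it also prints the sshd_config directives that go with the advice. The threshold, the port 2222, the user name alice and the trusted address are all assumptions. Two caveats a practitioner would add: disabling password authentication in sshd is my addition, not something the thread asks for, and current OpenSSH no longer accepts DSA keys by default, so generate an Ed25519 or RSA key instead.

```shell
#!/bin/sh
# Added example, not from the LinuxQuestions thread.
# Constructed sshd log lines (syslog style). Only the "Failed password" lines
# count as login failures; "Invalid user" and "Accepted" lines are ignored.
SAMPLE_LOG='Aug 31 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 31 10:01:04 host sshd[1234]: Failed password for root from 203.0.113.7 port 51235 ssh2
Aug 31 10:01:06 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug 31 10:02:00 host sshd[1240]: Invalid user oracle from 198.51.100.23 port 40000
Aug 31 10:02:01 host sshd[1240]: Failed password for invalid user oracle from 198.51.100.23 port 40000 ssh2
Aug 31 10:05:00 host sshd[1250]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Aug 31 10:05:01 host sshd[1250]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Aug 31 10:05:02 host sshd[1250]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Aug 31 10:05:10 host sshd[1250]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# Assumed values: the "safety zone" host you log in from and the moved port.
TRUSTED="192.0.2.10"
SSH_PORT=2222

# failed_ssh_ips THRESHOLD "TRUSTED IPS"
# Reads sshd log lines on stdin, prints every source IP with at least
# THRESHOLD failed password attempts that is not in the trusted list.
failed_ssh_ips() {
  threshold="${1:-3}"
  trusted="${2:-}"
  grep -E 'sshd\[[0-9]+\]: Failed password for ' \
  | sed -nE 's/.* from ([0-9]+(\.[0-9]+){3}) port .*/\1/p' \
  | sort | uniq -c \
  | awk -v t="$threshold" -v w="$trusted" '
      BEGIN { n = split(w, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
      $1 >= t && !($2 in white) { print $2 }'
}

# ssh_drop_rules PORT
# Reads IPs on stdin and prints (does not run) a firewall rule for each,
# so the blacklist can be reviewed before it is applied as root.
ssh_drop_rules() {
  port="${1:-22}"
  while read -r ip; do
    if [ -n "$ip" ]; then
      printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$port"
    fi
  done
}

# hardened_sshd_config PORT
# The sshd_config directives that pair with the thread's advice: moved port,
# key-only login (my addition), no root login, and a whitelist of users.
# Generate the key with a passphrase, e.g.: ssh-keygen -t ed25519 -a 64
hardened_sshd_config() {
  port="${1:-22}"
  cat <<EOF
Port $port
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers alice
EOF
}

# Stand-alone run: show the rules the sample log would produce.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_ips 3 "$TRUSTED" | ssh_drop_rules "$SSH_PORT"
```

With the sample log, only 203.0.113.7 reaches three failures from an untrusted address, so one DROP rule is printed; 192.0.2.10 also fails three times but is in the trusted list, which is exactly the "safety zone" idea from the earlier reply. In practice you would feed `/var/log/auth.log` (or `journalctl -u ssh`) to `failed_ssh_ips`, inspect the output, and only then run the generated rules; a tool such as fail2ban automates the same loop with automatic expiry.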
Aside from changing the SSH port, hardening, etc...
Even at home, I have a Cisco router in front of my firewall to block naughty IP addresses, so my firewall doesn't even have to deal with obviously bad traffic. I even blacklist entire countries, since I will never be trying to get to my network from Australia or China or anything.
So at the end of the day they are knocking on a router that is ignoring them.
I also have a tap before the router that splits off to a ColaSoft Capsa instance so I can see what kind of attempts are being made.
Last edited by szboardstretcher; 08-31-2012 at 10:30 AM.