LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 08-30-2012, 10:44 AM   #1
TSCollins
LQ Newbie
 
Registered: Apr 2004
Location: Chicago, IL for now
Distribution: Slackware
Posts: 3

Rep: Reputation: 0
Where to report script kiddies and other system attacks


So I've been using using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but knock on wood I've never had a breach. What I am wondering is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?
 
Old 08-30-2012, 11:43 AM   #2
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.1, LFS-current, NetBSD 6.1.3
Posts: 116

Rep: Reputation: 38
Quote:
Originally Posted by TSCollins View Post
So I've been using using Linux for over ten years now and I'm sure like most Linux users I've got SSH running on my box and port 22 open on my cable modem so that I can access my system no matter where I am. Over the years I've seen people try to gain access to my system but knock on wood I've never had a breach. What I am wondering is there a website where I can report these attempts and even supply the details of where the break-in attempt originated from?
The problem is today you can't really chase someone down like 10, 15 years ago. Attackers you see are likely bots that just hit random IP addresses that have port 22 open, these are mostly dictionary based attack bots. Real crackers won't be using their connection but layers of connections effectively making their IP address very hard if not impossible to track down.

Forget about chasing these as you won't get very far, attackers can use TOR (onion routing) to pretty much ensure they can't be traced, VPN's (Virtual Private Network) also come to mind, they won't give any information to just anyone, and some of them don't even keep records so there is nothing to show. So any information you get from traceroute, nslookup, whois and the lot of other utilities will not help you, because you have no way to verify if the address you think is connecting to your box is a proxy for others or if it is indeed a direct attack.

What you can do however is harden your ssh config and use blacklisting

1) Generate an RSA/DSA key for SSH but don't make it password less, do not tie this key to anything else but ssh because if you loose this keyfile somehow nothing but ssh is considered compromised and they still need a password to logon.

2) Change the port number, this will reduce the amount of traffic you get for the SSH service because the bots will see that port 22 is closed.

3) Black/White lists, Create safety zones, with known computers you use to login (semi-trusted) and blacklist the ones you don't trust, if you get SSH attempts that are failing with an IP address you don't know then blacklist it.
 
2 members found this post helpful.
Old 08-30-2012, 08:09 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5
Posts: 16,086

Rep: Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994Reputation: 1994
All of the above ...

If you are keen, you can find out which ISPs own the IPs the bots etc are coming from & let them know, but whether they'll do anything is an open question.
I've never tried reporting it, but I get the general impression most ISPs don't really care.
Apologies to anyone reading this who does work for a pro-active/reactive ISP. I'd love to hear that there are some who do do something about this sort of problem if informed.
 
1 members found this post helpful.
Old 08-31-2012, 09:12 AM   #4
dcparris
LQ Newbie
 
Registered: Dec 2011
Location: Charlotte, NC
Distribution: Debian, Kbuntu, CentOS
Posts: 11
Blog Entries: 1

Rep: Reputation: 0
I agree with /dev/random... change that SSH port number! Also, are you using ssh-keys? I used SSH for quite a while (always changed the port number) without ever using ssh-keys, so don't want to assume too much about your knowledge of SSH. You can securely copy the ssh-key between computers when you are "home". There are some great howtos out there (probably right here in LQ) if you need instructions.
 
Old 08-31-2012, 10:05 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,521
Blog Entries: 51

Rep: Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599Reputation: 2599
Indeed there's no reason to have to rehash all the SSH stuff, see slash point to the sticky thread instead: http://www.linuxquestions.org/questi...tempts-340366/
 
Old 08-31-2012, 10:29 AM   #6
szboardstretcher
Senior Member
 
Registered: Aug 2006
Distribution: Arch 2014.02.01
Posts: 2,316
Blog Entries: 1

Rep: Reputation: 741Reputation: 741Reputation: 741Reputation: 741Reputation: 741Reputation: 741Reputation: 741
Aside from changing the SSH port, hardening, etc...

Even at home, I have a Cisco router in front of my Firewall to block naughty IP addresses -- so my firewall doesnt even have to deal with obviously bad traffic. I even blacklist entire countries, since I will never be trying to get to my network from Australia or China or anything.

So at the end of the day they are knocking on a router that is ignoring them.

I also have a tap before the router that splits off to a ColaSoft Capsa instance so I can see what kind of attempts are being made.

Last edited by szboardstretcher; 08-31-2012 at 10:30 AM.
 
  


Reply

Tags
network, security, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Script Kiddies and 403, 404 errors baldur2630 Linux - Security 2 01-08-2012 05:33 PM
LXer: How to squash seven lesser-known system attacks LXer Syndicated Linux News 0 08-07-2008 02:10 AM
Script kiddies keep hitting my apache server user1442 Slackware 7 10-27-2005 12:02 PM
System Attacks Docs enigma82 Linux - Security 2 11-02-2004 08:26 AM
iptables and firewalls and script kiddies, oh my! murray_linux Slackware 3 11-12-2003 06:26 PM


All times are GMT -5. The time now is 02:25 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration