Re: Cracking attempt dilemma

Author: der.hans
Date:  
To: plug-discuss
Subject: Re: Cracking attempt dilemma
On 07 Dec 2004, June Tate wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey folks,
>
> I've been a bit of a long time lurker on this list, but I've recently
> come up with a bit of a problem. Somebody, somewhere out on the 'net is
> attempting to crack into my home server -- unfortunately, they seem to
> be either using a few hundred zombie boxen on the 'net or spoofing their
> IP addresses because each attack is coming from a completely different IP.
>
> The first time I noticed, I noticed a bunch of "Illegal user" error
> messages in /var/log/auth.log. At first I didn't think much of it, but
> since I've worked on the iptables firewall, I've noticed an almost
> constant stream of incoming packets to random ports on my box, too.


Having a firewall is a good thing :). Make sure you're locking out
everything that doesn't need to be. Most people probably only need to
allow incoming TCP traffic on port 22. Drop everything else.

If you're getting lots of traffic to SSH, which seems to be the case, then
maybe you can either lock it down to only a few IPs that you might come
from and/or set up a port knocking daemon.

knockd - Small port-knock daemon
Homepage: http://www.zeroflux.org/knock/

> At first I thought he must have just found my box via an IP subnet scan
> or something, but when I recently changed ISPs and IP addresses, he
> followed via my domain name.


Could be the person is working off a list of domain names.

> My question is this: how can I track down this guy, blacklist, or
> prevent him from breaching my defenses? Also, what should I do about
> reporting him to the authorities? Who should I contact about this?


A co-worker has been going through this on people who've been DoSsing her.
She claims to know who it is and have proof of it. The attacker's mom
apparently works at his ISP, so the ISP hasn't done anything despite
repeated attempts.

If someone is attacking you from another country our gov't won't care
unless you're losing lots of money. Lots of money from their perspective,
not from ours.

> I've tried looking up his various IPs in the whois databases to no avail
> -- they list him as coming from Tokyo, Taiwan, South Africa, San
> Diego, etc.
>
> My server is running Debian Linux, for reference.


Ah, another good move ;-).

You are getting security updates, right?

That is not the complete answer, but it is part of a balanced breakfast.

ciao,

der.hans
-- 
#  https://www.LuftHans.com/    http://www.AZOTO.org/
#  I'm not anti-social, I'm pro-individual. - der.hans
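The advice in this reply (drop everything inbound except SSH, and only let a few known addresses reach it) and the "Illegal user" lines the original poster saw in /var/log/auth.log, worked through as an added shell example. This is not code from the post, from Debian or from knockd; the log lines, host name and addresses are constructed (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), and the ruleset is printed in iptables-restore format rather than applied, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side helpers for
# the situation described in the thread.
#
#   1. count_illegal_users: summarise "Illegal user" sshd attempts in a
#      Debian-style auth.log by source IP, which makes it obvious when the
#      attempts come from many different addresses;
#   2. gen_ssh_ruleset: emit an iptables-restore ruleset that follows the
#      reply's advice: default DROP inbound, allow loopback and established
#      traffic, and allow new TCP/22 connections only from listed sources.
#
# Nothing here touches the live firewall. Load the printed ruleset with
# `iptables-restore < file` only after reading it.

# Constructed sample lines in the classic sshd/auth.log format. The host
# "home", the PIDs and the addresses are hypothetical.
SAMPLE_AUTH_LOG='Dec  7 03:14:05 home sshd[2201]: Illegal user test from 192.0.2.10
Dec  7 03:14:09 home sshd[2204]: Illegal user admin from 198.51.100.7
Dec  7 03:14:12 home sshd[2207]: Illegal user guest from 192.0.2.10
Dec  7 03:15:01 home CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
Dec  7 03:16:44 home sshd[2215]: Illegal user oracle from 203.0.113.99'

# count_illegal_users: read auth.log text on stdin and print "<count> <ip>"
# per source address, most active first. Lines that are not sshd
# "Illegal user" messages (e.g. the CRON line above) are ignored.
count_illegal_users() {
    awk '/sshd\[[0-9]+\]: Illegal user .* from / { ips[$NF]++ }
         END { for (ip in ips) printf "%d %s\n", ips[ip], ip }' \
        | sort -rn
}

# gen_ssh_ruleset: print an iptables-restore ruleset. Arguments are the
# source IPs or CIDR ranges allowed to open connections to TCP port 22;
# every other inbound packet is dropped by the chain policy.
gen_ssh_ruleset() {
    [ $# -ge 1 ] || { echo "usage: gen_ssh_ruleset IP[/CIDR]..." >&2; return 1; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host opened must stay open,
    # otherwise "drop everything else" also breaks outbound use of the box.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        echo "-A INPUT -p tcp -s $src --dport 22 -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Demonstration on the constructed input: per-IP counts, then a ruleset that
# lets one host and one /24 (both hypothetical) reach SSH.
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_illegal_users
gen_ssh_ruleset 192.0.2.50 198.51.100.0/24
```

On a real box, `count_illegal_users < /var/log/auth.log` gives the per-source picture directly; if every address shows a count of one or two, an allow-list on port 22 (or port knocking in front of it) does more than blacklisting individual addresses, which is the point the reply makes.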
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss