Re: Cracking attempt dilemma

Author: der.hans
Date:  
To: plug-discuss
Subject: Re: Cracking attempt dilemma
On 09 Dec 2004, June Tate wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> der.hans wrote:
> |
> | OK. Most people aren't running services from home, or so I have the
> | impression based on ISP rules. I also run those, except s/imaps/dns/ :).
>
> Most people don't have Speakeasy.net as their ISP, either. =op


:)

> We actually chose them specifically because they allow you to do
> anything with your 'net connection -- even share it out to others. They
> have a really geek-/tech- friendly AUP and staff, too.


I know a few people who've had complaints, but I think Speakeasy generally
has a good rep.

> See http://www.speakeasy.net for more info. They usually have ads on
> OSTG's ad servers and IIRC, they're still running a pretty good sale
> through Slashdot, too. It's an ADSL based service, so if you're hooked
> on cable's speed you might be a bit disappointed, but it's pretty
> reliable and the service is great.
>
> | Well, if he always comes from the same place, then you could hardcode
> | allowing him in, and use port knocking for any other external addy. That
> | way if you find yourself at a cafe with a laptop, a Net connection and a
> | hankering to work on some code you have on the home box you can get in.
>
> Now that's a great idea -- you can guess what I'll be doing tonight. =o)


And by doing so you missed the party/meeting and thereby the cheesecake...

> | If he comes from multiple IPs, maybe his ISP changes his IP on a regular
> | basis, you might still be able to do it but it gets hairy if he isn't too
> | tech aware.
>
> I /think/ that he's on a dynamic IP setup, but his IP probably doesn't
> change very often (a little bit like Cox or some other cable providers).
> A quick look into my utmp and wtmp logs can verify that.
>
> | Unfortunately, that is the way things seem to be. The cops only have so
> | many resources. Criminals and pranksters have more resources. At some
> | point a threshold sets in and you have to cross it to get attention. No
> | different for electronic stuff, except the threshold is much higher.
> |
> | Your ISP might care and might work with you.
>
> Somehow I doubt it. I didn't realize how common these kinds of attacks
> were until after I wrote that last email, so I figured it was something
> unique. Since it seems to be a kind of manually assisted malware, I
> doubt anybody would be even slightly interested in hunting it down.
> Sortof like the last rash of codered attacks we went through, except
> this time it's a few hundred people around the world doing it manually.
>
> A blacklisting I go, I guess. *shrugs*


That's one way. Set up blacklists to lock IPs out for a few days and see if
that helps.

> | speakeasy?
>
> See above. =o)
>
> | There are. I don't see anything in tcp-wrappers, but look at it because I
> | might've missed something. 'man hosts.allow' to get started there.
>
> I looked into it -- the Debian version of tcpwrappers gives a way to
> call a shell script. I think I might have a way to build a shell script
> that tracks repeated login attempts and essentially tarpit the
> connection. It won't be pretty, but it'll work. =o)


Yup.

> Thanks for the pointer.


NP.

> | Using firewall rules you can add stuff like that. Might not be too
> | difficult with iptables. I haven't done it, but I know you can write
> | reactive rules.
>
> I had no idea reactive rules could be written using iptables. Definitely
> something to look more closely into. If I figure something out, I'll let
> everybody know on the list -- could come in handy in the future, I'm
> sure. =o)


You can also shell out from iptables. Sounds scary, but is reported to
work. We had a presentation on that a few years back. Well, it was on
iptables, but they showed userland filtering as well.

Hmm, I know someone who did reactive stuff due to SPAM.

http://www.usenix.org/events/lisa02/tech/mikula.html

Looks like the full paper is there, so ignore the warning about needing a
USENIX membership :). If there's a problem let me know and I'll get you a
copy.

Note: friend no longer works at the ISP mentioned in the paper, so no one
feels obligated to say nice things about it. Hmm, I don't think any of the
paper's authors are still at the ISP.

ciao,

der.hans
-- 
#  https://www.LuftHans.com/    http://www.AZOTO.org/
#  "But you could teach these skills to a high-school student, and you could
#  probably teach them to an artist."  -- Richard Roberts
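The thread above sketches the approach of having tcp-wrappers hand the connecting address to a script, counting repeated login failures, and locking offending addresses out for a few days while a friend's fixed address stays hardcoded as allowed. The script below is an added example written for this page, not code from the thread or from either poster. It assumes the classic syslog/sshd "Failed password ... from ADDR" log format (the sample lines are constructed), a threshold of 5 failures, a 3-day lockout recorded as a comment, and a constructed allow-listed address 198.51.100.7; it emits hosts.deny lines rather than installing them, so you can review the output before wiring it in. tcp-wrappers' hosts_options(5) `spawn` option is the documented hook for running a script per connection (e.g. `sshd : ALL : spawn /usr/local/sbin/note-attempt %a`, where `%a` is the client address).

```shell
#!/bin/sh
# Added example, not from the original thread: summarise failed SSH logins per
# source address and emit tcp-wrappers hosts.deny entries for repeat offenders.
# Assumptions (not stated on the page): syslog-style sshd lines, a threshold
# of 5 failures, a 3-day block noted in a comment, and one hardcoded allowed
# address (all values constructed for illustration).

THRESHOLD=5
BLOCK_DAYS=3
# Constructed value standing in for the friend's fixed address; never blocked.
ALLOWED_STATIC="198.51.100.7"

# Constructed sample log; none of these addresses or hosts are real traffic.
SAMPLE_LOG='Dec  9 21:01:02 home sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Dec  9 21:01:05 home sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Dec  9 21:01:09 home sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40141 ssh2
Dec  9 21:01:12 home sshd[1207]: Failed password for root from 192.0.2.10 port 40150 ssh2
Dec  9 21:01:16 home sshd[1209]: Failed password for invalid user guest from 192.0.2.10 port 40158 ssh2
Dec  9 21:01:20 home sshd[1211]: Failed password for root from 192.0.2.10 port 40166 ssh2
Dec  9 21:30:41 home sshd[1340]: Failed password for june from 198.51.100.7 port 51002 ssh2
Dec  9 21:30:44 home sshd[1342]: Failed password for june from 198.51.100.7 port 51003 ssh2
Dec  9 21:30:48 home sshd[1344]: Failed password for june from 198.51.100.7 port 51004 ssh2
Dec  9 21:30:51 home sshd[1346]: Failed password for june from 198.51.100.7 port 51005 ssh2
Dec  9 21:30:55 home sshd[1348]: Failed password for june from 198.51.100.7 port 51006 ssh2
Dec  9 21:31:02 home sshd[1350]: Accepted password for june from 198.51.100.7 port 51007 ssh2
Dec  9 22:10:03 home sshd[1402]: Failed password for root from 203.0.113.5 port 3302 ssh2'

# count_failures: read log text on stdin, print "COUNT ADDRESS" per source
# address that had at least one failed password, highest count first.
# Only "Failed password" lines from sshd are counted; accepted logins are ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "from") { failures[$(i + 1)]++; break }
             }
         }
         END { for (ip in failures) print failures[ip], ip }' | sort -rn
}

# deny_lines: read log text on stdin, print a hosts.deny fragment for every
# address at or above THRESHOLD, skipping the hardcoded allowed address.
# hosts_access(5) treats only whole lines starting with "#" as comments, so the
# lockout note goes on its own line ahead of the rule.
deny_lines() {
    today=$(date +%Y-%m-%d)
    count_failures | while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        case " $ALLOWED_STATIC " in
            *" $ip "*) continue ;;   # friend's fixed address: never lock out
        esac
        printf '# %s: %s failures, blocked for %s days from %s\n' \
            "$ip" "$count" "$BLOCK_DAYS" "$today"
        printf 'sshd: %s\n' "$ip"
    done
}

# Usage: ./deny-from-log.sh /var/log/auth.log   (or no argument for the sample).
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    deny_lines < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | deny_lines
fi
```

Run against a real auth log the output is meant to be appended to hosts.deny by a cron job that also drops entries older than BLOCK_DAYS (the date comment is there so such a job can tell when each rule expires); the allow-list check is what keeps a friend on a fixed address from being locked out by a few mistyped passwords.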
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss