Hi everyone,

Someone has been running (what appear to be) dictionary attacks against my server using (what appear to be) spoofed IP addresses. They haven't gotten through, and they won't with dictionary attacks (all user accounts have very good passwords), but this kind of thing is annoying.

I doubt there is anything I can do about this, but I thought I'd ask the group and see if any of you have ideas about what to do about this kind of thing.

In general, what do you guys do when your logs show someone attacking your server?

In a related vein, I administer a web/email/dns server for a friend of mine and his logs are showing spammers trying to relay messages through his machine. Of course, the relays are all denied, but this consumes server resources and network bandwidth. Again, any alternatives to just letting these kinds of things happen?

Thanks in advance,

Jim

I have taken the time to construct a form letter that I post to the admin of the netblock of each IP address, which is usually reported in the whois information (do a whois <IP address> to find out). Usually I ignore the Korean and Chinese blocks, as (a) I haven't had much success from them, and (b) my somewhat bigoted opinion is that they're usually not concerned about securing their networks anyway. I'm happy to be proved wrong, though.

I take the point of view that network security is everyone's responsibility, and the Patrician's point of view that the first thing to do with a problem is to make it someone else's. While I've had very few responses, I've seen quite a few net blocks tightened up afterward (or so says nmap). As I see it, the real problem with internet security is that too few people complain; it means that the slack sysadmins out there never get educated. (Which, of course, therefore proves that I should be emailing the Korean and Chinese sysadmins most of all, whichI shall ruminate on). It only takes a minute or two, and you can always defend the time expenditure to management as defending your website.

But that's just my opinion.

Paul

Paul,

Please share with me your form letter. I'd be curious to see how you word it.

Thanks,

Jim

Jim,

Sanitized, I can share the text of a form message composed by someone I know and respect.

I agree with Paul: pursuing these in far-away places is often a no-hoper. OTOH, if you can automate the process, sending these to ROC or Katmandu can't hurt. *Definitely* worthwhile sending these to ISPs and operators closer to home. I agree that it is really a responsibility. Just like calling the cops when you witness a burglary in progress.

Jim

Example:
==================================================================
To: abuse @ foo.com
Subject: SECURITY: Network attack from xxx.xxx.xxx.xxx

Hello abuse @ foo.com.

At about Oct 14 13:56:35 2004 PDT, Pacific Time, someone attacked our network from xxx.xxx.xxx.xxx, which is (according to ARIN) under your technical and/or administrative control.

We acknowledge that the host in question may have been compromised by someone outside of your organization, in which case the system administrator for the host at xxx.xxx.xxx.xxx should be notified that their equipment is being used for unauthorized, if not criminal, purposes.

We keep our log files for up to four weeks. If you have any questions, please contact us at 999-555-1234, Mon - Fri, 8am to 5pm Pacific Time.

There may be some extracted log data below.

Please acknowledge receipt of this message. Thank you.

--
Your Name Here
Official-Sounding Title
yourbigdomain.com

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Oct 14 13:55:19 ourfirewall sshd[16702]: Did not receive identification string from xxx.xxx.xxx.xxx
[lost of other incriminating log file stuff here.....]

Good advice. Thanks to all of you for the ideas.

The mail relay attempts are a problem, too. In the case of my friends computer, he's been hammered so hard that it filled the /var partition with the mail log errors.

What a PITA. The internet used to be such a friendly place... Sigh.

Aye, I remember when you could log on from a dialup, and not get bothered by hackers till sundown. When a penny was worth one of these new fangled pounds, and you could buy $5 and still have change for a bag o' chips and scraps.

Ahhh - them were the days - all of six months ago.....

LOL! I realize that things have improved. But, with progress comes new problems. Its that "dialectic of progress" again. Too funny.