Someone is attacking my server...

Posted by: TigerJimmy

Someone is attacking my server... - 14/12/2004 03:00

Hi everyone,

Someone has been running (what appear to be) dictionary attacks against my server using (what appear to be) spoofed IP addresses. They haven't gotten through, and they won't with dictionary attacks (all user accounts have very good passwords), but this kind of thing is annoying.

I doubt there is anything I can do about this, but I thought I'd ask the group and see if any of you have ideas about what to do about this kind of thing.

In general, what do you guys do when your logs show someone attacking your server?

In a related vein, I administer a web/email/dns server for a friend of mine and his logs are showing spammers trying to relay messages through his machine. Of course, the relays are all denied, but this consumes server resources and network bandwidth. Again, any alternatives to just letting these kinds of things happen?

Thanks in advance,

Jim
Posted by: canuckInOR

Re: Someone is attacking my server... - 14/12/2004 03:41

Quote:
In general, what do you guys do when your logs show someone attacking your server?

So far, nothing. In my case (on a linux server), it appears they go through a set number of ports, until they get to ssh. Then they try a set of four or five logins, none of which work. I presume they're just attempting some default passwords, but since I don't allow root access via ssh anyway, half of their attempts would fail even if they *did* know the password. I checked out a few of the various IP addresses, and they all originate in Asia somewhere -- mostly Korea and China. If it gets to be a big enough problem, you could always just configure your firewall to drop all packets from those particular subnets -- that's pretty drastic, though.
Posted by: jimhogan

Re: Someone is attacking my server... - 14/12/2004 13:44

Quote:
If it gets to be a big enough problem, you could always just configure your firewall to drop all packets from those particular subnets -- that's pretty drastic, though.

Definitely a big uptick in these earlier this year due to some new kits. The try-5-accounts-and-move-on was enough but now some of them are cycling through longer lists of accounts. Makes for bloated log files. Some discussions to be found like here.

No zero-pain solution. I've always felt that black lists are a never-ending burden. Depending on the circumstances (can you know where you'll need ssh access from?) a white list may be a better answer.
Posted by: siberia37

Re: Someone is attacking my server... - 14/12/2004 14:24

Quote:
Hi everyone,

Someone has been running (what appear to be) dictionary attacks against my server using (what appear to be) spoofed IP addresses. They haven't gotten through, and they won't with dictionary attacks (all user accounts have very good passwords), but this kind of thing is annoying.

I doubt there is anything I can do about this, but I thought I'd ask the group and see if any of you have ideas about what to do about this kind of thing.

In general, what do you guys do when your logs show someone attacking your server?
Move SSH, telnet etc. to a non-default port or, better yet, lock them down to a certain subnet range where you usually log in from. These kinds of attacks are common on Windows machines too, and the solution is to block the NetBIOS ports from non-Intranet addresses.
Posted by: PaulWay

Re: Someone is attacking my server... - 14/12/2004 23:23

I have taken the time to construct a form letter that I post to the admin of the netblock of each IP address, which is usually reported in the whois information (do a whois <IP address> to find out). Usually I ignore the Korean and Chinese blocks, as (a) I haven't had much success from them, and (b) my somewhat bigoted opinion is that they're usually not concerned about securing their networks anyway. I'm happy to be proved wrong, though.

I take the point of view that network security is everyone's responsibility, and the Patrician's point of view that the first thing to do with a problem is to make it someone else's. While I've had very few responses, I've seen quite a few net blocks tightened up afterward (or so says nmap). As I see it, the real problem with internet security is that too few people complain; it means that the slack sysadmins out there never get educated. (Which, of course, therefore proves that I should be emailing the Korean and Chinese sysadmins most of all, which I shall ruminate on). It only takes a minute or two, and you can always defend the time expenditure to management as defending your website.

But that's just my opinion.

Paul
Posted by: TigerJimmy

Re: Someone is attacking my server... - 15/12/2004 03:20

Paul,

Please share with me your form letter. I'd be curious to see how you word it.

Thanks,

Jim
Posted by: jimhogan

Re: Someone is attacking my server... - 16/12/2004 01:52

Jim,

Sanitized, I can share the text of a form message composed by someone I know and respect.

I agree with Paul: pursuing these in far-away places is often a no-hoper. OTOH, if you can automate the process, sending these to ROC or Katmandu can't hurt. *Definitely* worthwhile sending these to ISPs and operators closer to home. I agree that it is really a responsibility. Just like calling the cops when you witness a burglary in progress.

Jim

Example:
==================================================================
To: abuse @ foo.com
Subject: SECURITY: Network attack from xxx.xxx.xxx.xxx

Hello abuse @ foo.com.

At about Oct 14 13:56:35 2004 PDT, Pacific Time, someone attacked our network from xxx.xxx.xxx.xxx, which is (according to ARIN) under your technical and/or administrative control.

We acknowledge that the host in question may have been compromised by someone outside of your organization, in which case the system administrator for the host at xxx.xxx.xxx.xxx should be notified that their equipment is being used for unauthorized, if not criminal, purposes.

We keep our log files for up to four weeks. If you have any questions, please contact us at 999-555-1234, Mon - Fri, 8am to 5pm Pacific Time.

There may be some extracted log data below.

Please acknowledge receipt of this message. Thank you.

--
Your Name Here
Official-Sounding Title
yourbigdomain.com

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Oct 14 13:55:19 ourfirewall sshd[16702]: Did not receive identification string from xxx.xxx.xxx.xxx
[lots of other incriminating log file stuff here.....]
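As an added example (not code posted by anyone in this thread): a small Python script that groups suspicious sshd log lines by source IP, picks out the sources above a threshold, and fills in a report in the shape of the form letter above. The log lines and the abuse@example.net address are constructed for the example, using documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Oct 14 13:55:19 ourfirewall sshd[16702]: Did not receive identification string from 203.0.113.7
Oct 14 13:56:35 ourfirewall sshd[16710]: Failed password for illegal user test from 203.0.113.7 port 40211 ssh2
Oct 14 13:56:37 ourfirewall sshd[16712]: Failed password for illegal user guest from 203.0.113.7 port 40213 ssh2
Oct 14 13:56:40 ourfirewall sshd[16714]: Failed password for root from 203.0.113.7 port 40215 ssh2
Oct 14 14:01:02 ourfirewall sshd[16730]: Accepted publickey for jim from 192.0.2.50 port 51000 ssh2
Oct 14 14:05:11 ourfirewall sshd[16740]: Failed password for illegal user admin from 198.51.100.9 port 3022 ssh2
"""

# Old OpenSSH logs "illegal user", newer versions log "invalid user"; match both.
FAILED = re.compile(r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
PROBE = re.compile(r"Did not receive identification string from (\d+\.\d+\.\d+\.\d+)")

def parse_failures(log_text):
    """Group suspicious sshd events by source IP: {ip: [(user_or_None, raw_line), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            events[m.group(2)].append((m.group(1), line))
            continue
        m = PROBE.search(line)          # banner scan with no login attempt
        if m:
            events[m.group(1)].append((None, line))
    return dict(events)

def offenders(events, threshold=3):
    """IPs with at least `threshold` suspicious events, worst first."""
    hits = [(ip, len(ev)) for ip, ev in events.items() if len(ev) >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]

def abuse_report(ip, events, contact="abuse@example.net"):
    """Fill a form-letter skeleton (contact address is a placeholder) with the extracted log lines."""
    first = events[0][1][:15]                       # syslog timestamp of the first event
    users = sorted({u for u, _ in events if u})
    body = [f"To: {contact}",
            f"Subject: SECURITY: Network attack from {ip}",
            "",
            f"At about {first} (local time) the host {ip} made {len(events)} unauthorized",
            f"SSH login attempts against our network (accounts tried: {', '.join(users)}).",
            "Extracted log data follows. Please acknowledge receipt of this message.",
            ""]
    body += [line for _, line in events]
    return "\n".join(body)

if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip in offenders(ev):
        print(abuse_report(ip, ev[ip]))
```

The whois lookup for the netblock's abuse contact is left to the operator, as in the thread; the script only decides which sources are worth the minute it takes to send the letter.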
Posted by: mcomb

Re: Someone is attacking my server... - 17/12/2004 20:08

Quote:
I've always felt that black lists are a never-ending burden.

I've got half a dozen netblocks blacklisted for ssh to my little home server that has drastically reduced this sort of thing for me. I also have a state limit set of 1 session per source IP for ssh. So connections after the first get blocked for a few seconds until the rule drops from the state table. That may help a lot against dictionary attacks if you can configure your firewall in a similar way. If the bad guys can only try one connection every 10 seconds they may be inclined to move on to another target.

-Mike
Posted by: TigerJimmy

Re: Someone is attacking my server... - 17/12/2004 22:04

Good advice. Thanks to all of you for the ideas.

The mail relay attempts are a problem, too. In the case of my friend's computer, he's been hammered so hard that it filled the /var partition with the mail log errors.

What a PITA. The internet used to be such a friendly place... Sigh.
Posted by: schofiel

Re: Someone is attacking my server... - 17/12/2004 22:10

Aye, I remember when you could log on from a dialup, and not get bothered by hackers till sundown. When a penny was worth one of these new fangled pounds, and you could buy $5 and still have change for a bag o' chips and scraps.

Ahhh - them were the days - all of six months ago.....
Posted by: TigerJimmy

Re: Someone is attacking my server... - 17/12/2004 22:30

LOL! I realize that things have improved. But, with progress comes new problems. It's that "dialectic of progress" again. Too funny.