(Where) should I report breakin attempts?
on 07.06.2006 03:06:31 by Tristan Miller
Greetings.
Most of the time my computers are behind a router/firewall that blocks port
22, but occasionally I unblock it if I'm going somewhere and need to log
into my machines remotely. Whenever I do this I notice in
my /var/log/messages that some script kiddie is repeatedly connecting via
ssh and trying to guess usernames. The IP changes every time so I'm not
sure if it's just one guy using hijacked machines or different people.
Is it worth reporting this behaviour to whatever ISP is associated with the
IP addresses? Is there some sort of SpamCop-type service that will
automatically file a report to the correct contact address? Or should I
just copy and paste from /var/log/messages and send it to
abuse@example.com, where example.com is whatever domain name nslookup
associates with the IP address?
Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
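The question above is what to pull out of /var/log/messages before mailing anyone. The script below is an added example, not code from any poster: it ranks the sshd failures per source address and drafts the excerpt an abuse desk actually needs (verbatim lines plus the timezone that syslog timestamps lack). The log lines are constructed to mimic OpenSSH's syslog output, and the hosts and addresses are RFC 5737 documentation ranges, not real ones.

```shell
#!/bin/sh
# Added example (not from the thread): rank SSH brute-force sources in
# syslog-style sshd output and draft the excerpt for an abuse complaint.
# The log lines are constructed to mimic what OpenSSH logs via syslog;
# the host name and addresses are documentation values, not real.

sample_log() {
cat <<'EOF'
Jun  7 02:10:01 polecat sshd[4121]: Invalid user admin from 192.0.2.10
Jun  7 02:10:03 polecat sshd[4123]: Invalid user test from 192.0.2.10
Jun  7 02:10:05 polecat sshd[4125]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Jun  7 02:11:40 polecat sshd[4130]: Invalid user oracle from 198.51.100.7
Jun  7 02:12:00 polecat sshd[4132]: Failed password for root from 198.51.100.7 port 51012 ssh2
Jun  7 02:15:22 polecat sshd[4140]: Accepted publickey for tristan from 203.0.113.5 port 50000 ssh2
EOF
}

# Lines that mean a failed or probing login; successful logins are excluded.
failures() {
    grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password)'
}

# attackers: "<lines> <ip>" per source address, busiest first. One attempt
# can log both an "Invalid user" and a "Failed password" line, so this ranks
# log volume per source rather than counting attempts exactly.
attackers() {
    failures |
    sed -E 's/.* from ([0-9.]+).*/\1/' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# abuse_report IP: a short header plus the raw lines for that one address.
# Abuse desks need the timezone (and year), which syslog does not record.
abuse_report() {
    ip=$1
    printf 'Abuse report: repeated SSH login attempts against %s\n' "$(uname -n)"
    printf 'Source address: %s\n' "$ip"
    printf 'Timestamps are in timezone %s; lines are verbatim sshd syslog output.\n\n' "$(date +%Z)"
    failures | grep -Fw "from $ip"
}

# Demo on the constructed sample. On a live host replace sample_log with:
#   grep 'sshd\[' /var/log/messages
sample_log | attackers
top=$(sample_log | attackers | head -n 1 | awk '{print $2}')
echo
sample_log | abuse_report "$top"
```

The report body is what goes to the abuse contact found via whois or the samspade-style lookups mentioned later in the thread; the script deliberately does not look anything up itself, so it runs offline against a saved log.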
Re: (Where) should I report breakin attempts?
on 07.06.2006 03:21:54 by Tristan Miller
Greetings.
In article <2428961.p0Wranuy0x@polecat.worldsocialism.org>, Tristan Miller
wrote:
> Most of the time my computers are behind a router/firewall that blocks
> port 22, but occasionally I unblock it if I'm going somewhere and need to
> log
> into my machines remotely. Whenever I do this I notice in
> my /var/log/messages that some script kiddie is repeatedly connecting via
> ssh and trying to guess usernames. The IP changes every time so I'm not
> sure if it's just one guy using hijacked machines or different people.
I should clarify that the IP changes each time I enable port 22 (which is
once a day every few weeks), not every time a connection is made.
Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Re: (Where) should I report breakin attempts?
on 07.06.2006 04:11:09 by Nico Kadel-Garcia
"Tristan Miller" wrote in message
news:2595041.58f1QSgL4E@polecat.worldsocialism.org...
> Greetings.
>
> In article <2428961.p0Wranuy0x@polecat.worldsocialism.org>, Tristan Miller
> wrote:
>
>> Most of the time my computers are behind a router/firewall that blocks
>> port 22, but occasionally I unblock it if I'm going somewhere and need to
>> log
>> into my machines remotely. Whenever I do this I notice in
>> my /var/log/messages that some script kiddie is repeatedly connecting via
>> ssh and trying to guess usernames. The IP changes every time so I'm not
>> sure if it's just one guy using hijacked machines or different people.
>
> I should clarify that the IP changes each time I enable port 22 (which is
> once a day every few weeks), not every time a connection is made.
>
> Regards,
> Tristan
Sadly, due to the screaming people send to the abuse@example.com addresses,
many sites simply connect it to /dev/null, especially at poorly run
institutions from which such script kiddies operate. In my spam hunting,
I've taken to using http://www.samspade.org to hunt for the owner of the IP
address, their DNS registration, their upstream feeds, etc. and see if I can
somehow find a human to notify of the problem. While DNS admins rarely like
to receive such complaints, they are often able to direct me to a human,
especially when I call them on the phone and explain the problem in small
words.
It's even better when I've gotten a corporate attorney of a company I'm
working for to read them the riot act parts of the Telecommunications
Privacy Act, via certified mail if necessary. One lawyer I worked with used
to have fun doing it, and it's especially fun to climb the food chain at
universities to talk to deans and let them rant at the systems staff about
abuse and port scanning going on from their networks. (University networks
are popular sources of script kiddie scans, due to high bandwidth and often
very poorly secured machines.)
But it's very expensive in your time to actually pursue these things: do it
if you enjoy it, don't do it expecting to really make a big dent in such
scans.
Re: (Where) should I report breakin attempts?
on 07.06.2006 04:59:11 by unruh
Tristan Miller writes:
>Greetings.
>Most of the time my computers are behind a router/firewall that blocks port
>22, but occasionally I unblock it if I'm going somewhere and need to log
>into my machines remotely. Whenever I do this I notice in
>my /var/log/messages that some script kiddie is repeatedly connecting via
>ssh and trying to guess usernames. The IP changes every time so I'm not
>sure if it's just one guy using hijacked machines or different people.
>Is it worth reporting this behaviour to whatever ISP is associated with the
>IP addresses? Is there some sort of SpamCop-type service that will
>automatically file a report to the correct contact address? Or should I
>just copy and paste from /var/log/messages and send it to
>abuse@example.com, where example.com is whatever domain name nslookup
>associates with the IP address?
Make sure your passwords are strong. And then forget about it. Those are
hijacked machines, usually belonging to people who do not give a damn that
they are hijacked. If you enjoy catching rain in a sieve, you might try
sending notices to the ISPs. You will not get answers, and you will not
decrease your attacks.
Re: (Where) should I report breakin attempts?
on 07.06.2006 07:27:28 by unknown
Post removed (X-No-Archive: yes)
Re: (Where) should I report breakin attempts?
on 07.06.2006 08:21:04 by unruh
all mail refused writes:
>On 2006-06-07, Unruh wrote:
>>>Most of the time my computers are behind a router/firewall that blocks port
>>>22, but occasionally I unblock it
>>
>> Make sure your passwords are strong. And then forget about it.
>I'd say make sure you allow only keyed SSH access and no password access
>and then forget about it.
?? Then you have to carry your key with you and you have to try to protect
that.
>--
>Elvis Notargiacomo master AT barefaced DOT cheek
>http://www.notatla.org.uk/goen/
> One of my other 11 computers runs Minix.
Re: (Where) should I report breakin attempts?
on 07.06.2006 08:56:29 by Nico Kadel-Garcia
"Unruh" wrote in message
news:e65r8g$68k$1@nntp.itservices.ubc.ca...
> all mail refused writes:
>
>>On 2006-06-07, Unruh wrote:
>
>>>>Most of the time my computers are behind a router/firewall that blocks
>>>>port
>>>>22, but occasionally I unblock it
>>>
>>> Make sure your passwords are strong. And then forget about it.
>
>>I'd say make sure you allow only keyed SSH access and no password access
>>and then forget about it.
>
> ?? Then you have to carry your key with you and you have to try to protect
> that.
That's what memory sticks are for, and ideally a mechanism to push new
public keys as needed to your servers.
Re: (Where) should I report breakin attempts?
on 07.06.2006 14:24:09 by Tristan Miller
Greetings.
In article , Nico
Kadel-Garcia wrote:
> "Unruh" wrote in message
> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
>> all mail refused writes:
>>
>>>On 2006-06-07, Unruh wrote:
>>
>>>>>Most of the time my computers are behind a router/firewall that blocks
>>>>>port
>>>>>22, but occasionally I unblock it
>>>>
>>>> Make sure your passwords are strong. And then forget about it.
>>
>>>I'd say make sure you allow only keyed SSH access and no password access
>>>and then forget about it.
>>
>> ?? Then you have to carry your key with you and you have to try to
>> protect that.
>
> That's what memory sticks are for, and ideally a mechanism to push new
> public keys as needed to your servers.
I sometimes visit places which use ancient computers or dumb terminals with
no USB or memory stick port. Cutting off password access is not an
option.
Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Re: (Where) should I report breakin attempts?
on 07.06.2006 18:17:55 by Nico Kadel-Garcia
Tristan Miller wrote:
> Greetings.
>
> In article , Nico
> Kadel-Garcia wrote:
>> "Unruh" wrote in message
>> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
>>> all mail refused writes:
>>>
>>>> On 2006-06-07, Unruh wrote:
>>>
>>>>>> Most of the time my computers are behind a router/firewall that
>>>>>> blocks port
>>>>>> 22, but occasionally I unblock it
>>>>>
>>>>> Make sure your passwords are strong. And then forget about it.
>>>
>>>> I'd say make sure you allow only keyed SSH access and no password
>>>> access and then forget about it.
>>>
>>> ?? Then you have to carry your key with you and you have to try to
>>> protect that.
>>
>> That's what memory sticks are for, and ideally a mechanism to push
>> new public keys as needed to your servers.
>
> I sometimes visit places which use ancient computers or dumb
> terminals with no USB or memory stick port. Cutting off password
> access is not an option.
Can you set up OPIE or another similar one-time-password setup? I used to
find it very useful in a particularly poor security environment, to force an
additional user-specific one-time-password step before accepting their real
password from offsite.
Re: (Where) should I report breakin attempts?
on 07.06.2006 18:22:04 by see-my-signature
all mail refused wrote:
> On 2006-06-07, Unruh wrote:
>
>
>>>Most of the time my computers are behind a router/firewall that blocks port
>>>22, but occasionally I unblock it
>>
>>Make sure your passwords are strong. And then forget about it.
>
>
> I'd say make sure you allow only keyed SSH access and no password access
> and then forget about it.
>
Ignoring the obvious problem of someone cracking your password, which if
it strong will not happen, is keyed ssh actually any more secure in
practice?
--
Dave K MCSE.
MCSE = Minefield Consultant and Solitaire Expert.
Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
http://witm.sourceforge.net/ (Web based Mathematica frontend)
Re: (Where) should I report breakin attempts?
on 07.06.2006 20:59:32 by Chuck
Nico Kadel-Garcia wrote:
> "Unruh" wrote in message
> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
>> all mail refused writes:
>>
>>> On 2006-06-07, Unruh wrote:
>>>>> Most of the time my computers are behind a router/firewall that blocks
>>>>> port
>>>>> 22, but occasionally I unblock it
>>>> Make sure your passwords are strong. And then forget about it.
>>> I'd say make sure you allow only keyed SSH access and no password access
>>> and then forget about it.
>> ?? Then you have to carry your key with you and you have to try to protect
>> that.
>
> That's what memory sticks are for, and ideally a mechanism to push new
> public keys as needed to your servers.
>
>
And if someone steals your memory stick?
Re: (Where) should I report breakin attempts?
on 07.06.2006 21:02:29 by Chuck
Dave (from the UK) wrote:
>
> Ignoring the obvious problem of someone cracking your password, which if
> it strong will not happen, is keyed ssh actually any more secure in
> practice?
>
Yes. As long as you have protected the key with a strong passphrase that
is.
Re: (Where) should I report breakin attempts?
on 07.06.2006 21:33:02 by Nico Kadel-Garcia
"Chuck" wrote in message
news:omFhg.11459$9c7.1259@trnddc06...
> Nico Kadel-Garcia wrote:
>> "Unruh" wrote in message
>> news:e65r8g$68k$1@nntp.itservices.ubc.ca...
>>> all mail refused writes:
>>>
>>>> On 2006-06-07, Unruh wrote:
>>>>>> Most of the time my computers are behind a router/firewall that
>>>>>> blocks
>>>>>> port
>>>>>> 22, but occasionally I unblock it
>>>>> Make sure your passwords are strong. And then forget about it.
>>>> I'd say make sure you allow only keyed SSH access and no password
>>>> access
>>>> and then forget about it.
>>> ?? Then you have to carry your key with you and you have to try to
>>> protect
>>> that.
>>
>> That's what memory sticks are for, and ideally a mechanism to push new
>> public keys as needed to your servers.
>>
>>
>
> And if someone steals your memory stick?
That's why you have two, you keep your key encrypted, and you need a way to
publish an updated key reliably to the servers.
Re: (Where) should I report breakin attempts?
on 07.06.2006 21:44:58 by ibuprofin
On Wed, 07 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
<3196044.Xl0bkrAZrJ@polecat.worldsocialism.org>, Tristan Miller wrote:
>>>>>> Most of the time my computers are behind a router/firewall that blocks
>>>>>> port 22, but occasionally I unblock it
>>>>> Make sure your passwords are strong. And then forget about it.
That is one very good solution.
>>>>I'd say make sure you allow only keyed SSH access and no password access
>>>>and then forget about it.
That is another.
>>> ?? Then you have to carry your key with you and you have to try to
>>> protect that.
>>
>> That's what memory sticks are for, and ideally a mechanism to push new
>> public keys as needed to your servers.
Good point - but probably over-kill for most users.
>I sometimes visit places which use ancient computers or dumb terminals with
>no USB or memory stick port. Cutting off password access is not an
>option.
Then there are still several choices.
There is nothing restricting you to running your SSH server on port 22. If
you move it to some "high" port (use "ls -lt | tail | awk '{print $5}'" to
grab example numbers) such as 6407 (anything above ~1100 to avoid port
scanners). It's called "Security By Obscurity" and it works against the
current crop of script kiddies and zombies.
There is nothing restricting you from choosing "good" usernames. "Tristan"
might be OK, but it's in books of names and words. 'ueMd4Ebs' probably
isn't. (You can remember a non-word password, why not remember a non-word
username? An old trick is to use the first letter of each word of a phrase.)
You're posting from the UK - do you really need to access your system from
every IP address in the world? 58/7, 60/7, 121/8, 122/7, 124/6, 202/7,
210/7, 218/7 and 220/6 blocks a lot of Asia/Pacific. 188/8, 190/7 and
200/7 knocks out a lot of Central/South America.
You are posting using KNode, which suggests Linux (though it also works in
*BSD). If you are using 'iptables' in Linux, do a google search for 'port
knocking Linux'.
Finally, there is nothing preventing you from combining these concepts,
such that to get in, you need to first try to open a telnet/ftp/web/anything
connection to port 38388 (which will fail, but opens access to the address
you tried _from_) from an address range not blocked by "area" rules, then
connect to your now accessible SSH server on port 6403 (you have one minute
to connect), logging in as user 'ueMd4Ebs' with password 'Ttl*h1wWur'. It
probably isn't good enough to satisfy the extreme requirements of some three
letter agency, but you aren't required to do so (if you were, you shouldn't
be here - talk to the agency people instead).
Old guy
Re: (Where) should I report breakin attempts?
on 08.06.2006 00:59:57 by dagon
>>>Make sure your passwords are strong. And then forget about it.
>> I'd say make sure you allow only keyed SSH access and no password access
>> and then forget about it.
Dave (from the UK) wrote:
>Ignoring the obvious problem of someone cracking your password, which if
>it strong will not happen, is keyed ssh actually any more secure in
>practice?
Kinda, maybe. Both long PKs and decent passwords are good enough to
withstand dictionary attacks, especially if you limit attempts per minute.
However, public key connections are somewhat resistant to things like
keystroke monitors.
Say you're using portaputty from a USB dongle: a keystroke grabber might get
your key passphrase and everything you type during your session, including
your password if you used sudo or the root password if you used su. But
they still don't have your key, and can't ssh in with just your (or root's)
password).
--
Mark Rafn dagon@dagon.net
Re: (Where) should I report breakin attempts?
on 08.06.2006 04:55:53 by Tristan Miller
Greetings.
In article , Nico
Kadel-Garcia wrote:
>> I sometimes visit places which use ancient computers or dumb
>> terminals with no USB or memory stick port. Cutting off password
>> access is not an option.
>
> Can you set up OPIE or another similar one-time-password setup? I used to
> find it very useful in a particularly poor security environment, to force
> an additional user-specific one-time-password step before accepting their
> real password from offsite.
I don't think it's worth the trouble. My machine is a single-user system
(just me) and my password is a long string of random characters.
Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Re: (Where) should I report breakin attempts?
on 08.06.2006 05:07:16 by Res
>>>>> "Dave" == Dave (from the UK) writes:
Dave> all mail refused wrote:
>> On 2006-06-07, Unruh wrote:
>>>> Most of the time my computers are behind a router/firewall that
>>>> blocks port 22, but occasionally I unblock it
>>> Make sure your passwords are strong. And then forget about it.
>> I'd say make sure you allow only keyed SSH access and no password
>> access and then forget about it.
>>
Dave> Ignoring the obvious problem of someone cracking your password,
Dave> which if it strong will not happen, is keyed ssh actually any
Dave> more secure in practice?
* It is in a sense two-factor: now you need to steal both the key file and
the passphrase.
* Keys are very long randomish strings, not vulnerable to guessing
attacks.
* SSH publickey authentication does not reveal the user's secret to a
possibly compromised server, as password authentication does.
--
Richard Silverman
res@qoxp.net
Re: (Where) should I report breakin attempts?
on 08.06.2006 08:57:15 by unruh
dagon@dagon.net (Mark Rafn) writes:
>>>>Make sure your passwords are strong. And then forget about it.
>>> I'd say make sure you allow only keyed SSH access and no password access
>>> and then forget about it.
>Dave (from the UK) wrote:
>>Ignoring the obvious problem of someone cracking your password, which if
>>it strong will not happen, is keyed ssh actually any more secure in
>>practice?
>Kinda, maybe. Both long PKs and decent passwords are good enough to
>withstand dictionary attacks, especially if you limit attempts per minute.
>However, public key connections are somewhat resistant to things like
>keystroke monitors.
>Say you're using portaputty from a USB dongle: a keystroke grabber might get
>your key passphrase and everything you type during your session, including
>your password if you used sudo or the root password if you used su. But
>they still don't have your key, and can't ssh in with just your (or root's)
>password).
Look, if you have a keystroke monitor, then whoever installed it can
install a rogue ssh as well, and capture everything, including your private
key.
Sure they can ssh in with just your or root's password, since they also
have your private key, and the password that protects it.
>--
>Mark Rafn dagon@dagon.net
Re: (Where) should I report breakin attempts?
on 08.06.2006 09:31:57 by Volker Birk
In comp.security.misc Mark Rafn wrote:
> Say you're using portaputty from a USB dongle: a keystroke grabber might get
> your key passphrase and everything you type during your session, including
> your password if you used sudo or the root password if you used su.
This is why your system has to be reliable. Booting from a trusted RO
media and encrypting your hard disk helps here. Then only hardware based
attacks are left.
Yours,
VB.
--
"If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper."
Kyle Stedman about "Personal Firewalls" in c.s.f
Re: (Where) should I report breakin attempts?
on 08.06.2006 17:01:47 by Nico Kadel-Garcia
"Unruh" wrote in message
news:e68hob$5h6$1@nntp.itservices.ubc.ca...
> Look, if you have a keystroke monitor, then whoever installed it can
> install a rogue ssh as well, and capture everything, including your
> private
> key.
> Sure they can ssh in with just your or root's password, since they also
> have your private key, and the password that protects it.
They *can*, but it seems less likely. I've never seen a report of someone
successfully doing that.
Re: (Where) should I report breakin attempts?
on 08.06.2006 21:05:47 by dagon
>
>>>> I'd say make sure you allow only keyed SSH access and no password access
>>>> and then forget about it.
>
>>Dave (from the UK) wrote:
>>>Ignoring the obvious problem of someone cracking your password, which if
>>>it strong will not happen, is keyed ssh actually any more secure in
>>>practice?
>dagon@dagon.net (Mark Rafn) writes:
>>Kinda, maybe. Both long PKs and decent passwords are good enough to
>>withstand dictionary attacks, especially if you limit attempts per minute.
>>However, public key connections are somewhat resistant to things like
>>keystroke monitors.
Unruh wrote:
>Look, if you have a keystroke monitor, then whoever installed it can
>install a rogue ssh as well, and capture everything, including your private
>key.
It's theoretically possible for anything to happen if you're running on a
compromised machine. HOWEVER, I assert that there exist many more systems
with a simple non-specific keylogger than there are systems with the much
greater sophistication needed to trick you into thinking you're running your
build of ssh off the dongle when you're really running the hacked version.
That's the "kinda, maybe" part. I think it does make a class of attacks
harder, and I assert that it's a class which is not uncommon in the wild. It
does NOT close any theoretical attacks that I know of.
--
Mark Rafn dagon@dagon.net
Re: (Where) should I report breakin attempts?
on 10.06.2006 05:14:41 by Robert
On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:
> Greetings.
>
> Most of the time my computers are behind a router/firewall that blocks port
> 22, but occasionally I unblock it if I'm going somewhere and need to log
> into my machines remotely. Whenever I do this I notice in
> my /var/log/messages that some script kiddie is repeatedly connecting via
> ssh and trying to guess usernames. The IP changes every time so I'm not
> sure if it's just one guy using hijacked machines or different people.
I see you have a few options:
1. Use Key-login
2. Use a different port
3. Use IPTABLES to block all connections after x number of failed
connections.
It would be best to use all 3 of these options and then you would really
be securing your system.
--
Regards
Robert
Smile... it increases your face value!
Re: (Where) should I report breakin attempts?
on 12.06.2006 21:28:43 by Chuck
Robert wrote:
> On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:
>
>> Greetings.
>>
>> Most of the time my computers are behind a router/firewall that blocks port
>> 22, but occasionally I unblock it if I'm going somewhere and need to log
>> into my machines remotely. Whenever I do this I notice in
>> my /var/log/messages that some script kiddie is repeatedly connecting via
>> ssh and trying to guess usernames. The IP changes every time so I'm not
>> sure if it's just one guy using hijacked machines or different people.
>
> I see you have a few options:
>
> 1. Use Key-login
> 2. Use a different port
> 3. Use IPTABLES to block all connections after x number of failed
> connections.
>
> It would be best to use all 3 of these options and then you would really
> be securing your system.
>
>
FYI I am running my ssh server on a nonstandard port (way up high), and
set the only authentication method allowed to be PubkeyAuthentication.
In 6 months with this config, not one break in attempt has been detected.
Re: (Where) should I report breakin attempts?
on 13.06.2006 22:25:25 by john yeo
>> 3. Use IPTABLES to block all connections after x number of failed connections.
Not advisable; it's setting yourself up for denial of service.
john
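ibuprofin's layered setup (non-default port, non-dictionary username, blocked address ranges, port knocking with a one-minute window) and Robert's list (keys, other port, block after x failures) describe one procedure, and john yeo's objection to the last step is that a throttle can lock the owner out. The script below is an added example, not code from any poster: it writes the sshd_config fragment and the iptables rules for that procedure, with a trusted range that is accepted before the throttle so a flood of bad logins from elsewhere cannot shut you out. The port, knock port, username and 2006 address ranges are the ones ibuprofin gave; the trusted range is an RFC 5737 documentation prefix standing in for your own office or home NAT. Nothing is installed unless APPLY=1 is set; by default the rules are printed for review.

```shell
#!/bin/sh
# Added example (not from any poster): the layered SSH setup described in
# the thread, plus a trusted range that is never throttled so the "block
# after x failures" rule cannot lock the owner out. Values below are the
# thread's own examples or documentation prefixes; adjust before use.
# Default mode prints the iptables commands; APPLY=1 (as root) installs them.

SSH_PORT=6407            # non-default port from ibuprofin's post
SSH_USER=ueMd4Ebs        # non-dictionary username from the same post
KNOCK_PORT=38388         # knock port from the same post
KNOCK_WINDOW=60          # seconds allowed between knock and SSH connect
TRUSTED=203.0.113.0/24   # your own NAT range: always accepted, never counted
# Ranges the post suggested blocking in 2006. Registry allocations have moved
# since then; regenerate this list from current RIR data before relying on it.
BLOCKED="58.0.0.0/7 60.0.0.0/7 121.0.0.0/8 122.0.0.0/7 124.0.0.0/6 202.0.0.0/7
210.0.0.0/7 218.0.0.0/7 220.0.0.0/6 188.0.0.0/8 190.0.0.0/7 200.0.0.0/7"

# ipt: run iptables for real only when APPLY=1; otherwise echo the command.
ipt() {
    if [ "$APPLY" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# sshd_config fragment. Passwords stay enabled because Tristan must log in
# from dumb terminals; set PasswordAuthentication no once keys suffice.
sshd_config() {
cat <<EOF
# replaces the stock defaults: Port 22, PermitRootLogin yes (older releases),
# no AllowUsers restriction, MaxAuthTries 6, LoginGraceTime 120
Port $SSH_PORT
PermitRootLogin no
AllowUsers $SSH_USER
MaxAuthTries 3
LoginGraceTime 20
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

apply_rules() {
    # Packets belonging to connections already accepted or opened by us.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. Ranges you will never log in from: drop before anything else.
    for net in $BLOCKED; do
        ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$net" -j DROP
    done
    # 2. Trusted range: straight in, no knock, never throttled (the answer
    #    to the denial-of-service objection: you cannot be locked out).
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED" -j ACCEPT
    # 3. Knock: a SYN to the knock port records the source address and is
    #    dropped, so the client sees the "failed" connection ibuprofin describes.
    ipt -A INPUT -p tcp --dport "$KNOCK_PORT" --syn \
        -m recent --name knock --set -j DROP
    # 4. Throttle: a source that opened 5 SSH connections within 10 minutes
    #    is dropped, and --update keeps it dropped while it keeps trying.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m recent --name sshrate --update --seconds 600 --hitcount 5 -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name sshrate --set
    # 5. Knocked within the window: let the SSH SYN through. Everyone else: drop.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" --syn \
        -m recent --name knock --rcheck --seconds "$KNOCK_WINDOW" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Stand-alone: show the sshd_config fragment, then print (or install) the rules.
sshd_config
echo
apply_rules
```

From an untrusted address the login is `nc -w 1 host 38388` (it times out, which is the point) followed within 60 seconds by `ssh -p 6407 ueMd4Ebs@host`. The knock is visible to anyone watching the path and the recent match tracks a bounded number of addresses (module parameter ip_list_tot), so, as ibuprofin says, this is obscurity layered on top of the real controls: the strong credential, MaxAuthTries, and the throttle. The trusted range in rule 2 is what keeps the throttle from becoming the self-inflicted outage john yeo warns about.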