This is a discussion on "script kiddies or something worse? how can i tell" within the Linux Security forums, part of the System Security and Security Related category.
Hi, I'm fairly new to this admin stuff, and have a newbie question...

I get regularly (but not bombarded) obviously script-based access attempts to sshd and ftp, sendmail. I just slap them on the hosts.deny list and that's the last I hear from them. (I had to move the sshd port of the main server, it was probed so often.)

What I want to know is... are these just kids playing about, or spammers trying to break in? Should I go to a newsgroup trumpeting the IP addresses?

How can you tell when it's an attack worth 'sharing'?

The script probes usually sshd, and sometimes sendmail or ftp:

root
admin
nobody
test
user
guest
kevin@mtel.co.uk (kevin) wrote in news:6675f17.0410260140.254e7797@posting.google.com:

> the script probes usually sshd, and sometimes sendmail or ftp

First off, I hope that everyone has basic protections in place. No obviously open doors inviting entry. Anything you installed "just to play with" and never got around to changing the defaults? Left it running?

If you have basic protections up then any "drive-by probings" can probably be ignored. They are like a homeless person testing the doors of all the downtown buildings to see if they are locked. Half the time the kiddies don't know what to do if they find one. They announce it to a hacker group like it's an entrance fee or something (most of the hacker newsgroups just report it back to the owner of the machine).

It's the return visits you need to alert on. The more than usual attention. Someone has seen something (or you have done something to them) which makes multiple efforts using different methods over periods of days worthwhile. And yes, I still think that those are worth reporting, but you need to make it clear that you aren't one of those people who report every tap on their doors. Mention right off the bat that it's a clear effort over a period of days by a specific individual. Give clear logs to that effect. And clear things they can check for in their logs to quickly pin it down. Often the account will get deleted.

If you get a response which makes you think you have that person himself playing as admin, or an irate response about rights or anonymity or they don't keep logs, then send the original email and the response emails to THEIR provider (usually can be done based on a traceroute).

Gandalf Parker
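Gandalf's rule of thumb (ignore the one-off drive-by, alert on the address that keeps coming back over days) is easy to turn into a log check. Below is an added example, not code from this thread or from any poster: it parses constructed OpenSSH-style "Failed password" lines using the username list from the original post, groups failures by source address, and flags only sources seen on two or more distinct days. The addresses, timestamps and hostname are made up (RFC 5737 documentation ranges), and the two-day threshold is an assumption to tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog/OpenSSH style (not from the thread).
# Addresses come from RFC 5737 documentation ranges, so they are not real hosts.
SAMPLE_LOG = """\
Oct 24 03:12:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4321 ssh2
Oct 24 03:12:04 host sshd[1201]: Failed password for invalid user test from 198.51.100.7 port 4322 ssh2
Oct 24 03:12:06 host sshd[1201]: Failed password for root from 198.51.100.7 port 4323 ssh2
Oct 25 22:40:11 host sshd[1388]: Failed password for invalid user guest from 198.51.100.7 port 5001 ssh2
Oct 27 01:05:50 host sshd[1999]: Failed password for invalid user user from 198.51.100.7 port 6112 ssh2
Oct 26 14:00:00 host sshd[1500]: Failed password for invalid user nobody from 203.0.113.9 port 3344 ssh2
Oct 26 14:00:02 host sshd[1500]: Failed password for invalid user admin from 203.0.113.9 port 3345 ssh2
Oct 26 09:30:00 host sshd[1450]: Accepted publickey for kev from 192.0.2.44 port 50000 ssh2
"""

# Matches both "for invalid user NAME" and "for NAME" (existing account) forms.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# The generic names the original poster sees being tried.
PROBE_USERS = {"root", "admin", "nobody", "test", "user", "guest"}


def parse_failures(log_text, year=2004):
    """Return a list of (date, user, ip) for each failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        when = datetime.strptime(f"{m['mon']} {m['day']} {year}", "%b %d %Y").date()
        out.append((when, m["user"], m["ip"]))
    return out


def classify_sources(failures, min_days=2):
    """Group failures per source IP and label each 'drive-by' or 'return visit'.

    A 'return visit' is a source seen on at least `min_days` distinct calendar
    days, which is the signal Gandalf says is worth reporting. Whether the
    names tried are only the generic probe list is recorded too: a source
    trying your real account names is a different animal.
    """
    days = defaultdict(set)
    users = defaultdict(set)
    for when, user, ip in failures:
        days[ip].add(when)
        users[ip].add(user)
    report = {}
    for ip in days:
        report[ip] = {
            "days": len(days[ip]),
            "attempts": sum(1 for f in failures if f[2] == ip),
            "users": sorted(users[ip]),
            "only_generic_names": users[ip] <= PROBE_USERS,
            "verdict": "return visit" if len(days[ip]) >= min_days else "drive-by",
        }
    return report


def worth_reporting(report):
    """Sorted list of source IPs that came back on multiple days."""
    return sorted(ip for ip, r in report.items() if r["verdict"] == "return visit")


if __name__ == "__main__":
    rep = classify_sources(parse_failures(SAMPLE_LOG))
    for ip, r in sorted(rep.items()):
        print(f"{ip:15} {r['verdict']:13} days={r['days']} attempts={r['attempts']} "
              f"users={','.join(r['users'])}")
    print("report these:", worth_reporting(rep))
```

Run against real logs, the per-source "days" count plus the list of names tried is exactly the evidence Gandalf says to put in an abuse report: the dates show persistence, the names show whether it was the generic list or something aimed at you.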
kevin wrote:

> Hi, i'm fairly new to this admin stuff, and have a newbie question,...
>
> i get regularly (but not bombarded) with an obviously script based
> access attempts to sshd and ftp, sendmail. I just slap them on the
> hosts.deny list and that's the last i hear from them. (i had to move
> the sshd port of the main server, it was probed so often).

I've had the same problem, but I had to leave ssh open for various users. I could have blocked ALL ssh and then allowed them one at a time, but I would rather not, and it would be a hassle for the users as well.

ANYWAY - I found that most of these are Asian IP blocks, so I blocked all ssh from that continent (found the IP blocks at www.apnic.net). That significantly reduced the number of hits.

Having said that now, I don't believe that those "bots", as I call them, are a significant issue. Keep in mind that these are dumb programs, and not someone specifically targeting your machine. HOWEVER - also know that someone had to sit down and set that script loose in order for it to do what it's doing, so in that respect, it IS personal. I am not really too worried about it; however, I can't take the chance and I need to treat it like an active hostile attack. As the system admin, you need to evaluate the risk.

> What i want to know is ...
> are these just kids playing about, or spammers trying to break in.
> Should i go to a newsgroup trumpeting the ipaddresses?
>
> How can you tell when it's an attack worth 'sharing'?
>
> the script probes usually sshd, and sometimes sendmail or ftp
>
> root
> admin
> nobody
> test
> user
> guest
In article <6675f17.0410260140.254e7797@posting.google.com>, kevin wrote:

> i get regularly (but not bombarded) with an obviously script based
> access attempts to sshd and ftp, sendmail.

Don't we all.

> I just slap them on the hosts.deny list and that's the last i hear from
> them.

man 5 hosts_access

In /etc/hosts.allow, you should have those services and IP address [range[s]] that you wish to allow to connect to those services that use tcp_wrappers or libwrap (not all do). In /etc/hosts.deny you have a single line

ALL: ALL

The principle of tcp_wrappers/libwrap is that services permitted to addresses in /etc/hosts.allow are allowed. If not in /etc/hosts.allow, then look in /etc/hosts.deny to see if the service should be denied. If not in /etc/hosts.allow and not in /etc/hosts.deny, then allow the connection by default.

> (i had to move the sshd port of the main server, it was probed so often).

If your firewall was not allowing them in - don't worry about it.

> What i want to know is ...
> are these just kids playing about, or spammers trying to break in.

Both, and zombie PCs looking for easy pickings.

> Should i go to a newsgroup trumpeting the ipaddresses?

[compton ~]$ zgrep net-abuse ../valid.newsgroups.10.15.04.gz
news.admin.net-abuse.blocklisting Discussion of ip-based blocklisting. (Moderated)
news.admin.net-abuse.bulletins Bulletins of action about net abuse. (Moderated)
news.admin.net-abuse.email Discussion of abuse of email systems.
news.admin.net-abuse.misc Network facility abuse, including spamming.
news.admin.net-abuse.policy Discussion of net abuse policy. (Moderated)
news.admin.net-abuse.sightings Sightings of net abuse. (Moderated)
news.admin.net-abuse.usenet Discussion of abuse of the Usenet system.
[compton ~]$

Probably not worth the effort.

> How can you tell when it's an attack worth 'sharing'?

When they succeed in getting in.

> the script probes usually sshd, and sometimes sendmail or ftp

Briefly:

1. Keep your systems up to date.
2. Monitor the security mailing list/website/newsgroup of your distribution.
3. Monitor Bugtraq [1].
4. See that your firewall/setup has only the needed ports open to those addresses you want to allow.
5. Don't fall for the hoaxes like the FakeRedHat crap noted yesterday.

Old guy

[1] Bugtraq is a mailing list covering security problems. List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>. Check your news server and see if it carries one of the mirror newsgroups, SUCH AS connectnet.bugtraq, dfi.lists.bugtraq, hanse-ml.bugtraq, list.bugtraq, mailing.unix.bugtraq, mgate.bugtraq or muc.lists.bugtraq. There MAY be others.

Old guy
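To see why Old guy's layout (explicit entries in hosts.allow, a single `ALL: ALL` in hosts.deny) behaves differently from appending each offender to hosts.deny, here is an added example that is not from this thread or any poster: a small Python model of the tcp_wrappers decision order, run over two constructed rule sets and a handful of constructed connection attempts. It handles only a subset of hosts_access(5) syntax (ALL, a dotted prefix such as `203.0.113.`, and net/mask), and the daemon names, addresses and rule contents are assumptions for illustration. Old guy's caveat still applies: a service only consults these files if it is built with libwrap.

```python
import ipaddress

# Two constructed rule sets (not from the thread). The first is the original
# poster's approach: nothing in hosts.allow, offenders appended to hosts.deny.
# The second is the default-deny layout Old guy describes.
BLOCKLIST_ALLOW = ""
BLOCKLIST_DENY = """\
# offenders added one at a time as they show up in the logs
sshd: 198.51.100.7
ALL: 203.0.113.
"""

DEFAULT_DENY_ALLOW = """\
# only the services we run, from the addresses that should reach them
sshd: 192.0.2.0/255.255.255.0
vsftpd, in.ftpd: 192.0.2.10
"""
DEFAULT_DENY_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.

    Supported subset of hosts_access(5): comments, ALL, dotted-prefix patterns
    like '203.0.113.', and net/mask patterns. Hostname patterns, EXCEPT,
    KNOWN/UNKNOWN/PARANOID and the shell-command field are not modelled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern match the connecting address?"""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.0.2.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):  # leading-octets prefix, e.g. 203.0.113.
        return ip.startswith(pattern)
    return ip == pattern


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(c, ip) for c in clients)


def access_decision(allow_text, deny_text, daemon, ip):
    """Apply the tcp_wrappers order: hosts.allow, then hosts.deny, then allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow (hosts.allow)"
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny (hosts.deny)"
    return "allow (default: matched nothing)"


# Constructed connection attempts using RFC 5737 documentation addresses.
ATTEMPTS = [
    ("sshd", "198.51.100.7"),   # the address that was added to hosts.deny
    ("sshd", "203.0.113.42"),   # inside the blocked prefix
    ("sshd", "198.51.100.8"),   # the next scanner, never seen before
    ("sshd", "192.0.2.5"),      # a legitimate user
    ("in.ftpd", "192.0.2.10"),  # the one ftp client we want
    ("in.ftpd", "192.0.2.5"),   # allowed host, but for the wrong service
]


def compare():
    """Return {(daemon, ip): (blocklist_decision, default_deny_decision)}."""
    return {
        (d, ip): (access_decision(BLOCKLIST_ALLOW, BLOCKLIST_DENY, d, ip),
                  access_decision(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY, d, ip))
        for d, ip in ATTEMPTS
    }


if __name__ == "__main__":
    for (d, ip), (blocklist, default_deny) in compare().items():
        print(f"{d:8} {ip:15}  blocklist: {blocklist:32}  default-deny: {default_deny}")
```

The line to look at is the "next scanner" case: with the blocklist approach it is allowed because it matched nothing, while under the default-deny layout it never gets past `ALL: ALL` without anyone having to notice it first.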
Thanks.

It's so *nice* to get a helpful answer instead of rudeness about my ignorance. I will look at this firewall, and inverting the allow/deny wrapper thing. I guess the only port that would be difficult to nail down would be 80 for the web service. I'll also look at this port knocking. This sounds useful.

Thanks again.

kev.
On 2004-10-26, Huge <huge@ukmisc.org.uk> wrote:

> Once upon a time, the 'net was run by Sysadmins With Clue, and reporting
> these people to their ISP (or more often, college) resulted in
> appropriate LARTing.
>
> These days, no-one gives a shit.
>
> I stopped bothering a long time ago.

Not totally true. I've had a good deal of attacks on sshd. One of the worst was a brute-force of over 12 minutes long. Pissed, I reported it. I got back a mail some days later from the admin of the network in question saying he had terminated the guy's account. Other times the owners knew nothing of their own compromise and thanked me for at least letting them know. So, sometimes it does work. Of course, others I think their abuse address is connected to /dev/null.

I keep it short and polite, only including the relevant logs in the mail. Chinanet and Kornet, .kr, .jp - don't bother: never any reply. I started dropping all traffic from those netblocks in those places where I had received an attack from. For the iptables log prefix, I write a short note what the block was for. You should see my firewall logs; they look like a blow-by-blow sports commentary now.

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
On 2004-11-12, jayjwa wrote:

> mail. Chinanet and Kornet, .kr, .jp- don't both: never any reply. I started
> dropping all traffic from those netblocks in those places were I had received
> an attack from. For the iptables log prefix, I write a short note what the
> block was for. You should see my firewall logs; they look like a blow-by-blow
> sports commentary now.

Could you post the iptables rules you use to block the Asian nets? Thx

--
Brian Hall
Linux Consultant
http://pcisys.net/~brihall
In article <slrncp9t21.6gd.brihall@news.pcisys.net>, Brian Hall wrote:

> On 2004-11-12, jayjwa wrote:
>> mail. Chinanet and Kornet, .kr, .jp- don't both: never any reply. I started
>> dropping all traffic from those netblocks in those places were I had
>> received an attack from.
> Could you post the iptables rules you use to block the asian nets? Thx

Some people block 58.0.0.0/7, 60.0.0.0/7, 202.0.0.0/7, 210.0.0.0/7, 218.0.0.0/7 and 220.0.0.0/6, which blocks a LOT of Asia/Pacific (likely including places you may not want to block), but not all. Just looking at China, I find:

[compton ~]$ zgrep -c CN IP.ADDR/stats/[ALR]*.gz
IP.ADDR/stats/APNIC.gz:752
IP.ADDR/stats/ARIN.gz:3
IP.ADDR/stats/LACNIC.gz:0
IP.ADDR/stats/RIPE.gz:0
[compton ~]$ zgrep CN IP.ADDR/stats/ARIN.gz
CN 192.124.154.0 255.255.255.0 assigned
CN 192.188.170.0 255.255.255.0 assigned
CN 192.83.122.0 255.255.255.0 assigned
[compton ~]$

But APNIC is also handing out addresses in a lot of other blocks:

[compton ~]$ zgrep CN IP.ADDR/stats/APNIC.gz | grep -v ' 5[89]' | grep -v ' 6[01]' | grep -v ' 2[012]'
CN 134.196.0.0 255.255.0.0 allocated
CN 159.226.0.0 255.255.0.0 allocated
CN 161.207.0.0 255.255.0.0 allocated
CN 162.105.0.0 255.255.0.0 allocated
CN 166.111.0.0 255.255.0.0 allocated
CN 167.139.0.0 255.255.0.0 allocated
CN 168.160.0.0 255.255.0.0 allocated
CN 198.17.7.0 255.255.255.0 allocated
[compton ~]$ zgrep -v ' 5[89]' IP.ADDR/stats/APNIC.gz | grep -v ' 6[01]' | grep -v ' 2[012]' | wc -l
891
[compton ~]$

(Those source files are derived from data files downloaded from ARIN, APNIC, LACNIC and RIPE this month.)

Other countries are similar. Korea has about 300 blocks, as does India, Singapore about 280, Taiwan about 225, Indonesia about 200, the Philippines about 170, Malaysia about 100... and then there is Japan with about 1000, New Zealand with 700, and Australia with roughly 4100. Blocking by country is not going to be easy.

Also, you can't use country codes in names (example, blocking *.cn or *.kr), because a significant number of hosts have names with three-letter TLDs like .com and .edu, AND a significant number of registrants violate RFCs by not having properly configured DNS servers to resolve IP addresses to names. Of course, blocking IPs that don't resolve may not be a bad idea either.

Old guy
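Old guy's point that the coarse /7 and /6 prefixes miss a lot of APNIC space can be checked mechanically against the stats lines he quotes. The following is an added example, not any poster's script: it parses lines in the `CC network netmask status` layout shown above, tests each block against the coarse prefix list, and generates iptables LOG/DROP rule strings (with a short log prefix, the habit jayjwa describes) for the blocks the coarse list does not cover. The CN lines are the ones quoted in the post plus one constructed 202.96.0.0/16 line to show the already-covered case; the chain name and log tag are placeholders, not anything from the thread.

```python
import ipaddress

# The coarse "block most of Asia/Pacific" prefixes from the post above.
COARSE_BLOCKS = [ipaddress.ip_network(p) for p in (
    "58.0.0.0/7", "60.0.0.0/7", "202.0.0.0/7",
    "210.0.0.0/7", "218.0.0.0/7", "220.0.0.0/6",
)]

# Sample lines in the 'CC network netmask status' layout quoted in the post:
# the three ARIN-registered CN blocks, the APNIC CN blocks the grep found
# outside the coarse prefixes, and one constructed line (202.96.0.0/16) that
# sits inside 202.0.0.0/7 to show the "already covered" case.
SAMPLE_STATS = """\
CN 192.124.154.0 255.255.255.0 assigned
CN 192.188.170.0 255.255.255.0 assigned
CN 192.83.122.0 255.255.255.0 assigned
CN 134.196.0.0 255.255.0.0 allocated
CN 159.226.0.0 255.255.0.0 allocated
CN 161.207.0.0 255.255.0.0 allocated
CN 162.105.0.0 255.255.0.0 allocated
CN 166.111.0.0 255.255.0.0 allocated
CN 167.139.0.0 255.255.0.0 allocated
CN 168.160.0.0 255.255.0.0 allocated
CN 198.17.7.0 255.255.255.0 allocated
CN 202.96.0.0 255.255.0.0 allocated
"""


def parse_stats(text, country):
    """Return the networks on lines tagged with `country`.

    The netmask column is handed to ipaddress, which rejects non-contiguous
    masks and (with strict=True) host bits set in the network field, so a
    damaged data line fails loudly instead of producing a wrong rule.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != country:
            continue
        nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True))
    return nets


def uncovered(nets, coarse=COARSE_BLOCKS):
    """Networks from `nets` that no coarse prefix fully contains."""
    return [n for n in nets if not any(n.subnet_of(c) for c in coarse)]


def coarse_address_count(coarse=COARSE_BLOCKS):
    """How many IPv4 addresses the coarse list drops in total."""
    return sum(c.num_addresses for c in coarse)


def iptables_rules(nets, chain="INPUT", tag="apnic-CN"):
    """Build one LOG and one DROP rule per block, as command strings.

    The log prefix carries a short note so the firewall log says why a packet
    was dropped. iptables limits --log-prefix to 29 characters, so it is cut
    there. `chain` and `tag` are placeholders.
    """
    rules = []
    for n in nets:
        prefix = f"{tag} {n.with_prefixlen}: "[:29]
        rules.append(f'iptables -A {chain} -s {n.with_prefixlen} -j LOG --log-prefix "{prefix}"')
        rules.append(f"iptables -A {chain} -s {n.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    cn = parse_stats(SAMPLE_STATS, "CN")
    missed = uncovered(cn)
    print(f"coarse list covers {coarse_address_count():,} addresses")
    print(f"{len(missed)} of {len(cn)} CN blocks in the sample fall outside it:")
    for rule in iptables_rules(missed):
        print(" ", rule)
```

Fed the full per-RIR stats files instead of the sample, `uncovered()` gives the per-country remainder Old guy is counting with his grep pipeline, and the generated rules are the long tail a country block needs on top of the six coarse prefixes.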
On 2004-11-12, Brian Hall <brihall@nowhere.org> wrote:

> On 2004-11-12, jayjwa wrote:
>> mail. Chinanet and Kornet, .kr, .jp- don't both: never any reply. I started
>> dropping all traffic from those netblocks in those places were I had received
>> an attack from. For the iptables log prefix, I write a short note what the
>> block was for. You should see my firewall logs; they look like a blow-by-blow
>> sports commentary now.
>
> Could you post the iptables rules you use to block the asian nets? Thx

They're not complete, just the ones that have sent malicious traffic or spammed, but you can find full lists at http://www.blackholes.us/

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++