Linode Forum https://forum.linode.com/

Break-In Attempts https://forum.linode.com/viewtopic.php?f=19&t=7166
Page 1 of 2

Author: mikefletcher [ Fri May 27, 2011 12:49 pm ]
Post subject: Break-In Attempts
I am a recent customer of Linode. I have a fairly constant stream of attempted break-ins to my machine. As examples, 212.190.88.175/dmz2-ip175.elex.be has made several attempts via SSH to access accounts named root, admin and mysql. 61.163.4.102/hn.ly.kd.adsl is attempting to access the Tomcat manager. I have taken reasonable steps to prevent break-ins, so my question isn't about that. MySQL and Tomcat are not installed on the box. The "admin" account does not exist, and the "root" account cannot be accessed via SSH. Rather, what can I do to inform the network operators / authorities about attempts to break into my machine?

Author: GLaDOSDan [ Fri May 27, 2011 12:53 pm ]
Thousands of these 'break-in attempts' are sent automatically from (probably) stolen servers every day. I get tons of these, all of which are useless if you use public-key authentication. tl;dr: There is no point in reporting them, and you should use public-key authentication.

Author: Obsidian [ Fri May 27, 2011 12:54 pm ]
This will happen to you daily from numerous IP addresses. You're not going to be able to keep up with the number of abuse reports you'll have to send out. There is something worth taking a look at, though, to cut the attacking IP addresses off after so many tries: http://library.linode.com/security/basi ... rd-attacks
I recommend denyhosts, personally.

Author: obs [ Fri May 27, 2011 1:03 pm ]
You can report them to the abuse email for the IP, in this case abuse@be.uu.net. You can get that by doing "whois ipaddress". However, in all my years as an admin I've only ever had one response to an abuse email I've sent.

Author: mikefletcher [ Fri May 27, 2011 1:16 pm ]
Is there a general way to identify the owner of an IP address? Some domains are kind of bogus, like hn.ly.kd.adsl. I'm thinking of something like looking up through BGP or IANA or something about who has the block of IPs.

Author: Guspaz [ Fri May 27, 2011 1:59 pm ]
Generally, the procedure is:
1) Look up the IP on http://www.iana.org/cgi-bin/whois to find out what RIR manages the IP.
2) Look up the IP on the RIR's WHOIS page (IANA's whois gives you the address).
As an example, let me look up the IP of my linode, 97.107.142.x. First, I enter the IP on the IANA whois. This tells me it's administered by ARIN, and that the whois for ARIN is http://whois.arin.net. Next, I enter the IP on http://whois.arin.net, which tells me lots of info about this IP, such as that it's owned by Linode, the address and telephone number of Linode, their designated abuse contact, etc.
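As an added example (not from the thread or from any registry), here is the two-step lookup handled programmatically: a small Python parser for the "key: value" text that the IANA and RIR whois servers return, which follows IANA's refer: line to the right RIR and then pulls out the abuse contact. The sample replies are constructed with documentation addresses and are not real registry records.

```python
import re
from collections import OrderedDict

# Constructed IANA-style reply: the "refer:" line names the RIR whois server (step 1).
SAMPLE_IANA = """\
refer:        whois.arin.net
inetnum:      192.0.0.0 - 192.255.255.255
"""

# Constructed ARIN-style reply (step 2), using ARIN's OrgAbuse*/RAbuse* contact fields.
SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting Inc.
OrgAbuseEmail:  abuse@example.net
RAbuseEmail:    abuse@example.net
OrgTechEmail:   noc@example.net
"""

# Constructed RIPE-style reply: lower-case keys and an "abuse-mailbox:" attribute.
SAMPLE_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
abuse-mailbox:  abuse@example.be
e-mail:         hostmaster@example.be
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")
ABUSE_KEYS = ("abuse-mailbox", "orgabuseemail", "rabuseemail")
FALLBACK_KEYS = ("e-mail", "orgtechemail")

def parse_whois(text):
    """Map lower-cased 'Key: value' lines to values, keeping the first of each key."""
    fields = OrderedDict()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def referral_server(iana_text):
    """RIR whois host named by IANA's refer: line, or None if there is no referral."""
    return parse_whois(iana_text).get("refer")

def abuse_contacts(rir_text):
    """Addresses to notify: dedicated abuse mailboxes first, generic contacts as fallback."""
    fields = parse_whois(rir_text)
    found = [fields[k] for k in ABUSE_KEYS if k in fields]
    if not found:
        found = [fields[k] for k in FALLBACK_KEYS if k in fields]
    return list(OrderedDict.fromkeys(found))  # de-duplicate, keep order
```

Feeding the real output of "whois -h whois.iana.org <ip>" and then "whois -h <refer host> <ip>" into these functions gives the same result the manual two-step lookup does.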

Author: vonskippy [ Fri May 27, 2011 1:59 pm ]
I'd find a new hobby - tracking down bots on the internet has a zero ROI (both in fun and profit). Besides, if you don't take even the most minor of steps to secure your box so that you don't get hacked by script kiddies, most people (including myself) will have zero sympathy for you.

Author: hoopycat [ Fri May 27, 2011 3:06 pm ]
For looking up who is responsible for an IP, revip.info is a pretty good reference, too.

Author: haus [ Sat May 28, 2011 8:38 pm ]
As others have stated... you just have to learn to ignore these things. Complete. Waste. Of. Time. (I do want to know what the one response to obs was, though!) I will make the suggestion that you move SSH to a different port. It reduces the attempted logins from bots by a massive amount (essentially zero). It's like hiding your front door on the side of your house. You're still responsible for locking it, but at least it's not immediately evident from the street. Anyone else caught portscanning will be blocked by your CSF/LFD installation. And of course with LFD or fail2ban you're more protected from failed logins. To say nothing of using keys rather than passwords for SSH logins, which was noted by GLaDOSDan.
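As an added illustration (not from the thread, and not fail2ban's or LFD's own code), this is the per-source counting those tools do over sshd's auth log, written as a small Python routine over constructed sample log lines. The addresses and hostnames are documentation values, and the maxretry threshold is an assumption that mirrors fail2ban's setting of the same name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines in sshd's format; the usernames
# echo the root/admin/mysql/tomcat probes from the first post, the IPs are not real.
AUTH_LOG = """\
May 28 21:03:11 linode sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 28 21:03:13 linode sshd[12345]: Failed password for root from 192.0.2.10 port 51236 ssh2
May 28 21:03:15 linode sshd[12347]: Invalid user mysql from 198.51.100.7
May 28 21:03:16 linode sshd[12347]: Failed password for invalid user mysql from 198.51.100.7 port 51300 ssh2
May 28 21:03:20 linode sshd[12350]: Accepted publickey for mike from 203.0.113.5 port 40000 ssh2
May 28 21:03:25 linode sshd[12352]: Failed password for invalid user tomcat from 192.0.2.10 port 51340 ssh2
"""

# Only "Failed password" lines are counted: an attempt on a non-existent account also
# logs an "Invalid user" line first, and counting both would double every such try.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Return (failed attempts per source IP, usernames tried per IP) from auth log text."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return per_ip, users

def offenders(log_text, maxretry=3):
    """IPs with at least maxretry failures, busiest first: what a ban tool would block,
    and the short list worth running through whois for an abuse report."""
    per_ip, users = failed_logins(log_text)
    return [(ip, n, sorted(users[ip]))
            for ip, n in per_ip.most_common() if n >= maxretry]
```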

Author: mikefletcher [ Sat May 28, 2011 10:21 pm ]
Thank you, I had already secured the box. How to secure the box wasn't really my question. In any case, if I hadn't, my machine would have been compromised days ago. I have had 2800 attempted logins in the last week, 2300 today. I really don't like it that someone can constantly attempt to break into other machines and nobody will do anything about it. Though I imagine jurisdiction and language put up some pretty big barriers. Most of the attacks so far have come from Russia (surprise). I'm hoping for a bit of luck with the 2300 attempts today. They almost all came from a site in Montreal, and maybe I will have a bit of luck as I also hail from Canada. PS: I have found just invoking "whois [ip]" from Linux gives the best answers on who is responsible. Most operators will have an abuse email address.

Author: mikefletcher [ Sat May 28, 2011 10:26 pm ]
Now I assume it is NOT futile to contact Linode about abuse ... They have abuse contacts ...
RAbuseHandle: LAS12-ARIN
RAbuseName: Linode Abuse Support
RAbusePhone: +1-609-593-7103
RAbuseEmail: abuse@linode.com
RAbuseRef: http://whois.arin.net/rest/poc/LAS12-ARIN

Author: vonskippy [ Sat May 28, 2011 10:35 pm ]
You should get a mask and a cape - then you could be the superhero fighting botnets on the wild wild Internet. Never fear!!!!!!! Bitboy is here!!!!!!! Whooooosh, Zap!, Bammo!

Author: haus [ Sun May 29, 2011 12:58 am ]
mikefletcher wrote: Thank you, I had already secured the box. How to secure the box wasn't really my question. In any case if I hadn't my machine would have been compromised days ago. I have had 2800 attempted logins in the last week. 2300 today
Well, to be fair, if you took my advice and changed the port that number would be zero. Just sayin'. I know it wasn't your question, but I considered it helpful advice, since I don't consider reporting Eastern European script kiddies to be of any particular use. I suspect you will eventually be frustrated by a lack of interest on the part of people who don't care about what goes on in their own networks, let alone yours.

Author: Stan 2.0 [ Sun May 29, 2011 3:27 am ]
haus wrote: Well, to be fair, if you took my advice and changed the port that number would be zero.
I've changed my SSH port number to 1402 and still have 10-20 break-in attempts per hour. No idea how they found out which port it is. These break-in attempts are pretty useless because I only use public-key authentication. Still annoying, though.

Author: graq [ Sun May 29, 2011 3:49 am ]
vonskippy wrote: You should get a mask and a cape - then you could be the superhero fighting botnets on the wild wild Internet. Never fear!!!!!!! Bitboy is here!!!!!!! Whooooosh, Zap!, Bammo!
Holy address lookup! Is that IPv6, Bitboy??

All times are UTC-04:00