[SGVLUG] Who is that knocking on my ports?

Claude Felizardo cafelizardo at gmail.com
Mon Jan 12 17:45:08 PST 2009


On Mon, Jan 12, 2009 at 5:04 PM, Emerson, Tom (*IC)
<Tom.Emerson at wbconsultant.com> wrote:
> Those of you who run servers have probably seen this in their logs --
> "failed password for illegal user ... From <some.ip.address> port ...
> Ssh[2]", repeated in stretches, with user names ranging from "admin" to
> "zimbra", all from the same IP address -- an obvious "break-in" attempt
> [using brute force / sheer luck / whatever]
>
> I'd like to develop a script [or perhaps someone has already] to do the
> following
>
>   1) identify the ISP or suitable "owner" of the netblock containing
> the IP address
>   2) for "well known" ISPs, look up their security or "abuse" e-mail
> addresses
>   3) generate, in real time, an e-mail report of the break-in attempt --
> one e-mail per attempt :)
>
> Yes, I intend to "spam" the ISP about what their user(s) are doing.
>
> Of course, I'd want to have a threshold before this triggers -- I might
> be "in the field" and mistype my own login [it happens...] and/or for
> the general case of one or two attempts, sort of like "getting a phone
> trace", if the attack stops before my system can report it, there might
> not be too much the ISP can do about it at that particular moment.
>
> I expect responses from the ISPs along these lines
>
>  1) nothing
>  2) canned "thank you" [perhaps even one-per-message I sent originally,
> reverse spam...]
>  3) WTF?  [and/or variations on "hey, you're spamming US"]
>  4) thanks, caught him in the act! [ok, maybe I don't /really/ expect
> this one all that often...]
>  5) hmm, nice monitoring script you've got there, but seriously, if
> there is an "attack in progress", just one message would do [hey, I can
> dream, can't I?]
>
> [this might even make a nice "project" for the devsig to tackle...]
>
> Thoughts?

I also recommend against sending an email per attempt.  Otherwise, your
site could be turned into a DoS vector.  It would also slow your machine
down having to look all this info up each time.  Then YOUR ISP might
think you are spamming people.

I never see these at home since I use port knocking as well as
non-standard ports.  It works so well that if I forget what my magic
port numbers are for the time period, even I can't get in.  You'll never
get a prompt, as the packets are silently dropped unless you are logging
stuff.  I did the presentation on simple port knocking last year, I
think.  Perhaps a presentation on advanced port knocking would be
useful.

Another thing to do would be to have something that monitors your logs
and, if it detects ssh attempts by an account that you would never use
remotely, automatically blocks that IP for a set period of time.  A
friend of mine does that for various ports.

Hmm, looks like I'm still getting about 4 or 5 probes a day at home.
It's never been at a level that has caused me much concern.  Now what
might be fun is to set up a honeypot to slow down the probes.

claude
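As an added example (not code from the thread, from Tom, or from Claude), here is a small Python log monitor that combines the two ideas discussed above: a threshold before anything fires, so a mistyped login from the field does not trigger a report, and the rule of reacting straight away to login attempts against accounts that are never used remotely. It aggregates failures per source address, so the output is one report per offending host rather than one per attempt, and it returns a block-expiry time instead of calling the firewall. The sample log lines, the addresses (RFC 5737 documentation ranges), the year, the threshold, the window and the `NEVER_REMOTE` set are constructed assumptions; the netblock/abuse-contact lookup is deliberately left out so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines, modelled on the
# "Failed password for invalid user ..." lines quoted in the thread.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 17:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 17:01:05 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 12 17:01:09 host sshd[1234]: Failed password for invalid user zimbra from 203.0.113.7 port 51251 ssh2
Jan 12 17:01:12 host sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jan 12 17:01:20 host sshd[1234]: Failed password for root from 203.0.113.7 port 51270 ssh2
Jan 12 17:30:00 host sshd[1300]: Failed password for claude from 198.51.100.5 port 40000 ssh2
Jan 12 17:30:30 host sshd[1301]: Accepted password for claude from 198.51.100.5 port 40001 ssh2
Jan 12 18:00:00 host sshd[1400]: Failed password for invalid user admin from 192.0.2.44 port 33000 ssh2
"""

# Accounts the owner would never log into over the network (assumed list).
NEVER_REMOTE = frozenset({"root", "admin"})

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class SourceSummary:
    """Everything seen from one source address."""
    ip: str
    count: int = 0
    users: set = field(default_factory=set)
    timestamps: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_failures(text, year=2009):
    """Return (timestamp, user, ip) for each failed-password line.

    Syslog lines carry no year, so the caller supplies one (assumed 2009
    to match the thread). Lines that are not failures are skipped.
    """
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def assess(failures, threshold=3, window=timedelta(minutes=10), never_remote=NEVER_REMOTE):
    """Group failures by source and decide which sources warrant action.

    A source is flagged if at least `threshold` failures fall inside any
    `window` (so one or two typos are ignored), or immediately if it tries
    an account in `never_remote`, regardless of count.
    """
    by_ip = {}
    for ts, user, ip in failures:
        s = by_ip.setdefault(ip, SourceSummary(ip))
        s.count += 1
        s.users.add(user)
        s.timestamps.append(ts)

    flagged = {}
    for ip, s in by_ip.items():
        ts = sorted(s.timestamps)
        # Sliding window: do `threshold` consecutive attempts fit in `window`?
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            s.reasons.append(f"{threshold}+ failures within {window}")
        hit = sorted(s.users & never_remote)
        if hit:
            s.reasons.append("attempted never-remote account(s): " + ", ".join(hit))
        if s.reasons:
            flagged[ip] = s
    return flagged


def build_report(summary):
    """One report per offending source address, never one per attempt."""
    first, last = min(summary.timestamps), max(summary.timestamps)
    return "\n".join([
        f"Source: {summary.ip}",
        f"Failed SSH logins: {summary.count} between "
        f"{first:%Y-%m-%d %H:%M:%S} and {last:%Y-%m-%d %H:%M:%S}",
        "Usernames tried: " + ", ".join(sorted(summary.users)),
        "Triggered by: " + "; ".join(summary.reasons),
    ])


def block_until(summary, duration=timedelta(hours=1)):
    """When a temporary block on this source should expire (assumed 1 hour)."""
    return max(summary.timestamps) + duration


if __name__ == "__main__":
    for ip, summary in assess(parse_failures(SAMPLE_LOG)).items():
        print(build_report(summary))
        print(f"Block until: {block_until(summary):%Y-%m-%d %H:%M:%S}\n")
```

Because the decision is made per source rather than per line, the reporting side naturally becomes one message per host per block period, which is the rate limit the replies above ask for; the same `flagged` dictionary can feed a firewall rule with the `block_until` expiry instead of, or in addition to, a report.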
