[SGVLUG] ssh breakins

Jeff Carlson jeff at ultimateevil.org
Tue Aug 8 23:04:54 PDT 2006


James Neff wrote:
> Chances are these are script kiddies looking for something fun to do. 
> Or, they are folks looking for an FTP site to host their Warez stuff.

Or more likely either use your computer to attack even more hosts, or to 
have you join an army of zombie spam-bots.

> I wrote a script that went through and pulled out the IP addresses from
> the log files and added them to my iptables drop list.  I also
> researched some of them, with the help of WHOIS from Network Solutions
> web pages, and found the ones coming from eastern Europe and Asia.  I
> banned entire subnets (some */7) from ever getting to my network again. 

There already exist several resources to figure out which network 
authority or country is responsible for any IP range.  First is 
http://www.iana.org/assignments/ipv4-address-space which lists what 
authority is responsible for every */8 block.  Next is 
http://blackholes.us which has zone files available via rsync for every 
country.  The supplied zone files are in formats for tcp_wrappers, a 
plain text format, and a format for a particular DNS server used as a 
blackhole server.  I have some scripts for converting this data to BIND 
format if anyone wants them.

> If you have spare time, you could call the ISP's tech support line
> (lookup on Network Solutions' WHOIS page) and threaten litigation if
> they do not police their own network.  This will only work for US based
> ISP's.  I sent out a few "cease and assist" e-mails to the abuse e-mail
> address of several ISP's and one of them called me right back to
> apologize. 

Just about any Unix or Linux has a whois command, so why bother using 
NetSol's web page?

> I always thought it would be fun to write a script (somehow trigger it
> by the ssh daemon upon receiving a failed login attempt) that would
> automatically portscan and DoS on the offending client. 

DenyHosts can trigger an extension program that receives the IP address 
of the attacker as *argv[1].  You could do pretty much anything, do a 
whois lookup, get the ISP name, send email to abuse@, etc.  Note that 
portscanning is legal, however performing a DoS attack may be regarded 
as illegal.
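As an added illustration of the log-to-drop-list script James describes (example code written for this archive page, not James's or Jeff's script, and not DenyHosts code), the following parses constructed sshd log lines, counts failed passwords per source address, and emits iptables DROP rules only for addresses past a threshold and outside the local/private ranges, so a mistyped password from the LAN never locks the admin out. The log lines, hostnames and addresses are constructed samples; the threshold of 3 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not from the thread).
SAMPLE_LOG = """\
Aug  8 22:51:02 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug  8 22:51:05 host sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug  8 22:51:09 host sshd[4125]: Failed password for root from 203.0.113.7 port 51244 ssh2
Aug  8 22:52:00 host sshd[4130]: Failed password for root from 198.51.100.9 port 40002 ssh2
Aug  8 22:53:10 host sshd[4133]: Accepted publickey for jeff from 192.168.1.20 port 5022 ssh2
Aug  8 22:54:00 host sshd[4140]: Failed password for jeff from 192.168.1.20 port 5023 ssh2
"""

# Matches the source address of a failed password attempt logged by sshd.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Ranges never added to the drop list: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def blockable(ip):
    """True only for a syntactically valid IPv4 address outside LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "999.1.1.1" slipped through the regex
        return False
    return not any(addr in net for net in LOCAL_NETS)

def drop_rules(log_text, threshold=3):
    """Build iptables DROP rules (as strings) for addresses at/over the threshold."""
    rules = []
    for ip, n in sorted(count_failures(log_text).items()):
        if n >= threshold and blockable(ip):
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```

The rules are only printed, not executed; review them before feeding them to a shell, since a blanket */7 ban like the one in the thread can take whole legitimate networks with it.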


More information about the SGVLUG mailing list