From: Vahis on 18 Apr 2010 23:19

On 2010-04-18, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>>>> Say a machine attempts like ten times and a script sends mail to their
>>>> abuse mail address.
>>>
>>> OK, the sending.
>>
>> And blocking. Both automagic.
>
> OK, I will send a mail to abuse at elisa.fi to block 88.112.24.179

I meant that the script would block the address in my machine like
blockhosts does and then send mail to the provider of that IP.

> Need a log proof?

I thought they did so last time I sent some provider (years ago) an email
to see what happens. I attached a log excerpt as proof.
I never asked them to do anything, I just made them aware of an
address(es) abusing by brute force attacks.

> Apr 18 11:10:18 penne sshd[32277]: Invalid user update from 88.112.24.179
>
> See how that is not going to work. ;-)

So exactly what did you try?

>
>>> http://bubba.org/wiki/index.php/SSH_Log_Action_Script
>>> This is written in perl, but it should work. At least partly.
>>
>> There are risks with log readers like blockhosts:
>> http://www.ossec.net/main/attacking-log-analysis-tools
>
> Sure there is. However the sample given will not cause a real issue:
> Apr 18 21:28:40 penne sshd[32018]: \
> Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 127.0.0.1
>
> So if you look at only the IP address after the from, then you have an
> issue. If you look at the last item, then there is no issue.
>
> I also tried the blockhosts one and I did not get the expected behaviour
> as the latest version already has the patch worked in. They talk about
> 2.0.3 I have version 2.4
>
> So at least with BlockHosts the URL is out of date. From the examples
> that page is from 2007.

OK.

>> Since strong passwords is my mantra I haven't installed blockhosts on
>> main machine anyway. (or did I forget, gee... lemme think...)
>
> Strong passwords are about security. BlockHosts is not about security.
> Also I was not talking about whatever blockhosts does, but about
> contacting the people to do something about it.

That's what I meant with expanding from what it does now to also send
mail.

>
>>> What are you going to do with an address like
>>> a88-112-24-179.elisa-laajakaista.fi?
>>
>> You can easily get the IP from it I guess. It's in it. Well hidden :)
>> That's a virtual machine. With blockhosts.
>
> Yeah, but what if I send an email to the provider and that provider
> automagically blocks that IP? That is why I think automatic blocking is
> a bad thing.

I wasn't talking about that. I meant:
Automatic blocking _in my machine_ like blockhosts does: yes.
Automatic email to ISP with a log attached: yes
What they do is up to them.

>>> Although that might not be very useful. Looking at my own domain and my
>>> own IP, I would never get the email myself.
>>
>> I guess it's the ISP that is supposed to get the mail.
>
> Well, yes and no. There are several options:
> 1) You mail the user of the IP address and let them solve the mistake
> themselves

Where do you send mail if you only have an IP, no email address?

> 2) Mail the provider and let them handle everything

I did that.

> 3) Send them both an email

See 1.

>
> The reason I am hesitant is because there are many providers out there
> who themselves have absolutely no clue as to what they are doing. There
> are disadvantages with all of them.
> The IP address user ignoring you is an obvious one. However mailing the
> provider might result in several things.
> 1) The customer gets cut off without warning. I believe education is
> better than punishment.
> 2) They cut off the wrong user, because they do not understand what UTC
> stands for.
> 3) Nothing happens, while the IP user would gladly be helping
>
>> I've heard of honeypots and tarpits as well.
>> Somehow the latter sounds more fun, haven't looked into them though :)
>
> The latter is just slowing down everything. Basically used in SMTP. It
> occupies the attacking server.
>

So it seems, I googled.

--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
05:56am up 1 day 10:38, 6 users, load average: 0.25, 0.13, 0.04
From: Vahis on 19 Apr 2010 02:33

On 2010-04-19, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> I meant that the script would block the address in my machine like
>> blockhosts does and then send mail to the provider of that IP.
>
> OK. Then I misunderstood. I was not talking about BlockHosts anymore.
>
>>> Strong passwords are about security. BlockHosts is not about security.
>>> Also I was not talking about whatever blockhosts does, but about
>>> contacting the people to do something about it.
>>
>> That's what I meant with expanding from what it does now to also send
>> mail.
>
> I would be against it with how BlockHost works. But by all means, adapt
> it and also contact the maker and see what he has to say about it.

As a non-skilled user I'd think of a script that first would grep the
addresses:

devlab:~ # grep 'Invalid user' /var/log/messages |awk '{ip_array[$10]++;} END{for(ip_address in ip_array){print "FROM ",ip_address," there has been",ip_array[ip_address],"attempts"}}'

I could see maybe:

FROM 80.246.114.198 there has been 1828 attempts
FROM 79.188.159.100 there has been 1587 attempts

Then finding their ISP's abuse mail addresses by maybe whois.

Then sending them mail like:

FYI:
FROM 80.246.114.198 there have been 1828 attempts to crack my server
which has IP address 88.112.24.179.

Vahis

--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
09:16am up 1 day 13:58, 6 users, load average: 0.00, 0.02, 0.00
From: Vahis on 20 Apr 2010 14:38

On 2010-04-20, Moe Trin <ibuprofin(a)painkiller.example.tld.invalid> wrote:
> On Mon, 19 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
> <20100419091656(a)usenet.waxborg.local>, Vahis wrote:
>
>> As a non-skilled user I'd think of a script that first would grep the
>> addresses:
>
>> devlab:~ # grep 'Invalid user' /var/log/messages |awk
>> '{ip_array[$10]++;} END{for(ip_address in ip_array){print "FROM
>> ",ip_address," there has been",ip_array[ip_address],"attempts"}}'
>
>> I could see maybe:
>
>> FROM 80.246.114.198 there has been 1828 attempts
>> FROM 79.188.159.100 there has been 1587 attempts
>
> 'bots. The second one is tpnet.pl who is notorious for ignoring abuse
> complaints. They're almost as useless as verizon.net or swbell.
>
> you won't find as much traffic as there used to be ~5 years ago. Most
> abuse-desk positions have been eliminated by the bean counters as
> non-profitable. Sad, but true.

I got an awesome result by running this:

zgrep "Invalid user" /var/log/messages* | awk '{print $8}' | sort | uniq -c | sort -nr | less

It's amazing. Especially the number of Finnish first names and even a few
Finnish family names quite a number of times were stunning.

The top 5 is quite predictable though:

    444 test
    398 oracle
    284 nagios
    214 user
    200 guest

Vahis

--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
21:27pm up 3 days 2:09, 11 users, load average: 0.09, 0.09, 0.02
From: Vahis on 19 Apr 2010 13:36

On 2010-04-19, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> As a non-skilled user I'd think of a script that first would grep the
>> addresses:
>>
>> devlab:~ # grep 'Invalid user' /var/log/messages |awk
>> '{ip_array[$10]++;} END{for(ip_address in ip_array){print "FROM
>> ",ip_address," there has been",ip_array[ip_address],"attempts"}}'
>
> The ip_array[$10]++; makes it vulnerable to the false logfile stuff you
> warned me for earlier. ;-)

I'm not going to try to do anything, anyway. Too much work for nothing.

<snip>

> I would even add the lines from the logfile (perhaps as an attachment),
> and I see that as a useful thing.

I did exactly that some time ago. Manually.
I probably won't bother anymore.

<snip>

>
> So now those will be blocked as well. At least that is what I hope. Will
> see what happens in a few days.

I will just let them try. I'm sure there will be no harm, sshd is secure
AFAIK.

I'm running blockhosts on this virtual machine and currently

#---- BlockHosts Additions
ALL: 212.14.228.46 : deny
ALL: 61.151.246.140 : deny
ALL: 59.39.66.30 : deny
ALL: 61.233.76.135 : deny
ALL: 68.71.49.2 : deny
#---- BlockHosts Additions

has only those at the moment.

My main machine is at a non-standard port and nobody has tried anything in
maybe a year.

Vahis

--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
20:26pm up 2 days 1:08, 8 users, load average: 0.07, 0.03, 0.01
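The two weaknesses raised in this thread, counting on awk field $10 (which the crafted "myfakeuser from 10.1.1.1 port 123 ssh2" username from the ossec article defeats) and tallying attempted usernames with the zgrep pipeline, can be handled together by parsing the line anchored at its end, so the source IP is always the last "from" that sshd itself wrote. The following is an added example, not code from the thread or from BlockHosts; the log lines are constructed, it assumes the syslog-style sshd format shown in the posts with IPv4 addresses only, and the threshold of ten attempts is taken from the first post.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd/syslog format seen in the thread. The
# fourth line carries a username that embeds a fake " from 10.1.1.1 port 123
# ssh2" suffix; the real peer address is the final 127.0.0.1.
SAMPLE_LOG = """\
Apr 18 11:10:18 penne sshd[32277]: Invalid user update from 88.112.24.179
Apr 18 11:10:21 penne sshd[32279]: Invalid user oracle from 88.112.24.179
Apr 18 11:10:25 penne sshd[32281]: Invalid user test from 80.246.114.198
Apr 18 21:28:40 penne sshd[32018]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 127.0.0.1
Apr 18 21:28:41 penne sshd[32019]: Invalid user test from 80.246.114.198 port 4022
Apr 18 21:29:02 penne sshd[32020]: Accepted publickey for vahis from 192.0.2.10 port 51000 ssh2
"""

# Anchored at end of line: the greedy (?P<user>.*) swallows any " from X" an
# attacker planted inside the username, so the IP group only ever matches the
# trailing "from <ip>[ port N][ ssh2]" that sshd appended.  IPv4 only (assumption).
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: port \d+)?(?: ssh2)?\s*$"
)


def parse_invalid_user(line):
    """Return (attempted_username, source_ip) for an 'Invalid user' line, else None."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip")


def naive_ip(line):
    """The awk-style $10 extraction from the thread, kept only for comparison."""
    fields = line.split()
    if len(fields) >= 10 and fields[6] == "user" and fields[8] == "from":
        return fields[9]  # $10 in awk: the first token after the first "from"
    return None


def count_attempts(log_text):
    """Tally 'Invalid user' lines per source IP and per attempted username."""
    by_ip, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_invalid_user(line)
        if parsed:
            user, ip = parsed
            by_ip[ip] += 1
            by_user[user] += 1
    return by_ip, by_user


def offenders(by_ip, threshold=10):
    """Source IPs with at least `threshold` attempts, most active first."""
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


def report_line(ip, n, my_ip):
    """The one-line notice in the form Vahis proposed sending to an abuse desk."""
    return (f"FYI: FROM {ip} there have been {n} attempts to crack my server "
            f"which has IP address {my_ip}.")


if __name__ == "__main__":
    by_ip, by_user = count_attempts(SAMPLE_LOG)
    crafted = SAMPLE_LOG.splitlines()[3]
    print("naive $10 says:", naive_ip(crafted), "| anchored parse says:",
          parse_invalid_user(crafted)[1])
    for ip, n in offenders(by_ip, threshold=2):   # 2 instead of 10 for the tiny sample
        print(report_line(ip, n, "198.51.100.7"))  # placeholder for the reporter's IP
    print("top usernames:", by_user.most_common(3))
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents; the point of the comparison is that `naive_ip` attributes the crafted line to 10.1.1.1, an address that could belong to anyone, while the anchored parse attributes it to the connecting peer, which is the only value safe to act on or to forward in an abuse report.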
From: Moe Trin on 19 Apr 2010 23:36

On Mon, 19 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<20100419091656(a)usenet.waxborg.local>, Vahis wrote:

>As a non-skilled user I'd think of a script that first would grep the
>addresses:

>devlab:~ # grep 'Invalid user' /var/log/messages |awk
>'{ip_array[$10]++;} END{for(ip_address in ip_array){print "FROM
>",ip_address," there has been",ip_array[ip_address],"attempts"}}'

>I could see maybe:

>FROM 80.246.114.198 there has been 1828 attempts
>FROM 79.188.159.100 there has been 1587 attempts

'bots. The second one is tpnet.pl who is notorious for ignoring abuse
complaints. They're almost as useless as verizon.net or swbell.

>Then finding their ISP's abuse mail addresses by maybe whois.

There _used_to_be_ a 'whois.abuse.net' that listed abuse@ addresses for
many domains. I don't know how well it works any more.

>Then sending them mail like:
>
>FYI:
>FROM 80.246.114.198 there have been 1828 attempts to crack my server
>which has IP address 88.112.24.179.

If you are lucky, you may get a response from an ignore-bot server at the
ISP, and little else. If you look in the Usenet newsgroups in the
'news.admin.net-abuse.* newsgroups

[compton ~]$ zgrep net-abuse big.8.list.04.15.10.gz
news.admin.net-abuse.blocklisting   Discussion of ip-based blocklisting. (Moderated)
news.admin.net-abuse.bulletins      Bulletins of action about net abuse. (Moderated)
news.admin.net-abuse.email          Discussion of abuse of email systems.
news.admin.net-abuse.misc           Network facility abuse, including spamming.
news.admin.net-abuse.policy         Discussion of net abuse policy. (Moderated)
news.admin.net-abuse.sightings      Sightings of net abuse. (Moderated)
news.admin.net-abuse.usenet         Discussion of abuse of the Usenet system.
[compton ~]$

you won't find as much traffic as there used to be ~5 years ago. Most
abuse-desk positions have been eliminated by the bean counters as
non-profitable. Sad, but true.

Old guy