[lug] TCP Wrappers and Going After Bad People

Walter Pienciak walter at frii.com
Wed Sep 12 12:14:54 MDT 2001


On Wed, 12 Sep 2001, Greg Horne wrote:

> Yo BLUG, yes. . . You CAN help Greg get the bad guys!
>
> So two people stand out in my logs as always trying to break into my
> systems.  I get e-mails daily from the servers saying . . .Tried NS1, tried
> MMS1, tried Webserver 1, etc. . .
>
> My question is this:  Have any of you tried to track some of these people
> down?  Any success stories to tell?  If so, what were your methods?
>
> For good measure i'll include the *evil* offenders.
>
> attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165
> to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
>
> attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5 to
> in.ftpd at Tue Sep 11 18:57:37 PDT 2001
>
> Thanks,
>
> Greg Horne

Hi, Greg.

1)  Many security people are going to yawn if you present occasional
    attempts at FTP access as hacking that demands their attention.
    I assume there's more:  i.e., attempts on many services, so that
    the logs show a clear pattern of repeated attempts on ports they
    have no business attempting to access.

That said, you proceed by

a)  Make DAMNED sure you have NTP running on your hosts.  These connection
    attempts may be from dial-up/part-time connections, or hosts with
    multiple users, and unless your log's timestamps can be correlated
    EXACTLY to their ISP's records, you are out of luck.  So make sure
    NTP is running and synchronizing correctly NOW, and don't waste
    your time pursuing this until/unless they hit you again, at which point
    you'll have synchronized log files.

b)  Do your research as to the correct contacts within the offending
    ISPs.  Look on their main website for security or abuse e-mail
    aliases.  If that fails, look to their DNS SOA records for
    a valid administrative alias within the domain.  They may deal with
    your request, forward it on correctly or incorrectly, or ignore it.
    Here's how you get an SOA record:

    thunderdome [20]% nslookup
    > set type=SOA
    > sympatico.ca
    Server:         216.17.128.1
    Address:        216.17.128.1#53

    sympatico.ca
        origin = dns1.sympatico.ca
        mail addr = dns-admin.sympatico.ca
        serial = 400109041
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 1200
    > ^D

    That line that reads 'mail addr = dns-admin.sympatico.ca' ?
    Change the first . to an @:  dns-admin at sympatico.ca

c)  Notify the ISP, and include relevant log data.

d)  Don't expect a response, but move on.  Make sure your system
    is as secure as you can make it, because responding to attempted
    accesses is like playing Whack-a-Mole.

Walter
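Steps b) and c) above are mechanical enough to script: pull the "mail addr" (the SOA RNAME) out of nslookup output, turn it into a mailbox, and summarize the TCP Wrappers notification lines per source so the abuse report carries the timestamps the ISP needs. The following is an added example, not code from the thread or from either poster. It assumes nslookup output in the shape shown above and notification lines in the "attempt from ... to ... at ..." format Greg quoted; the third log line and the trimmed SOA block are constructed sample input, and the RNAME conversion follows RFC 1035 (the first unescaped dot becomes '@', a backslash-escaped dot stays a literal dot in the local part), which is the one case the "change the first . to an @" rule gets wrong.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones quoted in the thread,
# the third (in.telnetd) is made up to show grouping of repeated attempts.
SAMPLE_LOG = """\
attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5 to in.telnetd at Tue Sep 11 18:58:02 PDT 2001
"""

# Constructed sample in the same shape as the nslookup SOA output in the thread.
SAMPLE_SOA = """\
sympatico.ca
    origin = dns1.sympatico.ca
    mail addr = dns-admin.sympatico.ca
    serial = 400109041
"""

# One TCP Wrappers notification line: host, ident/user, IPv4, service, timestamp.
LINE_RE = re.compile(
    r"^attempt from (?P<host>\S+) (?P<user>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<service>\S+) at (?P<when>.+)$"
)

def parse_attempts(text):
    """Return one dict per 'attempt from ...' line; lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def group_by_source(attempts):
    """Map source IP -> {'host': reverse name, 'events': [(service, timestamp), ...]}."""
    groups = defaultdict(lambda: {"host": None, "events": []})
    for a in attempts:
        g = groups[a["ip"]]
        g["host"] = a["host"]
        g["events"].append((a["service"], a["when"]))
    return dict(groups)

def soa_mail_addr(nslookup_output):
    """Pull the 'mail addr =' value (the SOA RNAME) out of nslookup output."""
    m = re.search(r"mail addr\s*=\s*(\S+)", nslookup_output)
    return m.group(1) if m else None

def rname_to_mailbox(rname):
    """Convert an SOA RNAME to an e-mail address per RFC 1035.

    The first unescaped dot separates local part from domain; a dot inside
    the local part is written as a backslash-escaped dot (john\\.doe.example.com).
    Returns None when there is no domain part at all.
    """
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):     # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if c == ".":                              # first unescaped dot -> '@'
            return "".join(local) + "@" + rname[i + 1:]
        local.append(c)
        i += 1
    return None

def abuse_report(attempts_text, soa_text):
    """Per-source event summary plus the contact address derived from the SOA record."""
    groups = group_by_source(parse_attempts(attempts_text))
    contact = rname_to_mailbox(soa_mail_addr(soa_text) or "")
    return {"contact": contact, "sources": groups}

if __name__ == "__main__":
    report = abuse_report(SAMPLE_LOG, SAMPLE_SOA)
    print("contact:", report["contact"])
    for ip, g in report["sources"].items():
        print(ip, g["host"])
        for service, when in g["events"]:
            print("   ", service, when)
```

The per-source grouping is what makes step a) matter: every event is reported with the timestamp your (NTP-synchronized) logs recorded, so the ISP can line it up against its dial-up session records. The SOA contact is a fallback; an abuse alias found on the ISP's website still comes first, as the post says.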