
SUMMARY - Systematic probe of port 80



Received mail from: Michael Jurney, Dave McFerren, Sean Ryan, Brian
Coyle, Paul Farely, Martin Schmitt, Mick Morgan, D. Stimits and Amandeep.

Michael Jurney's reply was excellent and put my problem into perspective,
and I must have tweaked Sean Ryan's interest to the point that he's
"thinking" about writing a script to address the issue.

There were two lines of thought on the problem.
1. A list of sites and resources to check into.  I list those here:
        dshield.org
        www.mynetwatchman.com
        isc.incidents.org
        www.first.org/team-info
        snort
        portsentry
        www.geektools.com
       
2.  The second line of thought outlined a plan of work.

        Not much you can do about it.  The ISPs can only try to do
something about those IPs they control, and trying to go upstream and
work with other sys admins would require time and effort on everyone's
part, which would most probably lead us to a dead end.  SAVE YOUR REQUEST
for the upstream admin's help until you are being actively attacked, then
call in your favors. CERT is solving bigger problems, but orgs like
dshield, incidents, and first would be more appropriate.

 
        Michael Jurney used a nice phrase categorizing this type of probe
as "background radiation" on the internet as a result of compromised
machines that are still out there with no one caring for them (e.g. home
machines with dynamic IP addresses).

        Proactively watch your logs and update iptables with IP addresses
that come from probing machines.  This can be automated with a script
that periodically scans the logs (/var/log/httpd/error_log and
/var/log/httpd/access_log) and updates iptables.  That was the approach I
used while monitoring the probes. Iptables seems to handle this well; I
am at over 1600 blocked IPs right now.

        Write an additional script to automatically look up ("host" and
"whois") the ISP responsible for the compromised machine and inform them
of the issue (just a friendly notification; they may want to pursue an
investigation for their own reasons).  I am going to do this, and if I get
an interested party that would like to go further upstream I will work
with them, but only if they are willing (I don't want to pester those
that I might need help from in the future).

        Organizations that may care or offer help were: dshield.org and
FIRST at www.first.org/team-info (Mick Morgan says the people at FIRST
are all dedicated to helping you solve this type of problem).

Len Laulainen
(952) 567-4211
len@euler.com

----------------------------------------------------------------
-------------------------------------------------------

Here is the original request for help to put the answer into perspective:

This question does not have as much to do with Linux as it has to do
with supporting and defending a Linux server.  I have a non-production
server that has been systematically probed through port 80 over the
last 5 weeks.  It has been an interesting experience in seeing how the
probe is being done.  After collecting my diagnostics from "ethereal" and
my access and error logs I approached my ISP provider.  Their response
was non-supportive (they could care less about drilling back to the
originating machine).  I did send the same logs to CERT as part of the
notification on active problems.

My problem is now what?  The probes continue and I have identified over
1600 compromised machines.  Does anyone know of a group that provides
support/programs/tools  to drill back to the originating source of these
probes?

My next step right now would be to "host" and "whois" the compromised
machines' IPs to identify an administrator and work with them - Is there
a more automated approach?
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@linuxmanagers.org
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
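The first approach in the summary above (a script that periodically scans the httpd access_log and feeds iptables) as an added, worked example; this is not code from the original post or from any of the replies. It assumes a "many 404 responses from one client" heuristic as the probe signature, a threshold of 20, a dedicated chain named PROBES, and a bookkeeping file of already-blocked IPs; all of those are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Scan an Apache access_log
# (common or combined format) for clients that keep requesting URLs that
# do not exist, and block them in a dedicated iptables chain.
# Assumptions: the 404 heuristic, THRESHOLD, CHAIN and the file paths.

LOG="${LOG:-/var/log/httpd/access_log}"
BLOCKED="${BLOCKED:-/var/lib/probeblock/blocked.txt}"   # our own list, one IP per line
CHAIN="${CHAIN:-PROBES}"
THRESHOLD="${THRESHOLD:-20}"

# probe_ips: read log lines on stdin, print every client IP (IPv4 only)
# that produced at least THRESHOLD 404 responses. The status code is the
# 3-digit field right after the request line's closing quote, so request
# lines containing extra spaces do not shift it (unlike a plain awk $9).
probe_ips() {
    sed -n 's/^\([0-9][0-9.]*\) .*" \([0-9][0-9][0-9]\) .*/\1 \2/p' |
    awk -v t="$THRESHOLD" '$2 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }' |
    sort
}

# new_ips: pass through only the IPs not already in the bookkeeping file ($1).
new_ips() {
    while read -r ip; do
        grep -qxF "$ip" "$1" 2>/dev/null || echo "$ip"
    done
}

# setup: create the chain once and hook it into INPUT for port 80 only, so
# a list of 1600+ rules is walked only for web traffic, not every packet.
# (iptables -C needs 1.4.11 or later; older versions have to check with -L.)
setup() {
    mkdir -p "$(dirname "$BLOCKED")"
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -p tcp --dport 80 -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 80 -j "$CHAIN"
}

# main: $1 is --dry-run (print the rules that would be added) or --apply.
main() {
    [ -r "$LOG" ] || { echo "cannot read $LOG" >&2; return 1; }
    if [ "$1" = "--apply" ]; then setup; fi
    probe_ips < "$LOG" | new_ips "$BLOCKED" | while read -r ip; do
        if [ "$1" = "--apply" ]; then
            iptables -A "$CHAIN" -s "$ip" -j DROP && echo "$ip" >> "$BLOCKED"
        else
            printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
        fi
    done
}

case "${1:-}" in
    --dry-run|--apply) main "$1" ;;
esac
```

Run it from cron as `sh block_probes.sh --dry-run` first to see which rules it would add, then switch to `--apply`. Two practical points: a long flat list of DROP rules is a linear scan per packet, which is why the rules live in their own chain reached only for port 80; on current kernels an ipset with a single `-m set` rule is the cheaper way to hold thousands of addresses. And because the original post notes that many probing hosts are dynamic-IP home machines, the list goes stale, so expire entries (for example, drop addresses not seen in the log for a month) rather than growing it forever.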
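The second script the summary describes (look up the responsible ISP with "host" and "whois" and send them a friendly notification) as an added example; again this is not code from the post or its replies. It assumes the whois field names it recognises (RIPE/APNIC "abuse-mailbox:", ARIN "OrgAbuseEmail:", RIPE "e-mail:"), a placeholder FROM address, the drafts directory and the two-second pacing delay; the blocked-IP file is the same bookkeeping file the blocking script above assumes.

```shell
#!/bin/sh
# Added example, not from the original post. For each blocked IP, find the
# responsible network with "host"/"whois", pick an abuse contact out of the
# whois record and write a notification draft for a human to review.
# Assumptions: the field names handled, FROM, DRAFTS and the pacing delay.

BLOCKED="${BLOCKED:-/var/lib/probeblock/blocked.txt}"  # one IP per line
DRAFTS="${DRAFTS:-/var/lib/probeblock/drafts}"
FROM="${FROM:-postmaster@example.com}"                 # placeholder: your own address
LOG="${LOG:-/var/log/httpd/access_log}"

# abuse_contacts: read a whois record on stdin, print candidate abuse
# addresses one per line. Explicit abuse fields win; otherwise fall back
# to "e-mail:" lines, and finally to any abuse@ address in free text.
abuse_contacts() {
    tr -d '\r' | awk '
        tolower($1) ~ /^(abuse-mailbox|orgabuseemail):$/ { a[$2] = 1; next }
        tolower($1) == "e-mail:"                         { e[$2] = 1; next }
        { for (i = 1; i <= NF; i++) {
              w = $i; sub(/[.,;:)]+$/, "", w)          # strip trailing punctuation
              if (w ~ /^abuse@[^@]+$/) f[w] = 1 } }
        END {
            n = 0
            for (k in a) { print k; n++ }
            if (n == 0) for (k in e) { print k; n++ }
            if (n == 0) for (k in f) print k
        }' | sort -u
}

# draft_notice: $1 = offending IP, $2 = contact, sample log lines on stdin.
# Prints an RFC 822-style message to stdout; nothing is sent from here.
draft_notice() {
    printf 'From: %s\nTo: %s\nSubject: Host %s appears compromised (HTTP probes)\n\n' "$FROM" "$2" "$1"
    printf 'Hello,\n\nThe host %s in your address space has been repeatedly probing\n' "$1"
    printf 'port 80 on our server and is probably compromised. Sample log\n'
    printf 'lines (server local time):\n\n'
    sed 's/^/    /'
    printf '\nThis is a courtesy notice only.\n\nRegards,\n%s\n' "$FROM"
}

# draft_for: look up one IP and write $DRAFTS/<ip>.eml; returns 1 if the
# whois record yields no contact at all.
draft_for() {
    ip=$1
    contact=$(whois "$ip" | abuse_contacts | head -n 1)
    [ -n "$contact" ] || { echo "$ip: no abuse contact found" >&2; return 1; }
    name=$(host "$ip" 2>/dev/null | awk '/pointer/ { print $NF }')
    {
        printf 'X-Reverse-DNS: %s\n' "${name:-none}"
        awk -v ip="$ip" '$1 == ip' "$LOG" | head -n 5 | draft_notice "$ip" "$contact"
    } > "$DRAFTS/$ip.eml"
}

# main: draft once per IP, skipping ones already drafted, and pace the
# lookups so the whois servers do not rate-limit or block us.
main() {
    mkdir -p "$DRAFTS"
    while read -r ip; do
        if [ -e "$DRAFTS/$ip.eml" ]; then continue; fi
        draft_for "$ip" || true
        sleep 2
    done < "$BLOCKED"
}

case "${1:-}" in --run) main ;; esac
```

Run `sh notify_isps.sh --run`, then read the drafts before handing them to your MTA: whois records are free-form, the fallback to an "e-mail:" line can land on a technical contact rather than an abuse desk, and sending 1600 unreviewed mails is exactly the kind of pestering the summary warns against. Keeping the drafts on disk also leaves you the evidence trail if an ISP later does want to investigate.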
