From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Fri, 5 Dec 2008 07:16:46 +0000
In-Reply-To: <4937BF99.6050908@shic.co.uk>
Message-Id: <200812050717.09997.michaelkintzios@gmail.com>

On Thursday 04 December 2008, Steve wrote:
> Simon wrote:
> > Since it is very unlikely that the attacker is targeting you
> > specifically, changing the port number (and removing root access) will
> > very likely stop the attack forever. Though, if the attacker did
> > target you, then you will need some more security tools (intrusion
> > detection, etc...).
>
> I recognise that this doesn't seem to be a targeted attack - but it is
> still frustrating to find that someone has evaded my IP blocking
> strategy... even though they pose only a slightly elevated risk by
> having done so. (Of course, I don't permit root login - that would be
> madness... and, as far as I'm aware, no-one has guessed even a valid
> user name... they're all obscure!)
>
> The thing that strikes me is that, in evading my blocking strategy, they
> clearly identified a bot-net of compromised hosts. With this in mind,
> ideally, I'd like to:
>
> 1. Automatically detect and block all future attacks on all ports from
> all hosts which are involved in this coordinated attack. These hosts
> can't be trusted not to be malicious.
> 2. Somehow inform the administrator of the hosts attacking me (in a
> respectful way) since, I presume, they are unaware that their host is
> involved in the attack.
> 3. Ideally, share this kind of information so that myself and others are
> better protected from bot-net attacks in future.
>
> It's the sort of thing I imagine has already been done - and there's no
> point in re-inventing the wheel.

I recall something similar whereby the attacked machines would automatically
launch an attack on the botnet/spammer to effect a DoS. Then the spammers
complained and the guys who had written the software were forced by the
police to recall it . . . sometimes I wonder. Anyway, I'm a bit thin on
details - this was all the rage about 4-5 years ago as a legit way to defend
yourself against spam.

What I think is required is a script which will identify the compromised
machine and promptly reformat its MSWindows OS - problem solved. Of course
how you keep tabs on this tool not being misused is another thing.

--
Regards,
Mick
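The detection Steve asks for in his item 1, as an added example that is not part of the thread: instead of counting failures per source address (which a botnet spreading one or two guesses per host slips under), correlate failed sshd logins by the user name being guessed, and flag every address that took part in guessing the same name. The auth.log lines below are constructed; the `lappy` hostname, the user names and the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not taken from the thread): the
# same obscure user name is tried from several hosts, one or two tries each.
SAMPLE_LOG = """\
Dec  4 21:02:11 lappy sshd[4101]: Failed password for invalid user qzelmar from 192.0.2.10 port 51012 ssh2
Dec  4 21:02:40 lappy sshd[4108]: Failed password for invalid user qzelmar from 192.0.2.11 port 51244 ssh2
Dec  4 21:03:05 lappy sshd[4113]: Failed password for invalid user qzelmar from 198.51.100.7 port 40211 ssh2
Dec  4 21:03:19 lappy sshd[4119]: Failed password for invalid user wexton from 192.0.2.11 port 51290 ssh2
Dec  4 21:03:44 lappy sshd[4122]: Failed password for invalid user wexton from 203.0.113.5 port 39012 ssh2
Dec  4 21:04:02 lappy sshd[4130]: Failed password for invalid user qzelmar from 203.0.113.9 port 42877 ssh2
Dec  4 21:05:30 lappy sshd[4140]: Accepted publickey for mick from 192.0.2.200 port 50001 ssh2
Dec  4 21:06:00 lappy sshd[4151]: Failed password for mick from 192.0.2.200 port 50003 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; ignore everything else."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def per_ip_offenders(log_text, threshold=3):
    """Classic per-source blocking: an IP is blocked only after `threshold` failures."""
    counts = defaultdict(int)
    for _, ip in parse_failures(log_text):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def coordinated_offenders(log_text, min_sources=3):
    """Correlate by user name instead: a name tried from `min_sources` or more
    distinct IPs is one distributed attempt, and every IP in that set is flagged."""
    sources = defaultdict(set)
    for user, ip in parse_failures(log_text):
        sources[user].add(ip)
    flagged = set()
    for user, ips in sources.items():
        if len(ips) >= min_sources:
            flagged |= ips
    return flagged
```

On the sample the per-IP rule fires for nobody, while the user-name correlation returns the four hosts that shared the `qzelmar` guess. A real account that is legitimately used from several addresses would also trip this rule, so review the flagged set before handing it to the firewall.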