[SGVLUG] Who is that knocking on my ports?

Jeremy Leader jleader at alumni.caltech.edu
Mon Jan 12 17:19:21 PST 2009


I'd strongly recommend against sending one e-mail per attempt.  At best, 
you'll just get spam filtered (and possibly blacklisted); at worst, 
you'll piss off the people you're trying to persuade to look into the 
cracking attempt.

-- 
Jeremy Leader
jleader at alumni.caltech.edu

Emerson, Tom (*IC) wrote:
> Those of you who run servers have probably seen this in their logs --
> "failed password for illegal user ... From <some.ip.address> port ...
> Ssh[2]", repeated in stretches, with user names ranging from "admin" to
> "zimbra", all from the same IP address -- an obvious "break-in" attempt
> [using brute force / sheer luck / whatever]
> 
> I'd like to develop a script [or perhaps someone has already] to do the
> following 
> 
>    1) identify the ISP or suitable "owner" of the netblock containing
> the IP address
>    2) for "well known" ISPs, look up their security or "abuse" e-mail
> addresses
>    3) generate, in real time, an e-mail report of the breakin attempt --
> one e-mail per attempt :)
> 
> Yes, I intend to "spam" the ISP about what their user(s) are doing.
> 
> Of course, I'd want to have a threshold before this triggers -- I might
> be "in the field" and mistype my own login [it happens...] and/or for
> the general case of one or two attempts, sort of like "getting a phone
> trace", if the attack stops before my system can report it, there might
> not be too much the ISP can do about it at that particular moment.
> 
> I expect responses from the ISPs along these lines
> 
>   1) nothing
>   2) canned "thank you" [perhaps even one-per-message I sent originally,
> reverse spam...]
>   3) WTF?  [and/or variations on "hey, you're spamming US"]
>   4) thanks, caught him in the act! [ok, maybe I don't /really/ expect
> this one all that often...]
>   5) hmm, nice monitoring script you've got there, but seriously, if
> there is an "attack in progress", just one message would do [hey, I can
> dream, can't I?]
> 
> [this might even make a nice "project" for the devsig to tackle...]
> 
> Thoughts?
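As an added illustration (not code from either poster), here is how the aggregation the reply argues for looks in practice: parse the "Failed password" lines from the quoted message, apply the threshold, and produce one summary per source address rather than one e-mail per attempt. The log lines and addresses are constructed test data; the netblock/abuse-contact lookup (steps 1 and 2) is left out because it needs network access.

```python
import re
from collections import defaultdict

# Constructed sshd log sample in the format the original post quotes.
# The addresses are documentation/test ranges, not real hosts.
SAMPLE_LOG = """\
Jan 12 16:01:03 host sshd[2201]: Failed password for illegal user admin from 203.0.113.7 port 51001 ssh2
Jan 12 16:01:05 host sshd[2203]: Failed password for illegal user oracle from 203.0.113.7 port 51002 ssh2
Jan 12 16:01:08 host sshd[2205]: Failed password for illegal user zimbra from 203.0.113.7 port 51003 ssh2
Jan 12 16:01:09 host sshd[2206]: Accepted password for tom from 198.51.100.2 port 40001 ssh2
Jan 12 16:02:11 host sshd[2210]: Failed password for tom from 198.51.100.2 port 40002 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return {source_ip: [(timestamp, username), ...]} for failed logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((m["ts"], m["user"]))
    return failures

def build_reports(log_text, threshold=3):
    """One aggregated report per source IP that reached the threshold.

    A single summary covering N attempts, never N separate messages.
    """
    reports = {}
    for ip, events in parse_failures(log_text).items():
        if len(events) < threshold:
            continue  # one or two mistyped logins never trigger a report
        users = sorted({user for _, user in events})
        reports[ip] = {
            "attempts": len(events),
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "usernames": users,
            "summary": (f"{len(events)} failed SSH logins from {ip} between "
                        f"{events[0][0]} and {events[-1][0]}; "
                        f"usernames tried: {', '.join(users)}"),
        }
    return reports

if __name__ == "__main__":
    for report in build_reports(SAMPLE_LOG).values():
        print(report["summary"])
```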
