reporting hacking attempt?


GunNutz
02-01-2010, 5:36 PM
Some people have been trying to hack into my linux router for the last two days. So far as I can tell, my security has logged and blocked the attempts. WHOIS lookups are mostly false and include Amsterdam, Chinese, and AZ addresses. Appears to be a dictionary/brute force attack, trying multiple user names and generated passwords.

Any suggestions on who I can report this to?

Corbin Dallas
02-01-2010, 5:54 PM
No one really. To be honest our authorities don't have the power to enforce laws overseas. And the countries overseas that the hacks are coming from just don't care.

TroyMcClure
02-01-2010, 5:58 PM
Most of these are automated attacks. Reporting them will probably net you nothing.

Make sure all your software is up-to-date. That's probably all you can do.

shooterfpga
02-01-2010, 6:03 PM
Look up how to configure a honeypot. Capture their traffic and/or just route it to the honeypot. Then they can brute force to their hearts' content and do nothing to you.

bigmike82
02-01-2010, 10:07 PM
Reporting it wouldn't do you any good.

JDay
02-02-2010, 2:50 AM
Change the SSH default port to something other than 22 and block web admin access from outside your network.

Rekrab
02-02-2010, 12:02 PM
The FBI Cyber Crimes Division handles these. I've had my own run-ins with hackers at the company I work for. You need to have a lot of proof to get anything done, and even then you're looking at a long shot. If you can prove damages, feel free to get a detective and lawyer up.

Dr Pete
02-02-2010, 1:50 PM
Most likely just bots. Since you're running a Linux o/s I wouldn't worry too much.
Block with your f/w and forget about it.

bigmike82
02-02-2010, 2:34 PM
"Since you're running a Linux o/s I wouldn't worry too much."
ROFL. What does that have to do with anything?

odysseus
02-02-2010, 2:38 PM
Damn, if you knew what most firewall logs of any represented organization on the net look like, you would be aware that this is pretty common and you would get dizzy trying to chase it. Most likely bots, from the signature you are describing. Heck, for fun just open an FTP port as a honeypot and see what happens within a day. You will see the whole world try to crack in.

Be sure that any remote management of your router is disabled from the outside.

shooterfpga
02-02-2010, 2:53 PM
Exactly my point too, odysseus. It's just a lot of noise that doesn't equate to much. People get too paranoid over false hits from a sensitive firewall.

GunNutz
02-02-2010, 4:54 PM
Thanks for the advice people.

These may very well be bots, but they are clearly attempts to gain access. There are the same 4 ip addresses that have begun to do this repeatedly.

My logs show "password failed for user root" hundreds of times, followed by entries such as "bad user/password" for users oracle, admin, postgres, etc.

These happen about once a day, and last for about 20 minutes, starting early Saturday morning. Everything was clean for years until then.

Now sure, I get a lot of noise from the firewall software itself, but until recently not a lot of failed login attempts. I drop ICMP packets so random pings go to na-na land, but nmap will still show some open ports if someone were to scan a range of IP addresses which includes mine.
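The pattern GunNutz describes (hundreds of failures for root, then a sweep of service accounts, from the same few addresses, about twenty minutes a day) is easy to pull out of the logs mechanically. As an added example that is not part of the original thread, here is a small Python script that parses syslog-style sshd failure lines, groups them by source address and flags any source that racks up a threshold of failures inside a time window, reporting the account names it tried in order. The log excerpt, the host name `gw` and the RFC 5737 addresses are constructed for the example; the `Failed password for ... from ... port ... ssh2` format is what OpenSSH writes to auth.log, and the threshold and window are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure lines as they appear in a syslog-style auth.log.  The optional
# "invalid user" covers accounts that do not exist on the box (oracle, postgres, ...),
# which is what a dictionary attack produces once it gives up on root.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(lines, year=2010):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_bruteforcers(lines, threshold=10, window_minutes=20):
    """Flag any source IP with >= threshold failures inside a window_minutes span.
    Returns {ip: {"attempts", "users", "first", "last"}}; "users" is the order in
    which account names were tried, which is the signature worth eyeballing."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        events[ip].append((ts, user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = list(dict.fromkeys(u for _, u in evs))   # dedupe, keep order
                flagged[ip] = {"attempts": len(evs), "users": users,
                               "first": evs[0][0], "last": evs[-1][0]}
                break
    return flagged


def sample_log():
    """Constructed auth.log excerpt (not real data); IPs are RFC 5737 test addresses."""
    lines = []
    t0 = datetime(2010, 1, 30, 4, 12, 7)

    def add(ts, user, ip, port, invalid=False):
        who = ("invalid user " if invalid else "") + user
        lines.append(f"{ts.strftime('%b %d %H:%M:%S')} gw sshd[{4000 + len(lines)}]: "
                     f"Failed password for {who} from {ip} port {port} ssh2")

    for i in range(300):                     # root hammered every 4 s for 20 min ...
        add(t0 + timedelta(seconds=4 * i), "root", "203.0.113.5", 51000 + i)
    for j, u in enumerate(["oracle", "admin", "postgres"]):   # ... then service accounts
        add(t0 + timedelta(minutes=21, seconds=j), u, "203.0.113.5", 52000 + j, invalid=True)
    for i in range(15):                      # a slower second source, 15 tries in 10 min
        add(t0 + timedelta(hours=3, seconds=40 * i), "root", "198.51.100.7", 40000 + i)
    add(t0 + timedelta(hours=5), "alice", "192.0.2.9", 33000)   # the owner mistyping once
    lines.append("Jan 30 09:12:10 gw sshd[4999]: Accepted publickey for alice "
                 "from 192.0.2.9 port 33001 ssh2")               # must be ignored
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(sample_log()).items():
        print(f"{ip}: {info['attempts']} failures {info['first']:%H:%M}-{info['last']:%H:%M}, "
              f"users tried: {', '.join(info['users'])}")
```

The sliding window is what separates fifteen tries in ten minutes from fifteen tries spread over a year, so a single mistyped password never shows up. The sources this flags are the ones a log-watching banner such as fail2ban would block automatically; doing it by hand once, as above, at least tells you whether the "same 4 ip addresses" are really the same four.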

Satex
02-08-2010, 12:29 PM
These may very well be bots, but they are clearly attempts to gain access. There are the same 4 ip addresses that have begun to do this repeatedly.

As others have told you, no agency cares about the hack attempts. All of my hosts are under continuous repetitive attacks. Make sure your firewall is closed to everything but the services you need. Make sure your software is up to date so that you don't have any service running with known weaknesses. If you add a new service, make sure you use a well documented and secure package. With SSH, the use of RSA keys is a must. Remember, it is up to you, and you only, to ensure the security of your system(s).
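JDay suggests moving sshd off port 22, and Satex says keys are a must. As an added example, not code from anyone in the thread, the following Python script audits an sshd_config for the settings that actually make a dictionary attack pointless (no root login, no password or challenge-response authentication, keys only, a low try limit) and rewrites a weak file into a hardened one while keeping comments and unrelated directives. The weak config is constructed for the example; every keyword used is a real sshd_config directive, but the required values and the port 2222 are the example's own policy, not a recommendation from the thread.

```python
import re

# sshd_config keywords the audit requires, with the value each must carry.  Every
# keyword is a real OpenSSH directive; the chosen values are this example's policy.
REQUIRED = {
    "PermitRootLogin": "no",                  # bots always start with root
    "PasswordAuthentication": "no",           # no passwords, nothing to guess
    "PubkeyAuthentication": "yes",
    "ChallengeResponseAuthentication": "no",  # else PAM can still prompt for a password
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "3",
}
DEFAULT_PORT = "22"
_CANON = {k.lower(): k for k in REQUIRED}     # sshd matches keywords case-insensitively


def _split(line):
    """'Keyword value' or 'Keyword=value' -> (lowercase keyword, value or None)."""
    parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) == 2 else None)


def parse_sshd_config(text):
    """Return {lowercase keyword: value} for the effective global settings.  sshd
    honours the FIRST occurrence of a keyword, '#' lines are comments, and anything
    after a Match line is conditional, so parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split(line)
        if key == "match":
            break
        if value is not None:
            effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return [(keyword, problem)]; an empty list means the file passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for name, want in REQUIRED.items():
        got = cfg.get(name.lower())
        if got is None:
            findings.append((name, f"not set, sshd default applies; set it to {want}"))
        elif got.lower() != want:
            findings.append((name, f"is {got}, must be {want}"))
    if cfg.get("port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append(("Port", "22; moving it only thins scanner noise, but that is most of the log"))
    return findings


def harden_sshd_config(text, new_port="2222"):
    """Return a copy of text that passes the audit.  Wrong values are fixed in place,
    later duplicates are dropped (sshd would ignore them anyway), missing keywords are
    inserted before the first Match block, comments and other keywords are untouched.
    An existing non-default Port is kept; only a literal 22 is moved to new_port."""
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if match_at is not None or not line or line.startswith("#"):
            out.append(raw)
            continue
        key, value = _split(line)
        if key == "match":
            match_at = len(out)
        elif key in _CANON or key == "port":
            if key in seen:
                continue
            seen.add(key)
            if key == "port":
                raw = f"Port {value if value not in (None, DEFAULT_PORT) else new_port}"
            else:
                raw = f"{_CANON[key]} {REQUIRED[_CANON[key]]}"
        out.append(raw)
    missing = [f"{n} {v}" for n, v in REQUIRED.items() if n.lower() not in seen]
    if "port" not in seen:
        missing.insert(0, f"Port {new_port}")
    at = len(out) if match_at is None else match_at
    out[at:at] = missing
    return "\n".join(out) + "\n"


# Constructed example of a stock-looking sshd_config; not taken from any real host.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    for name, problem in audit_sshd_config(WEAK_CONFIG):
        print(f"{name}: {problem}")
    print(harden_sshd_config(WEAK_CONFIG))
```

Two details are easy to get wrong by hand: sshd takes the first occurrence of a keyword, so a `PermitRootLogin no` added at the bottom of a file that already says `yes` higher up changes nothing, and anything after a `Match` line applies only to that match, so new global settings have to go above it. After editing, `sshd -t` checks the file for syntax errors, and the sane routine is to keep the existing session open until a fresh key-based login on the new port has been confirmed. Moving the port is the one change here that is not a security control: it thins the log, nothing more, which is why the audit reports it separately from the rest.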

choprzrul
02-08-2010, 2:22 PM
Some people have been trying to hack into my linux router for the last two days. So far as I can tell, my security has logged and blocked the attempts. WHOIS lookups are mostly false and include Amsterdam, Chinese, and AZ addresses. Appears to be a dictionary/brute force attack, trying multiple user names and generated passwords.

Any suggestions on who I can report this to?

By "...linux router..." do you mean a box running something like DD-WRT or Tomato, or is it a firewall distro like IPCop or Untangle? In any case, think about a multi-layered defense where you have a simple NAT firewalled router at the edge of your network. Then put a UTM box in line to do closer inspection of your traffic. Put up enough layers so that the time spent to compromise isn't worth it to the hackers.

f33dback
02-12-2010, 3:03 AM
No disrespect meant here, but if you want someone else to police this you will be disappointed; it's up to you to maintain your security.
Do you expect the police to protect you in your home?

Most hits are scanner hits, meaning generic scans of IP classes looking for vulnerabilities; nothing personal. Keep in mind you're behind a NAT (network address translation) that acts as one layer of protection, but you might want a firewall on the internal machines that blocks incoming as well as alerts you to outgoing traffic (more important IMO). Run as a limited/managed user and use the sudo command to do whatever else you need admin for.
Linux should keep you fairly safe from "malware"; an actual hack attempt on your box is unlikely, you're one box in a herd.
Stay updated, learn to read logs, don't be resistant to erase and reinstall, and back up all personal information.
If you want data protection check out TrueCrypt; it works for Linux, Win, Mac.