How to deal with SSH attackers

All of the servers I manage that are exposed to the Internet seem to get frequently hammered by people trying to get in via SSH. Here's a snippet from the auth.log file on one:
Feb 3 23:25:52 gondor sshd[9238]: Did not receive identification string from 66.235.22.66
Feb 4 13:07:16 gondor sshd[16234]: Did not receive identification string from 65.222.150.10
Feb 5 04:15:22 gondor sshd[23397]: Did not receive identification string from 211.75.139.105
Feb 5 04:23:34 gondor sshd[23425]: Illegal user admin from 211.75.139.105
Feb 5 04:23:37 gondor sshd[23427]: Illegal user test from 211.75.139.105
Feb 5 04:23:40 gondor sshd[23429]: Illegal user guest from 211.75.139.105
Feb 5 04:23:43 gondor sshd[23431]: Illegal user webmaster from 211.75.139.105

What should I do and what should I not do to these attackers? (Remember, this is an ethics discussion, not a technical discussion.)

On Topic Article at Security Focus

Security Focus have a recent article analyzing SSH attacks using a HoneyNet.

From the article:
Malicious SSH login attempts have been appearing in some administrators' logs for several years. This article revisits the use of honeypots to analyze malicious SSH login attempts and see what can be learned about this activity. The article then offers recommendations on how to secure one's system against these attacks.

Rattling the doorknob

My understanding of the law on this (IANAL) is that it is legal to rattle the doorknob, but not to pass over the threshold. The comparable/analogous ethics question is: Should you wander around the neighborhood rattling doorknobs and checking windows to see if any are unlocked?

If you find someone rattling your doorknob do you have a right to interrogate them as to who they are and what they are doing? Similarly, do you have the ethical responsibility to do so?

In broad terms, I think the answer is yes. We should be able to counter-scan specific targets to gain knowledge of who they are and what they might be up to. This falls within the duty to protect. What we cannot do is counter-attack.

This, of course, leaves an awful lot of gray area. Some scanning methods (most of the more useful ones) include automated testing for exploit vulnerability, which essentially means trying the exploit with an inert payload. That's a bit like finding the door unlocked and instead of stealing something, leaving a Post-It note that says "Your door was unlocked." It may be ethically sound, but it is legally dubious (which presents its own ethical problems) and may only be defensible if you can prove intent. Unfortunately, both in the real world and even more so in the digital world, it is incredibly difficult to establish intent until it is too late. With the state of current law related to digital intrusion your actions are assumed to imply malicious intent.

Now the ethics question is: given the duty to protect, can we justify actions which may create legal exposure? Probably not. Tread lightly.

Rattling the doorknob - Get off my doorstep!

Can we justify actions which may create a legal exposure... Of course we can! That is what we do! If we take the stance that we cannot slow down, tear down or otherwise prevent the use of our dedicated resources then we are in a great deal of trouble. While doorknob rattling may NOT be illegal, the theft and misuse of private assets most certainly is! And scanning my corporate webserver for open ports (other than 80) is wasting my resources. Not to mention the time and effort it takes to monitor those reconnaissance attacks and determine the proper course of action. I'll take this up a technical notch and include active response (TCP resets) as an example of a response to malicious activity that could be deemed retaliatory but is more self defense than anything. The argument has been made that sending resets to tear down a connection is a form of counter attack. I do not believe that tearing down a connection that should never have been made in the first place should be considered offensive.

To answer the question... I shun the IP for 30 mins to my network and report them to incidents.org. If it is a repeat offender the shun becomes permanent. However, I am not running a business out of my house so I don't mind losing a few IPs :)

Thanks again for the invite, I had a lot of fun at the meeting! I look forward to the next one!

Geoff
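As an added, constructed example (not code from Geoff's post or from anyone in this thread): a small Python script that parses the auth.log lines quoted in the question and replays the shun policy Geoff describes, a 30-minute block on the first offense and a permanent block if the same address comes back after its block has expired. The year (syslog timestamps carry none), the final "oracle" log line appended to show the repeat-offender case, and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the auth.log excerpt from the question, plus one extra
# line (the "oracle" attempt) appended here to exercise the repeat-offender rule.
SAMPLE_LOG = """\
Feb 3 23:25:52 gondor sshd[9238]: Did not receive identification string from 66.235.22.66
Feb 4 13:07:16 gondor sshd[16234]: Did not receive identification string from 65.222.150.10
Feb 5 04:15:22 gondor sshd[23397]: Did not receive identification string from 211.75.139.105
Feb 5 04:23:34 gondor sshd[23425]: Illegal user admin from 211.75.139.105
Feb 5 04:23:37 gondor sshd[23427]: Illegal user test from 211.75.139.105
Feb 5 04:23:40 gondor sshd[23429]: Illegal user guest from 211.75.139.105
Feb 5 04:23:43 gondor sshd[23431]: Illegal user webmaster from 211.75.139.105
Feb 5 06:01:10 gondor sshd[23600]: Illegal user oracle from 211.75.139.105
"""

# Matches the two sshd message forms that appear in the excerpt. Real syslog
# pads single-digit days with two spaces, so \s+ is used between month and day.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<msg>Did not receive identification string|Illegal user (?P<user>\S+))"
    r" from (?P<ip>[\d.]+)$"
)

SHUN_DURATION = timedelta(minutes=30)  # Geoff's 30-minute first-offense shun


def parse_line(line, year=2005):
    """Return a dict (ts, ip, kind, user) for a recognised line, else None.
    The year is an assumption: syslog timestamps do not include one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    kind = "probe" if m["msg"].startswith("Did not") else "illegal_user"
    return {"ts": ts, "ip": m["ip"], "kind": kind, "user": m["user"]}


def parse_log(text, year=2005):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def count_by_ip(events):
    """Per-source tally of probes and illegal-user attempts (for the report)."""
    counts = defaultdict(lambda: {"probe": 0, "illegal_user": 0})
    for ev in events:
        counts[ev["ip"]][ev["kind"]] += 1
    return dict(counts)


def apply_shun_policy(events, shun_for=SHUN_DURATION):
    """Replay events in time order; return {ip: (status, expiry)}.

    Policy as stated in the post: first offense -> temporary shun for
    `shun_for`; any offense arriving after that shun has expired -> permanent.
    Events that arrive while an IP is already shunned are ignored, because the
    firewall is dropping them anyway. Which message types count as an offense
    is a local choice; here both probes and illegal-user attempts count.
    """
    state = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, now = ev["ip"], ev["ts"]
        cur = state.get(ip)
        if cur is None:
            state[ip] = ("temporary", now + shun_for)
        elif cur[0] == "temporary" and now >= cur[1]:
            state[ip] = ("permanent", None)
        # else: inside an active shun window (or already permanent); nothing to do
    return state


def render_rules(state):
    """Render decisions as iptables DROP commands, one string per address."""
    rules = []
    for ip, (status, until) in sorted(state.items()):
        note = "permanent" if status == "permanent" else f"until {until:%Y-%m-%d %H:%M:%S}"
        rules.append(f"iptables -I INPUT -s {ip} -j DROP  # {note}")
    return rules


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, c in count_by_ip(events).items():
        print(f"{ip}: {c['probe']} probe(s), {c['illegal_user']} illegal-user attempt(s)")
    for rule in render_rules(apply_shun_policy(events)):
        print(rule)
```

Run on the sample, the three addresses each receive a temporary shun on their first line; 211.75.139.105's four attempts at 04:23 fall inside the window opened by its 04:15 probe and are ignored, and only the constructed 06:01 attempt, arriving after that window closed, escalates it to a permanent block. The temporary rules would need a matching expiry job (a cron-driven removal, or a tool such as fail2ban that manages the timers itself); this script only decides, it does not install anything.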

Greetings

This is absolutely right!!!

Hello

You can't be more right.

Hello

Excellent!!!