Do you care about WHOIS contact information?

Nathan W. Lindstrom nathan at lindstrom.com
Thu Jul 23 07:56:53 PDT 2009


David,

Just run SSH on a different port, for example, 23.  Use an alias on your
client to un-complicate your life.  The scans will COMPLETELY stop, and
besides, there is nobody at the other end anyway.  It's all automated
drive-by scanning, and the netblock admins don't care.  Your automatic
reporting idea is cool, but ultimately its output is just so much spam.

Or use port knocking.  You really should do that (or at least listen on a
non-standard port) anyway, because SSH isn't the most secure thing in the
world.  Unless you're building OpenSSH from source immediately after every
security update, you're vulnerable to worse attacks than just random
password-guessing.  Limiting your authentication methods to public key won't
save you if the attack exploits an SSH bug.

Remember, there are no stupid perps.  Just a million compromised PCs running
scripts.  It's the non-stupid perps that you need to worry about. :)

-----Original Message-----
From: owner-baylisa at baylisa.org [mailto:owner-baylisa at baylisa.org] On Behalf
Of David Wolfskill
Sent: Thursday, July 23, 2009 6:33 AM
To: baylisa at baylisa.org
Subject: Do you care about WHOIS contact information?

Under normal circumstances, I'm in the habit of perusing certain logfiles on
my home network (which I admit isn't "Large") every morning, looking for
certain forms of anomalous activity.

One of those forms that has proved fairly common over the years is a
sequence of attempts to login via my SSH server.

While I'm aware of strategies such as port-shifting and the like, I don't do
that.  For one thing, it complicates my life more than necessary; for
another, my SSH server is actually one of the better-protected services, as
I only permit public key authentication via SSH.

So if the stupid perps want to wear themselves out & advertise their
activities by banging their heads against my SSH server, well, that's just
fine by me.

Of course, that doesn't stop me from noticing -- or reporting -- their
activities.

This is all the more so because I have my packet filter configured to log
all 22/TCP SYN packets; the SSH server already logs all attempts to connect
to it.

So when I notice a burst of activity, I do a WHOIS query and provide the
allegedly responsible party for the netblock in question an appropriate
excerpt from each of the logfiles in question, together with a
slightly-customized (for the occasion) bit of boilerplate text explaining
why I'm writing and what the significance of certain bits of the logfile
extracts is, concluding with an offer to provide additional information on
request.  The whole thing is deliberately phrased to be non-confrontational
and non-accusatory -- e.g., it starts with:

| Below, please find log entries corresponding to several unauthorized
| attempts to access my SSH server.  I have no reason to believe that
| any of my systems were harmed or compromised, but the activity was
| certainly not welcome, and I'm notifying you of it in case the
| information helps a current or future investigation you may make.

Fundamentally, I believe there is much value in treating others as I'd like
to be treated.  And if stuff like that originated from a network for which I
have responsibility, I'd really like to know.

Anyhow, I often get auto-responses; I also sometimes get a more personal
note of thanks from the other admins (e.g., when they find out that they had
a compromised host they didn't know about on their network), so I believe
it's a useful exercise in general.

Sometimes, though, my notification message gets bounced -- e.g., with an
equivalent of "no such mailbox" for each of the addresses on the recipient
list.

Over the years, I've developed an approach for addressing (no pun
intended) this situation, but before I explain that, I'd like to do a
reality check and ask y'all what you (would) do about it.

:-)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
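An added example (not code from either poster) of the log review David describes: spotting a burst of failed SSH logins from one source in sshd's syslog output and assembling the excerpt that goes into the notification. The sample log lines are constructed, the failure-line shapes are those sshd writes, and the log year (2009) is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape sshd writes to syslog; not real traffic.
SAMPLE_LOG = """\
Jul 23 05:12:01 gw sshd[4121]: Invalid user admin from 192.0.2.10
Jul 23 05:12:03 gw sshd[4123]: Invalid user oracle from 192.0.2.10
Jul 23 05:12:05 gw sshd[4125]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jul 23 05:12:07 gw sshd[4127]: Invalid user test from 192.0.2.10
Jul 23 05:12:09 gw sshd[4129]: Failed password for invalid user guest from 192.0.2.10 port 51240 ssh2
Jul 23 06:40:11 gw sshd[4301]: Accepted publickey for david from 198.51.100.7 port 40022 ssh2
Jul 23 07:01:44 gw sshd[4350]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""
# Captures the syslog timestamp, the message, and the "from <ip>" sshd appends.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*?) from (\d+\.\d+\.\d+\.\d+)")
FAILURE_HINTS = ("Invalid user", "Failed ")

def parse_line(line):
    """Return (timestamp, source_ip, line) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m or not m.group(2).startswith(FAILURE_HINTS):
        return None
    # syslog omits the year; assume the log year (2009 here) so events order correctly
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2009)
    return ts, m.group(3), line

def find_bursts(log_text, threshold=5, window_seconds=60):
    """Map source IP -> its failure lines, for IPs with >= threshold failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[1]].append(parsed)
    bursts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
            if span <= window_seconds:
                bursts[ip] = [e[2] for e in events]
                break
    return bursts

def build_excerpt(ip, lines):
    """Assemble the non-accusatory notification body with the log excerpt attached."""
    opening = ("Below, please find log entries corresponding to several unauthorized "
               "attempts to access my SSH server.")
    return opening + f"\n\nSource host: {ip}\n\n" + "\n".join(lines) + "\n"
```

The IPs returned by find_bursts are the ones to run the WHOIS query against; build_excerpt produces the text to send to the resulting abuse contact.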