This might be quite off-topic from more of my recent posts, but it is just another aspect of my life. I am the Technology Director for a company with less than 10 full time employees and a two person IT department. That means I'm also a Systems Administrator, Network Administrator, Abuse Administrator, etc.
This past week marked the anniversary of the use of a program I designed that would help me to carry out my administrative duties more easily. I used to review the LogWatch emails from my RedHat linux systems daily and would send out emails to the attacking systems' administrators and their upstream providers (ISPs). Every day I would send 5-10 emails because my systems are almost constantly under attack by script-kiddie attempts to login to my systems. They basically try common usernames and passwords to see if they can login to the machine and use it for their own dastardly purposes.
The program basically:
1) gathers attackers IP addresses from login logs
2) looks up the abuse contact information for each IP
3) puts together an abuse report email to send to the abuse contacts
4) sends the abuse report email to the abuse contacts, with a copy to my Hosting company so they can use the information to stop future attacks (although I think I do more work than their whole abuse department)
5) outputs a log of steps 1-4 and emails it to me and my tech team
This process has been working fairly well and the perl script that we have works well on our RedHat systems parsing the /var/log/secure log and automatically doing what I used to spend a half an hour a day on.
I have now began another project to block the IP address (and sometimes the IP ranges) of attackers so that they can't even attempt to hack any of my networks or machines. This is still a mostly manual process that takes me from a half hour to an hour. I look at the IP address of the people who tried to login and failed, usually the number of attempts for any particular attacker range from 10 to several hundred or even thousands of login attempts. The higher the number of attempts, the faster I want to block them, since they are taking up a small portion of my resources.
So I've modified a whois lookup script to be able to store the IP address, IP range, abuse contact, whois host (whois.apnic.net, whois.arin.net, whois.afrinic.net, whois.ripe.net, etc.), date of incident, hostname of attacked machine, and source country of the attack. Most of the attacks come from other countries. I currently don't have any websites that require someone to connect from Asia or Africa, so I just block whole ranges of foreign universities and ISPs, etc. from where I'm being attacked so that something like it won't happen again (my other script already notifies them of the attack, and if they get back to me, I may unblock them).
What I want to automate next:
1) Automatically add entries into my database of attacks from all my systems.
2) Automatically publish IPs and IP ranges to my iptables block lists to all my systems.
Here is where I ask the question: Would you like to share your hacker's IP with me?
I think a distributed network of hacking information would be beneficial to sysadmins everywhere, similar to RBLs for spam, it would be great to setup a Realtime Block List for hackers. In fact I don't see any reason why the same software that some of the other RBLs use couldn't be ported for the purpose. Maybe I'm out of it and something already exists for it. I don't know that it would though, because not near as many people are aware of the hacking problems that happen, because they don't see the evidence of it in their email box every day.
However, if we were to block attackers from being able to keep getting more compromised machines by stopping them at their source, there would be far less machines from which attackers could launch their email spam campaigns. I think this effort would reap large benefits for all corporations. (Although it might put a few sysadmins out of a job if they let the secret out.) I'm one system administrator that would be glad to pass my abuse administrator duties to an automatic program. I'm also sure that pooling our information together will reap the most benefits for everyone.
Sunday Evening Walks
-
We like to go on walks on Sunday evenings. Sometimes the whole family
comes along. Sometimes we walk around our neighborhood. Sometimes we drive
to a loca...
8 years ago
No comments:
Post a Comment