[linux-security] Re: WARNING: Break-in attempts
- From: "B. James Phillippe" <bryan terran org>
- To: Shaun Hedges <shedges shaw wave ca>
- Cc: linux-security redhat com
- Subject: [linux-security] Re: WARNING: Break-in attempts
- Date: Sat, 20 Jun 1998 12:59:01 -0700 (PDT)
On Thu, 18 Jun 1998, Shaun Hedges wrote:
> It is nice being paranoid, but what that person did is *not* illegal and would
> not hold any water in a court of law.
>
> He caused no loss of money, no denial of service, nothing.
No, being paranoid is not nice. Being paranoid sucks; however, it's a
necessary foundation to having good security policies. Warning against
intrusion with the threat of legal recourse is also a prudent measure of
warding off low-class tech criminals.
> How can you deduce that the attacks were made by root user? ident is easily
> spoofable.
Because the user was logged into his system as root and several of the
attacks originated on well-known ports. Well-known ports can only be
opened by privileged processes (privileged means root).
> How do you know that inu.net was not in fact 0wned first and he was using
> that host for some sort of diversion mechanism?
Who could? Who cares? The only relevant information is that a dialup-host
was probing a critical system. If attacks were originating from additional
hosts, I'd be suspicious of them, too.
> How do you know that he is not reading your e-mail right now and laughing at
> you because he knows nothing happened?
There are several types of crackers in this world. Most of them are "little
guys". "Little guys" are newbies. They've just downloaded Satan or LRK
and are playing with it. They have prebuilt copies of nestea, bonk,
teardrop, et al. They don't know what it does, just how to run it. These
novices are by far one of the greatest threats simply because of the number
of other novices (innocent ones) available to be preyed on. Launching an
awkward, ill-planned and easily identifiable attack against those of us
that are not novices is not a laughing matter.
> There are so many variables in situations like this you have to take into
> effect, and it seems that you haven't.
This amusing comment doesn't need a response. ;)
> It is nice being paranoid, but really. What this person did is not illegal,
> and you should just forget about it. This happens to me every day, if I really
> wanted to threaten them then I would send email to their admins, but there is
> no use.
>
> They would rather have people doing bad stuff and paying money, than have no
> money at all.
Some of them would. Most of them however realize that time spent handling
complaints and repairing damage done to their systems due to retribution is
more than the amount they make on a single user. But in any case, those of
us who are concerned about security appreciate (at least) the following
guidelines:
1.) Log all suspicious behavior.
2.) Investigate/monitor logs.
3.) Respond to the authoritative figures regarding all suspicious activity.
-bp
--
B. James Phillippe <bryan terran org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
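
An added example, not part of the original message: one way to apply guidelines 1 and 2 together with the source-port observation above, by grouping denied connections per source host and counting those sent from a port below 1024. The log format, the addresses (documentation ranges), the `summarize` function and the `min_ports` threshold are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
Jun 18 02:11:04 gw kernel: DENY tcp 192.0.2.77:1023 -> 198.51.100.10:23
Jun 18 02:11:05 gw kernel: DENY tcp 192.0.2.77:1022 -> 198.51.100.10:111
Jun 18 02:11:07 gw kernel: DENY tcp 192.0.2.77:3410 -> 198.51.100.10:143
Jun 18 02:15:40 gw kernel: DENY tcp 203.0.113.5:40211 -> 198.51.100.10:80
Jun 18 02:16:02 gw kernel: garbled line without addresses
"""

LINE_RE = re.compile(
    r"DENY (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
PRIVILEGED_MAX = 1023  # ports 0-1023 need root to bind on Unix hosts


def summarize(log_text, min_ports=3):
    """Group denied connections by source host.

    Returns {src: {"ports": [...], "privileged": n, "probe": bool}} where
    "privileged" counts attempts sent from a source port <= 1023 and
    "probe" is True when the host touched at least min_ports distinct ports.
    """
    hosts = defaultdict(lambda: {"ports": set(), "privileged": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        entry = hosts[m["src"]]
        entry["ports"].add(int(m["dport"]))
        if int(m["sport"]) <= PRIVILEGED_MAX:
            entry["privileged"] += 1
    return {
        src: {
            "ports": sorted(e["ports"]),
            "privileged": e["privileged"],
            "probe": len(e["ports"]) >= min_ports,
        }
        for src, e in hosts.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```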