[Info-vax] intrusion detection
Michael Moroney
moroney at world.std.spaamtrap.com
Fri Mar 13 12:24:36 EDT 2009
joukj <joukj at hrem.nano.tudelft.nl> writes:
>Bill Gunshannon wrote:
>> In article <49ba3625$0$6682$703f8584 at textnews.kpn.nl>,
>> joukj <joukj at hrem.nano.tudelft.nl> writes:
>>> Hi All,
>>>
>>> Today I get the following at the command SHOW INTRUSION:
>>>
>>> Intrusion  Type     Count  Expiration               Source
>>> ---------  ----     -----  ----------               ------
>>> NETWORK    SUSPECT     22  13-MAR-2009 11:39:19.85  IUPOP3::79.121.128.74:eileen
>>> NETWORK    SUSPECT     22  13-MAR-2009 11:39:19.86  IUPOP3::79.121.128.74:elaine
>>> NETWORK    SUSPECT     22  13-MAR-2009 11:39:19.87
>>> The attack seems to come from one IP address using different usernames to
>>> get access to the POP server. Should the detection system not block
>>> all access from this host, rather than per user? As it is configured
>>> now they can keep trying to get in (and waste bandwidth, because they will
>>> not succeed).
These are "zombie" computers trying to make more "zombies".
Check your LGI$ SYSGEN parameters (I believe they're dynamic). In
particular, there's one that determines whether attacks against two
different usernames are treated as two unrelated breakin attempts or one
attempt. You want to consider it one attempt. From this:
>> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.85
>> IUPOP3::79.121.128.74:eileen
>> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.86
>> IUPOP3::79.121.128.74:elaine
it appears the attempt to break into "eileen" is treated as a different
breakin from the attempt against "elaine".
Check the ones that determine how many SUSPECTs are allowed before being
considered an INTRUDER, plus the times involved.
>I know. Also the abuse was already reported to the "computer authorities" in
>my university in order to "stop" the abuse.
>My question was more one of "principle" for the next time, since at present I
>can block the "offending" IP address. But if the attack comes from a
>completely different network in future it will not be blocked (the pop3
>service i.e. should be open for our legal clients from outside the
>university). I was just wondering why all these offences were logged as
>"single" offences and not "bundled" as one, so that a retry with another
>user-name does not help. I noticed that the SSHD from HP TCP/IP probably
>does this.
I get these breakin attempts all the time. I've seen 30,000+ attempts at
once. In fact, I created a little program that, once it reaches "INTRUDER"
on an SSH/FTP login attempt, routes the IP address it comes from (the
whole /24, actually) to the bit bucket. No more attempts, at least
until the zombies start coming from somewhere else.
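Added illustration, not part of the original posts and not Michael's program or any HP/OpenVMS code: a Python model of the two bundling policies the thread contrasts (one SUSPECT record per source-and-username, as the quoted SHOW INTRUSION output shows, versus one record per source host, so that cycling usernames still reaches INTRUDER). The failure records are constructed to mirror the quoted output; the thresholds are assumptions set to the LGI_BRK_LIM / LGI_BRK_TMO / LGI_HID_TIM defaults of 5 failures, 300 s and 300 s; and the "drop the whole /24" step is modelled by generating Linux blackhole-route commands as strings, never executing them.

```python
"""Model of OpenVMS-style break-in bundling: per (source, user) vs per source.

Constructed example for the thread above; not OpenVMS code and not the
poster's null-routing program. Thresholds are assumed defaults in the spirit
of the LGI_BRK_* parameters: 5 failures (LGI_BRK_LIM) inside 300 s
(LGI_BRK_TMO) turn a SUSPECT into an INTRUDER evaded for 300 s (LGI_HID_TIM).
"""
from datetime import datetime, timedelta
import ipaddress

BRK_LIM = 5      # assumed: failures before SUSPECT -> INTRUDER
BRK_TMO = 300    # assumed: seconds a SUSPECT record stays alive
HID_TIM = 300    # assumed: seconds an INTRUDER stays locked out (evasion)

# Constructed failure records (timestamp, source IP, username), modelled on the
# SHOW INTRUSION output quoted in the thread: one host cycling through usernames.
FAILURES = [
    ("13-MAR-2009 11:34:19.85", "79.121.128.74", "eileen"),
    ("13-MAR-2009 11:34:19.86", "79.121.128.74", "elaine"),
    ("13-MAR-2009 11:34:20.10", "79.121.128.74", "emily"),
    ("13-MAR-2009 11:34:20.40", "79.121.128.74", "erin"),
    ("13-MAR-2009 11:34:20.70", "79.121.128.74", "eva"),
    ("13-MAR-2009 11:40:00.00", "10.0.0.5", "joukj"),   # one typo from a real user
]

VMS_TIME = "%d-%b-%Y %H:%M:%S.%f"


def parse_ts(text):
    """Parse a VMS-style timestamp such as 13-MAR-2009 11:34:19.85."""
    return datetime.strptime(text, VMS_TIME)


def classify(failures, per_user):
    """Replay login failures and return {association: record}.

    per_user=True  -> association is 'ip:username' (what the quoted output
                      shows: eileen and elaine are separate SUSPECTs).
    per_user=False -> association is the source IP only, so retries with
                      fresh usernames still count toward one INTRUDER.
    """
    records = {}
    for ts, ip, user in failures:
        t = parse_ts(ts)
        key = f"{ip}:{user}" if per_user else ip
        rec = records.get(key)
        if rec is None or t > rec["expiration"]:
            # No live record for this association: start a fresh SUSPECT.
            rec = {"source": ip, "type": "SUSPECT", "count": 0, "expiration": t}
            records[key] = rec
        rec["count"] += 1
        if rec["count"] >= BRK_LIM:
            rec["type"] = "INTRUDER"
            rec["expiration"] = t + timedelta(seconds=HID_TIM)
        else:
            rec["expiration"] = t + timedelta(seconds=BRK_TMO)
    return records


def intruder_networks(records, prefix=24):
    """Return the /prefix networks (as strings) that contain an INTRUDER source.

    Mirrors the 'drop the whole /24' policy from the thread; the prefix is an
    assumption you may tighten to 32 for single-host blocks.
    """
    nets = set()
    for rec in records.values():
        if rec["type"] == "INTRUDER":
            net = ipaddress.ip_network(f"{rec['source']}/{prefix}", strict=False)
            nets.add(str(net))
    return sorted(nets)


def null_route_commands(records, prefix=24):
    """Linux 'ip route' blackhole commands for each intruder network.

    Returned as strings only; nothing here executes them.
    """
    return [f"ip route add blackhole {net}" for net in intruder_networks(records, prefix)]


def show_intrusion(records):
    """Render records in the column layout of SHOW INTRUSION."""
    lines = [f"{'Intrusion':<9} {'Type':<8} {'Count':>5}  {'Expiration':<23} Source",
             f"{'---------':<9} {'----':<8} {'-----':>5}  {'----------':<23} ------"]
    for key, rec in records.items():
        exp = rec["expiration"].strftime(VMS_TIME)[:-4].upper()
        lines.append(f"{'NETWORK':<9} {rec['type']:<8} {rec['count']:>5}  {exp:<23} {key}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Per source+user (as in the thread):")
    print(show_intrusion(classify(FAILURES, per_user=True)))
    print("\nPer source only:")
    by_source = classify(FAILURES, per_user=False)
    print(show_intrusion(by_source))
    print("\nWould null-route:", *null_route_commands(by_source), sep="\n  ")
```

Run as a script it prints both tables: with per-user association the five failures from 79.121.128.74 stay five unrelated SUSPECTs, exactly the pattern in the quoted output; with per-source association the same five failures become one INTRUDER and the host's /24 is the block candidate. The single failure from 10.0.0.5 stays a SUSPECT in both views, which is the behaviour you want for a legitimate remote user who mistyped a password.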