# SSH attacks and law...



## akripo (Oct 25, 2009)

Hi to all,

First of all I want to say that I am missing a security-dedicated subforum on this forums.

To the point: 
I have some FreeBSD servers running 24X7 and I have the port 22 and the openssh daemon running. 

It is required by the network infrastructure to use only the port 22 for this purpose and not any other port and for that reason I receive daily ssh probes and dictionary attacks on the logs from attackers.

Of course I have taken all the needed precautions such us very strict openssh configuration and denyhosts configured using custom scripts that blocks the attacker at the firewall level as well.

Now I am planning to write a script to be executed by denyhosts so as to detect attackers's isp from the whois database and send an informational email to their isp's abuse mailing list about the attackers actions.

Do you have any comment on this? Do you find something not legal there in the terms of law?

Thanks


----------



## DutchDaemon (Oct 25, 2009)

> First of all I want to say that I am missing a security-dedicated subforum on this forums.


http://forums.freebsd.org/showthread.php?t=4108

As to informing abuse desks of ISPs: I've been doing that professionally for about five years. Observations:

1. not all ISPs have abuse deks
2. loads of ISPs and networks don't even have an abuse address
3. some ISPs want you to fill out a web form
4. most of them don't reply or have a full abuse mailbox
5. complaining to ISPs in about 95% of the world is useless
6. lots of organisations don't care about complaints from end-users
7. IP addresses can easily be spoofed, leading to misdirected complaints (which may actually be the goal)
8. many organisations lack personnel, knowledge and resources to handle complaints
9. simply block and forget


----------



## akripo (Oct 25, 2009)

Thanks DutchDaemon
I was aware from this FAQ. Maybe I wasn't clear enough: IMHO what I meant was that a dedicated subforum like the "General", "Window managers" etc.. to post new threads and discuss about security oriented issues was nice to have.


----------



## akripo (Oct 25, 2009)

Continuing from the last post..
Ok, I understand that it is useless based on your experience and that will make stop creating that kind of script.
In general, the act of sending complains with specific IP addresses to the abuse lists is 100% legal?


----------



## DutchDaemon (Oct 25, 2009)

Of course it is.


----------



## DutchDaemon (Oct 25, 2009)

Most security-related issues are covered by that HowTo, and the subjects that do come up usually find their way to the appropriate forums, Base System, Firewalling and Web & Network Services, so that basically covers 'how to secure' and 'what to secure'. Security all by itself isn't a very well-defined area. It always ties in with the OS, tools and services somehow, so having security topics in those forums makes more sense.


----------



## fronclynne (Oct 26, 2009)

akripo said:
			
		

> Now I am planning to write a script to be executed by denyhosts so as to detect attackers's isp from the whois database and send an informational email to their isp's abuse mailing list about the attackers actions.


Be doubly careful with scripts that send e-mail.

If you get flooded with attacks you could end up unwittingly sending thousands of e-mails to any given ISP, which might actually get their attention, & get you blacklisted as a spammer or sued for unreasonable use of their resources.


----------



## SirDice (Oct 26, 2009)

DutchDaemon said:
			
		

> 7. IP addresses can easily be spoofed, leading to misdirected complaints (which may actually be the goal)


While true spoofing a fully blown TCP connection (which is needed for the authentication to work) is hard enough to do in a lab environment. Forget about doing a blind spoof over the Internet.

UDP and ICMP however are a different matter, they're simple even via the Internet.

Do note that these types of attacks are usually done from hacked boxes. Noone in their right mind is going to do this from their own home.


----------



## SirDice (Oct 26, 2009)

akripo said:
			
		

> In general, the act of sending complains with specific IP addresses to the abuse lists is 100% legal?


Why would sending a complaint to an abuse address be illegal?


----------



## akripo (Oct 26, 2009)

SirDice said:
			
		

> Why would sending a complaint to an abuse address be illegal?



IMHO since the IP address and an access to a computer resource at specific date & time could be defined as some sort of personal data in some aspect, so I don't know how this can handled properly.

Also I could think of some other reasons, such as IP/hostname mistakes or something that may led to repeated unsuccessful logins.

I have also heard some stories of people in the US suing restaurant due to a hot cafe skin-burn , some other who step on their shoelace and fell down and sued the mayor for the bad pedestals and won !!! 

I agree with DutchDaemon and it will be only a waste of time by creating this script.


----------



## akripo (Oct 26, 2009)

pedestals => pavements
Sorry for my bad English


----------



## SirDice (Oct 26, 2009)

akripo said:
			
		

> IMHO since the IP address and an access to a computer resource at specific date & time could be defined as some sort of personal data in some aspect, so I don't know how this can handled properly.


Yes but they're your computer resources which they're trying to illegally obtain. In a lot of countries the act of gaining (or trying to gain) unauthorized access is a criminal offense. This outweighs any privacy issues.



> Also I could think of some other reasons, such as IP/hostname mistakes or something that may led to repeated unsuccessful logins.


Which is why it's considered good form to at least inform the abuse desk of that ISP. They can inform their customer.



> I have also heard some stories of people in the US suing restaurant due to a hot cafe skin-burn , some other who step on their shoelace and fell down and sued the mayor for the bad pedestals and won !!!


True but those are civil lawsuits. Hacking is a criminal offense.



> I agree with DutchDaemon and it will be only a waste of time by creating this script.


That I agree. You will run the risk of flooding an abuse desk with emails which will only result in you being ignored or put on a spammers list.


If you do write an email to an abuse@ use a text only email, no attachments. Short statement on what is happening and some log file extracts. Nothing more. Do NOT put all sorts of analytical data in there like whois extracts etc. Keep it simple and stick to facts (bits of logs that show what's going on.


----------



## overmind (Oct 29, 2009)

It is possible to build a database with such ip addresses, on the same way blacklists for spams are built?


----------



## akripo (Oct 30, 2009)

overmind said:
			
		

> It is possible to build a database with such ip addresses, on the same way blacklists for spams are built?



The denyhosts already does this job. See this link


----------

