Do you read your server logs? I admit that I only read them rarely. Let's face it, they are pretty dull and repetitive. Most sensible administrators - those who do not find reading syslogs eight times a day to be rewarding - will use some sort of log monitoring tool to let them know if anything interesting is going on. My favorite would be logwatch, and I have also used swatch in the past. However, these and other fine tools, even after very careful and time-consuming configuration, are prone to raising alarms when there is really nothing to see. And these false positives lead, over time, to the cry-wolf syndrome: you just stop listening to the alarms. Or you configure the monitoring tool to ignore potentially interesting information just to shut it up.
One of the systems that I am responsible for is an old Compaq/HP Tru64 Unix box. Tru64 has among its features an alarm that is tripped if too many entries are written to the system binary log in a short period of time. Recently, we received this alarm stating that over 500 log entries had been made in a one-minute period. I immediately thought that one of the drives was dying a most unwelcome death again. However, when I checked the log, it turned out that some IP at a Spanish university (names withheld to protect the guilty) had made over 1000 attempts to brute-force the root password via ssh in a two-minute period (try THC-Hydra). Of course, root logins via ssh were disabled (check your sshd_config) and the root password is very strong anyway, so no harm was done.
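As an added illustration (not part of the original post) of the kind of burst alarm described above, here is a small Python detector that scans constructed OpenSSH auth-log lines and reports each source address whose failed logins within a sliding window reach a threshold, so that a single typo from a legitimate user never trips it. The hostname, addresses, threshold and window length are assumptions, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines in a BSD-syslog style auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(lines):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def burst_sources(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: peak_count} for sources whose failures inside any
    `window` reach `threshold`. Lines are expected in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for ts, _user, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks

# Constructed sample: one bursting source, one user who mistyped twice hours apart.
SAMPLE_LOG = """\
Nov 13 09:00:12 fiji sshd[1900]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov 13 09:00:20 fiji sshd[1901]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Nov 13 10:15:01 fiji sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Nov 13 10:15:04 fiji sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Nov 13 10:15:09 fiji sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Nov 13 10:15:30 fiji sshd[2104]: Failed password for root from 192.0.2.10 port 40004 ssh2
Nov 13 10:16:02 fiji sshd[2105]: Failed password for root from 192.0.2.10 port 40005 ssh2
Nov 13 10:16:31 fiji sshd[2106]: Failed password for root from 192.0.2.10 port 40006 ssh2
Nov 13 11:20:00 fiji sshd[2300]: Failed password for root from 192.0.2.10 port 40100 ssh2
Nov 13 14:45:02 fiji sshd[2500]: Failed password for alice from 198.51.100.7 port 51300 ssh2
"""

if __name__ == "__main__":
    print(burst_sources(SAMPLE_LOG.splitlines()))   # {'192.0.2.10': 6}
```

Only the source that made six failures inside ninety seconds is reported; the later lone failure from the same address and alice's two mistakes stay below the threshold.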
But an attack is an attack, and even if revenge is not possible, at least some action should be taken to reduce the likelihood of recurrence. How can you do that? Let the attacker and the attacker's ISP know that you detected the attack and are motivated enough to do something about it. Hackers, whether pimply-faced script kiddiez or hardened criminals, are lazy and risk-averse and prefer to go after easy prey. If you detected this attack, you might detect others in the future. If you write a complaint email, you might call the police or at least your lawyer next time. How do you find your assailant's ISP? Through the controversial whois database.
After a couple of whois queries (try Sam Spade if you don't want to use the command line), I was able to contact the abuse email of the assailant's institution. Within 24 hours, they acknowledged receipt of my email. Within 48 hours they sent me an email stating that they had contacted the owner of the offending IP and were closing the trouble ticket. While I would like to have seen the assailant suffer in front of my own eyes, this is probably the best resolution that I could hope for. After all, the break-in was not successful and no damage was done other than wasting my time - not to mention the fact that Fiji has no cybercrime legislation, nor has a computer crime (or attempted computer crime) ever gone before Fiji's courts.