off topic: reporting attempts to access computers
Jeffrey Goldberg
jeffrey at goldmark.org
Thu Feb 19 10:27:30 PST 2009
On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:
> What information should I send to an abuse@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port
> 22.
So source of these is almost always some other compromised Unix-like
system.
> I obtained an abuse@* email address using 'whois' and reported
> the beginning and ending date/times and the originating IP address.
When reporting the times, be sure to make the time zone clear.
> Is there any other information I need to send? Is there someone
> else I
> should notify?
There's no general answer to that. It really depends the specifics of
the case. For example, a small business might have a small netblock
and an abuse address, but aren't competent to deal with your
notification. Think of a small business that has a bunch of Window's
clients and one ancient RedHat system that hasn't been maintained for
years and was set up by someone who doesn't work there anymore. In
that case, it might be useful to inform their provider as well.
Back when I used to report these things, I had a template message for
doing so.
> Most of the attacks I receive are from other continents, so I just
> block the
> network range found via 'whois'.
If you block, and your firewall will log the failed attempts, then you
may also look at participating in DShield
http://www.dshield.org/howto.html
Cheers,
-j
More information about the freebsd-questions
mailing list