Date:      Thu, 19 Feb 2009 12:27:27 -0600
From:      Jeffrey Goldberg <jeffrey@goldmark.org>
To:        Andrew Gould <andrewlylegould@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: off topic: reporting attempts to access computers
Message-ID:  <3A1F930B-588E-4B24-9C7D-D87282055FE0@goldmark.org>
In-Reply-To: <d356c5630902191000n16c3d3a0md98c4246a5ff2c79@mail.gmail.com>
References:  <d356c5630902191000n16c3d3a0md98c4246a5ff2c79@mail.gmail.com>

On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:

> What information should I send to an abuse@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port 22.

So the source of these is almost always some other compromised Unix-like
system.

> I obtained an abuse@* email address using 'whois' and reported
> the beginning and ending date/times and the originating IP address.

When reporting the times, be sure to make the time zone clear.

> Is there any other information I need to send?  Is there someone else I
> should notify?

There's no general answer to that.  It really depends on the specifics of
the case.  For example, a small business might have a small netblock
and an abuse address, but isn't competent to deal with your
notification.  Think of a small business that has a bunch of Windows
clients and one ancient RedHat system that hasn't been maintained for
years and was set up by someone who doesn't work there anymore.  In
that case, it might be useful to inform their provider as well.

Back when I used to report these things, I had a template message for  
doing so.

> Most of the attacks I receive are from other continents, so I just
> block the network range found via 'whois'.

If you block, and your firewall will log the failed attempts, then you  
may also look at participating in DShield

   http://www.dshield.org/howto.html

Cheers,

-j
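As an added illustration of the report contents discussed above (source IP, start and end times with an unambiguous time zone), this script is not from the thread or from FreeBSD: it parses constructed sshd "Invalid user" syslog lines and summarises them per source address. The year and the local zone (assumed UTC-6) are supplied by the caller because syslog timestamps carry neither.

```python
# Added example: summarise sshd "Invalid user" log lines into the facts an
# abuse report needs: source IP, attempt count, usernames tried, and
# first/last timestamp with an explicit UTC offset (ISO 8601).
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample of syslog lines from sshd; the IPs are documentation ranges.
SAMPLE_LOG = """\
Feb 19 03:14:07 host sshd[4121]: Invalid user oracle from 192.0.2.45
Feb 19 03:14:09 host sshd[4123]: Invalid user test from 192.0.2.45
Feb 19 03:14:12 host sshd[4125]: Invalid user admin from 192.0.2.45
Feb 19 03:14:15 host sshd[4127]: Accepted publickey for jeff from 198.51.100.7 port 51022 ssh2
Feb 19 03:16:40 host sshd[4130]: Invalid user oracle from 192.0.2.45
"""
LOCAL_TZ = timezone(timedelta(hours=-6))  # assumed local zone of the reporting host

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_invalid_users(log_text, year, tz):
    """Return {ip: {"count", "users", "first", "last"}} for 'Invalid user' lines."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login line (e.g. a successful login)
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        rec = by_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return by_ip

def abuse_report(by_ip):
    """Render one block per source IP; isoformat() keeps the UTC offset visible."""
    lines = []
    for ip, r in sorted(by_ip.items()):
        lines.append(f"Source IP: {ip}")
        lines.append(f"  Attempts: {r['count']} (invalid usernames: {', '.join(sorted(r['users']))})")
        lines.append(f"  First: {r['first'].isoformat()}  Last: {r['last'].isoformat()}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(parse_invalid_users(SAMPLE_LOG, 2009, LOCAL_TZ)))
```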
