From: Jeffrey Goldberg
To: Andrew Gould
Cc: FreeBSD Questions
Date: Thu, 19 Feb 2009 12:27:27 -0600
Subject: Re: off topic: reporting attempts to access computers

On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:

> What information should I send to an abuse@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port
> 22.
So the source of these is almost always some other compromised Unix-like system.

> I obtained an abuse@* email address using 'whois' and reported
> the beginning and ending date/times and the originating IP address.

When reporting the times, be sure to make the time zone clear.

> Is there any other information I need to send? Is there someone
> else I should notify?

There's no general answer to that. It really depends on the specifics of the case. For example, a small business might have a small netblock and an abuse address, but isn't competent to deal with your notification. Think of a small business that has a bunch of Windows clients and one ancient RedHat system that hasn't been maintained for years and was set up by someone who doesn't work there anymore. In that case, it might be useful to inform their provider as well.

Back when I used to report these things, I had a template message for doing so.

> Most of the attacks I receive are from other continents, so I just
> block the network range found via 'whois'.

If you block, and your firewall will log the failed attempts, then you may also look at participating in DShield: http://www.dshield.org/howto.html

Cheers,

-j
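As an added example (not from this thread or its authors), the script below extracts the fields the reply asks for from sshd log lines: it groups "Invalid user" events by source IP and renders first/last attempt times with the zone stated explicitly. It assumes FreeBSD-style syslog timestamps (no year) and a host clock in UTC, both passed in as parameters; the log lines are constructed samples, not real traffic.

```python
"""Summarise sshd 'Invalid user' events into the fields an abuse desk needs.
Assumptions: syslog timestamps without a year, host clock in UTC."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real traffic). sshd writes:
#   "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from IP"
SAMPLE_LOG = """\
Feb 19 03:12:01 hagrid sshd[4123]: Invalid user admin from 192.0.2.10
Feb 19 03:12:04 hagrid sshd[4125]: Invalid user oracle from 192.0.2.10
Feb 19 03:12:09 hagrid sshd[4127]: Invalid user test from 192.0.2.10
Feb 19 03:40:55 hagrid sshd[4301]: Accepted publickey for jeff from 198.51.100.7 port 51022 ssh2
Feb 19 09:02:17 hagrid sshd[5210]: Invalid user guest from 203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def summarise(log_text, year, tz=timezone.utc):
    """Return {ip: {"first", "last", "count", "users"}} for invalid-user events.
    Timestamps are made timezone-aware so the report can state the zone."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "count": 0, "users": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        rec = by_ip[m["ip"]]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["count"] += 1
        rec["users"].append(m["user"])
    return dict(by_ip)

def abuse_report(ip, rec):
    """Render source IP, start/end (with explicit zone) and attempt count."""
    fmt = "%Y-%m-%d %H:%M:%S %Z"  # %Z prints the zone name, e.g. UTC
    return (f"Source IP: {ip}\n"
            f"First attempt: {rec['first'].strftime(fmt)}\n"
            f"Last attempt:  {rec['last'].strftime(fmt)}\n"
            f"Attempts: {rec['count']} (usernames: {', '.join(rec['users'])})")

if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE_LOG, 2009).items():
        print(abuse_report(ip, rec), end="\n\n")
```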