From: GESBBB
To: FreeBSD Users Questions
Date: Thu, 19 Feb 2009 12:01:16 -0800 (PST)
Subject: Re: off topic: reporting attempts to access computers
Message-ID: <428745.19949.qm@web32102.mail.mud.yahoo.com>
Delivered-To: freebsd-questions@freebsd.org

> From: Andrew Gould andrewlylegould@gmail.com
>
> What information should I send to an abuse@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port 22.  I
> obtained an abuse@* email address using 'whois' and reported the beginning
> and ending date/times and the originating IP address.
>
> Is there any other information I need to send?  Is there someone else I
> should notify?
>
> Most of the attacks I receive are from other continents, so I just block the
> network range found via 'whois'.  In this case, the IP address is fairly
> local, so I'm hesitant to block the entire range.

There are some applications that you might want to install that can help. Personally, I have found reporting the abuse virtually useless. I used to just include the entire log with the data that pertained to the user in question; however, that just proved a waste of time.

If you are using 'passwords' to access your account, you might want to consider using certificates instead. That is far safer than using a password that eventually can be cracked.

-- 
Jerry
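
Added example, not part of the original messages: a Python script that condenses sshd "Invalid user" log lines into the details the original poster describes reporting (originating IP address, first and last attempt times), plus the attempt count and the user names tried. The log lines, host name and addresses are constructed, and the classic syslog line layout and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (documentation IP ranges). The layout is assumed to be
# classic syslog; adjust the regex if your syslogd writes a different format.
SAMPLE_LOG = """\
Feb 19 03:12:41 host sshd[4101]: Invalid user admin from 203.0.113.5
Feb 19 03:12:44 host sshd[4103]: Invalid user test from 203.0.113.5
Feb 19 03:12:45 host sshd[4104]: Accepted publickey for andrew from 192.0.2.10 port 50522 ssh2
Feb 19 03:12:47 host sshd[4105]: Invalid user oracle from 203.0.113.5 port 40112
Feb 19 04:30:02 host sshd[4230]: Invalid user guest from 198.51.100.7
Feb 19 03:13:02 host sshd[4110]: Failed password for invalid user oracle from 203.0.113.5 port 40112 ssh2
"""

INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+)")

def summarize(log_text, year):
    """Group 'Invalid user' lines by source IP. Syslog omits the year, so pass it in."""
    report = {}
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue  # successful logins and other sshd messages are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = report.setdefault(
            m["ip"], {"first": when, "last": when, "count": 0, "users": []})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["count"] += 1
        if m["user"] not in entry["users"]:
            entry["users"].append(m["user"])
    return report

def format_report(report, tz_label):
    """One line per source IP, busiest first. tz_label is the log host's time zone."""
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = sorted(report.items(), key=lambda kv: -kv[1]["count"])
    return "\n".join(
        f"{ip}: {e['count']} sshd invalid-user attempts, {e['first'].strftime(fmt)} "
        f"to {e['last'].strftime(fmt)} {tz_label}; users tried: {', '.join(e['users'])}"
        for ip, e in rows)

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG, 2009), "UTC"))
```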