From owner-freebsd-questions@FreeBSD.ORG Thu Feb 19 20:36:27 2009
Date: Thu, 19 Feb 2009 14:36:26 -0600
From: Andrew Gould
To: GESBBB
Cc: FreeBSD Users Questions
Subject: Re: off topic: reporting attempts to access computers
In-Reply-To: <428745.19949.qm@web32102.mail.mud.yahoo.com>
References: <428745.19949.qm@web32102.mail.mud.yahoo.com>

On Thu, Feb 19, 2009 at 2:01 PM, GESBBB wrote:

> > From: Andrew Gould andrewlylegould@gmail.com
> >
> > What information should I send to an abuse@* address when reporting a
> > break-in attempt?
> >
> > My logs show a dictionary attack of invalid user names against port 22. I
> > obtained an abuse@* email address using 'whois' and reported the beginning
> > and ending date/times and the originating IP address.
> >
> > Is there any other information I need to send? Is there someone else I
> > should notify?
> >
> > Most of the attacks I receive are from other continents, so I just block the
> > network range found via 'whois'. In this case, the IP address is fairly
> > local, so I'm hesitant to block the entire range.
>
> There are some applications that you might want to install that can help.
> Personally, I have found reporting the abuse virtually useless. I used to
> just include the entire log with the data that pertained to the user in
> question; however, that just proved a waste of time.
>
> If you are using 'passwords' to access your account, you might want to
> consider using certificates instead. That is far safer than using a password
> that eventually can be cracked.
>
> --
> Jerry

Yes, it's probably time to move to certificates. Thanks for the suggestion.

Andrew
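One way to pull the details mentioned in the original question (originating IP address, beginning and ending date/times) out of sshd log lines, keeping only the lines that belong to the reported address. This is an added example, not part of the original thread: the log lines are constructed, and `summarize`, `format_report`, the `min_attempts` threshold and the `-0600` offset of the logging host are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 19 03:12:45 host sshd[4101]: Invalid user admin from 203.0.113.7
Feb 19 03:12:47 host sshd[4103]: Invalid user test from 203.0.113.7
Feb 19 03:12:50 host sshd[4105]: Invalid user oracle from 203.0.113.7 port 41822
Feb 19 03:13:02 host sshd[4110]: Accepted publickey for andrew from 192.0.2.10 port 50022 ssh2
Feb 19 04:40:11 host sshd[4188]: Invalid user guest from 198.51.100.23
Feb 19 05:01:09 host sshd[4230]: Invalid user admin from 203.0.113.7
"""

INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9A-Fa-f:.]+)"
)

def summarize(log_text, year, min_attempts=3):
    """Group 'Invalid user' lines by source IP; syslog omits the year, so pass it in."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((when, m["user"], line))
    report = {}
    for ip, hits in sorted(by_ip.items()):
        if len(hits) < min_attempts:
            continue  # skip one-off failures such as a mistyped login
        hits.sort()
        report[ip] = {
            "first": hits[0][0], "last": hits[-1][0], "count": len(hits),
            "users": sorted({h[1] for h in hits}),
            "evidence": [h[2] for h in hits],  # only this address's lines
        }
    return report

def format_report(report, tz="-0600"):
    """Render plain text for an abuse@ e-mail; tz is the log host's UTC offset."""
    return "\n\n".join(
        f"Source IP: {ip}\nService: sshd (TCP port 22)\n"
        f"First seen: {r['first']} {tz}\nLast seen: {r['last']} {tz}\n"
        f"Attempts: {r['count']}, invalid user names: {', '.join(r['users'])}\n"
        "Log excerpt:\n" + "\n".join(r["evidence"])
        for ip, r in report.items())

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG, 2009)))
```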