On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:
What information should I send to an ab...@* address when reporting a
break-in attempt?
My logs show a dictionary attack of invalid user names against port
22.
So source of these is almost always some other compromised Unix-like
system.
I obtained an ab...@* email address using 'whois' and reported
the beginning and ending date/times and the originating IP address.
When reporting the times, be sure to make the time zone clear.
Is there any other information I need to send? Is there someone
else I
should notify?
There's no general answer to that. It really depends the specifics of
the case. For example, a small business might have a small netblock
and an abuse address, but aren't competent to deal with your
notification. Think of a small business that has a bunch of Window's
clients and one ancient RedHat system that hasn't been maintained for
years and was set up by someone who doesn't work there anymore. In
that case, it might be useful to inform their provider as well.
Back when I used to report these things, I had a template message for
doing so.
Most of the attacks I receive are from other continents, so I just
block the
network range found via 'whois'.
If you block, and your firewall will log the failed attempts, then you
may also look at participating in DShield
http://www.dshield.org/howto.html
Cheers,
-j
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
