On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:

What information should I send to an ab...@* address when reporting a
break-in attempt?

My logs show a dictionary attack of invalid user names against port 22.

So source of these is almost always some other compromised Unix-like system.

I obtained an ab...@* email address using 'whois' and reported
the beginning and ending date/times and the originating IP address.

When reporting the times, be sure to make the time zone clear.

Is there any other information I need to send? Is there someone else I
should notify?

There's no general answer to that. It really depends the specifics of the case. For example, a small business might have a small netblock and an abuse address, but aren't competent to deal with your notification. Think of a small business that has a bunch of Window's clients and one ancient RedHat system that hasn't been maintained for years and was set up by someone who doesn't work there anymore. In that case, it might be useful to inform their provider as well.

Back when I used to report these things, I had a template message for doing so.

Most of the attacks I receive are from other continents, so I just block the
network range found via 'whois'.

If you block, and your firewall will log the failed attempts, then you may also look at participating in DShield




freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to