Re: off topic: reporting attempts to access computers

2009-02-22 Thread Steve Bertrand
Andrew Gould wrote:

> Yes, it's probably time to move to certificates.  Thanks for the suggestion.

If you realize this, then you also want to look at devising an
allow-allow-deny_by_default approach for other critical protocols that
you can't employ certificates for...

Instead of blocking huge netblocks with your firewall (possibly causing
a denial of service on legitimate hosts), it's easier and more resource
friendly to create access rules that deny by default in ANY case. (Those
who provide transit or hosting services can obviously ignore this).

Steve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: off topic: reporting attempts to access computers

2009-02-19 Thread Wojciech Puchar

> My logs show a dictionary attack of invalid user names against port 22.  I
> obtained an ab...@* email address using 'whois' and reported the beginning
> and ending date/times and the originating IP address.
>
> Is there any other information I need to send?

I don't think so.
Anyway, if all passwords are well made, there is still no problem.

> Is there someone else I should notify?

I don't think so.

> Most of the attacks I receive are from other continents, so I just block the
> network range found via 'whois'.

It's a good solution, mostly because those in ab...@* often simply ignore
such mails.



Re: off topic: reporting attempts to access computers

2009-02-19 Thread Jeffrey Goldberg

On Feb 19, 2009, at 12:00 PM, Andrew Gould wrote:

> What information should I send to an ab...@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port 22.

So the source of these is almost always some other compromised Unix-like
system.

> I obtained an ab...@* email address using 'whois' and reported
> the beginning and ending date/times and the originating IP address.

When reporting the times, be sure to make the time zone clear.

> Is there any other information I need to send?  Is there someone else I
> should notify?

There's no general answer to that.  It really depends on the specifics of
the case.  For example, a small business might have a small netblock
and an abuse address, but aren't competent to deal with your
notification.  Think of a small business that has a bunch of Windows
clients and one ancient RedHat system that hasn't been maintained for
years and was set up by someone who doesn't work there anymore.  In
that case, it might be useful to inform their provider as well.

Back when I used to report these things, I had a template message for
doing so.

> Most of the attacks I receive are from other continents, so I just
> block the network range found via 'whois'.

If you block, and your firewall will log the failed attempts, then you
may also look at participating in DShield

  http://www.dshield.org/howto.html

Cheers,

-j
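
An added example, not part of the original thread: one way to pull together what the messages above say to send (originating IP, beginning and ending times) with the time zone made explicit. The sample log lines, host name, year and UTC-6 offset are constructed assumptions; syslog lines of this form carry neither a year nor a zone, so the reporter has to supply both.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in classic BSD syslog format (no year, no time zone).
SAMPLE_LOG = """\
Feb 19 11:58:03 myhost sshd[4121]: Invalid user admin from 192.0.2.10
Feb 19 11:58:05 myhost sshd[4123]: Invalid user test from 192.0.2.10
Feb 19 12:03:41 myhost sshd[4130]: Invalid user oracle from 192.0.2.10
Feb 19 12:10:00 myhost sshd[4140]: Accepted publickey for andrew from 198.51.100.7 port 51000 ssh2
Feb 19 23:59:58 myhost sshd[4200]: Invalid user guest from 198.51.100.99
"""

INVALID_USER = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)"
)

def summarize(log_text, year, utc_offset_hours):
    """Group 'Invalid user' events by source IP with zone-aware first/last times."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue  # successful logins and unrelated messages are not reported
        stamp, user, ip = m.groups()
        # The log omits year and zone, so attach the values the caller states.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events[ip].append((when.replace(tzinfo=tz), user))
    report = {}
    for ip, seen in events.items():
        times = sorted(t for t, _ in seen)
        report[ip] = {
            "attempts": len(seen),
            "first_local": times[0].isoformat(),
            "last_local": times[-1].isoformat(),
            "first_utc": times[0].astimezone(timezone.utc).isoformat(),
            "last_utc": times[-1].astimezone(timezone.utc).isoformat(),
            "usernames": sorted({u for _, u in seen}),
        }
    return report

def render(report):
    """Format the summary as plain text suitable for pasting into a report."""
    out = []
    for ip, r in sorted(report.items()):
        out.append(f"Source IP: {ip}  ({r['attempts']} invalid-user attempts)")
        out.append(f"  First: {r['first_local']}  (UTC {r['first_utc']})")
        out.append(f"  Last:  {r['last_local']}  (UTC {r['last_utc']})")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG, 2009, -6)))
```

The last sample line shows why the zone matters: 23:59:58 local time on Feb 19 is already Feb 20 in UTC.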



Re: off topic: reporting attempts to access computers

2009-02-19 Thread GESBBB
> From: Andrew Gould andrewlylego...@gmail.com
>
> What information should I send to an ab...@* address when reporting a
> break-in attempt?
>
> My logs show a dictionary attack of invalid user names against port 22.  I
> obtained an ab...@* email address using 'whois' and reported the beginning
> and ending date/times and the originating IP address.
>
> Is there any other information I need to send?  Is there someone else I
> should notify?
>
> Most of the attacks I receive are from other continents, so I just block the
> network range found via 'whois'.  In this case, the IP address is fairly
> local, so I'm hesitant to block the entire range.

There are some applications that you might want to install that can help. 
Personally, I have found reporting the abuse virtually useless. I used to just 
include the entire log with the data that pertained to the user in question; 
however, that just proved a waste of time.

If you are using 'passwords' to access your account, you might want to consider 
using certificates instead. That is far safer than using a password that 
eventually can be cracked.

-- 
Jerry


Re: off topic: reporting attempts to access computers

2009-02-19 Thread Andrew Gould
On Thu, Feb 19, 2009 at 2:01 PM, GESBBB ges...@yahoo.com wrote:

> > From: Andrew Gould andrewlylego...@gmail.com
> >
> > What information should I send to an ab...@* address when reporting a
> > break-in attempt?
> >
> > My logs show a dictionary attack of invalid user names against port 22.  I
> > obtained an ab...@* email address using 'whois' and reported the beginning
> > and ending date/times and the originating IP address.
> >
> > Is there any other information I need to send?  Is there someone else I
> > should notify?
> >
> > Most of the attacks I receive are from other continents, so I just block the
> > network range found via 'whois'.  In this case, the IP address is fairly
> > local, so I'm hesitant to block the entire range.
>
> There are some applications that you might want to install that can help.
> Personally, I have found reporting the abuse virtually useless. I used to
> just include the entire log with the data that pertained to the user in
> question; however, that just proved a waste of time.
>
> If you are using 'passwords' to access your account, you might want to
> consider using certificates instead. That is far safer than using a password
> that eventually can be cracked.
>
> --
> Jerry


Yes, it's probably time to move to certificates.  Thanks for the suggestion.

Andrew