(Where) should I report break-in attempts?

Posted by Tristan Miller on June 6, 2006, 9:06 pm
Greetings.

Most of the time my computers are behind a router/firewall that blocks port
22, but occasionally I unblock it if I'm going somewhere and need to log
into my machines remotely. Whenever I do this I notice in
my /var/log/messages that some script kiddie is repeatedly connecting via
ssh and trying to guess usernames. The IP changes every time so I'm not
sure if it's just one guy using hijacked machines or different people.

Is it worth reporting this behaviour to whatever ISP is associated with the
IP addresses? Is there some sort of SpamCop-type service that will
automatically file a report to the correct contact address? Or should I
just copy and paste from /var/log/messages and send it to
abuse@example.com, where example.com is whatever domain name nslookup
associates with the IP address?

Regards,
Tristan

--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\ http://www.nothingisreal.com/ >< To finish what you

Posted by Tristan Miller on June 6, 2006, 9:21 pm
Greetings.

wrote:

> Most of the time my computers are behind a router/firewall that blocks
> port 22, but occasionally I unblock it if I'm going somewhere and need to
> log
> into my machines remotely. Whenever I do this I notice in
> my /var/log/messages that some script kiddie is repeatedly connecting via
> ssh and trying to guess usernames. The IP changes every time so I'm not
> sure if it's just one guy using hijacked machines or different people.

I should clarify that the IP changes each time I enable port 22 (which is
once a day every few weeks), not every time a connection is made.

Regards,
Tristan


Posted by Unruh on June 6, 2006, 10:59 pm

>Greetings.

>Most of the time my computers are behind a router/firewall that blocks port
>22, but occasionally I unblock it if I'm going somewhere and need to log
>into my machines remotely. Whenever I do this I notice in
>my /var/log/messages that some script kiddie is repeatedly connecting via
>ssh and trying to guess usernames. The IP changes every time so I'm not
>sure if it's just one guy using hijacked machines or different people.

>Is it worth reporting this behaviour to whatever ISP is associated with the
>IP addresses? Is there some sort of SpamCop-type service that will
>automatically file a report to the correct contact address? Or should I
>just copy and paste from /var/log/messages and send it to
>abuse@example.com, where example.com is whatever domain name nslookup
>associates with the IP address?

Make sure your passwords are strong. And then forget about it. Those are
hijacked machines, usually belonging to people who do not give a damn that
they are hijacked. If you enjoy catching rain in a sieve, you might try
sending notices to the ISPs. You will not get answers, and you will not
decrease your attacks.



Posted by Robert on June 9, 2006, 11:14 pm
On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:

> Greetings.
>
> Most of the time my computers are behind a router/firewall that blocks port
> 22, but occasionally I unblock it if I'm going somewhere and need to log
> into my machines remotely. Whenever I do this I notice in
> my /var/log/messages that some script kiddie is repeatedly connecting via
> ssh and trying to guess usernames. The IP changes every time so I'm not
> sure if it's just one guy using hijacked machines or different people.

I see you have a few options:

1. Use Key-login
2. Use a different port
3. Use IPTABLES to block all connections after x number of failed
connections.

It would be best to use all 3 of these options and then you would really
be securing your system.


--

Regards
Robert

Smile... it increases your face value!


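As an added example (not code from any poster in this thread), the triage Tristan describes and Robert's option 3 in one script: count failed sshd logins per source address from /var/log/messages lines, flag sources over a failure threshold, and build the paste-ready summary for a mail to that network's abuse contact. The log lines, hostname and addresses are constructed; looking up the abuse contact itself is left to whois or nslookup as in the original question.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/messages lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Jun  6 20:51:12 zeus sshd[4021]: Invalid user admin from 192.0.2.10
Jun  6 20:51:12 zeus sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun  6 20:51:19 zeus sshd[4023]: Invalid user test from 192.0.2.10
Jun  6 20:51:19 zeus sshd[4023]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Jun  6 20:51:26 zeus sshd[4025]: Failed password for root from 192.0.2.10 port 51251 ssh2
Jun  6 20:52:01 zeus sshd[4030]: Failed password for root from 198.51.100.7 port 4022 ssh2
Jun  6 20:55:03 zeus sshd[4044]: Accepted publickey for tristan from 203.0.113.5 port 50000 ssh2
"""

# One match per guess: only the "Failed ..." line is counted, because sshd
# also logs a separate "Invalid user" line for the same attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins(log_text):
    """Return {ip: {"count": n, "users": set(...)}} for failed sshd logins."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")]["count"] += 1
            per_ip[m.group("ip")]["users"].add(m.group("user"))
    return dict(per_ip)


def offenders(per_ip, threshold):
    """Sources with at least `threshold` failures: Robert's option 3 as a rule."""
    return sorted(ip for ip, e in per_ip.items() if e["count"] >= threshold)


def abuse_report(ip, per_ip, log_text):
    """Summary plus the raw lines for one source, ready to paste into an abuse mail."""
    e = per_ip[ip]
    pattern = re.compile(rf"\bfrom {re.escape(ip)}\b")
    evidence = [line for line in log_text.splitlines() if pattern.search(line)]
    return (f"Source: {ip}\nFailed SSH logins: {e['count']}\n"
            f"Usernames tried: {', '.join(sorted(e['users']))}\n"
            "Log lines (timestamps are this host's local time):\n"
            + "\n".join(evidence))


if __name__ == "__main__":
    summary = failed_logins(SAMPLE_LOG)
    for ip in offenders(summary, threshold=3):
        print(abuse_report(ip, summary, SAMPLE_LOG), end="\n\n")
```

Run it against a real file with `failed_logins(open("/var/log/messages").read())`; the threshold is the same knob an iptables or fail2ban-style rule would use, so the script doubles as a dry run for option 3.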

Posted by Chuck on June 12, 2006, 3:28 pm
Robert wrote:
> On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:
>
>> Greetings.
>>
>> Most of the time my computers are behind a router/firewall that blocks port
>> 22, but occasionally I unblock it if I'm going somewhere and need to log
>> into my machines remotely. Whenever I do this I notice in
>> my /var/log/messages that some script kiddie is repeatedly connecting via
>> ssh and trying to guess usernames. The IP changes every time so I'm not
>> sure if it's just one guy using hijacked machines or different people.
>
> I see you have a few options:
>
> 1. Use Key-login
> 2. Use a different port
> 3. Use IPTABLES to block all connections after x number of failed
> connections.
>
> It would be best to use all 3 of these options and then you would really
> be securing your system.
>
>

FYI I am running my ssh server on a nonstandard port (way up high), and
set the only authentication method allowed to be PubkeyAuthentication.
In 6 months with this config, not one break-in attempt has been detected.

