[Tfug] OT: Reporting Network Abuse?

Harry McGregor micros at osef.org
Sun Jun 24 14:28:54 MST 2007


Hi,

I tend to try and track down the box, if I think it's in a data center. 
If it's a customer (i.e. home) system on some ISP, I tend not to bother.

You can do a host on the IP, and a whois on the IP and figure out who to
email.

Additionally, you should run something like fail2ban to block SSH at the
iptables level after X failed logins.

                         Harry



Christopher Robbins wrote:
> I've opened up one of my boxes to the internet, and I've got the system
> locked down as much as possible.  However, having SSH access
> is nice,  so I've opened it up.  I've thought about using a different
> port...
>
> In leaving SSH open, I've noticed a ton of failed login attempts, like this:
>
> # vi /var/log/messages
> ...
> Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137
> Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137
> Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137
> Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
> Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137
> Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137
> Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137
> ...
>
> My question is - is it worth it to report the box to abuse at domain?  Does
> anything get done?
> I called RoadRunner the other day, and they had an automated message that
> demanded an email with all relevant logs/etc before they'd think about doing
> anything.
>
> Thoughts?
>
>   - Chris
>
>   
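Harry's two suggestions above, a lookup to find out whom to mail and a fail2ban-style ban after X failures, as an added shell example that is not part of the original thread or of fail2ban itself. The log lines are a constructed sample modelled on the ones Chris posted (the 192.0.2.10 and 203.0.113.7 entries are made up, and each entry sits on one line as it does in the real /var/log/messages); the function names, the "5 failures within 10 minutes" threshold and the exact iptables rule are this example's own choices. abuse_contact needs network access, so the script defines it but does not call it.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal fail2ban-style
# detector run over sample sshd log lines, plus the lookup Harry describes.

# Constructed sample in the shape of Chris's log; 192.0.2.10 and 203.0.113.7
# are documentation addresses added for this example.
SAMPLE_LOG='Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137
Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137
Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137
Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137
Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137
Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137
Jun 24 04:10:01 linux-x8yr sshd[13600]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jun 24 09:10:01 linux-x8yr sshd[13610]: Failed password for root from 192.0.2.10 port 4023 ssh2
Jun 24 14:10:01 linux-x8yr sshd[13620]: Failed password for root from 192.0.2.10 port 4024 ssh2
Jun 24 19:10:01 linux-x8yr sshd[13630]: Failed password for root from 192.0.2.10 port 4025 ssh2
Jun 24 20:00:00 linux-x8yr sshd[13700]: Accepted publickey for chris from 203.0.113.7 port 50022 ssh2'

# offenders LOGFILE MAXRETRY FINDTIME
# Print, sorted, every source IP that produced MAXRETRY or more failed logins
# inside any FINDTIME-second window (the maxretry/findtime idea from fail2ban).
# Only "Invalid user" and "Failed password" lines count; the "Did not receive
# identification string" probe carries no login attempt and is ignored here.
# IPv4 only, since the sample log has no IPv6 sources.
offenders() {
    awk -v maxretry="$2" -v findtime="$3" '
    # syslog timestamp ("Jun 24 03:45:42") -> monotone seconds; no year in
    # the log, so month*31 days is close enough for a window comparison
    function tosec(mon, day, hms,    t, m) {
        split(hms, t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        return ((m * 31 + day) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /sshd\[[0-9]+\]: (Invalid user |Failed password for )/ {
        if (!match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr($0, RSTART + 5, RLENGTH - 5)
        now = tosec($1, $2, $3)
        n[ip]++
        hit[ip, n[ip]] = now
        if (!(ip in start)) start[ip] = 1
        # slide the window forward: forget hits older than findtime seconds
        while (hit[ip, start[ip]] < now - findtime) start[ip]++
        if (n[ip] - start[ip] + 1 >= maxretry) banned[ip] = 1
    }
    END { for (ip in banned) print ip }' "$1" | sort
}

# ban_cmd IP
# Emit the iptables rule to drop SSH from IP; pipe the output to sh as root
# to apply it. Printing instead of executing keeps the example safe to run.
ban_cmd() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# abuse_contact IP
# The lookup Harry describes: reverse-resolve the address with host, then
# pull the abuse address out of the whois record (abuse-mailbox for RIPE and
# APNIC records, OrgAbuseEmail for ARIN). Needs network access; not run below.
abuse_contact() {
    host "$1"
    whois "$1" | awk -F: 'tolower($1) ~ /^(abuse-mailbox|orgabuseemail)$/ {
        gsub(/^ +/, "", $2); print $2 }'
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
# six failures in 21 seconds -> banned; four spread over 15 hours -> not banned
offenders "$tmp" 5 600 | while read -r ip; do ban_cmd "$ip"; done
rm -f "$tmp"
```

The slow brute force from 192.0.2.10 (one try every five hours) stays under a 10-minute window; widening findtime to a day catches it, which is the trade-off fail2ban's findtime and maxretry settings express. Whatever the threshold, keep your own address out of the ban list (fail2ban's ignoreip) before you turn this into something that really calls iptables.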