[Tfug] OT: Reporting Network Abuse?

Matthew T. Eskes meskes at gmail.com
Sun Jun 24 17:38:12 MST 2007


Another thing you can do along with the TCP Wrappers is to set your ssh port to
something that's not commonly used for said purpose. I usually run mine in
the high thousands so when they do a scan it doesn't come back as something
typical. It's sort of like a second layer.

-----Original Message-----
From: tfug-bounces at tfug.org [mailto:tfug-bounces at tfug.org] On Behalf Of
Harry McGregor
Sent: Sunday, June 24, 2007 2:29 PM
To: Tucson Free Unix Group
Subject: Re: [Tfug] OT: Reporting Network Abuse?

Hi,

I tend to try and track down the box, if I think it's in a data center. 
If it's a customer (ie home) system on some ISP I tend to not bother.

You can do a host on the IP, and a whois on the IP and figure out who to
email.

Additionally, you should run something like fail2ban to block SSH at the
iptables level after X failed logins.

                         Harry



Christopher Robbins wrote:
> I've opened up one of my boxes to the internet, and I've got the system
> locked down as much as possible.  However, having SSH access
> is nice,  so I've opened it up.  I've thought about using a different
> port...
>
> In leaving SSH open, I've noticed a ton of failed login attempts, like
> this -
>
> # vi /var/log/messages
> ...
> Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification
> string from 58.61.157.137
> Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from
> 58.61.157.137
> Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from
> 58.61.157.137
> Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from
> 58.61.157.137
> Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from
> 58.61.157.137
> Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from
> 58.61.157.137
> Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from
> 58.61.157.137
> ...
>
> My question is - is it worth it to report the box to abuse at domain?  Does
> anything get done?
> I called RoadRunner the other day, and they had an automated message that
> demanded an email
> with all relevant logs/etc before they'd think about doing anything.
>
> Thoughts?
>
>   - Chris
>
>   


_______________________________________________
Tucson Free Unix Group - tfug at tfug.org
Subscription Options:
http://www.tfug.org/mailman/listinfo/tfug_tfug.org
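As an added example, not code from the thread or from fail2ban itself, here is the rule Harry describes applied to log lines in the format Chris quoted: count sshd failures per source address, flag any source over a threshold, and emit the iptables rule a ban would insert. The sample log is constructed (the 192.0.2.10 lines are made up to show a source that stays under the threshold), and the "Failed password" message form is the other common sshd failure line.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd syslog format quoted in the thread; the
# 192.0.2.10 lines are made up to show a source that stays under the threshold.
SAMPLE_LOG = """\
Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137
Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137
Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137
Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137
Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137
Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137
Jun 24 04:12:30 linux-x8yr sshd[13610]: Invalid user backup from 192.0.2.10
Jun 24 04:12:35 linux-x8yr sshd[13612]: Failed password for root from 192.0.2.10 port 51022 ssh2
"""

# sshd messages counted as a failed login, and the banner-less probe counted separately.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) (?P<user>\S+) from (?P<ip>\S+)")
PROBE_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")

def summarize(log_text):
    """Per-source counts of failed logins and probes, plus the usernames tried."""
    stats = defaultdict(lambda: {"failures": 0, "probes": 0, "users": []})
    for line in log_text.splitlines():
        if m := FAILURE_RE.search(line):
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["users"].append(m["user"])
        elif m := PROBE_RE.search(line):
            stats[m["ip"]]["probes"] += 1
    return dict(stats)

def offenders(log_text, max_failures):
    """Sources with more than max_failures failed logins, the condition fail2ban bans on."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["failures"] > max_failures)

def block_rule(ip, port=22):
    """The iptables rule a ban would insert for one source (returned as text, not run)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG, max_failures=5):
        print(block_rule(ip))
```

Only the rule text is produced; a real deployment would also expire bans after a timeout, as fail2ban does, so a mistyped password from your own address does not lock you out for good.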