[Tfug] OT: Reporting Network Abuse?
A. Chris Hilton
lists at particlewars.com
Mon Jun 25 13:04:01 MST 2007
Using fail2ban, DenyHosts, etc:
http://www.ossec.net/en/attacking-loganalysis.html
None of the demonstrated exploits give the attacker control of your server,
just lock you out until you can get console access. But they do
demonstrate the main problem with using this method to manage your ACLs.
You can use key exchange to authenticate and turn off password auth
altogether. If you need to have password auth available and you don't
trust your password complexity policy, port knocking is a good way to deal
with brute force attempts against ssh or ftp.
-C-
> Hi,
>
> I tend to try and track down the box, if I think it's in a data center.
> If it's a customer (i.e. home) system on some ISP I tend to not bother.
>
> You can do a host on the IP, and a whois on the IP and figure out who to
> email.
>
> Additionally, you should run something like fail2ban to block SSH at the
> iptables level after X failed logins.
>
> Harry
>
>
>
> Christopher Robbins wrote:
>> I've opened up one of my boxes to the internet, and I've got the system
>> locked down as much as possible. However, having SSH access
>> is nice, so I've opened it up. I've thought about using a different
>> port...
>> In leaving SSH open, I've noticed a ton of failed login attempts, like
>> this -
>> # vi /var/log/messages
>> ...
>> Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137
>> Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137
>> Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137
>> Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
>> Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137
>> Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137
>> Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137
>> ...
>> My question is - is it worth it to report the box to abuse at domain? Does anything get done?
>> I called RoadRunner the other day, and they had an automated message that demanded an email with all relevant logs/etc before they'd think about doing anything. Thoughts?
>> - Chris
>
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
>
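Harry's suggestion (ban an address at the iptables level after X failed logins) and Chris Hilton's caveat (a log-analysis tool can be tricked into locking the admin out) fit together in one small script. The following is an added illustration for this thread, not code from any poster and not fail2ban's or DenyHosts' own logic. It counts sshd "Invalid user" lines per source address using the log layout from Chris Robbins' paste, validates each address before it is counted, anchors the address match on the end of the line so client-supplied text cannot choose who gets banned, and keeps an allowlist of management networks that are never blocked. The threshold, the allowlist, and the addresses 192.0.2.10, 203.0.113.7 and 10.0.0.5 are constructed for the example; the six lines from 58.61.157.137 are the ones in the original post.

```python
"""Count sshd 'Invalid user' failures per source address and render block rules.

Added illustration for this thread; not any poster's code and not fail2ban.
Assumes the syslog layout Chris Robbins pasted. The threshold, never_ban
allowlist and the addresses 192.0.2.10 / 203.0.113.7 / 10.0.0.5 are
constructed for the example.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Anchored on the END of the line: the address is whatever follows the last
# " from " before end-of-line (optionally followed by "port N"), so text the
# client controls earlier in the message cannot decide whom we ban.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user .* from (?P<ip>[0-9A-Fa-f.:]+)(?: port \d+)?\s*$"
)

# The kind of pattern a hasty log watcher uses: first token after "from".
# Kept only to show the difference; never use it to drive a ban.
NAIVE = re.compile(r"Invalid user \S+ from (?P<ip>\S+)")


def source_ip(line: str) -> Optional[str]:
    """Validated source address of an 'Invalid user' line, or None."""
    m = INVALID_USER.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:  # not a real address: ignore rather than ban garbage
        return None


def naive_source_ip(line: str) -> Optional[str]:
    """Same extraction with the unanchored pattern, for comparison only."""
    m = NAIVE.search(line)
    return m.group("ip") if m else None


def offenders(lines, threshold=5, never_ban=()):
    """Map address -> failure count for addresses at or over the threshold.

    never_ban holds CIDR strings (e.g. the admin's management range) that are
    never returned, so a crafted log line cannot lock the admin out.
    """
    protected = [ipaddress.ip_network(n) for n in never_ban]
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    banned = {}
    for ip, n in counts.items():
        if n < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in protected):
            continue
        banned[ip] = n
    return banned


def iptables_rules(banned):
    """Render DROP rules for the offenders (iptables syntax, TCP port 22)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(banned)]


# Sample log: the lines from the original post plus constructed ones.
SAMPLE_LOG = [
    "Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137",
    "Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137",
    "Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137",
    "Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137",
    "Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137",
    "Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137",
    "Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137",
    # constructed: a second host that stays below the threshold
    "Jun 24 04:10:01 linux-x8yr sshd[13601]: Invalid user bob from 192.0.2.10",
    "Jun 24 04:10:05 linux-x8yr sshd[13603]: Invalid user alice from 192.0.2.10",
    # constructed: a username that happens to look like a from-clause naming
    # the admin's box (10.0.0.5); the real peer is 203.0.113.7
    "Jun 24 04:12:00 linux-x8yr sshd[13610]: Invalid user root from 10.0.0.5 from 203.0.113.7",
]
SPOOFED_LINE = SAMPLE_LOG[-1]

if __name__ == "__main__":
    print("naive parser attributes the odd line to:   ", naive_source_ip(SPOOFED_LINE))
    print("anchored parser attributes the odd line to:", source_ip(SPOOFED_LINE))
    for rule in iptables_rules(offenders(SAMPLE_LOG, threshold=5, never_ban=["10.0.0.0/24"])):
        print(rule)
```

Two design points follow directly from the thread: the "Did not receive identification string" lines are deliberately not counted (scanners and monitoring probes produce them without attempting a login), and the allowlist is checked after counting rather than before so that a lockout of the admin's own range is impossible regardless of what the parser extracted.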