On 01:00, Sat 05 Nov 05, Henrique de Moraes Holschuh wrote:
> On Fri, 04 Nov 2005, Thomas wrote:
> > Recently, I can see often brute force attacks in my ssh logfile.
> > A friend of mine, who has the same ISP, gets the same bruteforce attacks.
> >
> > What would be an adequate reaction to repeated ssh bruteforce attacks?
>
> Once I tried to do something about it, just because I had nothing better to
> do.
>
> I used whois, found the abuse contact of the relevant domain owners and
> their upstream providers, and emailed them the logs, requesting that they
> inspect why a machine of theirs was trying to attack one of mine.
>
> Out of the three reports I sent:
>
> One was replied to in 5 minutes(!), the attacker had been immediately
> unplugged, and the machine would be investigated.
>
> One was replied to within 3 hours, the attack was being investigated
> (and I wasn't being probed by them anymore, so I suppose they took it
> offline as well).
>
> One was replied to within 1 day, the server had been reinstalled from
> scratch and they thanked me for the report.
>
> So I got proper replies for 100% of the reports I sent, and three zombies
> were put to rest. It is something nice to do if you feel bored.
>
> --
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond
> where the shadows lie." -- The Silicon Valley Tarot
> Henrique Holschuh
My experience is the opposite. I used to do whois, search down the IP address and mail the abuse reports, taken straight from my logs. Most email addresses listed are of the type [EMAIL PROTECTED]; most have automatic replies. Yes, you get a reply, but after that it's anyone's guess.

Then you have to account for the zombie machines: maybe you do get a good reply and a decent IP whois lookup, but then grandma is upset her internet account is blocked because she did not have the proper setup. Then you need to account for accurate information on the lookup sheet: people lie, or put down bogus information, or it's over a year old and the abuse or technical dude has quit or been moved and the information is not there. To me a whois search right now is about worthless, just too many dang variables that can be changed to hide someone's intent.

I think the ISP should take more control; after all, why should I get port scanned with all the 1026-1027 spam that is almost all I get now? I think the end user is the wrong place to have to run spam filters and robust rules just to keep a sane personal network running. People like me rely on the ISP for their DHCP IP address, so why would an ISP allow their routers to forward port scans to their own IP address net blocks?

Gnu_Raiz
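The log-triage step of the procedure Henrique describes above (collect the failed-login lines per source address and send them verbatim with the report), as an added Python example that is not from this thread. The sshd log lines are constructed samples using documentation address ranges, and the three-attempt threshold is an arbitrary assumption; looking up the abuse contact with whois is left to the reader since it needs network access.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov  4 22:13:01 host sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Nov  4 22:13:03 host sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Nov  4 22:13:05 host sshd[2235]: Failed password for root from 192.0.2.10 port 40141 ssh2
Nov  4 22:14:10 host sshd[2240]: Failed password for root from 198.51.100.7 port 51000 ssh2
Nov  4 22:15:00 host sshd[2242]: Accepted publickey for alice from 203.0.113.5 port 53000 ssh2
Nov  4 22:16:30 host sshd[2250]: Failed password for invalid user oracle from 192.0.2.10 port 40200 ssh2
"""

# Matches OpenSSH "Failed password" events, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failed_logins(log_text):
    """Group failed-password events by source address: ip -> [(ts, user, raw line)]."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            by_ip[m.group("ip")].append((m.group("ts"), m.group("user"), line))
    return by_ip

def brute_force_sources(by_ip, threshold=3):
    """Keep only sources with at least `threshold` failures (assumed cut-off)."""
    return {ip: ev for ip, ev in by_ip.items() if len(ev) >= threshold}

def abuse_report(ip, events, tz="UTC"):
    """Build the text to send to the abuse contact. Syslog timestamps carry
    neither year nor timezone, so the report states the zone explicitly."""
    users = sorted({u for _, u, _ in events})
    first, last = events[0][0], events[-1][0]
    lines = [
        f"Subject: SSH brute-force attempts from {ip}",
        f"Between {first} and {last} ({tz}), {ip} made {len(events)} failed SSH "
        f"password attempts against my host, trying the usernames: {', '.join(users)}.",
        "Verbatim log excerpt follows; please check whether this host is compromised.",
        "",
    ] + [raw for _, _, raw in events]
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, ev in brute_force_sources(failed_logins(SAMPLE_LOG)).items():
        print(abuse_report(ip, ev))
```

Including the raw lines rather than a summary is what lets the remote admin correlate the activity on their side; a single failure from one address is left out so the report stays credible.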