Re: What to do with attackers?
On Fri, 04 Nov 2005, Thomas wrote:
> recently, i can see ofthen brute force attacks in my ssh logfile.
> A friend of mine, who has the same ISP gets the same bruteforce attacks.
> What would be an adequate reaction to repeated ssh bruteforce attacks?
Once I tried to do something about it, just because I had nothing better to
I used whois, found the abuse contact of the relevant domain owners and
their upstream providers, and emailed them the logs, requesting that they
inspect why a machine of theirs was trying to attack one of mine.
Out of the three reports I sent:
One was replied to in 5 minutes(!), the attacker had been immediately
unplugged, and the machine would be investigated.
One was replied to within 3 hours, the attack was being investigated
(and I wasn't being proped by them anymore, so I suppose they took it
offline as well).
One was replied to within 1 day, the server had been reinstalled from
scratch and they thanked me about the report.
So I got proper replies for 100% of the reports I sent, and three zoombies
were put to rest. It is something nice to do if you feel bored.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot