Security Basics
what should I do when.... Jul 04 2008 02:05AM
Jorge L. Vazquez (jlvazquez825 gmail com) (3 replies)
Re: what should I do when.... Jul 08 2008 12:48PM
Adriel Desautels (adriel netragard com) (1 replies)
Re: what should I do when.... Jul 08 2008 03:43PM
lists spider-security net
RE: what should I do when.... Jul 04 2008 11:50PM
Sergio Castro (sergio castro unicin net) (1 replies)
RE: what should I do when.... Jul 07 2008 05:53PM
Rivest, Philippe (PRivest transforce ca) (4 replies)
RE: what should I do when.... Jul 08 2008 12:40PM
Rivest, Philippe (PRivest transforce ca)
Re: what should I do when.... Jul 07 2008 10:24PM
Gregory Boyce (gregory boyce gmail com)
This would be good advice in a perfect world. If you put a system on
the Internet, it will be scanned at least a few times a day. The more
systems you own, the more scan activity you will see.

After some period of time watching what the usual noise level of
scanning is, report anything unusual that could be either a targeted
attack or perhaps an attempt to exploit a new vulnerability.

Contacting your ISP for every ssh brute force scan on your server with
password auth disabled will likely just waste your time and theirs.

On Jul 7, 2008, at 1:53 PM, "Rivest, Philippe" <PRivest (at) transforce (dot) ca> wrote:

> This is not a good practice.
> If you just tolerate brute forcing and scanning you are on the wrong track.
> Imagine if the network usage would double or triple because of this
> behavior. When will you start to report this to your ISP? When will you
> start to pressure them that they have clients that need & WANT a secure
> service (ISP)?
>
> As I stated, you should follow your internal procedure, harden your device
> after your investigation (& before also..) and contact your ISP.
>
> When you have a contract with your ISP you should have a contact for
> *emergency*. Contact him or the normal enterprise service level and have
> them take a look at the situation.
>
> Not doing anything is just accepting that you can be probed, and that's not
> very wise.
>
> **Also note that if the guy who's probing you knows nobody ever contacts the
> ISP for investigation.. do you really think he's gonna do nice and limited
> (rate) scans? He's gonna pop everything he has against you to do a full &
> extensive & complete scan.
>
>
> Merci / Thanks
> Philippe Rivest, CEH
> Internal Information Security Auditor
> Email: Privest (at) transforce (dot) ca
> Phone: (514) 331-4417
> www.transforce.ca
>
> You could print this email, but it does take a long time to grow trees.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On behalf of Sergio Castro
> Sent: July 4, 2008 19:51
> To: 'Jorge L. Vazquez'; 'security-basics';
> security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com;
> 'security focus listbounce'
> Subject: RE: what should I do when....
>
> Hi Jorge,
>
> My recommendation, other than making sure your public IP systems are
> properly hardened, is to do nothing. Continuous scans and brute force login
> attempts are the norm on the Internet. For every ISP that pays attention to
> your complaints, 10 will ignore you.
>
> - Sergio
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On behalf of Jorge L. Vazquez
> Sent: Thursday, July 3, 2008 09:05 p.m.
> To: security-basics;
> security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com;
> security focus listbounce
> Subject: what should I do when....
>
> For the last 2 days I've been getting lots of connection attempts in my
> firewall logs (IPCop firewall), from a specific IP based in Canada; the
> log is showing a
>
> NEW not SYN?
>
> It seems that someone is trying to initiate a connection, or maybe a scan.
> Although the good thing is that the firewall is detecting them, therefore
> stopping them, I'm getting worried about hacker activity. I've already done
> an IP lookup and a DNS whois query; both of those point to an IP and host in
> Canada. It seems to be a company, as I got their public website and also
> private network..... Could anyone advise me what's the proper course of
> action in this case?....
>
> thanks
> Jorge L. Vazquez
> www.pctechtips.org
>

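Gregory's advice (learn the usual noise level, then report only what stands out) and Jorge's "NEW not SYN?" entries, as an added example that is not part of the thread and not IPCop's own code: a Python script that parses constructed IPCop-style netfilter LOG lines, counts hits per source, flags sources well above the median per-source count (the noise floor), and labels each source's traffic by TCP flags and port spread. "NEW not SYN?" is the prefix IPCop's rules log for a TCP packet that would open a new connection-tracking entry without the SYN flag; a late ACK from a web server whose session the firewall has already forgotten produces exactly the same entry as an ACK scan, so it is the source's port spread and flag pattern, not the prefix alone, that separates noise from a probe. The log lines, the server-port set and the thresholds (factor 5, minimum 10 hits, 10 distinct ports) are assumptions made for this example.

```python
"""Baseline the scan noise in IPCop/netfilter firewall logs and flag what stands out.

Added example for this thread, not code from the list or from IPCop.  The log
lines are constructed to look like netfilter LOG output as IPCop writes it to
/var/log/messages; the port set and thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

# "NEW not SYN?" is the prefix IPCop logs for a TCP packet that would open a
# NEW connection-tracking entry without the SYN flag set.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Assumption: services our own hosts connect out to; a late ACK *from* one of
# these ports to a high port is the tail of a session the firewall forgot.
SERVER_PORTS = {22, 25, 80, 443}


def _line(ts, src, spt, dpt, flags):
    """Build one constructed log line in netfilter's LOG format."""
    return (f"Jul  5 {ts} ipcop kernel: NEW not SYN?IN=eth0 OUT= SRC={src} "
            f"DST=203.0.113.5 LEN=40 PROTO=TCP SPT={spt} DPT={dpt} {flags} URGP=0")


# Constructed sample: a quiet day plus one source walking ports.
SAMPLE_LINES = (
    [_line("02:14:01", "198.51.100.7", 443, 51234, "ACK")] * 2  # late ACKs, one port
    + [_line("02:30:00", "198.51.100.20", 80, 55001, "ACK RST")]
    + [_line("02:41:12", "198.51.100.33", 443, 50210, "ACK")]
    + [_line("03:01:10", "192.0.2.44", 40001, p, "ACK") for p in range(20, 45)]  # ACK scan
    + [_line("04:20:00", "192.0.2.9", 33000, 445, "FIN PSH URG")]  # Xmas-style probe
)


def parse_line(line):
    """Return the fields of one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    return {
        "prefix": m.group("prefix").strip(),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")) if m.group("spt") else None,
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        "flags": frozenset(t for t in tokens if t in TCP_FLAGS),
    }


def parse_log(lines, prefix="NEW not SYN?"):
    """Parse every line and keep only the events carrying the given log prefix."""
    events = (parse_line(l) for l in lines)
    return [e for e in events if e and e["prefix"] == prefix]


def group_by_source(events):
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return by_src


def noisy_sources(by_src, factor=5, min_hits=10):
    """Sources above the noise floor: more than `factor` times the median
    per-source count, and at least `min_hits`, so a few late ACKs never trip it."""
    counts = {src: len(evs) for src, evs in by_src.items()}
    floor = median(counts.values()) if counts else 0
    threshold = max(min_hits, factor * floor)
    return {src: n for src, n in counts.items() if n > threshold}


def classify_source(events, scan_ports=10):
    """Label one source's NEW-not-SYN traffic by flags and port spread:
    'stray' (tail of a finished session), 'ack_scan', 'stealth_probe' or 'other'."""
    flags = [e["flags"] for e in events]
    dpts = {e["dpt"] for e in events}
    if all("ACK" in f and "SYN" not in f for f in flags):
        if len(dpts) >= scan_ports:
            return "ack_scan"          # bare ACKs sprayed over many ports
        if all(e["spt"] in SERVER_PORTS and e["dpt"] > 1023 for e in events):
            return "stray"             # server port -> our ephemeral port, one socket
    if all("SYN" not in f and "ACK" not in f for f in flags):
        return "stealth_probe"         # FIN / NULL / Xmas style
    return "other"


def report(lines):
    """Per source: (hit count, label)."""
    by_src = group_by_source(parse_log(lines))
    return {src: (len(evs), classify_source(evs)) for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, (n, label) in sorted(report(SAMPLE_LINES).items()):
        print(f"{src:16} {n:4d}  {label}")
    print("above the noise floor:", noisy_sources(group_by_source(parse_log(SAMPLE_LINES))))
```

Run against a real /var/log/messages by replacing SAMPLE_LINES with the file's lines; the median-based floor means the threshold rises with your own background level rather than being a fixed number, which is what makes it usable on a host that already sees dozens of scans a day. Only the sources returned by noisy_sources, and only those not labelled "stray", are candidates for an ISP report.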
Re: what should I do when.... Jul 07 2008 09:09PM
Adriel Desautels (adriel netragard com) (1 replies)
Re: what should I do when.... Jul 07 2008 11:03PM
Dave Koontz (dkoontz mbc edu)
RE: what should I do when.... Jul 07 2008 06:03PM
Sergio Castro (sergio castro unicin net)
RE: what should I do when.... Jul 04 2008 02:42PM
Rivest, Philippe (PRivest transforce ca)
Copyright 2008, SecurityFocus