Security Basics
what should I do when.... Jul 04 2008 02:05AM Jorge L. Vazquez (jlvazquez825 gmail com) (3 replies)
Re: what should I do when.... Jul 08 2008 12:48PM Adriel Desautels (adriel netragard com) (1 replies)
RE: what should I do when.... Jul 04 2008 11:50PM Sergio Castro (sergio castro unicin net) (1 replies)
RE: what should I do when.... Jul 07 2008 05:53PM Rivest, Philippe (PRivest transforce ca) (4 replies)
Re: what should I do when.... Jul 07 2008 09:09PM Adriel Desautels (adriel netragard com) (1 replies)
(mainly SSH brute force attempts) then I will gather the logs and send
them to the security@ or abuse@ contact that is in the WHOIS. After 3
scans from IP addresses that are owned by the same company I will block
all traffic to/from their entire IP range. By that time I have already
given them a sufficient number of attempts to correct the problems. I
once blocked a large data center that had a lot of customers (from all
around ThePlanet, if you catch my drift). I ran into a lot of problems
where people needed access to websites that were hosted there or the DNS
was hosted there and the site was somewhere else. I ended up allowing
DNS and HTTP out, but still disallowed connections from them. Over
three years and they still can't browse our website. :)
--
Nathan
Adriel Desautels wrote:
> Hi George,
> My initial reaction to this is that you should block all IP
> addresses belonging to that company *if* you do not need to
> communicate with them via the internet. My secondary reaction is to
> tell you not to advertise what sort of technology you are using in a
> public forum (this mailing list). You don't know if the *attacker* is
> subscribed to this mailing list or not.
>
> My professional recommendation for recourse is that you call the
> company that *owns* the IP address in question. Let them know that
> suspicious activity is sourcing from their IP address(es) to yours and
> tell them that you would like it to stop.
>
> With that said, I'd also recommend that you evaluate the security
> of your IT Infrastructure. You don't sound too confident that you can
> prevent the proverbial hacker from penetrating your infrastructure. I
> suggest that you consider installing some HIDS and NIDS technologies
> like OSSEC + prelude-ids + snort + prelude-lml (Open Source and
> effective).
>
>
> Jorge L. Vazquez wrote:
>> For the last 2 days I've been getting lots of connection attempts in
>> my firewall logs (IPCop firewall) from a specific IP based in Canada;
>> the log is showing:
>>
>> NEW not SYN?
>>
>> It seems that someone is trying to initiate a connection, or maybe
>> a scan. Although the good thing is that the firewall is detecting
>> them and therefore stopping them, I'm getting worried about hacker
>> activity. I've already done an IP lookup and a DNS WHOIS query; both
>> of those point to an IP and host in Canada. It seems to be a company,
>> as I got their public website and also private network..... Could
>> anyone advise me what's the proper course of action in this case?....
>>
>> thanks
>> Jorge L. Vazquez
>> www.pctechtips.org
>>
>>
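As an added example (not part of the thread or of IPCop), the escalation Nathan describes above, applied to a few constructed IPCop/iptables "NEW not SYN?" syslog lines: attempts are counted per source, sources are grouped by the netblock's owner, and an owner is reported to its abuse contact until three of its hosts have scanned, after which the whole range is marked for blocking. The OWNERS table stands in for the WHOIS lookup and, like the addresses and contacts, is constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the iptables/syslog format an IPCop box logs
# for its "NEW not SYN?" rule (placeholder addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
Jul  4 01:55:12 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=192.0.2.17 DST=198.51.100.5 PROTO=TCP SPT=44021 DPT=22
Jul  4 01:55:13 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=192.0.2.17 DST=198.51.100.5 PROTO=TCP SPT=44022 DPT=22
Jul  4 02:10:40 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22
Jul  5 03:00:01 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=22
Jul  5 09:12:00 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=203.0.113.8 DST=198.51.100.5 PROTO=TCP SPT=20000 DPT=22
"""

# Constructed stand-in for the WHOIS lookup: netblock -> (owner, abuse contact).
OWNERS = {
    ipaddress.ip_network("192.0.2.0/24"): ("Example Hosting", "abuse@example-hosting.invalid"),
    ipaddress.ip_network("203.0.113.0/24"): ("Example ISP", "abuse@example-isp.invalid"),
}
BLOCK_THRESHOLD = 3  # scanning hosts from one owner before its whole range is blocked

LINE_RE = re.compile(r"NEW not SYN\? .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)")

def parse_sources(log_text):
    """Return {source_ip: number_of_logged_attempts} for every matching line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits

def owner_of(ip):
    """Map a source address to its netblock, or None when no owner is known."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in OWNERS if addr in net), None)

def decide(log_text, threshold=BLOCK_THRESHOLD):
    """Per owner: 'report' to the abuse contact below the threshold, 'block' the range at or above it."""
    hosts_by_net = defaultdict(set)
    for src in parse_sources(log_text):
        hosts_by_net[owner_of(src)].add(src)
    decisions = {}
    for net, hosts in hosts_by_net.items():
        owner, contact = OWNERS.get(net, ("unknown", None))
        decisions[str(net)] = {
            "owner": owner, "contact": contact, "hosts": sorted(hosts),
            "action": "block" if len(hosts) >= threshold else "report",
        }
    return decisions
```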