[wplug] Re: reporting break-in attempts? (was: Any tips against this kind of ssh break-in?)

Brady Hunsaker bkh at member.fsf.org
Sun Jul 17 10:20:34 EDT 2005


I also see many ssh attempts every day on machines I administer.  They
don't bother me too much because I have taken most of the precautions
discussed on the list (no root password login, check user passwords,
monitor machines).

One thing that I wonder about is reporting the attempts.  It frustrates
me that collectively we have a lot of information about machines that
are being used for these break-in attempts (compromised machines or
not), but we don't do anything to share this information or do anything
about it.  At least I don't.

Is there something meaningful we can do that has a chance to be worth
the time it takes to do it?

If many of us are hit by attacks from the same machine, and that machine
later goes on to compromise someone else, it's frustrating that we
didn't do anything to try to stop it.  Even dynamic IPs could be
reported because they could be tracked to a user if the ISP were willing.

Are there any efforts to centralize this sort of information in a way
similar to the spam efforts?  Are there reasons this would be unlikely
to work?

Brady
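As an added illustration of the "monitor machines" and reporting points above (example code, not from the original post): this script parses sshd "Failed password" syslog lines, aggregates them per source address with first/last seen and usernames tried, and renders a one-line-per-source summary of the kind that could be sent to an ISP abuse contact. Log lines are constructed samples; the regex assumes the default OpenSSH syslog format.

```python
import re
from collections import defaultdict

# Matches sshd's "Failed password" lines in default syslog format.
# Handles both the "invalid user" form and the existing-user form.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_failed_logins(lines):
    """Yield (timestamp, host, user, ip) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("user"), m.group("ip")

def summarize_by_source(lines, min_attempts=1):
    """Per source IP: attempt count, first/last seen, distinct usernames.
    Sources below min_attempts are dropped so one typo by a legitimate
    user does not end up in an abuse report."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for ts, _host, user, ip in parse_failed_logins(lines):
        e = summary[ip]
        e["count"] += 1
        e["users"].add(user)
        e["first"] = e["first"] or ts
        e["last"] = ts
    return {ip: e for ip, e in summary.items() if e["count"] >= min_attempts}

def format_report(summary):
    """Plain-text report, one line per source, busiest source first."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    out = ["source_ip attempts first_seen last_seen usernames_tried"]
    for ip, e in rows:
        out.append(f"{ip} {e['count']} {e['first']} {e['last']} {','.join(sorted(e['users']))}")
    return "\n".join(out)

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "Jul 17 03:14:01 web1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2",
    "Jul 17 03:14:03 web1 sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 4025 ssh2",
    "Jul 17 03:14:05 web1 sshd[1238]: Failed password for root from 192.0.2.10 port 4030 ssh2",
    "Jul 17 03:20:00 web1 sshd[1250]: Accepted publickey for brady from 198.51.100.7 port 5000 ssh2",
    "Jul 17 04:00:00 web1 sshd[1300]: Failed password for brady from 198.51.100.7 port 5003 ssh2",
]

if __name__ == "__main__":
    print(format_report(summarize_by_source(SAMPLE_LOG, min_attempts=3)))
```

Feeding several machines' logs into the same aggregation is one simple way to pool the "collective" information the post asks about before deciding what to report.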
