I typically gauge the type of attack it is.  Could it have been an accident?
What were they doing?  BO scan?  Attempted login?  My first course of
action is to contact the person.  It is more difficult obviously if it's a
dial-in user on AOL than say a cable modem or ADSL user who keeps the same
IP for a while.  I am shocked at how many of these idiots run web servers
on the machine from which they are attempting to hack that have
information about them, their family, their itinerary, pictures of their
last trip to Disney World...

Sometimes all you can really do is contact the ISP.  Provide them with the
section of your syslog that demonstrates the attack so they have the exact
time and IP address.  This should enable them to check their radius logs
and trace the user account, getting our 3vi| h@x0r shut down.

Sometimes if it looks like a ham-handed tcp scan or something obviously
stupid (someone attempting to telnet in as root 4 or 5 times) I just lock
out that IP or subnet and keep an eye on that sort of activity.
Continued attempts from another IP similar to the initial pokings will
usually prod me to take the next step (i.e. contact the ISP).

If it is someone really malicious, get the police involved.

Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Mon, 19 Jul 1999, Dan wrote:

> I'm sure that everyone on this list from time-to-time sees 
> hacking attempts such as port scans, or scans of ranges of 
> IP's on a specific port in their firewall logs.
> 
> What is your typical response to this kind of activity?  I know 
> about tracking down owners of IP's, etc with whois and the 
> Internic DB, but what do you do once you get that 
> information?
> 
> A lot of this list is dedicated to stopping the hacking 
> attempts, but not much has been said on what to do 
> afterwards.
> 
> Dan Lenhard
> Systems Administrator
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
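The syslog excerpt for the ISP that the reply above describes, as an added example that is not part of the original thread: it groups failed root logins by source address, keeps sources that reach the "4 or 5 times" level, and renders the lines with first and last timestamps. The log lines are constructed, and the login(1)-style message layout, the function names and the threshold default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread). The login(1)-style message
# layout is an assumption; adapt LINE_RE to what your daemon actually logs.
SAMPLE_SYSLOG = """\
Jul 19 03:12:41 gw login[812]: FAILED LOGIN 1 FROM 192.0.2.45 FOR root, Authentication failure
Jul 19 03:12:49 gw login[812]: FAILED LOGIN 2 FROM 192.0.2.45 FOR root, Authentication failure
Jul 19 03:13:02 gw login[815]: FAILED LOGIN 1 FROM 192.0.2.45 FOR root, Authentication failure
Jul 19 03:13:30 gw sendmail[820]: NOQUEUE: connect from mail.example.net
Jul 19 03:14:10 gw login[819]: FAILED LOGIN 1 FROM 192.0.2.45 FOR root, Authentication failure
Jul 19 09:40:07 gw login[901]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)"
)

def build_reports(log_text, year, threshold=4, user="root"):
    """Return {source: summary} for sources with >= threshold failed logins as user."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") == user:
            # Classic syslog timestamps carry no year, so the caller supplies it.
            when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            hits[m.group("src")].append((when, line))
    reports = {}
    for src, events in hits.items():
        if len(events) >= threshold:
            events.sort(key=lambda e: e[0])
            reports[src] = {"first_seen": events[0][0], "last_seen": events[-1][0],
                            "count": len(events), "excerpt": [l for _, l in events]}
    return reports

def format_report(src, rep, tz_note):
    """Render the excerpt for an abuse contact; tz_note states the log host's time zone."""
    head = (f"Source: {src}\nFailed logins: {rep['count']}\n"
            f"First seen: {rep['first_seen']:%Y-%m-%d %H:%M:%S} ({tz_note})\n"
            f"Last seen:  {rep['last_seen']:%Y-%m-%d %H:%M:%S} ({tz_note})\n"
            "Log excerpt:\n")
    return head + "\n".join("  " + l for l in rep["excerpt"])

if __name__ == "__main__":
    for src, rep in build_reports(SAMPLE_SYSLOG, year=1999).items():
        print(format_report(src, rep, "UTC-0400, NTP-synced"))
```

State the log host's time zone and clock source in the report: a dial-up address can only be matched to an account if the ISP can line your timestamps up with its own.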
