Do you care about WHOIS contact information?
Rick Moen
rick at linuxmafia.com
Fri Jul 24 14:49:04 PDT 2009
Quoting David Wolfskill (david at catwhisker.org):
> Over the years, I've developed an approach for addressing (no pun
> intended) this situation, but before I explain that, I'd like to
> do a reality check and ask y'all what you (would) do about it.
Personally, I classify any scripted ssh login-attempt session using
"joe" username/password combos as essentially doorknob-twisting
rather than an attack worthy of the name, and ignore it completely.
Going by shirtsleeve calculations, if one's system enforces good
password / keypairs, then the attempts you cite are astronomically
unlikely to succeed within geologic time.
The connecting system might have been a malware-compromised MS-Windows
box. Or it might be a freshman misbehaving using his/her first shell
account. And so on. Sure, you're doing a socially beneficial thing
in attempting to clue people in that they might have compromised hosts
or rogue users. One might respond similarly to incoming portscans.
I commend you for doing that. I personally don't bother unless there's
some greater sign that a significant system (such as, say, a major
university ftp site or outgoing mail relay) has been root-compromised
and is being abused by criminals. _Then_, I might send polite notes to
the WHOIS contact mailboxes, or even call the listed telephone numbers
(especially if the WHOIS e-mail mailboxes are in-band, and subject to
possible interception by the bad guys).
--
Rick Moen
rick at linuxmafia.com

There was an old man
From Peru, whose lim'ricks all
Looked like haiku. He
Said with a laugh, "I
Cut them in half, the pay is
Much better for two."
--Emmet O'Brien
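As an added illustration of the triage Rick describes above (not part of the original post or of any tool the list discusses), the script below sorts sshd failures by source address into the categories his reply implies: noise that sprays usernames which do not exist on the host (the "joe"-account doorknob-twisting he ignores), failures against real local accounts that deserve a second look, a password login that succeeds after a run of failures (the "greater sign" that justifies contacting WHOIS addresses), and a key-based login after a couple of failures, which usually means a user fumbling. The log lines, the `LOCAL_USERS` set, the address ranges (RFC 5737 documentation space) and the classification thresholds are all constructed assumptions for the example; `years_to_guess` is the "shirtsleeve calculation" of how long a guesser at the observed rate needs to cover half of a password space of a given entropy.

```python
import re
from collections import defaultdict

# Two OpenSSH syslog forms: a failed password (with or without the
# "invalid user" prefix sshd adds for nonexistent accounts) and an
# accepted login of any method.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt for the example; addresses are RFC 5737
# documentation ranges, usernames and times are invented.
SAMPLE_LOG = """\
Jul 24 14:49:01 shell sshd[4101]: Failed password for invalid user joe from 192.0.2.10 port 51022 ssh2
Jul 24 14:49:02 shell sshd[4102]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Jul 24 14:49:03 shell sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 51024 ssh2
Jul 24 14:49:04 shell sshd[4104]: Failed password for root from 192.0.2.10 port 51025 ssh2
Jul 24 14:49:05 shell sshd[4105]: Failed password for invalid user oracle from 192.0.2.10 port 51026 ssh2
Jul 24 14:49:06 shell sshd[4106]: Failed password for invalid user guest from 192.0.2.10 port 51027 ssh2
Jul 24 14:52:10 shell sshd[4210]: Failed password for david from 198.51.100.7 port 40011 ssh2
Jul 24 14:52:40 shell sshd[4211]: Failed password for david from 198.51.100.7 port 40012 ssh2
Jul 24 14:53:05 shell sshd[4212]: Accepted publickey for david from 198.51.100.7 port 40013 ssh2
Jul 24 15:01:00 shell sshd[4300]: Failed password for invalid user joe from 203.0.113.5 port 33010 ssh2
Jul 24 15:01:01 shell sshd[4301]: Failed password for root from 203.0.113.5 port 33011 ssh2
Jul 24 15:01:02 shell sshd[4302]: Accepted password for root from 203.0.113.5 port 33012 ssh2
"""

# Assumed set of accounts that really exist on the host.
LOCAL_USERS = {"root", "david", "rick"}


def parse(log_text):
    """Group sshd events by source IP.

    Returns (failed, accepted): failed maps ip -> list of usernames tried,
    accepted maps ip -> list of (username, auth method) that succeeded.
    """
    failed = defaultdict(list)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append((m["user"], m["method"]))
    return failed, accepted


def classify(log_text, local_users=LOCAL_USERS):
    """Assign each source IP one verdict; thresholds are assumptions."""
    failed, accepted = parse(log_text)
    verdicts = {}
    for ip in set(failed) | set(accepted):
        tried = failed.get(ip, [])
        unknown = [u for u in tried if u not in local_users]
        logins = accepted.get(ip, [])
        used_password = any(method == "password" for _, method in logins)
        if tried and used_password:
            # Guessing that eventually worked: treat as a compromise.
            verdicts[ip] = "escalate"
        elif logins and not used_password:
            # Key-based success after a few failures: most likely a
            # legitimate user who mistyped, not a scanner.
            verdicts[ip] = "probable-user-error"
        elif tried and len(unknown) * 2 >= len(tried):
            # Half or more of the names do not exist here: name-spraying noise.
            verdicts[ip] = "doorknob-twisting"
        else:
            # Only real local accounts were tried: worth a closer look.
            verdicts[ip] = "targeted"
    return verdicts


def years_to_guess(password_bits, attempts_per_second):
    """Expected years to cover half of a 2**bits password space at this rate."""
    return (2 ** password_bits / 2) / attempts_per_second / (365.25 * 86400)


if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
    # Six guesses in six seconds against a 40-bit password: on the order of
    # a couple of thousand years of uninterrupted trying.
    print(f"{years_to_guess(40, 1.0):.0f} years at 1 guess/s for 40 bits")
```

Only the "escalate" bucket is the case where Rick says he would bother with WHOIS contacts; the "targeted" bucket is the one worth watching rather than ignoring, and a key-based login does not prove legitimacy on its own, so that verdict is a prior, not a conclusion.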