Security Basics mailing list archives
Re: what should I do when....
From: Adriel Desautels <adriel () netragard com>
Date: Tue, 08 Jul 2008 08:48:47 -0400
Hi George,

My initial reaction to this is that you should block all IP addresses belonging to that company *if* you do not need to communicate with them via the internet. My secondary reaction is to tell you not to advertise what sort of technology you are using in a public forum (this mailing list). You don't know if the *attacker* is subscribed to this mailing list or not.
My professional recommendation for recourse is that you call the company that *owns* the IP address in question. Let them know that suspicious activity is sourcing from their IP address(es) to yours and tell them that you would like it to stop.
With that said, I'd also recommend that you evaluate the security of your IT Infrastructure. You don't sound too confident that you can prevent the proverbial hacker from penetrating your infrastructure. I suggest that you consider installing some HIDS and NIDS technologies like OSSEC + prelude-ids + snort + prelude-lml (Open Source and effective).
Regards,

Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Jorge L. Vazquez wrote:
For the last 2 days I've been getting lots of connection attempts in my firewall logs (IPCop firewall) from a specific IP based in Canada. The log is showing a "NEW not SYN?"; it seems that someone is trying to initiate a connection, or maybe a scan. Although the good thing is that the firewall is detecting them and therefore stopping them, I'm getting worried about hacker activity. I've already done an IP lookup and a DNS whois query; both of those point to an IP and host in Canada. It seems to be a company, as I got their public website and also private network..... Could anyone advise me what's the proper course of action in this case?.... Thanks

Jorge L. Vazquez
www.pctechtips.org
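As an added example, not code from either poster, here is the kind of triage that turns "NEW not SYN?" entries like the ones Jorge describes into a decision: aggregate them per source address so a sustained stream from one host stands out from the occasional stray out-of-state packet, then render the block rules for review. The log lines are constructed samples in iptables syslog format using RFC 5737 documentation addresses, and the three-hit threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log, in the syslog format iptables/IPCop write. The
# "NEW not SYN?" prefix marks a TCP packet whose connection state is NEW but
# which lacks the SYN flag: either a late reply to a closed connection or a
# non-SYN scan. All addresses and ports are made up for this example.
SAMPLE_LOG = """\
Jul  7 10:12:33 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=80 DPT=51234 ACK RST
Jul  7 10:12:35 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=80 DPT=51235 ACK RST
Jul  7 10:12:38 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=443 DPT=51236 ACK
Jul  7 10:13:01 ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=25 DPT=40001 ACK FIN
Jul  7 10:14:10 ipcop kernel: INPUT DROP IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=55555 DPT=22 SYN
"""

# Only lines carrying the "NEW not SYN?" prefix are of interest; pull out the
# source address and the destination port the packet was aimed at.
NEW_NOT_SYN_RE = re.compile(r"NEW not SYN\?.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)")


def summarize(log_text):
    """Return {src_ip: {"count": n, "ports": {dst ports seen}}} for NEW-not-SYN hits."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = NEW_NOT_SYN_RE.search(line)
        if not m:
            continue  # ordinary drops and other events are not part of this picture
        entry = summary[m.group("src")]
        entry["count"] += 1
        entry["ports"].add(int(m.group("dpt")))
    return dict(summary)


def flag_sources(summary, min_hits=3):
    """Sources with at least min_hits such packets, most active first.

    A single packet is usually a late reply from a host you talked to; a
    sustained stream from one address is what justifies a call to the owner
    or a block. The threshold is an assumption for this example."""
    hits = (ip for ip, e in summary.items() if e["count"] >= min_hits)
    return sorted(hits, key=lambda ip: -summary[ip]["count"])


def iptables_block_rules(ips):
    """Render the DROP rules an admin would review before applying them."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in flag_sources(s):
        print(f"{ip}: {s[ip]['count']} NEW-not-SYN packets, ports {sorted(s[ip]['ports'])}")
    print("\n".join(iptables_block_rules(flag_sources(s))))
```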