Re: what should I do when....

[lists () spider-security net]

I have always done what you have said.  If I notice scans from an IP 
(mainly SSH brute force attempts) then I will gather the logs and send 
them to the security@ or abuse@ contact that is in the WHOIS.  After 3 
scans from IP addresses that are owned by the same company I will block 
all traffic to/from their entire IP range.  By that time I have already 
given them a sufficient number of attempts to correct the problems.  I 
once blocked a large data center that had a lot of customers (from all 
around ThePlanet, if you catch my drift).  I ran into a lot of problems 
where people needed access to websites that were hosted there or the DNS 
was hosted there and the site was somewhere else.  I ended up allowing 
DNS and HTTP out, but still disallowed connections from them.  Over 
three years and they still can't browse our website. :)

--
Nathan

Adriel Desautels wrote:
> Hi George,
>     My initial reaction to this is that you should block all IP 
> addresses belonging to that company *if* you do not need to 
> communicate with them via the internet. My secondary reaction is to 
> tell you not to advertise what sort of technology you are using in 
> public forum (this mailing list). You don't know if the *attacker* is 
> subscribed to this mailing list or not.
>
>     My professional recommendation for recourse is that you call the 
> company that *owns* the IP address in question. Let them know that 
> suspicious activity is sourcing from their IP address(es) to yours and 
> tell them that you would like it to stop.
>
>     With that said, I'd also recommend that you evaluate the security 
> of your IT Infrastructure. You don't sound too confident that you can 
> prevent the proverbial hacker from penetrating your infrastructure. I 
> suggest that you consider installing some HIDS and NIDS technologies 
> like OSSEC + prelude-ids + snort + prelude-lml (Open Source and 
> effective).
>
>
> Jorge L. Vazquez wrote:
> > for the last 2 days I've been getting lots of connections attempts on 
> > my firewall logs(ipcop firewall), from a specific ip based in Canada, 
> > the log is showing a
> > *
> > *
> > NEW not SYN?
> >
> > it seems that someone is trying to initiate a connections, or may be 
> > a scan. Although the good thing is that the firewall is detecting 
> > them therefore stopping them, I'm getting worried of hacker activity, 
> > I've already done ip lookup, and dns whois query both of those point 
> > to ip and host in Canada it seems to be a company as I got their 
> > public website and also private network.....could anyone advice me 
> > what's the proper course of actions in this case?....
> >
> > thanks
> > Jorge L. Vazquez
> > www.pctechtips.org