What can I do about breaking attempts? (clarified)

In an earlier thread, I asked what I could do about repeated break-in
attempts. The answers pertained to protecting my server. Thanks, but I
should have clarified the question: it was really about law enforcement. Who
can I report these break-in attempts to? And what law enforcement agencies
are out there that could find and arrest this criminal?

The question is sufficiently different from the earlier version that I
thought it worth starting a new thread.

Re: What can I do about breaking attempts? (clarified)

On Sat, 25 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article


Are you serious???

1. There are no Internet Police.
2. The zombie is most likely in a different jurisdiction.
3. In the USA, can you demonstrate a substantial financial loss (I believe
the figure is US$5000 for the FBI to become involved), or other violation
of laws of sufficient importance for a law enforcement agency to get into
the picture?  Do you have information on the system that the laws require
you to protect?


See that your firewall is working, and ignore the noise.

        Old guy

Re: What can I do about breaking attempts? (clarified)


At least your law enforcement will get a good belly-laugh from
your attitude.

Do you not lock your front door?  car?  So why do you leave your
computer wide open and then complain?  Roving gangs of kids are
looking for something to play with, you are inviting them to
play with you.  Don't like it?  Shut the bloody door!

Take responsibility.

...  The computer scientist, who had listened to all of this said,
"Yes, but where do you think the chaos came from?"

Re: What can I do about breaking attempts? (clarified)

Chris wrote:

LOL... this is one of the funniest posts I've seen in a long time :)

Re: What can I do about breaking attempts? (clarified)


Regarding law it depends on your and the attacker's country.  A smart
attacker doesn't get busted anyway (theoretically it often would be
possible, but it's expensive also).  Many people in the past (including
very large companies) have counted on law, just to realize that it's a
big mistake.

So I can just repeat what Grant has already said.  Secure your server
properly.  That's cheap and saves you a lot of trouble.


Re: What can I do about breaking attempts? (clarified)

Chris wrote:

Something like this:
http://www.dshield.org/
may be much more suitable for the more general cases (e.g. unsuccessful
unauthorized break-in attempts).

I've sent many e-mails (e.g. to the responsible ISP) on such
incidents.  Most of the time one won't even get a response when
reporting such items.  When one does get a response, it's usually a
canned (but often at least somewhat encouraging) response.  Once in a
while, one gets a more detailed response (e.g. excerpted, redacted,
characters translated to ASCII and some line folding):

Subject: Re: unauthorized ssh login attempts from <redacted>

Dear Sir/Madam

Thank you for contacting the <redacted> Customer Security team
regarding your port scan concern and for forwarding your personal
firewall logs.

Port scanning contravenes <redacted>'s Acceptable Usage Policy and
Terms & Conditions. We take any abuse of our service very seriously.

I've carried out an investigation into this and we've taken action
against our user to stop this happening again.

I'm sorry to say, though, that I won't be able to give you any more
information about the user in question.

There are free services available that may extract detected malicious
activity from your firewall logs and automatically send
them to the appropriate abuse department for further action. Two such
services are:
MyNetWatchman at http://www.mynetwatchman.com
and DShield at http://www.dshield.org

Other services are also available.

In addition, you may like to consider these steps to reduce the chances
of your computer being compromised by hackers:

i) make sure any anti-virus or port protection software you're already
running is up to date and that it is programmed to reject
remote access. You can usually update via the software maker's web site
ii) if you keep sensitive information on your computer, you could
consider getting some encryption software for more protection
iii) when you're connected to the internet, do not publicise your IP
address (the unique ID number your ISP gives on connecting)
as this invites hackers. You're especially vulnerable when using
applications such as chat, internet relay chat or video
iv) be careful what applications you install direct from the internet -
do you trust the supplier? Most viruses and trojans
enter systems via shareware and freeware downloads.

If you use Microsoft software, we would also like to bring to your
attention the importance of installing any necessary security
updates from Microsoft.  You can see the available patches at

If you're worried that your computer has been accessed remotely and
that data has been read or taken, we suggest you contact the
police with whatever evidence you may have.

At <redacted> we are consistently looking at ways to improve the
service we offer our customers.  As part of this we have put together
an online questionnaire about your experience of dealing with the
<redacted> Customer Security Team which we would like you to complete.
The questionnaire can be found at the following URL:
http://<redacted>questionnaire  and will only take a few minutes
of your time.  Your feedback will help us improve the service we offer

I hope the above helps. Please don't hesitate to contact us with any
further enquiries or comments.

Thank you again.

Yours faithfully

<redacted> Customer Security Team
http://www.getsafeonline.org/

<redacted> is a founding member of the Internet Watch Foundation, ISP
Abuse Management Forum and the Internet Content Rating

This electronic message contains information from the <redacted>
Acceptable Use team, which may be privileged and confidential. The
information is intended for use only by the individuals or entity named
above. If you are not the intended recipient, be aware
that any disclosure, copying, distribution or use of the contents of
this information is prohibited. If you have received this
message in error please notify <redacted> by email immediately.

<redacted> does not accept responsibility for the content of third
party web sites.

Original Message Follows:
unauthorized ssh login attempts from <redacted>
timestamps PST8PDT
Jan 28 18:27:12 <redacted> sshd: Failed password for root from
<redacted> port <redacted> ssh2
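
Added example (not part of any post in this thread): one way to build the kind of per-source abuse report shown above from sshd "Failed password" lines, with the subject, the timezone note and the raw log lines the ISP will want. The sample log, host name, addresses (RFC 5737 documentation ranges), function names and the three-attempt threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in classic syslog sshd format; addresses are from the
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 28 18:27:12 myhost sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jan 28 18:27:15 myhost sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40120 ssh2
Jan 28 18:27:19 myhost sshd[2105]: Failed password for root from 192.0.2.10 port 40131 ssh2
Jan 28 18:30:02 myhost sshd[2150]: Accepted password for chris from 198.51.100.7 port 51000 ssh2
Jan 28 19:02:44 myhost sshd[2290]: Failed password for root from 203.0.113.5 port 33012 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def failed_by_source(log_text):
    """Group failed-password lines by source address, keeping the raw lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            hits[m.group("src")].append((m.group("ts"), m.group("user"), line))
    return dict(hits)

def abuse_report(src, entries, tz="PST8PDT", min_attempts=3):
    """Return report text for one source, or None if below the threshold."""
    if len(entries) < min_attempts:
        return None
    users = sorted({user for _, user, _ in entries})
    body = [
        f"Subject: unauthorized ssh login attempts from {src}",
        "",
        f"timestamps {tz}",
        f"{len(entries)} failed logins, {entries[0][0]} to {entries[-1][0]}",
        f"accounts tried: {', '.join(users)}",
        "",
    ]
    body += [line for _, _, line in entries]
    return "\n".join(body)

if __name__ == "__main__":
    for src, entries in failed_by_source(SAMPLE_LOG).items():
        report = abuse_report(src, entries)
        if report:
            print(report, end="\n\n")
```

The report text would go to the abuse contact for the source network; stating the timezone matters because classic syslog timestamps carry neither year nor UTC offset.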
