LinuxQuestions.org forum: Linux - Networking
Hello! If I see a repeated IP in my server log, let's say, trying to ssh into my box as different users, including root, would there be any way to contact this person to let them know I know?
I don't wanna get them into a lot of trouble, especially if they are just "testing"; however, I don't like the "root" tests. I just wanna let them know I can see them and could get them in trouble. Nothing's been hacked on my system, no rootkits, nothing dorked, all is OK, but I just don't like seeing the attempts.
Any suggestions? I would really just like to send em a little email saying, yo (whatever their username/DNS or ISP's login name) I can see you ssh'ing my system, can I help you find something?
These methods will usually resolve a name if it can be, and if you're lucky, it won't be a dsl or dynamic number.
Once you have the name, do a whois on the country's interNIC server or
dig -t MX name
Works for me overall less than 40% of the time.
Last edited by peter_robb; 02-20-2003 at 06:41 AM.
Doing a reverse lookup will give you an administrative address to report them to, but not an email address for the individual.
Why not fire a port scan straight back at em, maybe try to connect into their ssh, trying user names like "iknowwhat" and passwords like "yourupto", or "closeto" and "reportingyou", they should take a hint.
Best to fire an email to "abuse@xxxxx" to avoid them thinking they have a live wire to "have a competition with".
Yes, I'd agree some extremely large icmp packets would wake them up, but flaming never was considered "constructive".
These people thrive on information, hence the scans and probes.
The best defense for this is "silence" in a form.
Well, my experience has taught me that...
Yeah, but if their IP is, say, a cable modem, they may or may not have mail set up on it, and won't receive the abuse@ mail.
The best you can often do if you're looking at a script kiddie is to track them to their ISP and report it to their ISP.
A traceroute will often net you the border router for their ISP, (it'll be one of the last on the list) and you can then fire an abuse@ off to 'them'.
Bear in mind though, that in the days of dynamic IPs and suchlike it's *possible* that you've inherited an IP that was used by someone else beforehand.
I'll admit that I've incorrectly assumed that the IP address I had this morning is still there and attempted to 'root' someone else's box that just happened to get it after me. So, develop a threshold, and try not to jump all over someone for a minor infringement. Obviously there's making a mistake, and there's outright hack attempts, and the difference should be clear.
Cool, well I don't wanna get them into huge trouble, after all, nothing was done, they didn't get in, and my system is still stable... for now. So I am wanting to avoid sending an email to their ISP about it, but if that's the general consensus of what I should do, I will.
If you do report them to the admin of their domain, you need to include times and timezone; it's the only way they can check in their logs to see who had what IP address at what time. As pointed out, addresses move around.
I quite often get port scans and I always report em. Most often they are from modem connections so the IPs change. As I say the only way to know is from the ISPs RADIUS server logs, tells em who was using what IP when.
I should also point out that people can use port scans and ssh sessions bounced off another person's machine via a trojan port redirector or scanner, so even then you may not necessarily get the culprit.
I think this is why the ISPs normally send warnings before disconnecting people. If you got an email telling you to stop scanning and you don't have a port scanner, at least you'd know something was wrong.
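The last two replies boil down to a procedure: pull the failed ssh logins out of the log, decide which sources clear your threshold (root guesses being the ones the original poster objects to), and hand the ISP each event with an unambiguous time and timezone so they can match it against their RADIUS logs. The script below is an added example written for this thread, not code anyone in it posted. It assumes the classic OpenSSH syslog line format ("Failed password for ... from <ip> port <n>"), that you know the log's year and the server's UTC offset (syslog timestamps carry neither), and it runs over a handful of constructed log lines using RFC 5737 documentation addresses rather than a real log.

```python
"""Summarise failed SSH logins from an auth.log and draft an abuse@ report.

Added example for the thread above; not the original posters' code. It
assumes the classic OpenSSH syslog format, a known log year and a known
server UTC offset. SAMPLE_LOG is constructed (documentation addresses).
"""
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not real traffic (RFC 5737 address ranges).
SAMPLE_LOG = """\
Feb 20 03:12:44 myhost sshd[1234]: Failed password for root from 198.51.100.23 port 4012 ssh2
Feb 20 03:12:49 myhost sshd[1235]: Failed password for invalid user admin from 198.51.100.23 port 4017 ssh2
Feb 20 03:12:53 myhost sshd[1236]: Failed password for root from 198.51.100.23 port 4021 ssh2
Feb 20 09:30:01 myhost sshd[1300]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Feb 21 01:02:03 myhost sshd[1401]: Failed password for invalid user test from 203.0.113.77 port 3333 ssh2
"""
# Assumptions for the sample: the log is from 2003 and the server clock runs at UTC-5.
SAMPLE_YEAR = 2003
SAMPLE_TZ = timezone(timedelta(hours=-5))

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Attempt:
    when: datetime   # timezone-aware, already converted to UTC
    user: str
    ip: str
    raw: str         # the original log line, kept verbatim as evidence


def parse_failed_logins(text, year, local_tz):
    """Return failed-password events in `text`, timestamps converted to UTC."""
    attempts = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                      # e.g. "Accepted publickey"
        stamp = " ".join(m.group("ts").split())           # collapse "Feb  5" padding
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        when = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
        attempts.append(Attempt(when, m.group("user"), m.group("ip"), line))
    return attempts


def summarize_by_ip(attempts):
    """Per source IP: number of failures, root guesses, usernames, first/last seen."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    summary = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.when)
        summary[ip] = {
            "count": len(events),
            "root_attempts": sum(1 for a in events if a.user == "root"),
            "users": sorted({a.user for a in events}),
            "first": events[0].when,
            "last": events[-1].when,
        }
    return summary


def offenders(summary, threshold):
    """IPs with at least `threshold` failures, plus any IP that guessed root.

    The threshold is the margin suggested above for a mistyped address; root
    guesses are flagged regardless of count since those are the ones the
    original poster objects to.
    """
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= threshold or s["root_attempts"] > 0)


def abuse_report(ip, attempts, reporter_host):
    """Evidence block for abuse@: each event with an ISO 8601 UTC timestamp.

    An ISP can only map an address to a customer if it knows exactly when the
    address was in use, so every raw line is paired with an unambiguous time.
    """
    mine = sorted((a for a in attempts if a.ip == ip), key=lambda a: a.when)
    lines = [f"Unauthorised SSH login attempts from {ip} against {reporter_host}",
             "All times are UTC (ISO 8601). The raw syslog line follows each timestamp.",
             ""]
    for a in mine:
        lines.append(f"{a.when.strftime('%Y-%m-%dT%H:%M:%SZ')}  user={a.user}")
        lines.append(f"    {a.raw}")
    return "\n".join(lines)


def reverse_lookup(ip):
    """PTR name for `ip`, or None. Network call; the holder of the address block
    controls the PTR record, so treat the name as a hint, not as proof."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG, SAMPLE_YEAR, SAMPLE_TZ)
    summary = summarize_by_ip(events)
    for ip in offenders(summary, threshold=3):
        print(abuse_report(ip, events, "myhost.example"))
        print()
```

Run it against a real `/var/log/auth.log` by reading the file into `parse_failed_logins` with the correct year and your server's UTC offset; `reverse_lookup` is deliberately kept out of the report because a PTR record is set by whoever holds the address block and proves nothing about who was behind the keyboard.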