LinuxQuestions.org forum: Linux - Security
View Poll Results: What do you do with minor attacks?
I have recently put up a small website to help some friends and as I'm bored today I watch the logs... I see quite a few attempts to break in - all of which are Microsoft exploits so they aren't really important at all. On a daily basis, I also receive quite a few spoofed IP addresses or other forms of scans/attacks captured by the syslog and iptables.
Now, what do you folks do with MINOR attacks on your systems? Do you report them to the ISP, attack them back, do nothing because they are futile against your machines? (We're talking minor attacks here)
So far, I only report abuse when I'm bored on Saturdays or late evenings... What's the 'norm'?
ignore them... it's waaaay too much effort to chase them all up.
if anyone is persistent in attempting to break in or annoying, then mail their ISP with the important parts of your server logs.
Most attacks like that are automated nowadays, scripts, bots, worms, zombies.. It simply does not make sense to report them. Report real crime in your neighborhood not white noise that flows over the internet every day.
mostly ignore.
if I see an attempt at SSH or similar then they get IP blocked.
If there is a persistent attempt ...
e.g. I've been probed for 3 hours straight, every 5-10 secs, by one guy ( usr/moron ) after the same port ( ooh duh ), then I get annoyed, do a whois and report if possible.
sometimes works sometimes not.
Definitely works if the usr/moron is a customer of the same ISP as yourself as it is usually a breach of rules - email off your logs as proof.
If you're running in stealth then attacking someone else kind of gives the game away, blows your own cover etc. Not recommended !
I report them if they are outlandish attempts. For example, a few days ago someone tried to Brutessh their way into one of our boxes for 4 hours. Something like 1500 failed login attempts. I'll report them and anyone else that tries repeatedly for a period of time.
Of course it also depends on where they are coming from. If they are coming from China or Japan or Korea, I won't even bother b/c I know I won't get a response from their ISP. Some European ISPs have been responsive (I've had a few experiences with schlund.de and found them to be very responsive). Domestic (US) ISPs are usually very responsive when you send them logs.
So I guess if I'm bored and care enough I'll report them.
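Several replies above describe the same routine by hand: block a source after repeated SSH attempts, and when one host keeps hammering for hours, pull the relevant log lines and send them to the ISP. The script below is an added example (not code from anyone in this thread) that automates the triage step: it parses sshd "Failed password" lines in classic syslog format, groups them by source address, flags sources above a failure threshold, and produces a one-line summary per source of the sort you would paste into an abuse report. The log lines are constructed samples using RFC 5737 documentation addresses, the threshold of 3 is an assumed default, and the year is assumed because syslog timestamps do not carry one.

```python
"""Triage repeated SSH login failures from sshd log lines (added example)."""
import re
from datetime import datetime

# Constructed sample in classic syslog format. The addresses are from the
# RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Mar  3 21:02:11 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 21:02:14 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Mar  3 21:02:19 web1 sshd[2107]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 21:02:25 web1 sshd[2110]: Failed password for invalid user test from 198.51.100.23 port 51244 ssh2
Mar  3 21:05:40 web1 sshd[2130]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Mar  3 21:05:52 web1 sshd[2131]: Accepted publickey for alice from 203.0.113.9 port 40023 ssh2
Mar  3 21:09:03 web1 sshd[2150]: Failed password for invalid user oracle from 198.51.100.23 port 51300 ssh2
"""

# Matches the OpenSSH "Failed password" message; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Group failed-password events by source IP.

    Returns {ip: {"count": int, "users": set, "first": datetime, "last": datetime}}.
    Syslog timestamps have no year, so one is assumed via the parameter.
    """
    by_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        rec = by_ip.setdefault(
            m.group("ip"), {"count": 0, "users": set(), "first": ts, "last": ts}
        )
        rec["count"] += 1
        rec["users"].add(m.group("user"))
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return by_ip


def persistent_sources(by_ip, min_failures=3):
    """Source IPs with at least min_failures failures, most active first."""
    hits = [(ip, rec["count"]) for ip, rec in by_ip.items() if rec["count"] >= min_failures]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def abuse_summary(by_ip, ip):
    """One-line summary for a source, suitable for an abuse report to its ISP."""
    rec = by_ip[ip]
    span = (rec["last"] - rec["first"]).total_seconds()
    return (
        f"{ip}: {rec['count']} failed SSH logins between "
        f"{rec['first']:%Y-%m-%d %H:%M:%S} and {rec['last']:%Y-%m-%d %H:%M:%S} "
        f"({span:.0f}s), usernames tried: {', '.join(sorted(rec['users']))}"
    )


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for src in persistent_sources(failures):
        print(abuse_summary(failures, src))
```

On the sample, only 198.51.100.23 crosses the threshold (five failures across four usernames in under seven minutes); alice's single typo from 203.0.113.9 followed by a successful key login is left alone, which is the distinction the replies above draw between a one-off and a persistent attempt. Feed it `/var/log/auth.log` or `journalctl -u ssh` output instead of `SAMPLE_LOG` to run it on a real host, and raise `min_failures` to whatever you consider worth the effort of a report.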