Do you care about WHOIS contact information?

David Wolfskill david at catwhisker.org
Thu Jul 23 06:32:34 PDT 2009


Under normal circumstances, I'm in the habit of perusing certain
logfiles on my home network (which I admit isn't "Large") every
morning, looking for certain forms of anomalous activity.

One of those forms that has proved fairly common over the years is
a sequence of attempts to login via my SSH server.

While I'm aware of strategies such as port-shifting and the like,
I don't do that.  For one thing, it complicates my life more than
necessary; for another, my SSH server is actually one of the
better-protected services, as I only permit public key authentication
via SSH.

So if the stupid perps want to wear themselves out & advertise their
activities by banging their heads against my SSH server, well,
that's just fine by me.

Of course, that doesn't stop me from noticing -- or reporting --
their activities.

This is all the more so because I have my packet filter configured
to log all 22/TCP SYN packets; the SSH server already logs all
attempts to connect to it.

So when I notice a burst of activity, I do a WHOIS query and provide
the allegedly responsible party for the netblock in question an
appropriate excerpt from each of the logfiles in question, together
with a slightly-customized (for the occasion) bit of boilerplate
text explaining why I'm writing and what the significance of certain
bits of the logfile extracts is, concluding with an offer to provide
additional information on request.  The whole thing is deliberately
phrased to be non-confrontational and non-accusatory -- e.g., it
starts with:

| Below, please find log entries corresponding to several unauthorized
| attempts to access my SSH server.  I have no reason to believe that
| any of my systems were harmed or compromised, but the activity was
| certainly not welcome, and I'm notifying you of it in case the
| information helps a current or future investigation you may make.

Fundamentally, I believe there is much value in treating others as
I'd like to be treated.  And if stuff like that originated from a
network for which I have responsibility, I'd really like to know.

Anyhow, I often get auto-responses; I also sometimes get a more
personal note of thanks from the other admins (e.g., when they find
out that they had a compromised host they didn't know about on their
network), so I believe it's a useful exercise in general.

Sometimes, though, my notification message gets bounced -- e.g.,
with an equivalent of "no such mailbox" for each of the addresses
on the recipient list.

Over the years, I've developed an approach for addressing (no pun
intended) this situation, but before I explain that, I'd like to
do a reality check and ask y'all what you (would) do about it.

:-)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
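The log-review step described in the post, as an added example that is not the author's own tooling: it parses sshd "Failed password" lines, groups them by source address, flags the addresses with a burst of failures (the ones worth a WHOIS lookup), and builds the per-netblock log excerpt for the notification. The log lines and the burst threshold are constructed assumptions; the WHOIS query and the mailing are left to the operator.

```python
import re
from collections import defaultdict

# Constructed sshd log lines using RFC 5737 test addresses (not the author's logs).
SAMPLE_LOG = """\
Jul 23 05:58:01 gw sshd[4021]: Invalid user admin from 192.0.2.10
Jul 23 05:58:01 gw sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 52211 ssh2
Jul 23 05:58:04 gw sshd[4023]: Invalid user oracle from 192.0.2.10
Jul 23 05:58:04 gw sshd[4023]: Failed password for invalid user oracle from 192.0.2.10 port 52230 ssh2
Jul 23 05:58:07 gw sshd[4025]: Failed password for root from 192.0.2.10 port 52244 ssh2
Jul 23 06:10:33 gw sshd[4101]: Accepted publickey for david from 198.51.100.7 port 40112 ssh2
Jul 23 06:15:45 gw sshd[4130]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""

# Only "Failed password" lines are counted, so the paired "Invalid user" line
# for the same attempt does not double the tally.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_attempts(log_text):
    """Group failed-password lines by source address, keeping the raw lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(line)
    return by_ip


def bursts(by_ip, threshold=3):
    """Addresses with at least `threshold` failures (assumed cut-off for a WHOIS lookup)."""
    return {ip: lines for ip, lines in by_ip.items() if len(lines) >= threshold}


def notification_excerpt(ip, lines):
    """Excerpt to send to the netblock's abuse contact, in the post's non-accusatory tone."""
    header = (
        "Below, please find log entries corresponding to several unauthorized\n"
        f"attempts to access my SSH server from {ip}.  Timestamps are in the\n"
        "server's local time.  Additional information is available on request.\n"
    )
    return header + "\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, lines in bursts(failed_attempts(SAMPLE_LOG)).items():
        print(notification_excerpt(ip, lines))
```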