Break-In Attempt -- Now What?

Alex Beamish talexb-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Nov 30 16:31:38 UTC 2004


On Tue, 30 Nov 2004 11:00:29 -0500, Peter King <peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org> wrote:
[..]
> 
> Okay, NOW WHAT?
> 
> I found the computer, and even have limited access to it; apart from
> wanting to take it down as payback, I had and have no clue what to do
> next. The Voice Over My Shoulder told me to give it up and go back to
> rechecking those firewall rules. But I can't help but think if I just
> knew a bit more, I could do something -- like find out the guy's ISP and
> send them a note about cracker attempts.
> 
> Advice? Suggestions? (Other than "Get a life" I mean.)

Retribution? Don't bother. As other posters have mentioned, that
machine you found is likely itself already hacked. I suppose you could
write to the ISP, alerting them to the attack.

My first suggestion is to disable root login from SSH -- a suggestion
that floated by on the list recently. Great advice .. I made that
setting change immediately.

Is it possible to limit the range of IPs that SSH will accept a
connection from? If you're leaving a connection open so you (or
others) can log in from a couple of known locations, that kind of
security will work fine.

Alex
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
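
An added example, not part of the original post: a small check for the two settings discussed in the reply above, root login over SSH and limiting logins by source address with `AllowUsers USER@HOST` patterns in `sshd_config`. The function name `audit_sshd_config` is hypothetical, and the sample configurations and addresses are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread). Addresses are documentation ranges.
WEAK = """\
PermitRootLogin yes
AllowUsers alex
# appended later by an admin; sshd uses the first value it sees, so this is ignored
PermitRootLogin no
"""
HARDENED = """\
permitrootlogin no
AllowUsers alex@192.0.2.0/24
AllowUsers alex@198.51.100.7
"""

def audit_sshd_config(text):
    """Return findings for the global section of an sshd_config (hypothetical helper)."""
    root_login = None   # first occurrence wins, as in sshd
    allow_users = []    # multiple AllowUsers lines accumulate
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            findings.append("Match block found: review its overrides separately")
            break                           # conditional blocks are not evaluated here
        if key == "permitrootlogin" and root_login is None:
            root_login = value.lower()
        elif key == "allowusers":
            allow_users.extend(value.split())
    if root_login is None:
        findings.append("PermitRootLogin not set: the built-in default applies")
    elif root_login != "no":
        findings.append(f"PermitRootLogin is '{root_login}', expected 'no'")
    if not allow_users:
        findings.append("No AllowUsers line: no USER@HOST source restriction")
    for pattern in allow_users:
        user, _, host = pattern.partition("@")
        if host in ("", "*"):
            findings.append(f"AllowUsers '{pattern}' does not restrict the source host")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

On a host with OpenSSH installed, `sshd -T` prints the effective configuration and is the authoritative check; this script only reads the file text.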




