how to deal with bruteforcing

skisteven1

Senior member
Jul 15, 2003
I'm the net admin for a small organization in town (it's a part time job), and I was going through the logs to find a bunch of ssh brute force attempts (pretty normal). However, I noticed over 1000 of them from a particular .edu host. I figure that this is something that their network admin would want to know, but I have ZERO experience in this sort of thing.

Can anyone recommend what I should write in the letter to their netadmin? I know it's worthless going after .tw domains and such, but this one is local, and an academic, so I figure it's worth a shot.

Any ideas on what I should send? Should I even bother?

Thanks!

Kelemvor

Lifer
May 23, 2002
I'd call them up and let them know someone was trying to hack into your network and that before you contact the police, you thought you'd try contacting their IT department first.

Then let the IT person know what's going on.

nweaver

Diamond Member
Jan 21, 2001
there is almost always an abuse@domain.edu that you could send to.


tbh, this is easy to fix, move SSH to a higher, nonstandard port. Since moving mine up to 4 digits, I've never had a single login attempt.

skisteven1

Senior member
Jul 15, 2003
Originally posted by: nweaver
there is almost always an abuse@domain.edu that you could send to.


tbh, this is easy to fix, move SSH to a higher, nonstandard port. Since moving mine up to 4 digits, I've never had a single login attempt.

It hasn't really bothered me enough to do that -- though I probably should. SSH is the only port open on the server, and is secure as it is now (so far as I know). Is there any pressing reason to move it?


skisteven1

Senior member
Jul 15, 2003
guess who just changed the port but forgot to change the firewall!

anybody?

luckily, for one reason or another, redhat doesn't kill your ssh session when you restart the service. Weird.

skisteven1

Senior member
Jul 15, 2003
too strong?

Hello,

My name is ~~~~~~, and I am the network administrator for the ~~~~~ Foundation of Urbana-Champaign. On the date of March 5, we logged over 1000 separate brute force attempts to gain unauthorized access to our network from the following host:

XXXXX.XXXXX.SCHOOL.edu (XX.YY.XX.42)

We must ask that you cease and desist in these actions, and track down the person or group who is responsible. Please keep me updated on how this goes.

Thank you,
~me~
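As an added example (not code from anyone in this thread), a small Python script that does what the original poster did by hand in the logs: it tallies failed sshd logins per source address from auth.log-style lines and formats each offender's count, first/last timestamp and usernames tried, which is the evidence an abuse@ report like the letter above should cite. The log lines are constructed and the addresses are placeholders; the threshold of 3 is only for the sample.

```python
import re

# Constructed sample auth.log lines in sshd's format; addresses are placeholders.
SAMPLE_LOG = """\
Mar  5 02:11:07 srv sshd[4120]: Failed password for invalid user admin from 10.0.0.42 port 51102 ssh2
Mar  5 02:11:09 srv sshd[4122]: Failed password for root from 10.0.0.42 port 51104 ssh2
Mar  5 02:11:12 srv sshd[4124]: Failed password for invalid user test from 10.0.0.42 port 51106 ssh2
Mar  5 02:11:15 srv sshd[4126]: Invalid user oracle from 10.0.0.42 port 51108
Mar  5 03:40:01 srv sshd[4300]: Accepted publickey for steve from 192.168.1.20 port 40022 ssh2
Mar  5 04:02:33 srv sshd[4410]: Failed password for root from 203.0.113.7 port 33001 ssh2
"""

# Only "Failed password" lines are counted: an "Invalid user" line is emitted alongside
# a "Failed password for invalid user" line, so counting both would double-count.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def summarize_failures(log_text):
    """Return {src_ip: {"count", "first", "last", "users"}} for failed sshd logins."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        s = stats.setdefault(m.group("src"),
                             {"count": 0, "first": m.group("ts"), "last": None, "users": set()})
        s["count"] += 1
        s["last"] = m.group("ts")  # lines are in log order, so the last match is the latest
        s["users"].add(m.group("user"))
    return stats

def offenders(stats, threshold):
    """Source addresses with at least `threshold` failures, most active first."""
    return sorted((ip for ip, s in stats.items() if s["count"] >= threshold),
                  key=lambda ip: -stats[ip]["count"])

def report_lines(stats, threshold):
    """Plain-text evidence lines suitable for pasting into an abuse@ report."""
    lines = []
    for ip in offenders(stats, threshold):
        s = stats[ip]
        lines.append(f"{ip}: {s['count']} failed SSH logins between {s['first']} and "
                     f"{s['last']}, usernames tried: {', '.join(sorted(s['users']))}")
    return lines

if __name__ == "__main__":
    for line in report_lines(summarize_failures(SAMPLE_LOG), threshold=3):
        print(line)
```

On a real host, feed it `/var/log/secure` or `/var/log/auth.log` and raise the threshold; the per-host timestamps matter because the remote admin will need them to match against their own DHCP or NAT records.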