Security – Should I report hacking attempts

Tags: abuse, hacking

I am running a small (Windows-based) server. When I check the logs, I see a steady flow of (unsuccessful) password-guessing hacking attempts. Should I try to report those attempts to the owners of the source IP addresses, or are these attempts nowadays considered completely normal and nobody would bother doing anything about them, anyway?

Best Answer

While the answer can depend greatly on the agency you are attempting to inform, I believe that in general you should. In fact, since monitoring and responding to the abuse mailbox for our organization is one of my primary job duties, I can positively say, 'Yes Please!'. I had this same conversation with members of other security organizations and the answers seemed to largely consist of:

  • If the whois information on the IP shows a business or university, then report
  • If the whois information on the IP shows an ISP, then don't bother

I, of course, won't tell you to follow those rules, but I would recommend erring on the side of reporting. It usually doesn't take much effort, and can really help out the guys on the other end. Their reasoning was that ISPs aren't often in positions to take meaningful actions, so they will file the information away. I can say that we will aggressively pursue the matter. We do not appreciate hacked machines on our network, as they have a tendency to spread.

The real trick is to formalize your response and reporting procedure so that it can be consistent between reports, as well as between staff. We want, at minimum, the following:

  1. IP address of the attacking system
  2. Time stamp (including time zone) of the event
  3. The IP addresses of the systems on your end

If you can also include a sample of the log messages that tipped you off, that can also be useful.

Normally, when we see this kind of behaviour, we also institute firewall blocks of the most appropriate scope at the most appropriate location. The definitions of appropriate are going to depend significantly on what is happening, what kind of business you're in, and what your infrastructure looks like. It may range from blocking the single attacking IP at the host, all the way up to not routing that ASN at the border.