Network attack - so what?

In my logs I find entries about attacks on my system. I know IP addresses, I know date and time and I know what they tried to do. So what's the best I can do now? Tell everybody that there are cybercriminals on that network? Write an email to their admin? Anything else?

I would want to block the known attacking IP(s) on the firewall at the gateway into the network and the node that is being attacked.

If it was a hijack attempt, maybe let Spamhaus know.

The Spamhaus Project

You should block those IPs using a firewall.

  • You should constantly monitor the log, and add the new attacking IPs to your block list.
  • Or allow only the IPs that are expected.

You should have a strong password for root login, if that is an SSH attack. Or you can even think about locking the root account, and use a sudo account to do the administration and be on the safer side.
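
As an added illustration of the monitor-the-log-and-extend-the-block-list approach described in this answer (example code, not from the original post): it parses constructed sshd log lines, counts failed logins per source address, skips an allowlist of expected addresses, and renders nft commands for a blocklist set. The set name `ssh_blocklist` in table `inet filter` is an assumption; the set must already exist with `type ipv4_addr`.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample sshd log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2201]: Failed password for invalid user Administrator from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:10 host sshd[2206]: Invalid user oracle from 203.0.113.7 port 51260
Mar  3 10:02:30 host sshd[2210]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:03:00 host sshd[2212]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
"""

# Only "Failed password" lines are counted: sshd also logs a separate
# "Invalid user" line for unknown accounts, which would double-count attempts.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .*?from (\S+) port \d+")


def count_failures(log_text):
    """Return a Counter of failed SSH logins keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))  # validates the captured token
        except ValueError:
            continue  # malformed address: skip rather than block garbage
        counts[str(ip)] += 1
    return counts


def offenders(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, minus expected (allowlisted) addresses."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


def nft_block_rules(ips, set_name="ssh_blocklist"):
    """Render nft commands that append each offender to the (assumed) blocklist set."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    for cmd in nft_block_rules(offenders(SAMPLE_LOG, allowlist={"192.0.2.5"})):
        print(cmd)  # review, then run; a rule referencing the set drops matching sources
```

With the sample input only 203.0.113.7 crosses the default threshold of three failures, and the printed command is what a log-watching cron job would hand to nft.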

While the advice above is valuable, I can also vote for contacting Spamhaus for such issues, if deemed they are proper for their activity. Having worked as a Security and Abuse administrator, I can only say I was pleased to work with Spamhaus for a few years, but like I said, it will depend on the type of attack.

This question cannot be answered unless you describe the nature of the attack.

Your question is so vague that we have no idea, really, what you are talking about. A web attack? An SSH login attempt? A simple scan? Spam? What kind of attack?

Why would you ask such a question without providing any details and expect to get a useful answer?

Sorry.
To provide more details, with "attack" I meant SSH brute force - somebody tries to log in as "Administrator" or with other users over SSH many times. I think the IPs are always dynamic. As for spam, what do you think of offers on the Web to subscribe for spam and of using it to spam spammers? Using email aliases, it would be possible. And I didn't know (email) spam is considered an attack.
To make my question in the first posting more precise: did I understand it right that for an attacker there will be no consequences?

It depends. Back in the days when I was dealing with hundreds of spammers and attackers as a security officer I have even seen people ending up in jail. But again, it will depend on the ISP / Enterprise, the local laws - California may be different than, let's say, Arizona, though they are neighbors - and especially the way you report the attacks / spam messages. Both Spamcop.net and Spamhaus.org do a pretty good job in providing cooperation to network / abuse admins through automated mail systems. There's a risk, however - some or all of the IP addresses may be indeed legitimate, but the attack itself deploys forged addresses injected directly into TCP packets.
Nevertheless, all spam messages fall under the CAN SPAM ACT 2003.
As for the SSHD attacks, you may consider this general advice, deploy sshdfilter or implement SSHBL.
HTH.

Thank you!

In my experience it is very rare that anything consequential can be done about such attacks. This is because:

a) Usually executed behind offshore proxies
b) lack of political will

(unfortunately)

Well, if you see attacks originating from any machine, I'd block them.