
Linux Journal: Responding to a Security Incident

“By now, nearly everyone who has been using Linux for some time
and had their system connected to the Internet has seen attempts to
compromise their security. The question that often comes up is what
to do about it. Unless it’s a financial or safety issue, it’s
probably going to get laughed at by the legal authorities, but it’s
worth reporting.”

“I spend a good chunk of my time on mailing lists and
organizations concerned with monitoring hacker activity. Such lists
are the INCIDENTS list from SecurityFocus.com and the SANS GIAC
effort, providing a daily update of hacker activities from various
parties around the world. Often, the question of the value of
reporting an incident is debated. I routinely counsel people to
report most incidents they see. What this does for the ISP is help
them gather information about a set of independently correlated
data about a nefarious customer or a compromised machine on their
network. Just don’t expect much to be done about it. Most ISPs
don’t react and aren’t very neighborly. Some of us in the business
routinely block entire networks from connecting to our networks
based on their patterns of allowing unseemly activity to
continue.”

“We’ll not go into detecting incidents, but we will define them
as port probes, port scans, denial of service (DoS) attempts and
unauthorized access attempts. Each of these warrants investigation,
some more than others. Combining intrusion detection software with
log analysis (which you should be doing anyhow), these events
should stand out.”
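The excerpt above names four incident classes (port probes, port scans, DoS attempts and unauthorized access attempts) and says that log analysis should make them stand out. The following Python script is an added example, not code from the Linux Journal article: it reads constructed log lines in the iptables/netfilter `LOG` format and `sshd` "Failed password" format, aggregates them per source address, and assigns each source to one of those four classes. The thresholds (`SCAN_DISTINCT_PORTS`, `FLOOD_HITS_ONE_PORT`, `FAILED_LOGINS`), the addresses and every log line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Regexes for the two log formats this example understands.
NETFILTER_RE = re.compile(
    r"kernel: .*SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (?P<src>\S+) port \d+"
)

# Thresholds are assumptions for this example; tune them for your own site.
SCAN_DISTINCT_PORTS = 10    # >= this many distinct destination ports -> port scan
FLOOD_HITS_ONE_PORT = 200   # >= this many hits on one port from one source -> DoS attempt
FAILED_LOGINS = 5           # >= this many failed logins -> unauthorized access attempts


def parse(lines):
    """Return per-source counters: {src: {"ports": {dpt: hits}, "auth_fail": n}}."""
    stats = defaultdict(lambda: {"ports": defaultdict(int), "auth_fail": 0})
    for line in lines:
        m = NETFILTER_RE.search(line)
        if m:
            stats[m["src"]]["ports"][int(m["dpt"])] += 1
            continue
        m = SSHD_FAIL_RE.search(line)
        if m:
            stats[m["src"]]["auth_fail"] += 1
    return stats


def classify(lines):
    """Map each source address to the incident categories it triggered."""
    findings = {}
    for src, s in parse(lines).items():
        cats = []
        ports = s["ports"]
        if len(ports) >= SCAN_DISTINCT_PORTS:
            cats.append("port scan")
        if ports and max(ports.values()) >= FLOOD_HITS_ONE_PORT:
            cats.append("DoS attempt")
        if ports and not cats:
            cats.append("port probe")        # a few packets to a few ports
        if s["auth_fail"] >= FAILED_LOGINS:
            cats.append("unauthorized access attempts")
        if cats:
            findings[src] = cats
    return findings


def _netfilter_line(src, dpt, spt=40000):
    # Builds a constructed netfilter LOG line (not captured traffic).
    return (f"Jan 12 03:14:15 gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=40 TTL=54 PROTO=TCP SPT={spt} DPT={dpt} SYN")


def sample_lines():
    """Constructed log excerpt covering all four incident types named in the article."""
    lines = []
    # 203.0.113.5 sweeps 25 ports once each: a port scan.
    lines += [_netfilter_line("203.0.113.5", p, 44000 + p) for p in range(1, 26)]
    # 198.51.100.7 touches only ssh, then fails a login six times.
    lines.append(_netfilter_line("198.51.100.7", 22))
    lines += [f"Jan 12 03:20:{i:02d} gw sshd[4242]: Failed password for invalid user admin "
              f"from 198.51.100.7 port 5100{i} ssh2" for i in range(6)]
    # 192.0.2.77 sends 300 SYNs to port 80: a DoS attempt.
    lines += [_netfilter_line("192.0.2.77", 80, 6000 + (i % 1000)) for i in range(300)]
    # 192.0.2.200 checks port 443 once: just a probe.
    lines.append(_netfilter_line("192.0.2.200", 443))
    return lines


if __name__ == "__main__":
    for src, cats in sorted(classify(sample_lines()).items()):
        print(f"{src:15} {', '.join(cats)}")
```

The per-source summary `classify` returns is the kind of correlated evidence the author suggests forwarding to the responsible ISP: one line per offending address with the category and the counts behind it, rather than raw packets. Running it over real `iptables -j LOG` and `sshd` output only needs the regexes adjusted to the exact fields your logging rules emit.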

Complete Story
