× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.





When I have time, I do a "who is" check and if the source IP traces back to a US based company, I shoot off an email to them.  To date, I have yet to get a response even from that.

Sad state of affairs all around.

Rich
-------------------------

Quoting "Monnier, Gary" <Gary.Monnier@xxxxxxxxx>:

Is the user ID from all locations the same?

Since you are using exit points, and assuming your vendor allows you  to run supplemental exit programs, have you thought of using a  supplemental to obtain the remote server's identity?  Since you have  the IP address you can use C function gethostbyaddr to get the  remote hose name.  Maybe contacting the host's owner will help.

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf  Of Rich Loeber
Sent: Wednesday, May 20, 2015 1:05 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: What Can You Do?



    Please note that in my original post I did indicate that we were effectively blocking the Telnet attempts before they even see the signon screen.  This is done using our exit point software and implementing IP address range controls.  We do this for all TCP servers.

    I like David's idea about blocking an IP address for a couple of  weeks, but every access attempt in this series, which has been going  on since the start of the month, has come from a different address.

    Thanks for all the comments so far.

    Rich
-------------------------

     Quoting Helge Bichel <hbi@xxxxxxx>:

Hi Rich.

I do recognize the 27 telnet attempts on my site from almost all over
the world.

I have a nice system (Easy400 SECTCP) to block telnet and ftp, it
works, but it takes some time to investigate and add new ip  patterns for blocking.
FTP is only open for dedicated ip's since only a few ip's using it.

You could ask: why not just allowed selected/validated ip's for telnet.
It's not an option for telnet, or at least a difficult one, because
real users are connecting from many different countries on a 24/
basis, and even switches ip between office, home, airport, hotel etc.
Therefore the need having *all ip's open and try to block ip ranges
used by hackers.

That's what I do.

Best regards
Helge Bichel
Copenhagen
Denmark



-----Oprindelig meddelelse-----
Fra: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] På vegne af
Rich Loeber
Sendt: 20. maj 2015 21:01
Til: Midrange Systems Technical Discussion
Emne: What Can You Do?

    I regularly see and capture information about attempts to gain
access to
    my system.  This month, I've seen a repeated attempt by someone to
gain
    access by establishing a Telnet session.  So far, our software has
    successfully rebuffed every access attempt.  Because of the
pattern, it
    appears to me that someone is specifically targeting our IBM i server.
    Every attempt consists of 27 attempts to establish a Telnet
session, none
    of which are successful.  Then, the process repeats itself several
hours
    later.  The IP addresses are from all over the place from RIPE in
The
    Netherlands to APNIC in Brisbane, Australia and from Time Warner,
Comcast
    and more.

    I thought I'd notice law enforcement to see if something can be
done
    before damage happens and it turns out that there is NOTHING that
can be
    done.  This is clearly malicious in intent but since no crime has
been
    committed, nobody can do anything about it.  I checked with the
local
    police and the state police and I get the same response from both. 
I
    suppose I could call the FBI, but I suspect they will sing the same song.

    So, my question is, is there anything that you can do when you see
this
    kind of activity?  Is there any agency that would respond?

    The state police offered to take my system and audit it for me,
but that
    is just not an option.

    Is this the state of protection from cybercrime?

    Rich Loeber - @richloeber
    Kisco Information Systems
    [1]http://www.kisco.com

References

    Visible links
    1. http://www.kisco.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.




--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)  mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To  subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please  take a moment to review the archives at  http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.





As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.