Should I report hacking attempts?

While the answer can depend greatly on the agency you are attempting to inform, I believe that in general you should. In fact, since monitoring and responding to the abuse mailbox for our organization is one of my primary job duties, I can positively say, 'Yes Please!'. I had this same conversation with members of other security organizations and the answers seemed to largely consist of:

  • If the whois information on the IP shows a business or university, then report
  • If the whois information on the IP shows an ISP, then don't bother

I, of course, won't tell you to follow those rules, but I would recommend erring on the side of reporting. It usually doesn't take much effort, and can really help out the guys on the other end. Their reasoning was that ISPs aren't often in positions to take meaningful actions, so they will file the information away. I can say that we will aggressively pursue the matter. We do not appreciate hacked machines on our network, as they have a tendency to spread.

The real trick is to formalize your response and reporting procedure so that it can be consistent between reports, as well as between staff. We want, at minimum, the following:

  1. IP address of the attacking system
  2. Time stamp (including time zone) of the event
  3. The IP addresses of the systems on your end

If you can also include a sample of the log messages that tipped you off, that can also be useful.

Normally, when we see this kind of behaviour, we also institute firewall blocks of the most appropriate scope at the most appropriate location. The definitions of appropriate are going to depend significantly on what is happening, what kind of business you're in, and what your infrastructure looks like. It may range from blocking the single attacking IP at the host, all the way up to not routing that ASN at the border.


This is password-guessing attack known as a brute force attack. Best defense is to make sure that users passwords is strong. Another, solution is to lock out an IP address with multiple failed logins. Brute force attacks are difficult to stop.


As what lynxman said all you really can do is contact their ISPs Abuse department and inform them. I would block that IP both in the Firewall and on the server. Second I would also setup attempt based lockout in Group policy(if you have AD). As long as your Passwords are strong I wouldn't worry about it, I have Servers that I run to learn and I get login attempts all day long.


Unfortunately it's completely normal, most of this attempts are generated through other servers that have been hacked as well.

The best you can do is that if you see these attacks coming persistenly from a unique IP address and you have suspicion that the server got hacked is to email the abuse/sysadmins at that server so they can fix the situation, it's quite easy to lose track of a server when you're overloaded and maintaining hundreds of them.

In any other case firewalling, filtering or ignoring is mostly a good practice.