I am running a small (Windows-based) server. When I check the logs, I see a steady flow of (unsuccessful) password-guessing hacking attempts. Should I try to report those attempts to the owners of the source IP addresses, or are these attempts nowadays considered completely normal and nobody would bother doing anything about them, anyway?
While the answer can depend greatly on the agency you are attempting to inform, I believe that in general you should. In fact, since monitoring and responding to the abuse mailbox for our organization is one of my primary job duties, I can positively say, 'Yes Please!'. I had this same conversation with members of other security organizations and the answers seemed to largely consist of:
I, of course, won't tell you to follow those rules, but I would recommend erring on the side of reporting. It usually doesn't take much effort, and can really help out the guys on the other end. Their reasoning was that ISPs aren't often in positions to take meaningful actions, so they will file the information away. I can say that we will aggressively pursue the matter. We do not appreciate hacked machines on our network, as they have a tendency to spread.
The real trick is to formalize your response and reporting procedure so that it can be consistent between reports, as well as between staff. We want, at minimum, the following:
If you can also include a sample of the log messages that tipped you off, that can also be useful.
Normally, when we see this kind of behaviour, we also institute firewall blocks of the most appropriate scope at the most appropriate location. The definitions of appropriate are going to depend significantly on what is happening, what kind of business you're in, and what your infrastructure looks like. It may range from blocking the single attacking IP at the host, all the way up to not routing that ASN at the border.
This is a password-guessing attack known as a brute force attack. The best defense is to make sure that users' passwords are strong. Another solution is to lock out an IP address with multiple failed logins. Brute force attacks are difficult to stop.
As lynxman said, all you really can do is contact their ISP's abuse department and inform them. I would block that IP both in the firewall and on the server. Second, I would also set up attempt-based lockout in Group Policy (if you have AD). As long as your passwords are strong I wouldn't worry about it; I have servers that I run to learn and I get login attempts all day long.
Unfortunately it's completely normal; most of these attempts are generated through other servers that have been hacked as well.
The best you can do, if you see these attacks coming persistently from a single IP address and you suspect that the server has been hacked, is to email the abuse contacts/sysadmins at that server so they can fix the situation; it's quite easy to lose track of a server when you're overloaded and maintaining hundreds of them.
In any other case firewalling, filtering or ignoring is mostly a good practice.
Your problem here is that the vast majority of these are likely to be coming from compromised machines, in various countries, that are probably home users' PCs and are probably on dynamic addressing schemes.
This means that the owners of the machines don't know they are forwarding attacks, and don't care; they may be in countries where the law really doesn't care, and the ISPs probably don't care and in any case won't want to trawl logs to see who was using that IP address.
Best plan is a combination of lynxman's, Jacob's and packs': generally block them, but set up a script to see if there are common culprits and specifically send your comms to the abuse departments of those ISPs.
Better use of your time that way.
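One way to write the "common culprits" script suggested above, added here as an example and not part of any of the answers: it summarises failed logon events (Event ID 4625) from the Windows Security log by source address, so that persistent sources can be blocked locally and sent, with the evidence, to the owning network's abuse contact. The lookback window and the reporting threshold are assumed values; it needs to run elevated on the server itself.

```powershell
# Added example: aggregate failed logons (Event ID 4625) by source IP so that
# persistent offenders can be reported to the relevant abuse contact and blocked.
# Assumptions: run elevated on the server; the lookback window and the
# threshold below are illustrative values, adjust them to your environment.
param(
    [int]$LookbackHours = 24,
    [int]$Threshold     = 50   # report only sources with at least this many failures
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Pull only "An account failed to log on" (4625) events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The source address and the account that was tried live in EventData.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
    $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    # Skip local/console failures, which carry no usable remote address.
    if ($ip -and $ip -ne '-' -and $ip -ne '::1' -and $ip -ne '127.0.0.1') {
        [pscustomobject]@{ Time = $e.TimeCreated; SourceIp = $ip; TargetUser = $user }
    }
}

# One line per source IP: failure count, first/last seen (UTC) and accounts tried,
# which is the minimum an abuse desk needs to match the activity to a customer.
$summary = $rows | Group-Object SourceIp | Where-Object Count -ge $Threshold | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        SourceIp      = $_.Name
        Failures      = $_.Count
        FirstSeenUtc  = $times[0].ToUniversalTime().ToString('u')
        LastSeenUtc   = $times[-1].ToUniversalTime().ToString('u')
        AccountsTried = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
    }
} | Sort-Object Failures -Descending

# Screen view for the admin, plus a CSV to attach to the abuse report.
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path ".\failed-logons-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Sources that show up repeatedly across days are the ones worth a report; a one-off burst from a dynamic address is usually only worth a firewall rule.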