nanog mailing list archives
Re: Constant low-level attack
From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 29 Jun 2012 09:30:31 -0400
On Thu, Jun 28, 2012 at 01:31:56PM -0700, Lou Katz wrote:
> 2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table?
Do you need to allow inbound ssh connections from the entire planet? If not, then head over to ipdeny.com and grab the relevant network allocations for the countries that you *do* need to allow them from. Block everyone else, allow only the countries you need. This won't solve your problem completely, but it'll take a substantial bite out of it, and it'll minimize the number of additional point entries that you need for annoying hosts whose connections originate in the set of countries you need to allow.

Then: do you need to allow inbound ssh connections from all operating systems? If not, then use passive OS fingerprinting to block those which originate from operating systems known not to be in use, particularly if those operating systems happen to be the ones running on a few hundred million compromised systems. (Obviously, this technique is far less effective if you can't do that. My condolences.)

And then: consider, instead of point blocks for the remaining annoyances, using the enclosing /24. A lot of compromised hosts are not on static addresses, and guessing that they will bounce around inside (roughly) a /24 is often a good enough approximation to reality that it works. Your mileage may vary.

And then: scotch. Macallan. 18-year. You've earned it.

---rsk
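The first and third steps of the reply (allow ssh only from the countries you need, and block repeat offenders by their enclosing /24 rather than by single address) can be turned into firewall policy mechanically. The following is an added example written for this archive page, not code from the poster or from ipdeny.com. It assumes per-country zone files in a one-CIDR-per-line format (ipdeny.com distributes such files; the sample zones, the sshd log lines and the addresses below are constructed from documentation ranges, not real allocations), and it renders nftables-style text for review rather than loading it. The passive OS fingerprinting step is a firewall feature (pf's os matching, for instance) and is not reproduced here.

```python
"""Country allow-list plus /24 offender blocks for inbound ssh.

Added example for the NANOG thread above; not the poster's own code.
Zone-file format (one CIDR per line, '#' comments) is assumed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample zone files: {country_code: [cidr, ...]} (RFC 5737 ranges)
SAMPLE_ZONES = {
    "us": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "ca": ["# constructed zone", "203.0.113.0/24"],
}

# Constructed sshd log excerpt; three failures from one /24 in an allowed country
SAMPLE_AUTH_LOG = """\
Jun 28 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 28 12:00:05 host sshd[1235]: Failed password for root from 203.0.113.9 port 51044 ssh2
Jun 28 12:00:09 host sshd[1236]: Failed password for invalid user test from 203.0.113.77 port 51101 ssh2
Jun 28 12:00:13 host sshd[1237]: Failed password for root from 198.51.100.5 port 40001 ssh2
Jun 28 12:00:20 host sshd[1238]: Accepted publickey for lou from 198.51.100.20 port 40010 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def load_zones(zones, allow_countries):
    """Merge the zone files of the countries to allow into a collapsed network list."""
    nets = []
    for cc in allow_countries:
        for line in zones.get(cc, []):
            line = line.strip()
            if line and not line.startswith("#"):
                nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses merges adjacent/overlapping prefixes (the two /25s become one /24)
    return list(ipaddress.collapse_addresses(nets))


def failed_sources(log_text):
    """Count failed-password attempts per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def enclosing_blocks(addr_hits, prefixlen=24, min_hits=1):
    """Roll offending addresses up to their enclosing /24 and keep blocks with enough hits.

    This is the reply's 'good enough' approximation for hosts on dynamic addresses.
    """
    blocks = Counter()
    for addr, n in addr_hits.items():
        blocks[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += n
    return sorted(b for b, n in blocks.items() if n >= min_hits)


def build_rules(allow_nets, deny_blocks, port=22):
    """Render nftables text: drop known-bad /24s first, then anything outside the allowed countries."""
    allow = ", ".join(str(n) for n in allow_nets)
    deny = ", ".join(str(b) for b in deny_blocks)
    lines = ["table inet filter {",
             f"  set ssh_allow {{ type ipv4_addr; flags interval; elements = {{ {allow} }} }}"]
    if deny:  # an empty 'elements' clause is a syntax error, so omit the set when unused
        lines.append(f"  set ssh_deny {{ type ipv4_addr; flags interval; elements = {{ {deny} }} }}")
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy accept;"]
    if deny:
        lines.append(f"    tcp dport {port} ip saddr @ssh_deny drop")
    lines += [f"    tcp dport {port} ip saddr != @ssh_allow drop",
              "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    allowed = load_zones(SAMPLE_ZONES, ["us", "ca"])
    offenders = enclosing_blocks(failed_sources(SAMPLE_AUTH_LOG), min_hits=2)
    print(build_rules(allowed, offenders))
```

Rule order matters: the deny set is checked before the country allow-list, so a noisy /24 inside an allowed country (203.0.113.0/24 in the sample) is still dropped, which is exactly the "additional point entries" case the reply mentions. Raise `min_hits` to avoid blocking a whole /24 on a single failed login, and check the generated text against a real ruleset before loading it.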