nanog mailing list archives
Re: Automatic abuse reports
From: William Herrin <bill () herrin us>
Date: Tue, 12 Nov 2013 20:43:28 -0500
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <sam () circlenet us> wrote:
> We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, look up the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs. The problem we had with the automated reporting was dealing with spoofed sources; we see lots of traffic that is obviously hostile but unless it becomes serious enough to impact performance we rarely report it. An automated system didn't seem to fit anymore due to false positives.
Hi Sam,

Out of curiosity -- how does one get a false positive on an ssh exploit attempt? Does the origin IP not have to complete a 3-way handshake before it can attempt an exploit?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004