nanog mailing list archives

Re: Dealing with abuse complaints to non-existent contacts

From: Mike Hale <eyeronic.design () gmail com>
Date: Sun, 10 Aug 2014 11:33:17 -0700

Well...is it really a problem though?

I mean, a good password will require how many centuries of effort to
brute force?  I've never seen a single IP (or even a range of IPs)
trying to brute force the same user account over more than a day, much
less the huge amount of time required the crack the password.  Sure,
it fills up your logs, but that's good info to have and pass on (to
DShield, for example).

On Sun, Aug 10, 2014 at 11:25 AM, Alexander Merniy <alexmern () xi uz> wrote:

Move ssh to a non-standart port + fail2ban - best solution.


On 10 Aug 2014, at 22:20, Christopher Rogers <phiber () phiber org> wrote:

http://www.fail2ban.org/




2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis () lewis org>:

On Sun, 10 Aug 2014, Gabriel Marais wrote:

I have been receiving some major ssh brute-force attacks coming from

random
hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint
to
the e-mail addresses obtained from a whois query on one of the IP
Addresses.

My e-mail bounced back from both recipients. Once being rejected by filter
and the other because the e-mail address doesn't exist. I would have
thought that contact details are rather important to be up to date, or
not?


Why?


Besides just blocking the IP range on my firewall, I was wondering what

others would do in this case?


I've been blocking SSH from random IPs for many years.  Unless you have to
run an open system that customers SSH into (unlikely in these times), my
recommendation is block SSH entirely from non-trusted networks and setup
some form of port-knocking or similar access controls such that legitimate
users can open a window to make their connection, but the rest of the world
never sees your sshd.

Playing whack-a-mole with firewall or access log violations is a waste of
time.

----------------------------------------------------------------------
Jon Lewis, MCP :)           |  I route
                            |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Current thread:

Re: Dealing with abuse complaints to non-existent contacts, (continued)
- - - Re: Dealing with abuse complaints to non-existent contacts Owen DeLong (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Mark Andrews (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Suresh Ramasubramanian (Aug 10)
    - RE: Dealing with abuse complaints to non-existent contacts Tony Hain (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Suresh Ramasubramanian (Aug 10)
- Re: Dealing with abuse complaints to non-existent contacts Stephen Satchell (Aug 10)
- Re: Dealing with abuse complaints to non-existent contacts John Levine (Aug 10)
- Re: Dealing with abuse complaints to non-existent contacts Jon Lewis (Aug 10)
  - Re: Dealing with abuse complaints to non-existent contacts Christopher Rogers (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Alexander Merniy (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Mike Hale (Aug 10)
    - Re: Dealing with abuse complaints to non-existent contacts Rich Kulawiec (Aug 11)
  - Re: Dealing with abuse complaints to non-existent contacts David Ford (Aug 10)
- Re: Dealing with abuse complaints to non-existent contacts charles (Aug 11)
- Re: Dealing with abuse complaints to non-existent contacts Franck Martin (Aug 11)