nanog mailing list archives

Re: de-peering for security sake


From: Mike Hammett <nanog () ics-il net>
Date: Sat, 26 Dec 2015 09:30:02 -0600 (CST)

1) Automation is your friend. 
2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home 
router, etc. attacks. Use a canary to block that host altogether to better your network. 
----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 
Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Baldur Norddahl" <baldur.norddahl () gmail com> 
To: nanog () nanog org 
Sent: Saturday, December 26, 2015 9:19:15 AM 
Subject: Re: de-peering for security sake 

On 26 December 2015 at 16:09, Stephen Satchell <list () satchell net> wrote: 

On 12/26/2015 06:19 AM, Mike Hammett wrote: 

How much is an acceptable standard to the community? Individual /32s 
( or /64s)? Some tipping point where 50% of a /24 (or whatever it's 
IPv6 equivalent would be) has made your naughty list that you block 
the whole prefix? 


My gauge is volume of obnoxious traffic. When I get lots of SSH probes 
from a /32, I block the /32. When I get lots of SSH probes across a range 
of a /24, I block the /24. 



Do you people have nothing better to do than scan firewall log files and 
insert rules to block stuff that was already blocked by default? 

Hint: if ssh probes spam your log, then move your ssh service to a 
non-standard port. 

Regards, 

Baldur 


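Satchell's escalation rule (block the /32 on volume from one host, block the /24 once a range is involved) and Mike's point about automating a drop-all block rather than hand-editing rules can be expressed as a small log-triage script. The following is an added example, not code from anyone in this thread; the log lines, thresholds and the /64 choice for IPv6 are constructed assumptions, and the output list is meant to feed a drop-all rule for each entry, not an SSH-only one.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Matches the OpenSSH "Failed password" line; ip_address() validates the capture.
FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+ ssh2")

def make_log(events):
    """Build constructed sshd-style log lines from (source, failure_count) pairs."""
    lines = []
    for src, n in events:
        for i in range(n):
            lines.append(f"Dec 26 09:{i:02d}:00 gw sshd[{1000 + i}]: Failed password "
                         f"for invalid user admin from {src} port {40000 + i} ssh2")
    return "\n".join(lines)

def count_probes(log_text):
    """Count failed SSH logins per source address; non-matching lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            try:
                counts[str(ip_address(m.group(1)))] += 1
            except ValueError:
                continue  # hostname or garbage in the "from" field, not an address
    return counts

def decide_blocks(counts, host_threshold=5, prefix_threshold=3):
    """Escalation: a host is an offender once it reaches host_threshold failures.
    When prefix_threshold offenders share a /24 (assumed /64 for IPv6), emit the
    covering prefix; otherwise emit each offender as a host route (/32 or /128)."""
    offenders = [ip_address(ip) for ip, n in counts.items() if n >= host_threshold]
    by_prefix = defaultdict(set)
    for ip in offenders:
        plen = 24 if ip.version == 4 else 64
        by_prefix[ip_network(f"{ip}/{plen}", strict=False)].add(ip)
    blocks = []
    for net, hosts in by_prefix.items():
        if len(hosts) >= prefix_threshold:
            blocks.append(str(net))
        else:
            blocks.extend(f"{h}/{h.max_prefixlen}" for h in hosts)
    return sorted(blocks)

if __name__ == "__main__":
    # Constructed sample: one loud host, one quiet host, one IPv6 host, one busy /24.
    events = [("198.51.100.5", 6), ("192.0.2.9", 2), ("2001:db8::1", 5),
              ("203.0.113.7", 5), ("203.0.113.8", 5), ("203.0.113.9", 7)]
    for entry in decide_blocks(count_probes(make_log(events))):
        print(entry)
```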