Abuse Desks

Matt Corallo nanog at as397444.net
Wed Apr 29 06:40:16 UTC 2020


Sadly, dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s experimenting with nmap for the first time, then... we’ll end up exactly where we are - abuse contacts are not a reliable way to get in touch with anyone, and definitely not a reliable way to do so fast or with any reasonably large network. Please don’t clog the otherwise-useful system.

If you have trouble sleeping at night, I’d recommend the “PasswordAuthentication no” option in sshd_config.

Matt

> On Apr 28, 2020, at 23:22, Mukund Sivaraman <muks at mukund.org> wrote:
> 
> Hi Matt
> 
>> On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
>> DDoS, hijacker, botnet C&C, compromised hosts,
>> sufficiently-hard-to-deal-with phishing, etc are all things that carry
>> real risk to services that are otherwise well-maintained (primarily in
>> that many of the latter lead to the former). Nothing wrong with using
>> or monitoring fail2ban, but if you’re spamming abuse contacts in an
>> automated fashion (a pattern of misbehavior may be different) just
>> because of some scanning, I recommend you fire your CSO (or get one).
> 
> Is it a fair game, that we the victim hosts should manually scan hundreds
> of reports generated due to traffic from automated bots from IP address
> block, so that things are easy for abuse@ contacts?
> 
> I haven't come across a false positive report from our fail2ban
> instances on various servers (which it so far emails to our internal
> email address). It appears extremely unlikely for its reports to be
> false positives - its detection method by parsing logs is identical to
> what a human would manually do too.
> 
> I wouldn't call emailing its reports automatically to an abuse contact
> as "spamming". It is exactly what a human would do, and
> programmers/sysadmins love to automate.
> 
> If an abuse report is incorrect, then it is fair to complain.
> 
>        Mukund



