Dealing with abuse complaints to non-existent contacts

Christopher Rogers phiber at phiber.org
Sun Aug 10 17:20:15 UTC 2014


http://www.fail2ban.org/




2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis at lewis.org>:

> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>
>  I have been receiving some major ssh brute-force attacks coming from
>> random
>> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint
>> to
>> the e-mail addresses obtained from a whois query on one of the IP
>> Addresses.
>>
>> My e-mail bounced back from both recipients. Once being rejected by filter
>> and the other because the e-mail address doesn't exist. I would have
>> thought that contact details are rather important to be up to date, or
>> not?
>>
>
> Why?
>
>
>  Besides just blocking the IP range on my firewall, I was wondering what
>> others would do in this case?
>>
>
> I've been blocking SSH from random IPs for many years.  Unless you have to
> run an open system that customers SSH into (unlikely in these times), my
> recommendation is block SSH entirely from non-trusted networks and setup
> some form of port-knocking or similar access controls such that legitimate
> users can open a window to make their connection, but the rest of the world
> never sees your sshd.
>
> Playing whack-a-mole with firewall or access log violations is a waste of
> time.
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>


More information about the NANOG mailing list