Dealing with abuse complaints to non-existent contacts
Christopher Rogers
phiber at phiber.org
Sun Aug 10 17:20:15 UTC 2014
http://www.fail2ban.org/
2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis at lewis.org>:
> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>
>> I have been receiving some major ssh brute-force attacks coming from random
>> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
>> the e-mail addresses obtained from a whois query on one of the IP Addresses.
>>
>> My e-mail bounced back from both recipients. One being rejected by filter
>> and the other because the e-mail address doesn't exist. I would have
>> thought that contact details are rather important to be up to date, or not?
>>
>
> Why?
>
>
>> Besides just blocking the IP range on my firewall, I was wondering what
>> others would do in this case?
>>
>
> I've been blocking SSH from random IPs for many years. Unless you have to
> run an open system that customers SSH into (unlikely in these times), my
> recommendation is block SSH entirely from non-trusted networks and set up
> some form of port-knocking or similar access controls such that legitimate
> users can open a window to make their connection, but the rest of the world
> never sees your sshd.
>
> Playing whack-a-mole with firewall or access log violations is a waste of
> time.
>
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> | therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
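
An added example, not part of the original thread: the attempts described above come from random hosts inside one range, so a per-address failure count can stay under a ban threshold while the range as a whole is noisy. The log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (not from the thread). Six failures come from
# six different hosts inside the range named in the post.
SAMPLE_LOG = """\
Aug 10 09:01:02 gw sshd[2101]: Failed password for root from 116.8.14.3 port 40122 ssh2
Aug 10 09:01:09 gw sshd[2103]: Failed password for invalid user admin from 116.9.77.201 port 51544 ssh2
Aug 10 09:01:15 gw sshd[2106]: Failed password for root from 116.10.191.18 port 33810 ssh2
Aug 10 09:01:21 gw sshd[2108]: Failed password for root from 116.11.2.250 port 60211 ssh2
Aug 10 09:01:30 gw sshd[2111]: Failed password for invalid user test from 116.8.200.64 port 45007 ssh2
Aug 10 09:01:37 gw sshd[2113]: Failed password for root from 116.10.5.9 port 38456 ssh2
Aug 10 09:02:00 gw sshd[2120]: Failed password for alice from 203.0.113.7 port 50100 ssh2
Aug 10 09:02:05 gw sshd[2120]: Failed password for alice from 203.0.113.7 port 50100 ssh2
Aug 10 09:02:11 gw sshd[2120]: Accepted publickey for alice from 203.0.113.7 port 50100 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def reported_range(first="116.8.0.0", last="116.11.255.255"):
    """Collapse the first-last range from the post into CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def offenders(log_text, threshold, prefix_len=None):
    """Sources with >= threshold failures, keyed per host or per /prefix_len network."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        key = addr if prefix_len is None else ipaddress.ip_network(
            f"{addr}/{prefix_len}", strict=False)
        counts[str(key)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("range as CIDR:", reported_range())
    print("per host, threshold 3:", offenders(SAMPLE_LOG, 3))
    print("per /14, threshold 3:", offenders(SAMPLE_LOG, 3, prefix_len=14))
```

A block as wide as a /14 also contains hosts that never touched the server, so the per-network count is better treated as a signal for review than as an automatic ban list.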