Dealing with abuse complaints to non-existent contacts

Alexander Merniy alexmern at xi.uz
Sun Aug 10 18:25:36 UTC 2014


Move ssh to a non-standart port + fail2ban - best solution.


On 10 Aug 2014, at 22:20, Christopher Rogers <phiber at phiber.org> wrote:

> http://www.fail2ban.org/
> 
> 
> 
> 
> 2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis at lewis.org>:
> 
>> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>> 
>> I have been receiving some major ssh brute-force attacks coming from
>>> random
>>> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint
>>> to
>>> the e-mail addresses obtained from a whois query on one of the IP
>>> Addresses.
>>> 
>>> My e-mail bounced back from both recipients. Once being rejected by filter
>>> and the other because the e-mail address doesn't exist. I would have
>>> thought that contact details are rather important to be up to date, or
>>> not?
>>> 
>> 
>> Why?
>> 
>> 
>> Besides just blocking the IP range on my firewall, I was wondering what
>>> others would do in this case?
>>> 
>> 
>> I've been blocking SSH from random IPs for many years.  Unless you have to
>> run an open system that customers SSH into (unlikely in these times), my
>> recommendation is block SSH entirely from non-trusted networks and setup
>> some form of port-knocking or similar access controls such that legitimate
>> users can open a window to make their connection, but the rest of the world
>> never sees your sshd.
>> 
>> Playing whack-a-mole with firewall or access log violations is a waste of
>> time.
>> 
>> ----------------------------------------------------------------------
>> Jon Lewis, MCP :)           |  I route
>>                             |  therefore you are
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>> 



More information about the NANOG mailing list