Dealing with abuse complaints to non-existent contacts

Mike Hale eyeronic.design at gmail.com
Sun Aug 10 18:33:17 UTC 2014


Well...is it really a problem though?

I mean, a good password will require how many centuries of effort to
brute force?  I've never seen a single IP (or even a range of IPs)
trying to brute force the same user account over more than a day, much
less the huge amount of time required to crack the password.  Sure,
it fills up your logs, but that's good info to have and pass on (to
DShield, for example).

On Sun, Aug 10, 2014 at 11:25 AM, Alexander Merniy <alexmern at xi.uz> wrote:
> Move ssh to a non-standard port + fail2ban - best solution.
>
>
> On 10 Aug 2014, at 22:20, Christopher Rogers <phiber at phiber.org> wrote:
>
>> http://www.fail2ban.org/
>>
>>
>>
>>
>> 2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis at lewis.org>:
>>
>>> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>>>
>>>> I have been receiving some major ssh brute-force attacks coming from
>>>> random hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a
>>>> complaint to the e-mail addresses obtained from a whois query on one of
>>>> the IP Addresses.
>>>>
>>>> My e-mail bounced back from both recipients. One being rejected by a filter
>>>> and the other because the e-mail address doesn't exist. I would have
>>>> thought that contact details are rather important to be up to date, or
>>>> not?
>>>>
>>>
>>> Why?
>>>
>>>
>>>> Besides just blocking the IP range on my firewall, I was wondering what
>>>> others would do in this case?
>>>>
>>>
>>> I've been blocking SSH from random IPs for many years.  Unless you have to
>>> run an open system that customers SSH into (unlikely in these times), my
>>> recommendation is block SSH entirely from non-trusted networks and setup
>>> some form of port-knocking or similar access controls such that legitimate
>>> users can open a window to make their connection, but the rest of the world
>>> never sees your sshd.
>>>
>>> Playing whack-a-mole with firewall or access log violations is a waste of
>>> time.
>>>
>>> ----------------------------------------------------------------------
>>> Jon Lewis, MCP :)           |  I route
>>>                             |  therefore you are
>>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>>
>



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
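The per-source failure counting that fail2ban does, as an added example for this thread (it is not code from the list, from fail2ban, or from DShield): it reads OpenSSH "Failed password" lines, applies a maxretry/findtime window like fail2ban's, and also totals failures per aggregate prefix, because attempts spread over "random hosts" in a range such as 116.8.0.0 - 116.11.255.255 (116.8.0.0/14) can each stay below a per-IP threshold and still add up. The log lines, hostname and addresses are constructed for the example; the year is passed in by the caller because syslog timestamps omit it.

```python
"""Fail2ban-style counting of sshd authentication failures per source IP and
per aggregate prefix. Added example for this thread; not fail2ban's own code."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Classic OpenSSH syslog line, e.g.
# "Aug 10 18:01:02 host sshd[1234]: Failed password for invalid user admin from 116.9.1.2 port 4444 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2014):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], ip_address(m["ip"])


def offenders(lines, maxretry=5, findtime_s=600, year=2014):
    """Return the set of source IPs that reach `maxretry` failures inside any
    `findtime_s`-second sliding window (the fail2ban maxretry/findtime model)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines, year):
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it fits inside findtime
            while (t - stamps[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(str(ip))
                break
    return banned


def prefix_failures(lines, prefixlen=14, year=2014):
    """Total failures per /prefixlen aggregate, exposing distributed attempts
    whose individual sources stay under the per-IP threshold."""
    counts = defaultdict(int)
    for _ts, _user, ip in parse_failures(lines, year):
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


# Constructed sample lines (not real log data); wording follows OpenSSH's format.
SAMPLE_LOG = """\
Aug 10 18:00:01 gw sshd[2101]: Failed password for invalid user admin from 116.9.1.2 port 40001 ssh2
Aug 10 18:00:03 gw sshd[2102]: Failed password for invalid user admin from 116.9.1.2 port 40002 ssh2
Aug 10 18:00:05 gw sshd[2103]: Failed password for root from 116.9.1.2 port 40003 ssh2
Aug 10 18:00:07 gw sshd[2104]: Failed password for root from 116.9.1.2 port 40004 ssh2
Aug 10 18:00:09 gw sshd[2105]: Failed password for invalid user test from 116.9.1.2 port 40005 ssh2
Aug 10 18:00:11 gw sshd[2106]: Failed password for invalid user oracle from 116.9.1.2 port 40006 ssh2
Aug 10 18:01:00 gw sshd[2110]: Failed password for root from 116.10.44.9 port 51000 ssh2
Aug 10 18:01:20 gw sshd[2111]: Failed password for root from 116.11.7.200 port 51001 ssh2
Aug 10 18:01:40 gw sshd[2112]: Failed password for root from 116.8.0.15 port 51002 ssh2
Aug 10 18:02:00 gw sshd[2113]: Failed password for root from 116.10.44.9 port 51003 ssh2
Aug 10 18:05:00 gw sshd[2120]: Failed password for gabriel from 203.0.113.7 port 60000 ssh2
Aug 10 18:05:04 gw sshd[2121]: Accepted publickey for gabriel from 203.0.113.7 port 60000 ssh2: RSA SHA256:constructed
Aug 10 20:30:00 gw sshd[2200]: Failed password for root from 198.51.100.5 port 33000 ssh2
Aug 10 21:30:00 gw sshd[2201]: Failed password for root from 198.51.100.5 port 33001 ssh2
Aug 10 22:30:00 gw sshd[2202]: Failed password for root from 198.51.100.5 port 33002 ssh2
Aug 10 23:30:00 gw sshd[2203]: Failed password for root from 198.51.100.5 port 33003 ssh2
Aug 10 23:59:00 gw sshd[2204]: Failed password for root from 198.51.100.5 port 33004 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP offenders (5 in 10 min):", sorted(offenders(lines)))
    print("per-IP offenders (5 in 4 h):   ", sorted(offenders(lines, findtime_s=4 * 3600)))
    print("failures per /14:", prefix_failures(lines))
```

With the defaults only 116.9.1.2 trips the per-IP rule; the slow 198.51.100.5 attempts only count together once findtime is stretched to hours, and the /14 totals show the 116.8.0.0/14 range producing ten failures even though three of its four hosts never come close to the threshold, which is the case where Jon's advice to stop exposing sshd to untrusted networks beats per-IP whack-a-mole.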