Dealing with abuse complaints to non-existent contacts
Alexander Merniy
alexmern at xi.uz
Sun Aug 10 18:25:36 UTC 2014
Move ssh to a non-standard port + fail2ban - best solution.
On 10 Aug 2014, at 22:20, Christopher Rogers <phiber at phiber.org> wrote:
> http://www.fail2ban.org/
>
> 2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis at lewis.org>:
>
>> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>>
>>> I have been receiving some major ssh brute-force attacks coming from
>>> random hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a
>>> complaint to the e-mail addresses obtained from a whois query on one of
>>> the IP Addresses.
>>>
>>> My e-mail bounced back from both recipients. One being rejected by filter
>>> and the other because the e-mail address doesn't exist. I would have
>>> thought that contact details are rather important to be up to date, or
>>> not?
>>>
>>
>> Why?
>>
>>
>>> Besides just blocking the IP range on my firewall, I was wondering what
>>> others would do in this case?
>>>
>>
>> I've been blocking SSH from random IPs for many years. Unless you have to
>> run an open system that customers SSH into (unlikely in these times), my
>> recommendation is block SSH entirely from non-trusted networks and set up
>> some form of port-knocking or similar access controls such that legitimate
>> users can open a window to make their connection, but the rest of the world
>> never sees your sshd.
>>
>> Playing whack-a-mole with firewall or access log violations is a waste of
>> time.
>>
>> ----------------------------------------------------------------------
>> Jon Lewis, MCP :) | I route
>> | therefore you are
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>
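
Added example, not part of the original thread: failed sshd logins spread across "random hosts" in one range stay under a per-address threshold (the model fail2ban uses) but stand out when counted per network, and the whois range quoted above collapses to a single CIDR for a firewall rule. The log lines, the threshold of 3 and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_LOG = """\
Aug 10 17:01:02 host sshd[2101]: Failed password for root from 116.8.14.7 port 40112 ssh2
Aug 10 17:01:05 host sshd[2103]: Failed password for invalid user admin from 116.9.200.31 port 51234 ssh2
Aug 10 17:01:09 host sshd[2107]: Failed password for root from 116.10.3.99 port 33810 ssh2
Aug 10 17:01:14 host sshd[2110]: Failed password for root from 116.11.77.5 port 60001 ssh2
Aug 10 17:02:00 host sshd[2120]: Failed password for invalid user test from 116.8.14.7 port 40200 ssh2
Aug 10 17:03:30 host sshd[2131]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2
Aug 10 17:04:10 host sshd[2140]: Failed password for ops from 198.51.100.23 port 41000 ssh2
"""

# Matches OpenSSH "Failed password" lines for both valid and invalid users.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)

def failed_sources(log_text):
    """Return one source address per failed-password line."""
    return [ipaddress.ip_address(m.group(1)) for m in FAILED.finditer(log_text)]

def offenders(log_text, threshold, prefix_len=32):
    """Networks of the given prefix length with at least `threshold` failures."""
    counts = Counter(
        ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        for addr in failed_sources(log_text)
    )
    return {str(net): n for net, n in counts.items() if n >= threshold}

def range_to_cidrs(first, last):
    """Convert a whois-style first/last address range into CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]

if __name__ == "__main__":
    print("per-host (>=3):", offenders(SAMPLE_LOG, 3))
    print("per-/14  (>=3):", offenders(SAMPLE_LOG, 3, prefix_len=14))
    print("whois range   :", range_to_cidrs("116.8.0.0", "116.11.255.255"))
```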