Dealing with abuse complaints to non-existent contacts

David Ford david at blue-labs.org
Mon Aug 11 02:16:58 UTC 2014


i have numerous servers that must have open ssh access to everyone in 
multiple datacenters for several hundred users from many different and 
varying origins that change frequently. whitelist/blacklisting would be 
a nightmare.

i use a PAM module that automatically adds every new ssh connection IP 
to an xt_recent blacklist, a) if you succeed authenticating, your IP is 
automatically removed, b) if more packets arrive that exceed the count 
limit within time limit for your /24, you automatically get blocked for 
a while.

no point wasting time managing blacklists on IPs when nearly all of them 
are bots and most of the service providers out there either a) don't 
care, b) don't have a functioning abuse/security contact, c) ignore 
reports, or d) helplessly clueless.

-d

On Sun, 10 Aug 2014, Gabriel Marais wrote:
>> I have been receiving some major ssh brute-force attacks coming from 
>> random
>> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a 
>> complaint to
>> the e-mail addresses obtained from a whois query on one of the IP 
>> Addresses.




More information about the NANOG mailing list