Dealing with abuse complaints to non-existent contacts

Rich Kulawiec rsk at gsp.org
Mon Aug 11 08:32:44 UTC 2014


On Sun, Aug 10, 2014 at 11:25:36PM +0500, Alexander Merniy wrote:
> Move ssh to a non-standart port + fail2ban - best solution.

No, it is not.

The best solution is to enumerate the ranges from which legitimate ssh
connections will originate and firewall *everything* else.  Yes, this
means (gasp! horror!) actually looking at your own logs and understanding
what they tell you, but anyone capable of using "grep", "sort", "uniq"
et.al. should be able to do that.

The second-best solution is to enumerate the ranges from which legitimate
ssh connections will never originate and firewall those.  The Spamhaus
DROP list is a good starting place for everyone.  The Okean listings of
Chinese and Korean network space are good second stops.  And ipdeny.com
*was* a good third stop, for which I haven't found an equally-usable
replacement just yet.

Both of these are proactive approaches that -- if used properly and
well-maintained -- may largely eliminate the need to fiddle around
with reactive approaches like fail2ban.  They also work with other
ports/protocols/services, e.g., IMAPS.

---rsk


More information about the NANOG mailing list