how to deal with port scan and brute force attack from AS 8075 ?

Valdis.Kletnieks at Valdis.Kletnieks at
Thu Mar 31 14:20:03 UTC 2016

On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:

> We consider port scan and brute force on ssh port as an attack, and even

So explain to me why you don't have ACLs that silently drop inbound SYN
packets on port 22 from outside your allocated address space?  (And if
you can't do it at your border because you sub-allocate address space
to customers, figure out how to use iptables or similar to block it on
the target hosts, or only apply the ACL for your own subnets).

If you have a *legitimate* business case for needing to SSH in from outside,
there are fine products such as OpenVPN (and not-so-fine like the one we
have in production - although it's mostly usable too, and achieves the goal
of presenting you as being inside our corporate address space).

Also, move your SSH service to some port other than 22, and consider
putting 'PasswordAuthentication no/PubKeyAuthentication yes' in your

I admit never understanding why people run their systems in a low-hanging
fruit configuration, and then are surprised that miscreants go looking for
low hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both*
ipv4 and ipv6 address spaces.  It's amazing how few brute force
attempts we see on our servers... :)
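
The host-level form of the ACL described in this message, for both IPv4 and IPv6, as an added example that is not part of the original post. The prefixes are documentation ranges used as constructed sample values and the chain name SSH_IN is hypothetical; the script only prints the rules and applies nothing.

```shell
#!/bin/sh
# Added example: emit iptables / ip6tables rules that silently DROP inbound
# TCP SYNs to the SSH port unless the source lies inside our own prefixes.
# DROP (not REJECT) sends nothing back, matching "silently drop" in the post.

SSH_PORT=22
# Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
INSIDE_PREFIXES="192.0.2.0/24 198.51.100.0/24 2001:db8::/32"

# Pick the tool by address family: a colon in the prefix means IPv6.
tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Print the rule set for one port and a list of inside prefixes.
gen_ssh_acl() {
    port=$1; shift
    # Divert only new-connection SYNs for the SSH port into a dedicated
    # chain (hypothetical name), in both address families.
    for t in iptables ip6tables; do
        echo "$t -N SSH_IN"
        echo "$t -A INPUT -p tcp --dport $port --syn -j SSH_IN"
    done
    # Allow sources inside our own address space.
    for p in "$@"; do
        echo "$(tool_for "$p") -A SSH_IN -s $p -j ACCEPT"
    done
    # Everything else falls through to a silent drop; the IPv6 side gets
    # its own drop rule so it is not left open when only IPv4 is listed.
    for t in iptables ip6tables; do
        echo "$t -A SSH_IN -j DROP"
    done
}

# Word splitting of the prefix list is intentional here.
gen_ssh_acl "$SSH_PORT" $INSIDE_PREFIXES
```

Review the printed rules before piping them to a root shell, and make sure your own management path is covered by one of the inside prefixes first.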