muks at mukund.org
Wed Apr 29 06:22:32 UTC 2020
On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
> DDoS, hijacker, botnet C&C, compromised hosts,
> sufficiently-hard-to-deal-with phishing, etc are all things that carry
> real risk to services that are otherwise well-maintained (primarily in
> that many of the latter lead to the former). Nothing wrong with using
> or monitoring fail2ban, but if you’re spamming abuse contacts in an
> automated fashion (a pattern of misbehavior may be different) just
> because of some scanning, I recommend you fire your CSO (or get one).
It a fair game, that we the victim hosts should manually scan hundreds
of reports generated due to traffic from automated bots from IP address
block, so that things are easy for [email protected] contacts?
I haven't come across a false positive report from our fail2ban
instances on various servers (which it so far emails to our internal
email address). It appears extremely unlikely for its reports to be
false postitives - its detection method by parsing logs is identical to
what a human would manually do too.
I wouldn't call emailing its reports automatically to an abuse contact
as "spamming". It is exactly what a human would do, and
programmers/sysadmins love to automate.
If an abuse report is incorrect, then it is fair to complain.
More information about the NANOG