Abuse Desks

Mel Beckman mel at beckman.org
Wed Apr 29 15:41:06 UTC 2020


Joe,

Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot error.

 -mel 

> On Apr 29, 2020, at 8:37 AM, Joe Greco <jgreco at ns.sol.net> wrote:
> 
> On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
>> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
>>> If an abuse report is incorrect, then it is fair to complain.
>> 
>> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
>> 
>> I've typoed IP/FQDN before and gotten an SSH response, and taken several
>> tries before I realized my error.  Did I actually "abuse" someone's
>> server?  I didn't get in, and it's hard to say that the server resources
>> I used with a few failed tries were anything more than negligible.
>> 
>> I've had users tripped up by fail2ban because they were trying to access
>> a server they don't use often and took several tries to get the password
>> right or had the wrong SSH key.  Should that have triggered an abuse
>> email?
> 
> So your theory is that it is necessary for there to be a threshold of
> abuse?
> 
> Is there any reason to expect that a random server is going to be able
> to figure out that a large pool of a million compromised IoT devices on
> a million different IP addresses is slowly probing their server for the
> root password and that a SPECIFIC probe is a member of this set?
> 
> The way this stuff is trending today, you don't have a single host that
> is banging on another single host for hours or days at a password per
> second, which I hope we would agree would be well beyond any reasonable
> threshold to consider abuse.
> 
> On the flip side, is it so much to ask that an abuse desk maybe take a
> look at both the ingress and egress packet stream of their customer, to 
> see if there seems to be something untoward happening?
> 
> And which one of these is a less damaging strategy?
> 
> I know we're in the minority here, but policy over here at SOL hasn't 
> changed much in the last quarter century.  If you are getting unwanted 
> and unsolicited traffic from us, and you contact [email protected], we're willing
> to make it stop.  If it didn't originate here (forged, etc.) then there
> isn't much to be done -- the community has been trying to encourage 
> BCP38 for years.
> 
> It's probably jumping the gun a bit for a single connection attempt to
> result in an [email protected] message, but then again when I look at the stream
> of trash addressed at SOL's IP space, maybe not.  Some of it is clearly
> trying to scan from large botnets.
> 
> There's also a lot of room for computers to be doing the hard work of
> detecting and reporting, and helping to analyze, while letting a human
> look at what's actually transpired and see if it feels problematic.
> 
> However, the general solution that seems to have been adopted by the
> majority of the industry is to hire Dave Null for [email protected]
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "The strain of anti-intellectualism has been a constant thread winding its way
> through our political and cultural life, nurtured by the false notion that
> democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
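The threshold question in the quoted exchange (a handful of typos from one source versus a botnet trying the root password once from each of many addresses) can be made concrete with a small log analysis. The following is an added example, not code from any of the posters or from fail2ban; it assumes the standard OpenSSH auth-log line format, constructs its own sample lines (the hosts, addresses and timestamps are made up), and fixes the year to 2020 because syslog timestamps carry none. It applies a fail2ban-style per-source rule (at least `maxretry` failures within `findtime` seconds) and, separately, aggregates failures per target account across sources, which is what surfaces a slow distributed probe that never trips the per-source rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real traffic): one noisy brute-forcer,
# four different sources each trying root once, and one legitimate user who
# fumbles a password twice before a key login succeeds.
SAMPLE_LOG = """\
Apr 29 10:12:01 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:12:03 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:12:05 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:12:07 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:12:09 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:20:11 gw sshd[1230]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 29 10:41:52 gw sshd[1298]: Failed password for root from 198.51.100.8 port 40002 ssh2
Apr 29 11:03:17 gw sshd[1355]: Failed password for root from 198.51.100.9 port 40003 ssh2
Apr 29 11:25:40 gw sshd[1402]: Failed password for root from 198.51.100.10 port 40004 ssh2
Apr 29 11:47:09 gw sshd[1460]: Failed password for invalid user admin from 198.51.100.11 port 40005 ssh2
Apr 29 12:02:30 gw sshd[1501]: Failed password for chris from 192.0.2.10 port 50000 ssh2
Apr 29 12:02:44 gw sshd[1501]: Failed password for chris from 192.0.2.10 port 50000 ssh2
Apr 29 12:02:58 gw sshd[1502]: Accepted publickey for chris from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:placeholder
"""

# Matches OpenSSH "Failed password" lines; "invalid user" is present when the
# account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = 2020  # assumption: syslog lines carry no year


def parse_failures(text):
    """Return a list of {ts, user, ip} dicts, one per failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"), "ip": m.group("ip")})
    return events


def fail2ban_style_bans(events, maxretry=5, findtime=600):
    """Per-source rule: ban an IP with >= maxretry failures inside any
    findtime-second sliding window (the defaults mirror fail2ban's)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > findtime:
                start += 1  # slide the window forward
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def summarize_by_target(events, maxretry=5):
    """Per-target view: for each account, how many distinct sources failed
    against it, how many failures in total, and how many of those sources
    stayed below the per-source threshold (invisible to the rule above)."""
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][e["ip"]] += 1
    summary = {}
    for user, sources in per_user.items():
        summary[user] = {
            "sources": len(sources),
            "failures": sum(sources.values()),
            "below_threshold_sources": sum(1 for n in sources.values() if n < maxretry),
        }
    return summary


def flag_distributed_probes(summary, min_sources=3):
    """Accounts hit by at least min_sources sources that each stayed under
    the per-source threshold: the low-and-slow pattern."""
    return sorted(u for u, s in summary.items() if s["below_threshold_sources"] >= min_sources)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-source bans:", fail2ban_style_bans(evs))
    summary = summarize_by_target(evs)
    for user, s in summary.items():
        print(f"{user}: {s}")
    print("distributed probe targets:", flag_distributed_probes(summary))
```

Run against the sample, the per-source rule bans only the noisy 203.0.113.5 and leaves the two-typo user alone, which is the false-positive concern in the quoted exchange; the per-target view shows root hit from five sources, four of which never crossed the threshold, which is the distributed case the per-source rule cannot see. Both views are worth feeding a reporting pipeline, and the second is the one that argues for a human or a correlating tool rather than a fixed per-IP count.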