Abuse Desks
Mel Beckman
mel at beckman.org
Wed Apr 29 15:41:06 UTC 2020
Joe,
Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot error.
-mel
> On Apr 29, 2020, at 8:37 AM, Joe Greco <jgreco at ns.sol.net> wrote:
>
> On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
>> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
>>> If an abuse report is incorrect, then it is fair to complain.
>>
>> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
>>
>> I've typoed IP/FQDN before and gotten an SSH response, and taken several
>> tries before I realized my error. Did I actually "abuse" someone's
>> server? I didn't get in, and it's hard to say that the server resources
>> I used with a few failed tries were anything more than negligible.
>>
>> I've had users tripped up by fail2ban because they were trying to access
>> a server they don't use often and took several tries to get the password
>> right or had the wrong SSH key. Should that have triggered an abuse
>> email?
>
> So your theory is that it is necessary for there to be a threshold of
> abuse?
>
> Is there any reason to expect that a random server is going to be able
> to figure out that a large pool of a million compromised IoT devices on
> a million different IP addresses is slowly probing their server for the
> root password and that a SPECIFIC probe is a member of this set?
>
> The way this stuff is trending today, you don't have a single host that
> is banging on another single host for hours or days at a password per
> second, which I hope we would agree would be well beyond any reasonable
> threshold to consider abuse.
>
> On the flip side, is it so much to ask that an abuse desk maybe take a
> look at both the ingress and egress packet stream of their customer, to
> see if there seems to be something untoward happening?
>
> And which one of these is a less damaging strategy?
>
> I know we're in the minority here, but policy over here at SOL hasn't
> changed much in the last quarter century. If you are getting unwanted
> and unsolicited traffic from us, and you contact abuse@, we're willing
> to make it stop. If it didn't originate here (forged, etc) then there
> isn't much to be done -- the community has been trying to encourage
> BCP38 for years.
>
> It's probably jumping the gun a bit for a single connection attempt to
> result in an abuse@ message, but then again when I look at the stream
> of trash addressed at SOL's IP space, maybe not. Some of it is clearly
> trying to scan from large botnets.
>
> There's also a lot of room for computers to be doing the hard work of
> detecting and reporting, and helping to analyze, while letting a human
> look at what's actually transpired and see if it feels problematic.
>
> However, the general solution that seems to have been adopted by the
> majority of the industry is to hire Dave Null for abuse@
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "The strain of anti-intellectualism has been a constant thread winding its way
> through our political and cultural life, nurtured by the false notion that
> democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov