muks at mukund.org
Wed Apr 29 15:58:55 UTC 2020

On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
> > If an abuse report is incorrect, then it is fair to complain.
>
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?

It is configurable. Anyway, I don't know how else one would interpret a
pattern like this other than the obvious:

Apr 28 22:28:05 jupiter sshd: Invalid user java from 184.108.40.206 port 36334
Apr 28 22:28:05 jupiter sshd: Invalid user openvpn from 220.127.116.11 port 36768
Apr 28 22:28:05 jupiter sshd: Invalid user devops from 18.104.22.168 port 36756
Apr 28 22:28:05 jupiter sshd: Invalid user vagrant from 22.214.171.124 port 36784
Apr 28 22:28:05 jupiter sshd: Invalid user user from 126.96.36.199 port 36796
Apr 28 22:28:05 jupiter sshd: Invalid user oracle from 188.8.131.52 port 36776
Apr 28 22:28:05 jupiter sshd: Invalid user ubuntu from 184.108.40.206 port 36798
Apr 28 22:28:05 jupiter sshd: Invalid user test from 220.127.116.11 port 36780
Apr 28 22:28:05 jupiter sshd: Invalid user ec2-user from 18.104.22.168 port 36752

It *can* be legitimate traffic, but then I hope the owner of this
machine has applied for special permission stating their reason for
doing this kind of probing before they are allowed to keep doing this
over time and sending such traffic to multiple IP addresses (similar to
how, at some service providers, one has to apply for TCP port 25 to be
allowed after claiming they're not spammers).
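
Added example (not part of the original message, and not the code of any tool mentioned in the thread): a small parser for sshd "Invalid user" lines that compares a configurable per-source attempt threshold with a count of distinct usernames seen in the same second across all sources. The sample lines, addresses, host name and both threshold defaults are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# sshd "Invalid user" lines in the syslog layout quoted above; an optional [pid] is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

def parse(lines):
    """Yield (timestamp, user, source) for each invalid-user line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["user"], m["ip"]

def summarize(lines, per_source_threshold=3, burst_threshold=5):
    """Return (sources at or over the per-source attempt threshold,
    {second: (distinct users, distinct sources)} for same-second bursts)."""
    attempts = Counter()
    per_second = defaultdict(lambda: (set(), set()))
    for ts, user, ip in parse(lines):
        attempts[ip] += 1
        users, sources = per_second[ts]
        users.add(user)
        sources.add(ip)
    flagged = sorted(ip for ip, n in attempts.items() if n >= per_source_threshold)
    bursts = {ts: (len(u), len(s)) for ts, (u, s) in per_second.items()
              if len(u) >= burst_threshold}
    return flagged, bursts

# Constructed sample: RFC 5737 documentation addresses, hypothetical host "host1".
SAMPLE = [
    "Apr 28 22:28:05 host1 sshd: Invalid user java from 192.0.2.10 port 36334",
    "Apr 28 22:28:05 host1 sshd: Invalid user openvpn from 192.0.2.11 port 36768",
    "Apr 28 22:28:05 host1 sshd: Invalid user devops from 192.0.2.12 port 36756",
    "Apr 28 22:28:05 host1 sshd: Invalid user ubuntu from 192.0.2.10 port 36798",
    "Apr 28 22:28:05 host1 sshd: Invalid user test from 192.0.2.11 port 36780",
    "Apr 28 22:28:05 host1 sshd: Invalid user ec2-user from 192.0.2.12 port 36752",
    "Apr 28 23:01:10 host1 sshd: Invalid user alice from 198.51.100.7 port 50122",
    "Apr 28 23:04:41 host1 sshd: Invalid user alice from 198.51.100.7 port 50140",
    "Apr 28 23:09:02 host1 sshd: Invalid user alice from 198.51.100.7 port 50161",
    "Apr 28 23:10:00 host1 sshd: Accepted publickey for alice from 198.51.100.7 port 50170 ssh2",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this sample the per-source threshold of 3 flags only the single address that retried one username over several minutes, while the same-second view picks up the six different usernames arriving from three addresses that each stay under that threshold.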