Abuse Desks

Mukund Sivaraman muks at mukund.org
Wed Apr 29 15:58:55 UTC 2020

On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
> > If an abuse report is incorrect, then it is fair to complain.
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?

It is configurable. Anyway, I don't know how else one would interpret a
pattern like this other than the obvious:

Apr 28 22:28:05 jupiter sshd[24509]: Invalid user java from port 36334
Apr 28 22:28:05 jupiter sshd[24504]: Invalid user openvpn from port 36768
Apr 28 22:28:05 jupiter sshd[24506]: Invalid user devops from port 36756
Apr 28 22:28:05 jupiter sshd[24510]: Invalid user vagrant from port 36784
Apr 28 22:28:05 jupiter sshd[24507]: Invalid user user from port 36796
Apr 28 22:28:05 jupiter sshd[24508]: Invalid user oracle from port 36776
Apr 28 22:28:05 jupiter sshd[24505]: Invalid user ubuntu from port 36798
Apr 28 22:28:05 jupiter sshd[24514]: Invalid user test from port 36780
Apr 28 22:28:05 jupiter sshd[24513]: Invalid user ec2-user from port 36752

It *can* be legitimate traffic, but then I hope the owner of this
machine has applied for special permission stating their reason for
doing this kind of probing before they are allowed to keep doing this
over time and sending such traffic to multiple IP addresses (similar to
how, at some service providers, one has to apply for TCP port 25 to be
allowed after claiming they're not spammers).
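
An added example, not part of the original post: one way to separate the pattern in the log excerpt above (many distinct invalid usernames from one source within seconds) from a handful of mistyped logins. The source addresses (documentation ranges), the thresholds and the function name are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in standard OpenSSH syslog format; addresses are from
# documentation ranges and are not data from the original post.
SAMPLE_LOG = """\
Apr 28 22:28:05 jupiter sshd[24509]: Invalid user java from 192.0.2.10 port 36334
Apr 28 22:28:05 jupiter sshd[24504]: Invalid user openvpn from 192.0.2.10 port 36768
Apr 28 22:28:05 jupiter sshd[24506]: Invalid user devops from 192.0.2.10 port 36756
Apr 28 22:28:05 jupiter sshd[24510]: Invalid user vagrant from 192.0.2.10 port 36784
Apr 28 22:28:06 jupiter sshd[24508]: Invalid user oracle from 192.0.2.10 port 36776
Apr 28 22:28:06 jupiter sshd[24505]: Invalid user ubuntu from 192.0.2.10 port 36798
Apr 29 09:14:02 jupiter sshd[25101]: Invalid user alcie from 198.51.100.7 port 51200
Apr 29 09:14:20 jupiter sshd[25103]: Invalid user alcie from 198.51.100.7 port 51214
Apr 29 09:14:41 jupiter sshd[25107]: Invalid user aliec from 198.51.100.7 port 51230
Apr 29 09:15:03 jupiter sshd[25110]: Accepted password for bob from 203.0.113.5 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_username_sprays(log_text, window_seconds=10, min_users=5, year=2020):
    """Return {ip: sorted usernames} for sources that tried at least
    min_users distinct invalid usernames within window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

With the defaults, only the source that cycles through six service-account names in two seconds is reported; the three mistyped attempts spread over 39 seconds are not.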
