Abuse Desks

Mukund Sivaraman muks at mukund.org
Wed Apr 29 15:58:55 UTC 2020


On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
> > If an abuse report is incorrect, then it is fair to complain.
> 
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?

It is configurable. Anyway, I don't know how else one would interpret a
pattern like this other than the obvious:

Apr 28 22:28:05 jupiter sshd[24509]: Invalid user java from 209.141.55.11 port 36334
Apr 28 22:28:05 jupiter sshd[24504]: Invalid user openvpn from 209.141.55.11 port 36768
Apr 28 22:28:05 jupiter sshd[24506]: Invalid user devops from 209.141.55.11 port 36756
Apr 28 22:28:05 jupiter sshd[24510]: Invalid user vagrant from 209.141.55.11 port 36784
Apr 28 22:28:05 jupiter sshd[24507]: Invalid user user from 209.141.55.11 port 36796
Apr 28 22:28:05 jupiter sshd[24508]: Invalid user oracle from 209.141.55.11 port 36776
Apr 28 22:28:05 jupiter sshd[24505]: Invalid user ubuntu from 209.141.55.11 port 36798
Apr 28 22:28:05 jupiter sshd[24514]: Invalid user test from 209.141.55.11 port 36780
Apr 28 22:28:05 jupiter sshd[24513]: Invalid user ec2-user from 209.141.55.11 port 36752

It *can* be legitimate traffic, but then I hope the owner of this
machine has applied for special permission stating their reason for
doing this kind of probing before they are allowed to keep doing this
over time and sending such traffic to multiple IP addresses (similar to
how, at some service providers, one has to apply for TCP port 25 to be
allowed after claiming they're not spammers).

		Mukund



More information about the NANOG mailing list