Abuse Desks

Sabri Berisha sabri at cluecentral.net
Wed Apr 29 21:24:44 UTC 2020


----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell list at satchell.net wrote:

Hi,

> That said, I use TCPWRAPPER to limit access to SSH to specific IP
> addresses.  I process my LogWatch messages manually.  I pull the fire
> alarm for snowshoe probes, and excessive number of probes (over 30 in a
> 24-hour period).  No registered [email protected] address in the WHOIS?  The
> offending netblock goes into my edge router ACL, because I have learned
> that ne'er-do-wells without working [email protected] usually have other bad habits.

I have a very simple method to deal with that: a server with no other purpose
than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
and your entire /24 goes to null0 for a month. I have a few exceptions for 
entities that I know are responsive to [email protected], but that's it.

Highly effective.

Thanks,

Sabri
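
The bookkeeping behind the trap-server method described above, as an added example that is not part of the original post or the poster's own tooling: any SYN to port 22 puts the source's /24 on a null-route list for a month, unless it falls in an exception prefix. The log format, the exception prefix and the 30-day reading of "a month" are assumptions, and the sample lines are constructed with documentation addresses.

```python
import ipaddress
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(days=30)   # assumption: "a month" taken as 30 days
TRAP_PORT = 22
# Constructed exception list: networks known to answer abuse reports.
EXCEPTIONS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines in a hypothetical "<ISO time> SYN src=<ip> dpt=<port>" format.
SAMPLE_LOG = """\
2020-04-01T00:00:10 SYN src=192.0.2.17 dpt=22
2020-04-01T00:05:00 SYN src=192.0.2.200 dpt=22
2020-04-02T08:00:00 SYN src=198.51.100.9 dpt=22
2020-04-03T09:30:00 SYN src=203.0.113.5 dpt=443
2020-04-20T12:00:00 SYN src=203.0.113.77 dpt=22
garbage line
"""

def parse(line):
    """Return (time, source address, destination port), or None if malformed."""
    try:
        ts, kind, src, dpt = line.split()
        if kind != "SYN":
            return None
        return (datetime.fromisoformat(ts),
                ipaddress.ip_address(src.split("=", 1)[1]),
                int(dpt.split("=", 1)[1]))
    except (ValueError, IndexError):
        return None

def build_blackholes(log_text):
    """Map each offending /24 to the time its null route expires."""
    expiry = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        if dpt != TRAP_PORT or src.version != 4:
            continue
        if any(src in net for net in EXCEPTIONS):
            continue                      # exception prefix: never blocked
        prefix = ipaddress.ip_network(f"{src}/24", strict=False)
        # A repeat hit from the same /24 pushes the expiry out again.
        expiry[prefix] = max(expiry.get(prefix, ts), ts + BLOCK_FOR)
    return expiry

def active_at(expiry, now):
    """Prefixes that should still be null-routed at time `now`."""
    return sorted(p for p, until in expiry.items() if until > now)
```

Because one packet blocks 256 addresses, the exception list and the expiry are the only things limiting collateral damage, so both need to be kept current.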
