[154228] in North American Network Operators' Group


Re: Constant low-level attack


Date: Fri, 29 Jun 2012 08:54:35 -0400
From: Alain Hebert <ahebert@pubnix.net>
To: nanog@nanog.org
In-Reply-To: <90182E62-192D-4FCD-9805-EF9088423D1D@oitc.com>
Reply-To: ahebert@pubnix.net

     Hi,

     We implemented fail2ban about a year ago to cut down on incoming 
spamming (down from 500k+ emails a day to 20k)

     Now what can I do with the ~11,000 IPs I identify as spammers every 
week :(

     Reporting them to their Telco is pretty much a waste of time... 
they are not about to lose customers to something as trivial as computer 
security.

-----
Alain Hebert                                ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443


On 06/28/12 17:52, TR Shaw wrote:
> On Jun 28, 2012, at 4:31 PM, Lou Katz wrote:
>
>> The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines
>> of the form:
>>
>>       Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159
>>
>> In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe.
>> I doubt if this is a surprise to anyone - my question is twofold:
>>
>> 1. Does anyone want this ever-growing list of, I assume, compromised machines?
>> 2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have done
>>    that and do see a certain amount of repeat hits.
> Just a note that if you were running fail2ban.org you would get automatic updates of your firewall and share the IPs with the community and get the advantage of the communities detections as well.
>
>
>


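As an added example (the editor's, not code posted by anyone in this thread), here is the kind of check Lou's auth.log question and Alain's fail2ban setup point at: parse sshd "Bad protocol version identification" lines, list the unique source IPs, emulate fail2ban's maxretry-within-findtime rule to decide who gets a firewall entry, and decode the octal-escaped probe bytes. The log lines are constructed for this example (only the first copies Lou's line), the year 2012 is assumed because syslog timestamps carry none, the maxretry/findtime values are arbitrary, and reading the bytes `\200F\001\003\001` as an SSLv2-framed ClientHello is the editor's interpretation, not something the thread says.

```python
"""Detection pass over sshd auth.log "Bad protocol version identification" lines.

Editor's example for this thread. Everything below is constructed: the sample log
(first line copied from Lou's post, the rest invented with RFC 5737 test addresses),
the assumed year, and the maxretry/findtime thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt. sshd escapes non-printable bytes as octal
# (\200 = 0x80), which is why the probe appears as '\200F\001\003\001'.
SAMPLE_LOG = r"""
Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159
Jun 28 13:14:02 localhost sshd[12660]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159
Jun 28 13:14:40 localhost sshd[12671]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.7
Jun 28 13:15:01 localhost CRON[12680]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 28 13:20:11 localhost sshd[12702]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159
Jun 28 13:21:00 localhost sshd[12710]: Accepted publickey for lou from 198.51.100.22 port 50122 ssh2
Jun 28 14:30:05 localhost sshd[12900]: Bad protocol version identification '\200F\001\003\001' from 203.0.113.7
"""

# Anchored regex: only sshd's own bad-version line, only dotted-quad sources.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Bad protocol version identification '(?P<probe>.*)' from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_probes(log_text, year=2012):
    """Return [(timestamp, ip, probe_text)] for every matching line (year assumed)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["probe"]))
    return events


def unique_probe_ips(events):
    """The 'ever-growing list': distinct sources, sorted numerically by octet."""
    return sorted({ip for _, ip, _ in events},
                  key=lambda s: tuple(int(o) for o in s.split(".")))


def ban_decisions(events, maxretry=3, findtime=600):
    """Emulate a fail2ban-style rule: ban an IP once it has maxretry hits inside a
    sliding window of findtime seconds. Returns {ip: time_of_ban}."""
    window = defaultdict(list)
    banned = {}
    for ts, ip, _ in sorted(events):
        if ip in banned:
            continue
        hits = window[ip]
        hits.append(ts)
        cutoff = ts.timestamp() - findtime
        window[ip] = hits = [h for h in hits if h.timestamp() >= cutoff]
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def unescape_probe(probe):
    """Undo sshd's octal escaping (\\ooo, and \\\\ for a literal backslash)."""
    return re.sub(
        r"\\(?:([0-7]{3})|\\)",
        lambda m: chr(int(m.group(1), 8)) if m.group(1) else "\\",
        probe,
    ).encode("latin-1")


def describe_probe(raw):
    """Classify the bytes a client sent instead of an SSH version string.
    The SSLv2 check is the editor's reading of Lou's bytes: a 2-byte record header
    with the high bit set (length in the low 15 bits), message type 1 (CLIENT-HELLO),
    then the offered protocol version."""
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        rec_len = ((raw[0] & 0x7F) << 8) | raw[1]
        version = (raw[3] << 8) | raw[4]
        return (f"SSLv2-framed ClientHello, record length {rec_len}, "
                f"offered version 0x{version:04x}")
    if raw.startswith((b"GET ", b"HEAD ", b"POST ")):
        return "HTTP request sent to the SSH port"
    return "unknown"


if __name__ == "__main__":
    evts = parse_probes(SAMPLE_LOG)
    print("unique probe sources:", unique_probe_ips(evts))
    for ip, when in ban_decisions(evts).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    for _, ip, probe in evts:
        print(ip, "->", describe_probe(unescape_probe(probe)))
```

On the constructed sample, 94.252.177.159 crosses maxretry=3 inside the 600 s window at 13:20:11 and 203.0.113.7 does not (its two hits are 75 minutes apart), which is the difference between a per-host rate rule and the "every IP that ever probed" list Lou is accumulating; the decoded probe is a 70-byte SSLv2-style hello offering version 0x0301, i.e. a TLS scanner knocking on port 22 rather than an SSH brute-forcer.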