[173840] in North American Network Operators' Group
Re: Dealing with abuse complaints to non-existent contacts
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Aug 10 13:18:17 2014
X-Original-To: nanog@nanog.org
Date: Sun, 10 Aug 2014 13:18:08 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Gabriel Marais <gabriel.j.marais@gmail.com>
In-Reply-To: <CAO8NbkRLFtdOs+6sOmEWzRpi3ONwShjPGvicnVQb46MAk+5Lnw@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Sun, 10 Aug 2014, Gabriel Marais wrote:
> I have been receiving some major ssh brute-force attacks coming from random
> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
> the e-mail addresses obtained from a whois query on one of the IP Addresses.
>
> My e-mail bounced back from both recipients. One being rejected by a filter
> and the other because the e-mail address doesn't exist. I would have
> thought that contact details are rather important to be up to date, or not?
Why?
> Besides just blocking the IP range on my firewall, I was wondering what
> others would do in this case?
I've been blocking SSH from random IPs for many years. Unless you have to
run an open system that customers SSH into (unlikely in these times), my
recommendation is to block SSH entirely from non-trusted networks and set up
some form of port-knocking or similar access controls such that legitimate
users can open a window to make their connection, but the rest of the
world never sees your sshd.
Playing whack-a-mole with firewall or access log violations is a waste of
time.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
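Jon's advice in concrete form: hide sshd from everyone except a trusted
management network, and let anyone else open a short window by knocking on
three TCP ports in order. This is an added example, not code from the thread
or from Jon Lewis. It is a POSIX shell script that emits an nftables ruleset
(the set-with-timeout pattern nftables supports natively) and can load it
with nft. The trusted network 192.0.2.0/24, the knock sequence 7000/8000/9000,
the 15-second window, and the table and set names are all made-up choices;
the knock client assumes an nc that understands -z and -w.

```shell
#!/bin/sh
# Added example (not from the NANOG post): an nftables ruleset that hides
# sshd from the world, allows a trusted management network, and lets other
# hosts open a short window by hitting three TCP ports in order.
# Hypothetical values: trusted net 192.0.2.0/24, knocks 7000 -> 8000 -> 9000,
# a 15-second window after a correct sequence.

# generate_ruleset TRUSTED_CIDR KNOCK1 KNOCK2 KNOCK3 [WINDOW_SECONDS]
# Prints an nftables ruleset to stdout; nothing is applied here.
generate_ruleset() {
    trusted=$1; k1=$2; k2=$3; k3=$4; window=${5:-15}
    cat <<EOF
flush ruleset
table inet ssh_gate {
    # Sources that completed the knock; entries expire on their own.
    set knocked {
        type ipv4_addr
        flags timeout
    }
    # In-progress sequences as (source, next expected port). Short lifetime:
    # each knock has to arrive within 3s of the previous one.
    set candidates {
        type ipv4_addr . inet_service
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Stage 1: first knock registers (saddr, $k2) as the next expected port.
        tcp dport $k1 add @candidates { ip saddr . $k2 timeout 3s } drop
        # Stage 2 and 3: a knock counts only if it is the port we expect from
        # that source; the concatenated lookup enforces the order.
        tcp dport $k2 ip saddr . tcp dport @candidates add @candidates { ip saddr . $k3 timeout 3s } drop
        tcp dport $k3 ip saddr . tcp dport @candidates add @knocked { ip saddr timeout ${window}s } log prefix "knock-ok " drop

        # sshd answers the trusted network or a fresh knock, nobody else.
        tcp dport 22 ip saddr $trusted accept
        tcp dport 22 ip saddr @knocked accept
        tcp dport 22 drop
    }
}
EOF
}

# knock HOST PORT...: client side, send the sequence. Only the SYN matters;
# the server drops it, so nc times out (-w1) and we move to the next port.
knock() {
    host=$1; shift
    for p in "$@"; do
        nc -z -w1 "$host" "$p" 2>/dev/null || true
        sleep 0.2
    done
}

# Server-side entry points: "show" to inspect, "apply" (as root) to load.
case "${1-}" in
    show)  generate_ruleset 192.0.2.0/24 7000 8000 9000 15 ;;
    apply) generate_ruleset 192.0.2.0/24 7000 8000 9000 15 | nft -f - ;;
esac
```

Run "sh ssh_gate.sh show" to read the generated ruleset and "sh ssh_gate.sh
apply" as root to load it (it starts with "flush ruleset", so merge it into
your own configuration if you already have one). From a client outside the
trusted network: "knock host 7000 8000 9000; ssh host". Two caveats: a wrong
port does not reset the sequence, the candidate entries simply expire after
3 seconds, so a scanner sweeping ports upward would pass 7000, 8000, 9000 in
order if it covered them within that time; choose non-adjacent, out-of-order
ports. And the knock only gates the TCP handshake; keep key-only
authentication on sshd itself, since the knock is a window, not a login.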