[173842] in North American Network Operators' Group


Re: Dealing with abuse complaints to non-existent contacts

daemon@ATHENA.MIT.EDU (Alexander Merniy)
Sun Aug 10 14:25:49 2014

X-Original-To: nanog@nanog.org
From: Alexander Merniy <alexmern@xi.uz>
In-Reply-To: <CALZUErZqCcS4uwtxOGK=kpJrYQAaVmzdnqRXOC+wTp+HOrNEkA@mail.gmail.com>
Date: Sun, 10 Aug 2014 23:25:36 +0500
To: Christopher Rogers <phiber@phiber.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Move ssh to a non-standard port + fail2ban - best solution.


On 10 Aug 2014, at 22:20, Christopher Rogers <phiber@phiber.org> wrote:

> http://www.fail2ban.org/
>
> 2014-08-10 10:18 GMT-07:00 Jon Lewis <jlewis@lewis.org>:
>
>> On Sun, 10 Aug 2014, Gabriel Marais wrote:
>>
>>> I have been receiving some major ssh brute-force attacks coming from
>>> random hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a
>>> complaint to the e-mail addresses obtained from a whois query on one of
>>> the IP Addresses.
>>>
>>> My e-mail bounced back from both recipients. Once being rejected by
>>> filter and the other because the e-mail address doesn't exist. I would
>>> have thought that contact details are rather important to be up to date,
>>> or not?
>>
>> Why?
>>
>>> Besides just blocking the IP range on my firewall, I was wondering what
>>> others would do in this case?
>>
>> I've been blocking SSH from random IPs for many years.  Unless you have to
>> run an open system that customers SSH into (unlikely in these times), my
>> recommendation is block SSH entirely from non-trusted networks and setup
>> some form of port-knocking or similar access controls such that legitimate
>> users can open a window to make their connection, but the rest of the world
>> never sees your sshd.
>>
>> Playing whack-a-mole with firewall or access log violations is a waste of
>> time.
>>
>> ----------------------------------------------------------------------
>> Jon Lewis, MCP :)           |  I route
>>                             |  therefore you are
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>

