[173851] in North American Network Operators' Group


Re: Dealing with abuse complaints to non-existent contacts

daemon@ATHENA.MIT.EDU (David Ford)
Sun Aug 10 22:17:31 2014

X-Original-To: nanog@nanog.org
Date: Sun, 10 Aug 2014 22:16:58 -0400
From: David Ford <david@blue-labs.org>
To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.61.1408101313590.10544@soloth.lewis.org>
Errors-To: nanog-bounces@nanog.org

I have numerous servers that must have open ssh access to everyone in 
multiple datacenters for several hundred users from many different and 
varying origins that change frequently. Whitelisting/blacklisting would be 
a nightmare.

I use a PAM module that automatically adds every new ssh connection IP 
to an xt_recent blacklist: a) if you succeed in authenticating, your IP is 
automatically removed; b) if more packets arrive than the count limit 
allows within the time limit for your /24, you automatically get blocked for 
a while.

No point wasting time managing blacklists on IPs when nearly all of them 
are bots and most of the service providers out there either a) don't 
care, b) don't have a functioning abuse/security contact, c) ignore 
reports, or d) are helplessly clueless.

-d

On Sun, 10 Aug 2014, Gabriel Marais wrote:
>> I have been receiving some major ssh brute-force attacks coming from random
>> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
>> the e-mail addresses obtained from a whois query on one of the IP Addresses.