[186632] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Mike Hammett)
Sat Dec 26 10:30:14 2015
X-Original-To: nanog@nanog.org
Date: Sat, 26 Dec 2015 09:30:02 -0600 (CST)
From: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
In-Reply-To: <CAPkb-7CRsC0Kdfxg+JgVUXGWb5mNYQWWJo0aaV_1cPrCU0vTkA@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
1) Automation is your friend.
2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
----- Original Message -----
From: "Baldur Norddahl" <baldur.norddahl@gmail.com>
To: nanog@nanog.org
Sent: Saturday, December 26, 2015 9:19:15 AM
Subject: Re: de-peering for security sake
On 26 December 2015 at 16:09, Stephen Satchell <list@satchell.net> wrote:
> On 12/26/2015 06:19 AM, Mike Hammett wrote:
>
>> How much is an acceptable standard to the community? Individual /32s
>> (or /64s)? Some tipping point where 50% of a /24 (or whatever its
>> IPv6 equivalent would be) has made your naughty list that you block
>> the whole prefix?
>>
>
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes
> from a /32, I block the /32. When I get lots of SSH probes across a range
> of a /24, I block the /24.
>
Do you people have nothing better to do than scan firewall log files and
insert rules to block stuff that was already blocked by default?
Hint: if ssh probes spam your log then move your ssh service to a
non-standard port.
Regards,
Baldur
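
Added example, not part of the original thread: one way to automate the rule discussed above, blocking a /32 for a single noisy source and the whole /24 once probes arrive from several addresses inside it. The sshd log format, both thresholds and the sample lines are assumptions constructed for illustration, and the sketch handles IPv4 only.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed thresholds (not from the thread); tune them to your own traffic.
HOST_HITS = 3      # failed attempts from one address before blocking its /32
PREFIX_HOSTS = 3   # distinct probing addresses in a /24 before blocking the /24

# Greedy ".*" lands on the last " from <ip> port" in the line, so a user name
# that itself contains " from 10.0.0.1 port" cannot redirect the block.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password|Invalid user) .* from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Dec 26 09:01:02 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Dec 26 09:01:04 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Dec 26 09:01:07 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Dec 26 09:02:11 gw sshd[1210]: Invalid user pi from 198.51.100.10 port 41001
Dec 26 09:02:12 gw sshd[1211]: Invalid user pi from 198.51.100.11 port 41002
Dec 26 09:02:13 gw sshd[1212]: Invalid user pi from 198.51.100.12 port 41003
Dec 26 09:03:30 gw sshd[1220]: Failed password for bob from 192.0.2.5 port 40000 ssh2
Dec 26 09:04:00 gw sshd[1221]: Accepted publickey for bob from 192.0.2.9 port 40022 ssh2
"""

def block_list(log_text, host_hits=HOST_HITS, prefix_hosts=PREFIX_HOSTS):
    """Return sorted CIDR strings to block: a /24 where possible, else /32s."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            try:
                hits[ipaddress.ip_address(m.group(1))] += 1
            except ValueError:   # e.g. 999.1.1.1 passes the regex but is not an address
                continue
    by_prefix = defaultdict(set)
    for addr in hits:
        by_prefix[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    blocks = set()
    for net, addrs in by_prefix.items():
        if len(addrs) >= prefix_hosts:      # probes spread across the /24
            blocks.add(net)
        else:                               # only individual noisy hosts
            blocks.update(ipaddress.ip_network(f"{a}/32") for a in addrs if hits[a] >= host_hits)
    return [str(n) for n in sorted(blocks)]

if __name__ == "__main__":
    print("\n".join(block_list(SAMPLE_LOG)))
```

The returned prefixes can be fed to whatever enforces the block (firewall set, null route); the successful login from 192.0.2.9 and the single failure from 192.0.2.5 stay unblocked.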