nanog mailing list archives
Re: Dealing with abuse complaints to non-existent contacts
From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 11 Aug 2014 04:32:44 -0400

On Sun, Aug 10, 2014 at 11:25:36PM +0500, Alexander Merniy wrote:
> Move ssh to a non-standard port + fail2ban - best solution.

No, it is not. The best solution is to enumerate the ranges from which legitimate ssh connections will originate and firewall *everything* else. Yes, this means (gasp! horror!) actually looking at your own logs and understanding what they tell you, but anyone capable of using "grep", "sort", "uniq" et al. should be able to do that.

The second-best solution is to enumerate the ranges from which legitimate ssh connections will never originate and firewall those. The Spamhaus DROP list is a good starting place for everyone. The Okean listings of Chinese and Korean network space are good second stops. And ipdeny.com *was* a good third stop, for which I haven't found an equally-usable replacement just yet.

Both of these are proactive approaches that -- if used properly and well-maintained -- may largely eliminate the need to fiddle around with reactive approaches like fail2ban. They also work with other ports/protocols/services, e.g., IMAPS.

---rsk
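
The log review described in the message above, as an added example that is not part of the original post: it tallies the IPv4 /24 ranges behind successful sshd logins and prints iptables rule lines that accept port 22 from ranges seen at least a given number of times and drop it from everywhere else. The log lines are constructed, and the /24 grouping, the threshold and the use of the INPUT chain are assumptions.

```shell
#!/bin/sh
# Added example. Sample input is constructed: OpenSSH syslog lines that use
# documentation address space (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
sample_log() {
cat <<'EOF'
Aug 10 09:14:02 gw sshd[1234]: Accepted publickey for alice from 198.51.100.23 port 51234 ssh2
Aug 10 09:15:10 gw sshd[1240]: Failed password for invalid user admin from 203.0.113.77 port 40022 ssh2
Aug 10 11:02:45 gw sshd[1302]: Accepted publickey for alice from 198.51.100.23 port 51301 ssh2
Aug 10 13:40:19 gw sshd[1377]: Accepted password for bob from 198.51.100.87 port 50000 ssh2
Aug 10 13:41:03 gw sshd[1380]: Failed password for root from 203.0.113.9 port 33810 ssh2
Aug 10 18:27:51 gw sshd[1455]: Accepted publickey for carol from 192.0.2.14 port 60222 ssh2
Aug 10 18:30:12 gw sshd[1460]: Invalid user test from 203.0.113.77 port 40100
EOF
}

# Read sshd log lines on stdin and print "count a.b.c.0/24" for each IPv4 /24
# behind a successful login, busiest first. Only "Accepted" lines count, so
# sources that merely failed to authenticate never appear.
accepted_ranges() {
    grep -E 'sshd\[[0-9]+\]: Accepted [^ ]+ for ' |
    sed -n -E 's#.* from ([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ port [0-9]+.*#\1.0/24#p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print iptables rule lines: accept port 22 from ranges with at least $1
# successful logins, then drop port 22 from everywhere else.
# Assumptions: the INPUT chain and the threshold; low-count ranges are left
# for a human to review rather than allowed automatically.
allow_rules() {
    accepted_ranges |
    awk -v min="$1" '$1 >= min { print "-A INPUT -p tcp -s " $2 " --dport 22 -j ACCEPT" }'
    echo "-A INPUT -p tcp --dport 22 -j DROP"
}

sample_log | accepted_ranges
sample_log | allow_rules 2
```

The rule lines are printed for review only; nothing is loaded into the firewall.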