Re: Abuse Desks

[Matt Corallo via NANOG <nanog () nanog org>]

Sadly dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s 
experimenting with nmap for the first time then.... we’ll end up exactly where we are - abuse contacts are not a 
reliable way to get in touch with anyone, and definitely not a reliable way to do so fast or with any reasonably large 
network. Please don’t clog the otherwise-useful system.

If you have trouble sleeping at night, I’d recommend the “PasswordAuthentication no” option in sshd_config.

Matt

> On Apr 28, 2020, at 23:22, Mukund Sivaraman <muks () mukund org> wrote:
>
> Hi Matt
>
> > On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
> > DDoS, hijacker, botnet C&C, compromised hosts,
> > sufficiently-hard-to-deal-with phishing, etc are all things that carry
> > real risk to services that are otherwise well-maintained (primarily in
> > that many of the latter lead to the former). Nothing wrong with using
> > or monitoring fail2ban, but if you’re spamming abuse contacts in an
> > automated fashion (a pattern of misbehavior may be different) just
> > because of some scanning, I recommend you fire your CSO (or get one).
>
> It a fair game, that we the victim hosts should manually scan hundreds
> of reports generated due to traffic from automated bots from IP address
> block, so that things are easy for abuse@ contacts?
>
> I haven't come across a false positive report from our fail2ban
> instances on various servers (which it so far emails to our internal
> email address). It appears extremely unlikely for its reports to be
> false postitives - its detection method by parsing logs is identical to
> what a human would manually do too.
>
> I wouldn't call emailing its reports automatically to an abuse contact
> as "spamming". It is exactly what a human would do, and
> programmers/sysadmins love to automate.
>
> If an abuse report is incorrect, then it is fair to complain.
>
>        Mukund