Joe, Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot error.
-mel

> On Apr 29, 2020, at 8:37 AM, Joe Greco <jgr...@ns.sol.net> wrote:
>
> On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
>> Once upon a time, Mukund Sivaraman <m...@mukund.org> said:
>>> If an abuse report is incorrect, then it is fair to complain.
>>
>> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
>>
>> I've typoed IP/FQDN before and gotten an SSH response, and taken several
>> tries before I realized my error. Did I actually "abuse" someone's
>> server? I didn't get in, and it's hard to say that the server resources
>> I used with a few failed tries were anything more than negligible.
>>
>> I've had users tripped up by fail2ban because they were trying to access
>> a server they don't use often and took several tries to get the password
>> right or had the wrong SSH key. Should that have triggered an abuse
>> email?
>
> So your theory is that it is necessary for there to be a threshold of
> abuse?
>
> Is there any reason to expect that a random server is going to be able
> to figure out that a large pool of a million compromised IoT devices on
> a million different IP addresses is slowly probing their server for the
> root password and that a SPECIFIC probe is a member of this set?
>
> The way this stuff is trending today, you don't have a single host that
> is banging on another single host for hours or days at a password per
> second, which I hope we would agree would be well beyond any reasonable
> threshold to consider abuse.
>
> On the flip side, is it so much to ask that an abuse desk maybe take a
> look at both the ingress and egress packet stream of their customer, to
> see if there seems to be something untoward happening?
>
> And which one of these is a less damaging strategy?
>
> I know we're in the minority here, but policy over here at SOL hasn't
> changed much in the last quarter century. If you are getting unwanted
> and unsolicited traffic from us, and you contact abuse@, we're willing
> to make it stop. If it didn't originate here (forged, etc) then there
> isn't much to be done -- the community has been trying to encourage
> BCP38 for years.
>
> It's probably jumping the gun a bit for a single connection attempt to
> result in an abuse@ message, but then again when I look at the stream
> of trash addressed at SOL's IP space, maybe not. Some of it is clearly
> trying to scan from large botnets.
>
> There's also a lot of room for computers to be doing the hard work of
> detecting and reporting, and helping to analyze, while letting a human
> look at what's actually transpired and see if it feels problematic.
>
> However, the general solution that seems to have been adopted by the
> majority of the industry is to hire Dave Null for abuse@
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "The strain of anti-intellectualism has been a constant thread winding its way
> through our political and cultural life, nurtured by the false notion that
> democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
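The thread contrasts a fail2ban-style per-IP threshold (which trips on a legitimate user's typos) with a slow probe spread across many source addresses (which no per-IP threshold can see). The script below is an added illustration, not code from the thread or from fail2ban: it runs both views over constructed sshd log lines using RFC 5737 documentation addresses, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log lines (documentation addresses, not real traffic).
# One user fails twice then succeeds; five distinct sources each try "root" once.
AUTH_LOG = """\
Apr 29 08:37:01 host sshd[2101]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Apr 29 08:37:09 host sshd[2101]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Apr 29 08:37:15 host sshd[2101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Apr 29 08:40:00 host sshd[2140]: Failed password for root from 198.51.100.10 port 40001 ssh2
Apr 29 09:10:00 host sshd[2188]: Failed password for root from 198.51.100.11 port 40002 ssh2
Apr 29 09:40:00 host sshd[2201]: Failed password for root from 198.51.100.12 port 40003 ssh2
Apr 29 10:10:00 host sshd[2244]: Failed password for root from 198.51.100.13 port 40004 ssh2
Apr 29 10:40:00 host sshd[2290]: Failed password for root from 198.51.100.14 port 40005 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log, year=2020):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    out = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def per_ip_offenders(failures, maxretry=3, findtime=600):
    """Per-IP rule (fail2ban-like): >= maxretry failures within any findtime seconds."""
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders.add(ip)
                break
    return offenders

def distributed_campaign(failures, user="root", min_sources=5):
    """Aggregate rule: many distinct sources probing one account, whatever the per-IP rate."""
    sources = {ip for _, u, ip in failures if u == user}
    return sources if len(sources) >= min_sources else set()
```

With maxretry=3 the per-IP rule flags nothing, while lowering it to 2 flags only the legitimate user; the aggregate view is what surfaces the five-source root probe.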