It is rather easy to block SSH cracking attempts from your own side. Rarely do they put any significant load on your network or computer.
I would sympathize with this except for the fact that abuse desks won't even respond to DDoS attacks, something that can't be fixed on your own end without spending a lot of money. That needs to be fixed first before worrying about password cracking.

On Tue, Apr 28, 2020 at 8:58 AM Mike Hammett <na...@ics-il.net> wrote:

> I noticed over the weekend that a Fail2Ban instance's complain function wasn't working. I fixed it. I've noticed a few things:
>
> 1) Abusix likes to return RIR abuse contact information. The vast majority are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I look up the compromised IP address in Abusix via the CLI, the APNIC and ARIN ones return both ISP contact information and RIR information. When I look them up on the RIR's whois, it just shows the ISP abuse information. Weird, but so rare it's probably just an anomaly. However, almost everything I see in LACNIC's region is returned with only the LACNIC abuse information when the ones I've checked on LACNIC's whois list valid abuse information for that prefix. Can anyone confirm they've seen similar behavior out of Abusix? I reached out to them, but haven't heard back.
> 2) Digital Ocean hits my radar far more than any other entity.
> 3) Azure shows up a lot less than GCP or AWS, which are about similar to each other.
> 4) Around 5% respond saying it's been addressed (or why it's not in the event of security researchers) within a couple hours. The rest I don't know. I've had a mix of small and large entities in that response.
> 5) HostGator seems to have an autoresponder (due to a 1 minute response) that just indicates that you sent nothing actionable, despite the report including the relevant log file entries.
> 6) Charter seems to have someone actually looking at it as it took them 16 - 17 hours to respond, but they say they don't have enough information to act on, requesting relevant log file entries... which were provided in the initial report and are even included in their response. They request relevant log file entries with the date, time, timezone, etc. all in the body in plain text, which was delivered.
> 7) The LACNIC region has about 1/3 of my reports.
>
> Do these mirror others' observations with security issues and how abuse desks respond?
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com