The machines that are ssh probing are probably doing other stuff.  Take the win 
that you have been informed about a compromised machine and get it cleaned / 
quarantined. 

-- 
Mark Andrews

> On 30 Apr 2020, at 06:20, Bottiger <bottige...@gmail.com> wrote:
> 
> 
> It is rather easy to block SSH cracking attempts from your own side. Rarely 
> do they put any significant load on your network or computer.
> 
> I would sympathize with this except for the fact that abuse desks won't even 
> respond to DDoS attacks, something that can't be fixed on your own end 
> without spending a lot of money. 
> 
> That needs to be fixed first before worrying about password cracking.
> 
>> On Tue, Apr 28, 2020 at 8:58 AM Mike Hammett <na...@ics-il.net> wrote:
>> I noticed over the weekend that a Fail2Ban instance's complain function 
>> wasn't working. I fixed it. I've noticed a few things:
>> 
>> 1) Abusix likes to return RIR abuse contact information. The vast majority 
>> are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I 
>> look up the compromised IP address in Abusix via the CLI, the APNIC and ARIN 
>> ones return both ISP contact information and RIR information. When I look 
>> them up on the RIR's whois, it just shows the ISP abuse information. Weird, 
>> but so rare it's probably just an anomaly. However, almost everything I see 
>> in LACNIC's region is returned with only the LACNIC abuse information when 
>> the ones I've checked on LACNIC's whois list valid abuse information for 
>> that prefix. Can anyone confirm they've seen similar behavior out of Abusix? 
>> I reached out to them, but haven't heard back.
>> 2) Digital Ocean hits my radar far more than any other entity.
>> 3) Azure shows up a lot less than GCP or AWS, which are about similar to 
>> each other.
>> 4) Around 5% respond saying it's been addressed (or why it's not in the 
>> event of security researchers) within a couple hours. The rest I don't know. 
>> I've had a mix of small and large entities in that response.
>> 5) HostGator seems to have an autoresponder (due to a 1 minute response) 
>> that just indicates that you sent nothing actionable, despite the report 
>> including the relevant log file entries.
>> 6) Charter seems to have someone actually looking at it as it took them 16 - 
>> 17 hours to respond, but they say they don't have enough information to act 
>> on, requesting relevant log file entries...  which were provided in the 
>> initial report and are even included in their response. They request 
>> relevant log file entries with the date, time, timezone, etc. all in the 
>> body in plain text, which was delivered.
>> 7) The LACNIC region has about 1/3 of my reports.
>> 
>> 
>> 
>> Do these mirror others' observations with security issues and how abuse 
>> desks respond?
>> 
>> 
>> 
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>> 
>> Midwest-IX
>> http://www.midwest-ix.com
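
One way to check for the Abusix-versus-RIR contact mismatch Mike describes in point 1, as an added example that is not part of this thread: it assumes Abusix's contact DB is queried as a TXT record for the reversed IPv4 under abuse-contacts.abusix.zone and that rdap.org redirects to the responsible RIR's RDAP server; the parsing and comparison functions take their data as arguments so they can be exercised offline.

```python
"""Compare the abuse contact Abusix returns for an IP with the one the RIR's RDAP
service lists, to flag Abusix answers that carry only the RIR's own mailbox while
the RIR lists a valid ISP contact. Assumed (not from the thread): the Abusix DNS
zone name and rdap.org redirection used in lookup()."""
import ipaddress, json, subprocess, urllib.request

RIR_DOMAINS = ("lacnic.net", "apnic.net", "arin.net", "ripe.net", "afrinic.net")


def abusix_query_name(ip: str) -> str:
    # 203.0.113.5 -> 5.113.0.203.abuse-contacts.abusix.zone (assumed zone name)
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".abuse-contacts.abusix.zone"


def parse_abusix_txt(txt_records) -> set:
    # Each TXT answer is a quoted, comma-separated list of abuse mailboxes
    contacts = set()
    for rec in txt_records:
        for part in rec.strip().strip('"').split(","):
            if part.strip():
                contacts.add(part.strip().lower())
    return contacts


def rdap_abuse_emails(rdap_obj) -> set:
    # RDAP entities nest; collect emails from any entity carrying the 'abuse' role
    found = set()
    for ent in rdap_obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", [None, []])[1]:
                if prop and prop[0] == "email":
                    found.add(str(prop[3]).lower())
        found |= rdap_abuse_emails(ent)
    return found


def classify(abusix_contacts: set, rdap_contacts: set) -> str:
    # "rir-only-in-abusix" is the pattern reported for the LACNIC region
    only_rir = bool(abusix_contacts) and all(c.endswith(RIR_DOMAINS) for c in abusix_contacts)
    provider = {c for c in rdap_contacts if not c.endswith(RIR_DOMAINS)}
    if only_rir and provider:
        return "rir-only-in-abusix"
    if abusix_contacts & rdap_contacts:
        return "consistent"
    return "differs"


def lookup(ip: str) -> str:
    # Live lookups (network required): dig for Abusix, HTTPS for RDAP
    out = subprocess.run(["dig", "+short", "TXT", abusix_query_name(ip)],
                         capture_output=True, text=True, check=True).stdout
    with urllib.request.urlopen(f"https://rdap.org/ip/{ip}", timeout=15) as resp:
        rdap = json.load(resp)
    return classify(parse_abusix_txt(out.splitlines()), rdap_abuse_emails(rdap))
```

Run `lookup()` against a handful of the IPs Fail2Ban reported and tally the classification per RIR region to see whether the LACNIC pattern holds in your own data.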
