----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell l...@satchell.net wrote:

Hi,

> That said, I use TCPWRAPPER to limit access to SSH to specific IP
> addresses. I process my LogWatch messages manually. I pull the fire
> alarm for snowshoe probes, and excessive number of probes (over 30 in a
> 24-hour period). No registered abuse@ address in the WHOIS? The
> offending netblock goes into my edge router ACL, because I have learned
> that ne'er-do-wells without working abuse@ usually have other bad habits.

I have a very simple method to deal with that: a server with no other purpose than to blackhole portscanning culprits. Send so much as a tcp syn to port 22 and your entire /24 goes to null0 for a month. I have a few exceptions for entities that I know are responsive to abuse@, but that's it.

Highly effective.

Thanks,

Sabri
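
The policy in the message above (one SYN to port 22 blackholes the source /24 for a month, with exceptions for networks known to answer abuse@), as an added sketch that is not part of the original post. The log format, the addresses, the exception list, the 30-day reading of "a month" and the rule that a repeat probe extends the block are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (not from the original message): 30 days stands in for
# "a month"; the log format, addresses and exception list are constructed.
BLOCK_FOR = timedelta(days=30)
EXCEPTIONS = [ipaddress.ip_network("198.51.100.0/24")]  # answers abuse@

SAMPLE_LOG = """\
2020-04-29T09:10:02 SYN src=203.0.113.57 dport=22
2020-04-29T09:10:05 SYN src=203.0.113.200 dport=22
2020-04-29T09:11:40 SYN src=198.51.100.9 dport=22
2020-04-29T09:12:13 SYN src=192.0.2.14 dport=443
2020-05-20T08:00:00 SYN src=192.0.2.77 dport=22
"""

def parse(line):
    """Return (timestamp, source address, destination port) for one line."""
    stamp, _flag, src, dport = line.split()
    return (datetime.fromisoformat(stamp),
            ipaddress.ip_address(src.split("=", 1)[1]),
            int(dport.split("=", 1)[1]))

def update_blackhole(log_text, table=None):
    """Map each offending /24 to the time its null route expires."""
    table = {} if table is None else table
    for line in log_text.splitlines():
        when, src, dport = parse(line)
        if dport != 22:
            continue  # only port 22 is the tripwire
        if any(src in net for net in EXCEPTIONS):
            continue  # known-responsive networks are exempt
        # Widen the single source address to its enclosing /24.
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        # Assumption: a repeat probe from a listed /24 extends the block.
        table[net] = max(table.get(net, when), when + BLOCK_FOR)
    return table

def active_routes(table, now):
    """Networks still blackholed at `now`, sorted for stable output."""
    return sorted(str(net) for net, until in table.items() if until > now)

if __name__ == "__main__":
    table = update_blackhole(SAMPLE_LOG)
    for net in active_routes(table, datetime(2020, 5, 25)):
        print(net, "-> null0 until", table[net].isoformat())
```

Expiry is part of the table on purpose: a /24 blocked on one hit will catch bystanders, so entries need to age out without manual cleanup.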