Sabri, a clever idea to be sure, but it seems open to abuse. What stops someone from forging a TCP SYN from every /24 on the Internet, causing you to blackhole your access to everywhere?
-mel

> On Apr 29, 2020, at 2:24 PM, Sabri Berisha <[email protected]> wrote:
>
> ----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell [email protected] wrote:
>
> Hi,
>
>> That said, I use TCPWRAPPER to limit access to SSH to specific IP
>> addresses. I process my LogWatch messages manually. I pull the fire
>> alarm for snowshoe probes, and excessive number of probes (over 30 in a
>> 24-hour period). No registered abuse@ address in the WHOIS? The
>> offending netblock goes into my edge router ACL, because I have learned
>> that ne'er-do-wells without working abuse@ usually have other bad habits.
>
> I have a very simple method to deal with that: a server with no other purpose
> than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
> and your entire /24 goes to null0 for a month. I have a few exceptions for
> entities that I know are responsive to abuse@, but that's it.
>
> Highly effective.
>
> Thanks,
>
> Sabri
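Sabri's policy and mel's objection side by side, as an added example that is not code from the thread or from either poster. It reads iptables LOG lines, aggregates the offender to its /24, honours an allowlist of networks known to answer abuse@, and null-routes for a month. A strict mode only reacts to the third packet of a completed handshake, whose ACK number must equal the sensor's own ISN + 1; a SYN forged from somebody else's address never produces that packet, so that address's /24 is not blackholed. Everything concrete here is an assumption: the sensor address 198.51.100.7, the allowlist, the SSHPROBE log prefix, --log-tcp-sequence on both the INPUT and OUTPUT logging rules, Linux `ip route ... blackhole` standing in for null0, and the sample traffic, which is constructed.

```python
# Added example, not code from the thread. Assumptions (none from the page): a Linux
# sensor logs tcp/22 both ways with iptables LOG --log-tcp-sequence; IPv4 only.
import ipaddress
from datetime import datetime, timedelta

SENSOR_IP = "198.51.100.7"  # constructed
BLACKHOLE_DAYS = 30
EXCEPTIONS = [ipaddress.ip_network("192.0.2.0/24")]  # abuse@ known to respond (constructed)
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
NOW = datetime(2020, 4, 29, 14, 24)  # fixed "now" so the run is reproducible
MONTH_LATER = NOW + timedelta(days=BLACKHOLE_DAYS)

def parse_log_line(line):
    """Parse one iptables LOG line into a dict, or return None if it is not TCP."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "flags": flags,
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"]),
            "seq": int(fields.get("SEQ", 0)), "ack": int(fields.get("ACK", 0))}

class Blackholer:
    def __init__(self, now, require_handshake=True):
        self.now = now
        self.require_handshake = require_handshake
        self.pending = {}     # (peer ip, peer port) -> ISN of the SYN-ACK we sent
        self.blackholed = {}  # /24 network -> expiry time

    def punish(self, ip):
        """Null-route the offender's /24 for a month; returns the command or None."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in EXCEPTIONS):
            return None
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net in self.blackholed:
            return None  # already in null0
        self.blackholed[net] = self.now + timedelta(days=BLACKHOLE_DAYS)
        return f"ip route add blackhole {net}"

    def feed(self, line):
        """Apply the policy to one log line; returns the command to run, if any."""
        pkt = parse_log_line(line)
        if pkt is None:
            return None
        # Our own SYN-ACK going out: remember its ISN to check the peer's third packet.
        if pkt["src"] == SENSOR_IP and pkt["sport"] == 22 and pkt["flags"] >= {"SYN", "ACK"}:
            self.pending[(pkt["dst"], pkt["dport"])] = pkt["seq"]
            return None
        if pkt["dst"] != SENSOR_IP or pkt["dport"] != 22:
            return None
        if not self.require_handshake:
            # Sabri's rule as stated: one SYN is enough. Its source is trivially forgeable.
            return self.punish(pkt["src"]) if "SYN" in pkt["flags"] else None
        # Strict rule: only the handshake's third packet counts, and its ACK number must
        # be our ISN + 1 (mod 2^32), which an off-path forger never learned.
        key = (pkt["src"], pkt["sport"])
        isn = self.pending.get(key)
        if (isn is not None and "ACK" in pkt["flags"] and "SYN" not in pkt["flags"]
                and pkt["ack"] == (isn + 1) % 2**32):
            del self.pending[key]
            return self.punish(pkt["src"])
        return None

    def expire(self, now):
        """Lift blackholes whose month is up; returns the commands to run."""
        done = []
        for net, until in list(self.blackholed.items()):
            if now >= until:
                del self.blackholed[net]
                done.append(f"ip route del blackhole {net}")
        return done

def _log(chain, src, dst, sport, dport, seq, ack, flags):
    """Constructed iptables LOG line in the kernel's field layout (sample input only)."""
    io = "IN=eth0 OUT=" if chain == "INPUT" else "IN= OUT=eth0"
    return (f"Apr 29 14:24:01 sensor kernel: SSHPROBE {io} SRC={src} DST={dst} LEN=60 "
            f"TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT={sport} DPT={dport} "
            f"SEQ={seq} ACK={ack} WINDOW=65535 RES=0x00 {flags} URGP=0")

# Constructed traffic: real scanner 203.0.113.9, spoofed 198.18.0.5 (guessed third packet), allowlisted 192.0.2.10.
SAMPLE_LOG = [
    _log("INPUT", "203.0.113.9", SENSOR_IP, 40001, 22, 1000, 0, "SYN"),
    _log("OUTPUT", SENSOR_IP, "203.0.113.9", 22, 40001, 5000, 1001, "ACK SYN"),
    _log("INPUT", "203.0.113.9", SENSOR_IP, 40001, 22, 1001, 5001, "ACK"),
    _log("INPUT", "198.18.0.5", SENSOR_IP, 40002, 22, 2000, 0, "SYN"),
    _log("OUTPUT", SENSOR_IP, "198.18.0.5", 22, 40002, 7000, 2001, "ACK SYN"),
    _log("INPUT", "198.18.0.5", SENSOR_IP, 40002, 22, 2001, 1, "ACK"),  # wrong ACK number
    _log("INPUT", "192.0.2.10", SENSOR_IP, 40003, 22, 3000, 0, "SYN"),
]

def run_sample(require_handshake):
    """Run SAMPLE_LOG through the policy; returns the list of commands it would issue."""
    bh = Blackholer(NOW, require_handshake)
    return [cmd for cmd in map(bh.feed, SAMPLE_LOG) if cmd]
```

With SYN-only matching, the run null-routes both 203.0.113.0/24 and 198.18.0.0/24, the second on nothing more than a forged SYN; with the handshake check, only 203.0.113.0/24, because the forged third packet from 198.18.0.5 carries the wrong ACK number. The strict mode closes the off-path case mel raises, not the on-path one: anyone who can see the sensor's SYN-ACK can finish the handshake from any address they can observe. The allowlist also has to carry your own prefixes, upstreams and monitoring hosts, or the first spoofed SYN from one of them takes it out, and a /24 is a blunt unit that takes the offender's neighbours with it, which is the policy as stated rather than a side effect of the script.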

