Hi Matt

On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:

> DDoS, hijacker, botnet C&C, compromised hosts, sufficiently-hard-to-deal-with phishing, etc are all things that carry real risk to services that are otherwise well-maintained (primarily in that many of the latter lead to the former). Nothing wrong with using or monitoring fail2ban, but if you’re spamming abuse contacts in an automated fashion (a pattern of misbehavior may be different) just because of some scanning, I recommend you fire your CSO (or get one).
Is it fair game that we, the victim hosts, should manually scan hundreds of reports generated due to traffic from automated bots from an IP address block, so that things are easy for abuse@ contacts?

I haven't come across a false positive report from our fail2ban instances on various servers (which it so far emails to our internal email address). It appears extremely unlikely for its reports to be false positives: its detection method by parsing logs is identical to what a human would manually do too.

I wouldn't call emailing its reports automatically to an abuse contact "spamming". It is exactly what a human would do, and programmers/sysadmins love to automate. If an abuse report is incorrect, then it is fair to complain.

Mukund