On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman <muks@mukund.org> said:
> > If an abuse report is incorrect, then it is fair to complain.
>
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?

It is configurable. Anyway, I don't know how else one would interpret a pattern like this other than the obvious:

Apr 28 22:28:05 jupiter sshd[24509]: Invalid user java from 209.141.55.11 port 36334
Apr 28 22:28:05 jupiter sshd[24504]: Invalid user openvpn from 209.141.55.11 port 36768
Apr 28 22:28:05 jupiter sshd[24506]: Invalid user devops from 209.141.55.11 port 36756
Apr 28 22:28:05 jupiter sshd[24510]: Invalid user vagrant from 209.141.55.11 port 36784
Apr 28 22:28:05 jupiter sshd[24507]: Invalid user user from 209.141.55.11 port 36796
Apr 28 22:28:05 jupiter sshd[24508]: Invalid user oracle from 209.141.55.11 port 36776
Apr 28 22:28:05 jupiter sshd[24505]: Invalid user ubuntu from 209.141.55.11 port 36798
Apr 28 22:28:05 jupiter sshd[24514]: Invalid user test from 209.141.55.11 port 36780
Apr 28 22:28:05 jupiter sshd[24513]: Invalid user ec2-user from 209.141.55.11 port 36752

It *can* be legitimate traffic, but then I hope the owner of this machine has applied for special permission stating their reason for doing this kind of probing before they are allowed to keep doing this over time and sending such traffic to multiple IP addresses (similar to how, at some service providers, one has to apply for TCP port 25 to be allowed after claiming they're not spammers).

Mukund
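
An added example, not part of the original message: a detector that separates the pattern quoted above (many distinct invalid usernames from one address within a short window) from an isolated mistyped login. The function names, the threshold of 3 distinct usernames, the 60-second window, the year and the final log line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First nine lines are the ones quoted in the message; the last is constructed.
SAMPLE = """\
Apr 28 22:28:05 jupiter sshd[24509]: Invalid user java from 209.141.55.11 port 36334
Apr 28 22:28:05 jupiter sshd[24504]: Invalid user openvpn from 209.141.55.11 port 36768
Apr 28 22:28:05 jupiter sshd[24506]: Invalid user devops from 209.141.55.11 port 36756
Apr 28 22:28:05 jupiter sshd[24510]: Invalid user vagrant from 209.141.55.11 port 36784
Apr 28 22:28:05 jupiter sshd[24507]: Invalid user user from 209.141.55.11 port 36796
Apr 28 22:28:05 jupiter sshd[24508]: Invalid user oracle from 209.141.55.11 port 36776
Apr 28 22:28:05 jupiter sshd[24505]: Invalid user ubuntu from 209.141.55.11 port 36798
Apr 28 22:28:05 jupiter sshd[24514]: Invalid user test from 209.141.55.11 port 36780
Apr 28 22:28:05 jupiter sshd[24513]: Invalid user ec2-user from 209.141.55.11 port 36752
Apr 28 22:30:11 jupiter sshd[24600]: Invalid user alcie from 192.0.2.10 port 50122
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+")

def parse(lines, year=2020):
    """Yield (timestamp, ip, user); syslog has no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def flag_sources(lines, min_users=3, window=timedelta(seconds=60)):
    """Return {ip: usernames tried} for sources that tried at least
    min_users distinct invalid usernames inside one sliding window."""
    events = defaultdict(list)
    for ts, ip, user in parse(lines):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in flag_sources(SAMPLE.splitlines()).items():
        print(ip, len(users), ",".join(users))
```

Counting distinct usernames rather than raw failures is what keeps a user who mistypes their own name three times from looking like the dictionary run in the quoted log.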