
Sadly dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s experimenting with nmap for the first time then... we’ll end up exactly where we are - abuse contacts are not a reliable way to get in touch with anyone, and definitely not a reliable way to do so fast or with any reasonably large network. Please don’t clog the otherwise-useful system. If you have trouble sleeping at night, I’d recommend the “PasswordAuthentication no” option in sshd_config.

Matt
On Apr 28, 2020, at 23:22, Mukund Sivaraman <muks@mukund.org> wrote:
Hi Matt
On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:

DDoS, hijacker, botnet C&C, compromised hosts, sufficiently-hard-to-deal-with phishing, etc are all things that carry real risk to services that are otherwise well-maintained (primarily in that many of the latter lead to the former). Nothing wrong with using or monitoring fail2ban, but if you’re spamming abuse contacts in an automated fashion (a pattern of misbehavior may be different) just because of some scanning, I recommend you fire your CSO (or get one).
Is it a fair game that we, the victim hosts, should manually scan hundreds of reports generated due to traffic from automated bots from an IP address block, so that things are easy for abuse@ contacts?
I haven't come across a false positive report from our fail2ban instances on various servers (which it so far emails to our internal email address). It appears extremely unlikely for its reports to be false positives - its detection method of parsing logs is identical to what a human would do manually too.
I wouldn't call emailing its reports automatically to an abuse contact "spamming". It is exactly what a human would do, and programmers/sysadmins love to automate.
If an abuse report is incorrect, then it is fair to complain.
Mukund
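Both sides of this exchange turn on what a fail2ban report actually contains: Mukund's point is that the detection is the same log parsing a human would do, Matt's is that an automated report about a handful of scans is noise. The following is an added illustration written for this thread, not fail2ban's own code and not from either poster. It implements a minimal fail2ban-style sshd filter in Python over a constructed auth.log excerpt (addresses are from documentation ranges): it counts "Failed password" lines per source IP inside a sliding window and assembles the evidence lines a report would carry. The parameter names maxretry and findtime mirror fail2ban's jail settings; the threshold values used here are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (syslog format, no year in the timestamp).
# 203.0.113.5 fails five times in ten seconds; 198.51.100.7 fails twice,
# fifteen minutes apart; one successful key login is present and must be ignored.
SAMPLE_LOG = [
    "Apr 28 22:30:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Apr 28 22:30:03 host1 sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "Apr 28 22:30:05 host1 sshd[1236]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Apr 28 22:30:06 host1 sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2",
    "Apr 28 22:30:08 host1 sshd[1238]: Failed password for invalid user ubuntu from 203.0.113.5 port 51260 ssh2",
    "Apr 28 22:30:11 host1 sshd[1239]: Failed password for root from 203.0.113.5 port 51270 ssh2",
    "Apr 28 22:30:20 host1 sshd[1240]: Accepted publickey for muks from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed",
    "Apr 28 22:45:00 host1 sshd[1241]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2",
]

# Matches the classic OpenSSH "Failed password" line; anything else is not a failure event.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2020):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    The year is an assumption because syslog timestamps omit it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bans(lines, maxretry=5, findtime=600, year=2020):
    """fail2ban-style sliding window: an IP is banned at the moment its
    maxretry-th failure falls within findtime seconds of an earlier one.
    Returns {ip: ban_timestamp}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def build_report(lines, ip, year=2020):
    """Assemble the evidence a report about one IP would carry: a summary
    line followed by the verbatim log lines attributed to that IP."""
    evidence = [l for l in lines if (p := parse_line(l, year)) and p[1] == ip]
    header = (f"Abuse report: {len(evidence)} failed SSH logins from {ip} "
              f"(log year {year} assumed, timestamps as logged)")
    return "\n".join([header, *evidence])


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
        print(build_report(SAMPLE_LOG, ip))
```

With these settings only 203.0.113.5 trips the threshold; 198.51.100.7's two failures are outside the window and would never reach an abuse contact, which is the kind of rate-limiting that separates a report about a pattern from a report about a single scan.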