-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Stephen Satchell" <list@satchell.net>
To: nanog@nanog.org
Sent: Wednesday, April 29, 2020 11:50:42 AM
Subject: Re: Abuse Desks

On 4/29/20 9:24 AM, Mukund Sivaraman wrote:
> If there's a lock on my door, and someone tries to pick it, you can call
> me at fault for having a lock on my door facing outside all you
> want. But the thief picking it has no business doing so, and will be
> guilty of a crime if caught.

This is a good start to an analogy.  Let's build on it, courtesy to
YouTube's "Lock Picking Lawyer".  In a video, the host shows how to
improve the security of a common easily-picked home lock: drill holes in
the lock body, such that if someone picks the lock and tries to turn the
keyway, the pins will fall into those carefully-placed holes and foil
The Bad Guy(tm).

In the networking world, we use an Access Control List to limit access
to the service.  Unlike the simple modification shown in LPL's video,
the "lock" is still usable by users from authorized IP addresses.  Or,
we require the use of certificates to validate access within the SSHD
server itself.

Here's the deal:  just blocking access or requiring certificate-based
access is intrusion prevention.  Having a log event when there are
unsuccessful probes is intrusion [attempt] detection.  Sure, the
ne'er-do-well is kept out in the prevention cycle, but a persistent
cracker lives by the axiom "if at first you don't succeed, try something
else."  You really want to stop an attacker from making a large number
of attempts, such as with a Joe script.

I turn off root SSH access, pinhole 22/tcp to a limited number of IP
addresses, and monitor failed SUDO attempts.  As I build up my new
firewall, I'll turn off public SSH access completely, and instead use a
robust VPN implementation.  (Which has its own issues.)