Automatic abuse reports
- Subject: Automatic abuse reports
- From: bill at herrin.us (William Herrin)
- Date: Tue, 12 Nov 2013 20:43:28 -0500
- In-reply-to: <[email protected]>
- References: <Pine.LNX.4.64.1311122255060.7242@crisp> <[email protected]>
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <sam at circlenet.us> wrote:
> We used to use a small perl script called tattle that would parse out the
> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, look up
> the proper abuse contacts and report them. I haven't seen anything similar
> in years but it would be interesting to do more than null route IPs.
>
> The problem we had with the automated reporting was dealing with spoofed
> sources; we see lots of traffic that is obviously hostile but unless it
> becomes serious enough to impact performance we rarely report it. An
> automated system didn't seem to fit anymore due to false positives.
Hi Sam,
Out of curiosity -- how does one get a false positive on an ssh
exploit attempt? Does the origin IP not have to complete a 3-way
handshake before it can attempt an exploit?
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
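An added example, not part of the thread and not the "tattle" script Sam mentions: a small parser over constructed /var/log/secure-style lines (RHEL syslog layout assumed; the addresses, hostnames and timestamps are invented) that isolates sshd authentication failures, groups them by source, and builds a report body per source above a threshold. It also makes Bill's point concrete: sshd only logs a peer address after the kernel has accept()ed the connection, i.e. after a completed three-way handshake, so those addresses are not blindly spoofable, whereas a netfilter line recording a lone SYN is, and the parser ignores it. The abuse-contact lookup (RDAP/whois on the reported address) is left to the caller so the example runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in the style of a RHEL-type /var/log/secure.
# Invented for this example; none of them come from the thread.
SAMPLE_LOG = """\
Nov 12 16:40:01 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 12 16:40:03 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Nov 12 16:40:05 gw sshd[2233]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 12 16:40:06 gw sshd[2233]: Failed password for root from 203.0.113.7 port 51241 ssh2
Nov 12 16:40:07 gw sshd[2235]: Invalid user oracle from 203.0.113.7
Nov 12 16:41:10 gw sshd[2240]: Failed password for alice from 198.51.100.22 port 40022 ssh2
Nov 12 16:41:15 gw sshd[2240]: Accepted publickey for alice from 198.51.100.22 port 40022 ssh2
Nov 12 16:42:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.1 PROTO=TCP SPT=6000 DPT=22 SYN
Nov 12 16:42:30 gw sshd[2250]: Did not receive identification string from 192.0.2.50
"""

# Only lines written by sshd count as evidence: sshd logs a peer only after
# accept(), so the address survived a full TCP handshake.  The kernel/netfilter
# SYN line above carries no such guarantee and is deliberately not matched.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<msg>.*)$"
)

# Authentication-failure messages treated as a brute-force indicator.
FAILURE_PATTERNS = [
    ("failed_password", re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("no_ident_string", re.compile(
        r"^Did not receive identification string from (?P<ip>\S+)")),
]


@dataclass
class Event:
    ts: str
    ip: str
    kind: str
    user: Optional[str]


@dataclass
class Summary:
    ip: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    users: set = field(default_factory=set)
    kinds: set = field(default_factory=set)


def parse_secure(text: str) -> list:
    """Extract sshd authentication-failure events; everything else is skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue  # kernel, cron, su, ... are not sshd evidence
        for kind, pat in FAILURE_PATTERNS:
            f = pat.match(m.group("msg"))
            if f:
                events.append(Event(m.group("ts"), f.group("ip"), kind,
                                    f.groupdict().get("user")))
                break
    return events


def summarize(events: list, threshold: int = 3) -> dict:
    """Group failures by source IP and keep only sources at or above threshold.

    The threshold is the false-positive control: one mistyped password is not
    an attack, a burst of failures across several usernames is.
    """
    by_ip = {}
    for ev in events:
        s = by_ip.setdefault(ev.ip, Summary(ip=ev.ip, first_seen=ev.ts))
        s.count += 1
        s.last_seen = ev.ts
        s.kinds.add(ev.kind)
        if ev.user:
            s.users.add(ev.user)
    return {ip: s for ip, s in by_ip.items() if s.count >= threshold}


def render_report(s: Summary) -> str:
    """Plain-text body for the abuse contact of s.ip (lookup left to the caller)."""
    return (
        f"Source {s.ip}: {s.count} sshd authentication failures "
        f"between {s.first_seen} and {s.last_seen}\n"
        f"  usernames tried: {', '.join(sorted(s.users)) or '(none)'}\n"
        f"  event types: {', '.join(sorted(s.kinds))}\n"
    )


if __name__ == "__main__":
    for summary in summarize(parse_secure(SAMPLE_LOG)).values():
        print(render_report(summary))
```

Run against the sample, only 203.0.113.7 clears the default threshold; the single failure from 198.51.100.22 (followed by a successful key login) and the spoofable kernel SYN entry produce no report, which is the distinction Bill's question turns on.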