Sadly, dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s experimenting with nmap for the first time then... we’ll end up exactly where we are - abuse contacts are not a reliable way to get in touch with anyone, and definitely not a reliable way to do so fast or with any reasonably large network. Please don’t clog the otherwise-useful system.

If you have trouble sleeping at night, I’d recommend the “PasswordAuthentication no” option in sshd_config.

Matt

> On Apr 28, 2020, at 23:22, Mukund Sivaraman <m...@mukund.org> wrote:
>
> Hi Matt
>
>> On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
>> DDoS, hijacker, botnet C&C, compromised hosts,
>> sufficiently-hard-to-deal-with phishing, etc are all things that carry
>> real risk to services that are otherwise well-maintained (primarily in
>> that many of the latter lead to the former). Nothing wrong with using
>> or monitoring fail2ban, but if you’re spamming abuse contacts in an
>> automated fashion (a pattern of misbehavior may be different) just
>> because of some scanning, I recommend you fire your CSO (or get one).
>
> It a fair game, that we the victim hosts should manually scan hundreds
> of reports generated due to traffic from automated bots from IP address
> block, so that things are easy for abuse@ contacts?
>
> I haven't come across a false positive report from our fail2ban
> instances on various servers (which it so far emails to our internal
> email address). It appears extremely unlikely for its reports to be
> false positives - its detection method by parsing logs is identical to
> what a human would manually do too.
>
> I wouldn't call emailing its reports automatically to an abuse contact
> as "spamming". It is exactly what a human would do, and
> programmers/sysadmins love to automate.
>
> If an abuse report is incorrect, then it is fair to complain.
>
> Mukund