1) Automation is your friend.

2) If a host is compromised and doing an SSH scan, it's likely going to also be attempting SMTP, WordPress, home router, etc. attacks. Use a canary to block that host altogether to better your network.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

----- Original Message -----

From: "Baldur Norddahl" <baldur.nordd...@gmail.com>
To: nanog@nanog.org
Sent: Saturday, December 26, 2015 9:19:15 AM
Subject: Re: de-peering for security sake

On 26 December 2015 at 16:09, Stephen Satchell <l...@satchell.net> wrote:

> On 12/26/2015 06:19 AM, Mike Hammett wrote:
>
>> How much is an acceptable standard to the community? Individual /32s
>> (or /64s)? Some tipping point where 50% of a /24 (or whatever its
>> IPv6 equivalent would be) has made your naughty list that you block
>> the whole prefix?
>>
>
> My gauge is volume of obnoxious traffic. When I get lots of SSH probes
> from a /32, I block the /32. When I get lots of SSH probes across a range
> of a /24, I block the /24.
>

Do you people have nothing better to do than scan firewall log files and
insert rules to block stuff that was already blocked by default?

Hint: if SSH probes spam your log then move your SSH service to a
non-standard port.

Regards,

Baldur
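Stephen's gauge (block the /32 when one host is noisy, block the /24 when the noise is spread across it) and Mike's "canary" point (a host probing SSH gets blocked for everything, not just SSH) combined into one automated policy, as an added example that is not part of this thread. The log lines are constructed to loosely resemble OpenSSH, Postfix SASL and web-server access-log failures; the thresholds, the regexes and the function names (`probes_by_source`, `decide_blocks`, `render_rules`) are my assumptions, not anything the posters described.

```python
"""Prefix-escalating block list from multi-service probe logs (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread). Three formats are mixed in:
# OpenSSH failed passwords, Postfix SASL failures, and wp-login.php POSTs.
SAMPLE_LOG = """\
sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 50234 ssh2
sshd[1203]: Failed password for invalid user oracle from 203.0.113.10 port 50240 ssh2
sshd[1205]: Failed password for root from 203.0.113.10 port 50251 ssh2
postfix/smtpd[884]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
postfix/smtpd[884]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure
203.0.113.10 - - "POST /wp-login.php HTTP/1.1" 200 4312
sshd[1210]: Failed password for invalid user test from 203.0.113.11 port 41002 ssh2
sshd[1211]: Failed password for invalid user admin from 198.51.100.5 port 33001 ssh2
sshd[1212]: Failed password for invalid user admin from 198.51.100.5 port 33002 ssh2
sshd[1213]: Failed password for invalid user admin from 198.51.100.6 port 33003 ssh2
sshd[1214]: Failed password for invalid user admin from 198.51.100.6 port 33004 ssh2
sshd[1215]: Failed password for invalid user admin from 198.51.100.7 port 33005 ssh2
sshd[1216]: Failed password for invalid user admin from 198.51.100.7 port 33006 ssh2
postfix/smtpd[885]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
sshd[1220]: Accepted publickey for alice from 192.0.2.20 port 52100 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One (service, regex) pair per assumed log format; group 1 is the source IP.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password .* from " + IPV4)),
    ("smtp", re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[" + IPV4
                        + r"\]: SASL \w+ authentication failed")),
    ("web", re.compile(r"^" + IPV4 + r' \S+ \S+ "POST /wp-login\.php')),
]


def probes_by_source(log_text):
    """Count probe events per source IP (string) across all services.

    Returns {ip: Counter({service: n})}. Successful logins are ignored.
    """
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        for service, pat in PATTERNS:
            m = pat.search(line)
            if m:
                per_host[m.group(1)][service] += 1
                break
    return per_host


def decide_blocks(log_text, host_threshold=5, prefix_min_hosts=3, prefix_len=24):
    """Return a sorted list of ip_network objects to block.

    Policy (assumed thresholds):
      * "canary": a host whose probes across ALL services reach host_threshold
        is blocked as a /32 for everything, so SSH evidence alone shuts the
        door on its SMTP and web attempts too.
      * escalation: a /prefix_len whose probes reach host_threshold from at
        least prefix_min_hosts distinct hosts is blocked whole, replacing any
        /32 entries inside it.
    """
    totals = {ip: sum(c.values()) for ip, c in probes_by_source(log_text).items()}

    per_prefix = defaultdict(list)
    for ip in totals:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[net].append(ip)

    blocks = set()
    for net, hosts in per_prefix.items():
        prefix_total = sum(totals[h] for h in hosts)
        if len(hosts) >= prefix_min_hosts and prefix_total >= host_threshold:
            blocks.add(net)          # noise spread across the range: block the /24
            continue
        for h in hosts:
            if totals[h] >= host_threshold:
                blocks.add(ipaddress.ip_network(h))   # single noisy host: /32
    return sorted(blocks)


def render_rules(blocks, chain="INPUT"):
    """Render decisions as iptables commands, one string per network (assumed syntax)."""
    return [f"iptables -I {chain} -s {net} -j DROP" for net in blocks]


if __name__ == "__main__":
    for rule in render_rules(decide_blocks(SAMPLE_LOG)):
        print(rule)
```

On the sample, 203.0.113.10 never reaches five SSH failures on its own, but its SSH, SMTP and wp-login attempts together do, so the whole host is dropped; 198.51.100.5, .6 and .7 each stay under the host threshold, yet together they trip the /24 rule, so one prefix rule replaces three host rules. A real deployment would add expiry for blocks and an allowlist for your own management ranges before feeding the output to a firewall.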