From: <li...@la...> - 2016-09-10 21:29:55
The data centers encourage "private links" since they get to sell more IP space. But the addresses can be anything on their ASN. http://stackoverflow.com/questions/13110386/ip-to-asn-mapping-algorithm I guess the reverse mapping is doable, but at what cost?

BTW, I've never had sshguard find any funny business in my maillog, and it is being read as far as I can tell. That said, I would never use the same table to block ssh and email. There can be legitimate email coming from the same IP that is doing a dictionary attack on port 22. Worse yet, the IP that is dictionary attacking your email can also have legitimate email users on it. Other than the rate limiter in postfix, I'm pretty much exposed to these attacks.

Now if sshguard detected an attack from postfix, it would make sense to block the IP from 22. That seems safe since the only way you would lock yourself out is if the attack came from behind your router, in which case you have real problems.

Original Message
From: Mark Chen
Sent: Saturday, September 10, 2016 1:27 PM
To: ssh...@li...
Subject: [SSHGuard-users] New Attack Signature

Just found this in my logs. Notice that the spammer alternates among several addresses within the same class B network (in this case, two different class Bs) in order to avoid detection. Any chance we could add a signature for this?

> Sep 10 19:11:00 smtp postfix/smtpd[27607]: connect from unknown[182.38.196.133]
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: lost connection after AUTH from unkno