[Tfug] OT: Reporting Network Abuse?
Felix Tilley
fetilley at earthlink.net
Mon Jun 25 20:30:03 MST 2007
----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 24 Jun 2007 13:26:37 -0700
> From: "Christopher Robbins" <robbinsc at gmail.com>
> Subject: [Tfug] OT: Reporting Network Abuse?
> To: "Tucson Free Unix Group" <tfug at tfug.org>
> Message-ID:
> <252d26630706241326t57b76369lb2cfb4a8f4a310e at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I've opened up one of my boxes to the internet, and I've got the system
> locked down as much as possible. However, having SSH access
> is nice, so I've opened it up. I've thought about using a different
> port...
>
> In leaving SSH open, I've noticed a ton of failed login attempts, like this
> -
>
> # vi /var/log/messages
> ...
> Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification
> string from 58.61.157.137
> Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from
> 58.61.157.137
> Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from
> 58.61.157.137
> Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
> Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from
> 58.61.157.137
> Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from
> 58.61.157.137
> Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from
> 58.61.157.137
> ...
>
> My question is - is it worth it to report the box to abuse at domain? Does
> anything get done?
> I called RoadRunner the other day, and they had an automated message that
> demanded an email
> with all relevant logs/etc before they'd think about doing anything.
>
> Thoughts?
>
>
It is no use complaining to China about network abuse.
Firewall the whole CIDR range, especially if it is in China. Use
arin.net to get the CIDR range. This is an example:
whoarin 58.61.157.13
inetnum: 58.60.0.0 - 58.63.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed at apnic.net 20050816
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam at ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy at cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: ipadm at gddc.com.cn
address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone: +86-20-83877223
fax-no: +86-20-83877223
country: CN
changed: ipadm at gddc.com.cn 20040902
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam
complaint to abuse at gddc.com.cn
source: APNIC
#!/bin/bash
#@(#) IPTables Firewall and Logger
#@(#) Must be run by root
#@(#) 09 JUN 2007
# On Suse 10.1, IPtables logs to /var/log/firewall. On other
# systems, it may log to /var/log/messages or /var/log/syslog.
# It always logs to a file in /var/log.
# Report the previous run, if the timestamp file exists.
[ -f /tmp/iptables.txt ] && echo "Iptables was last invoked at $(cat /tmp/iptables.txt)"
# LOGDROP chain: log the packet at syslog level 4 (warning), then drop it.
# "-N" fails if the chain already exists, so flush it instead of recreating it.
/usr/sbin/iptables -N LOGDROP 2>/dev/null || /usr/sbin/iptables -F LOGDROP
/usr/sbin/iptables -A LOGDROP -j LOG --log-level 4
/usr/sbin/iptables -A LOGDROP -j DROP
## Crap from China CNC Group CHINA169 Fujian Province Network 30 OCT 2006
/usr/sbin/iptables -A INPUT -s 58.22.0.0/16 -j LOGDROP
# CNC Group CHINA169 Hubei Province Network
/usr/sbin/iptables -A INPUT -s 58.19.0.0/16 -j LOGDROP
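The two steps in the reply above (look up the registry range for the attacking address, then feed that range to the LOGDROP chain) can be automated. The following is an added example, not code from this thread or from either poster. It counts failed sshd connections per source address from syslog-style lines, converts a registry "inetnum" range such as the 58.60.0.0 - 58.63.255.255 block shown in the whois output into the minimal set of CIDR blocks, and emits the same iptables commands the posted script uses. The log lines are constructed in the style of the ones quoted in the question; the threshold of five failures, the 192.0.2.10 address and the function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on the sshd lines quoted in the original question.
# The 192.0.2.10 "Accepted publickey" line is an assumed legitimate login for contrast.
SAMPLE_LOG = """\
Jun 24 03:39:12 linux-x8yr sshd[13530]: Did not receive identification string from 58.61.157.137
Jun 24 03:45:42 linux-x8yr sshd[13553]: Invalid user fluffy from 58.61.157.137
Jun 24 03:45:46 linux-x8yr sshd[13555]: Invalid user admin from 58.61.157.137
Jun 24 03:45:48 linux-x8yr sshd[13557]: Invalid user test from 58.61.157.137
Jun 24 03:45:50 linux-x8yr sshd[13559]: Invalid user guest from 58.61.157.137
Jun 24 03:45:56 linux-x8yr sshd[13561]: Invalid user webmaster from 58.61.157.137
Jun 24 03:46:03 linux-x8yr sshd[13565]: Invalid user oracle from 58.61.157.137
Jun 24 04:10:11 linux-x8yr sshd[13600]: Accepted publickey for chris from 192.0.2.10 port 51234 ssh2
"""

# The two failure shapes that appear in the quoted log: an unknown user name,
# and a connection that never sent an SSH identification string (a scanner probe).
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<user>\S+) from"
    r"|Did not receive identification string from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return {source_ip: number of failed or aborted sshd connections}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def offenders(log_text, threshold=5):
    """Source addresses with at least `threshold` failures (threshold is an assumed policy)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def inetnum_to_cidrs(inetnum):
    """Convert a registry range 'a.b.c.d - w.x.y.z' into the minimal list of CIDR blocks.

    Registry ranges are not always aligned to a single prefix, so this may return
    several blocks; iptables needs one -s rule per block.
    """
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def iptables_rules(cidrs, chain="LOGDROP"):
    """Emit the iptables commands: a log-then-drop chain, plus one INPUT rule per block."""
    rules = [
        f"/usr/sbin/iptables -N {chain}",
        f"/usr/sbin/iptables -A {chain} -j LOG --log-level 4",
        f"/usr/sbin/iptables -A {chain} -j DROP",
    ]
    rules.extend(f"/usr/sbin/iptables -A INPUT -s {cidr} -j {chain}" for cidr in cidrs)
    return rules


if __name__ == "__main__":
    # Walk the sample: find the offending address, then block the registry range
    # that the whois lookup in the thread returned for it.
    print("offenders:", offenders(SAMPLE_LOG))
    blocks = inetnum_to_cidrs("58.60.0.0 - 58.63.255.255")
    print("\n".join(iptables_rules(blocks)))
```

Blocking a registry allocation this way drops every host in the provider's range, legitimate ones included, so it is a trade-off for a personal box rather than a general answer; the per-address counts from count_failures are also the evidence an abuse desk asks for if you do decide to report.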