by ajp11 1387 days ago
Fail2ban blocked 1087 ip addresses in the last week, which seems normal.

I reset it and it has blocked eleven ip addresses in the last hour, mainly China and Digital Ocean as usual.

Just to see what happens, I've tried sending abuse reports about ssh brute force, vnc brute force and phishing sites, by the standard method of doing a whois lookup on the ip for the abuse email address.

Some server and web hosting companies take the inconvenient approach of having an email auto-reply that says "we ignore all emailed abuse reports, you must use this web form", sometimes requiring a captcha.

When I reported a load of boxes attempting brute force logins, most complaints disappeared into the void.

I got a few responses from virtual server providers saying "no response from the customer after two weeks so we shut down the box" and one CC:ed email that appeared to be from an end user saying "we have reinstalled the box and changed the password."

5 comments

I had a DigitalOcean droplet running Selenium grid that I didn't secure properly. I got an email that Sony Entertainment had reported my IP for botting login attempts in the Playstation store. I think I had 48 hours to respond to DigitalOcean.

Shut down Selenium right away, checked the logs, yep someone had taken over my selenium grid. It was just a small personal project on a server I had forgotten was still running, but at least they took reports seriously when my account was causing things.

Honestly, I don't understand why people make reporting abuse so hard/labour-intensive.

It is trivial to record netflow data (and most networks do that already), and then verify incoming abuse reports against those records.
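As an added illustration of the check the comment above describes (not code from the thread or from any provider): given flow records and an abuse report, look for flows from the reported address to the reporter's host and port around the reported time. The flow records, addresses and thresholds below are constructed for the example; real NetFlow export has more fields and a collector in front of it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, reduced to the NetFlow fields we need."""
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


@dataclass(frozen=True)
class AbuseReport:
    reported_ip: str   # the address the reporter blames (one of our customers)
    target_ip: str     # the reporter's own host
    target_port: int   # e.g. 22 for SSH brute force, 5900 for VNC
    when: datetime     # timestamp given in the report; must carry a timezone
    attempts: int      # number of connection attempts the reporter claims


@dataclass(frozen=True)
class Verdict:
    confirmed: bool
    matching_flows: int
    distinct_source_ports: int
    packets: int


UTC = timezone.utc


def _canon(ip: str) -> str:
    # Canonicalise so "2001:0db8::1" and "2001:db8::1" compare equal, and so
    # a malformed address in a report is rejected up front (ValueError).
    return str(ip_address(ip))


def corroborate(report: AbuseReport, flows, window=timedelta(minutes=10),
                min_flows=3) -> Verdict:
    """Check a report against our own flow records.

    The report is confirmed when, within +/- `window` of the reported time,
    we saw at least `min_flows` flows from the reported address to the
    reporter's host and port. Both thresholds are assumptions for this example.
    """
    if report.when.tzinfo is None:
        # A timestamp without a timezone cannot be matched reliably; bounce it
        # back to the reporter rather than guessing.
        raise ValueError("abuse report timestamp must include a timezone")
    src, dst = _canon(report.reported_ip), _canon(report.target_ip)
    when = report.when.astimezone(UTC)

    hits = [
        f for f in flows
        if _canon(f.src) == src
        and _canon(f.dst) == dst
        and f.dport == report.target_port
        and abs(f.start.astimezone(UTC) - when) <= window
    ]
    return Verdict(
        confirmed=len(hits) >= min_flows,
        matching_flows=len(hits),
        distinct_source_ports=len({f.sport for f in hits}),
        packets=sum(f.packets for f in hits),
    )


def _t(h, m, s):
    return datetime(2021, 3, 12, h, m, s, tzinfo=UTC)


# Constructed flow records using documentation-range addresses; not real data.
SAMPLE_FLOWS = [
    Flow(_t(12, 0, 1), "203.0.113.10", 51000, "198.51.100.5", 22, 12),
    Flow(_t(12, 0, 2), "203.0.113.10", 51001, "198.51.100.5", 22, 11),
    Flow(_t(12, 0, 4), "203.0.113.10", 51002, "198.51.100.5", 22, 12),
    Flow(_t(12, 0, 3), "203.0.113.10", 51003, "198.51.100.5", 443, 30),  # wrong port
    Flow(_t(9, 0, 0), "203.0.113.10", 50001, "198.51.100.5", 22, 12),    # outside window
    Flow(_t(12, 0, 5), "203.0.113.11", 51004, "198.51.100.5", 22, 12),   # other customer
]

# Constructed reports: one that the flows back up, one that they do not, and
# one with a naive timestamp that should be refused.
SSH_REPORT = AbuseReport("203.0.113.10", "198.51.100.5", 22, _t(12, 0, 0), 3)
BOGUS_REPORT = AbuseReport("203.0.113.12", "198.51.100.5", 22, _t(12, 0, 0), 50)
NAIVE_REPORT = AbuseReport("203.0.113.10", "198.51.100.5", 22,
                           datetime(2021, 3, 12, 12, 0, 0), 3)

if __name__ == "__main__":
    print(corroborate(SSH_REPORT, SAMPLE_FLOWS))
    print(corroborate(BOGUS_REPORT, SAMPLE_FLOWS))
```

The point of the canonicalisation and the timezone check is that most of the effort in handling real reports is in the report's own sloppiness (local times without a zone, odd IPv6 spellings) rather than in the flow lookup itself.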

Because processing abuse tickets is hard and labor intensive. If reporting abuse to a host led to shutdowns as swiftly as YouTube DMCA it would become a denial of service attack method. Or the abuse ticket queue would be flooded and it would take even longer to cut off bad actors. Cloud services are notorious for abuse traffic. If they were required to raise KYC requirements it might mean the end of $5/mo. VPS. Finally hosting services have an inherent conflict of interest between making money selling service and cancelling someone's account for abuse.
the counterpoint is that the antagonists can abuse the reporting mechanisms, so some friction is necessary
is there a chance of forming some kind of a community fail2ban blocklist? I guess trusting the contributors and admins is the hard part here and that’s why spam lists are a double edged sword?
As someone else mentions, CrowdSec can do just that. It's FOSS and can act as a modern Fail2Ban replacement that can detect all sorts of attacks - in this case ssh bruteforce/slow brute force attacks - and shares very basic information about those attacks (source ip, timestamp, which attack) with everyone else. So in that way everybody using CrowdSec is helping each other out. More information at https://crowdsec.net. Disclaimer: I am head of community at CrowdSec so feel free to ask me any questions you may have here or join our Discord at https://dicord.gg/crowdsec.
Thank you! super cool! how do you solve the trust issue? (e.g. someone reporting their competitor ips as attackers, or whitelisting false positives/appeals)
The CrowdSec folks have something similar to that:

https://crowdsec.net/ https://github.com/crowdsecurity/crowdsec

Peter Hessler had an interesting system where the blacklists were distributed via BGP. It sounds weird at first but the more I think about it the more it makes sense. Delivering routes (or in this case anti-routes) is BGP's core mission.

Unfortunately he shut down his BGP spam route sender last year.

http://www.bgp-spamd.net/

That's basically what DNS RBLs are.
Well that and sane people just disable password auth. fail2ban is a 90s sysadmin solution to a nonexistent problem.
Fail2Ban can do more than SSH. Any log that can be parsed and has a useful remote IP can work.

I have it scanning my Ubiquiti NVR logs, I modified Tomcat to log the remote IP from my reverse proxy. If anyone tries to log into my NVR three times then Fail2Ban adds the IP to a permanent blocklist on my OPNsense firewall and then HAProxy kills the TCP connection. They can't even ping after that.

IP reputation is a problem wider than just SSH password brute-forcing - see HTTP(S) brute-force example elsewhere in this thread.
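An added example of the kind of filter the comment above describes, written for this page rather than taken from the commenter's setup or from Fail2Ban itself: it parses access-log lines where the first field is the client address the reverse proxy passed in X-Forwarded-For, counts 401s on a login endpoint per address, and "bans" after three failures inside a sliding window, with the usual ignoreip treatment for private ranges. The log lines, the login path and the window sizes are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Access-log line as it would look if Tomcat's AccessLogValve pattern began
# with %{X-Forwarded-For}i instead of %h. The header may carry several
# comma-separated hops; the regex captures all of them.
LINE_RE = re.compile(
    r'^(?P<xff>[0-9A-Fa-f.:]+(?:,\s*[0-9A-Fa-f.:]+)*) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The matching Fail2Ban filter would be roughly (assumed, not from the page):
#   failregex = ^<HOST> \S+ \S+ \[.*\] "POST /api/auth/login[^"]*" 401
# The class below reimplements the maxretry/findtime bookkeeping so it runs here.


class FailedLoginBanner:
    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 login_path="/api/auth/login",
                 ignoreip=("127.0.0.0/8", "10.0.0.0/8",
                           "172.16.0.0/12", "192.168.0.0/16")):
        self.maxretry = maxretry
        self.findtime = findtime
        self.login_path = login_path
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> failure times inside findtime
        self.banned = {}                      # ip -> time of ban

    def _ignored(self, ip):
        return any(ip_address(ip) in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = LINE_RE.match(line)
        if not m:
            return None
        if (m["method"] != "POST" or not m["path"].startswith(self.login_path)
                or m["status"] != "401"):
            return None
        # Use the first hop only. This is safe only if the proxy *overwrites*
        # X-Forwarded-For with the real peer address (HAProxy: http-request
        # set-header X-Forwarded-For %[src]); if it merely appends, a client
        # can put any address here and have it banned on their behalf.
        ip = m["xff"].split(",")[0].strip()
        try:
            if self._ignored(ip) or ip in self.banned:
                return None
        except ValueError:
            return None   # unparsable address: never ban on garbage
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            window.clear()
            return ip
        return None


def scan_log(text, maxretry=3, findtime_minutes=10):
    """Run the whole log through a banner; return IPs in the order they got banned."""
    banner = FailedLoginBanner(maxretry=maxretry,
                               findtime=timedelta(minutes=findtime_minutes))
    return [ip for ip in (banner.feed(l) for l in text.splitlines()) if ip]


# Constructed sample log (documentation-range addresses, invented timestamps):
# .7 fails three times in seconds, 192.168.1.10 fails three times but is a
# LAN address, .9 fails three times spread over an hour.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "POST /api/auth/login HTTP/1.1" 401 57
203.0.113.7 - - [12/Mar/2021:10:00:03 +0000] "POST /api/auth/login HTTP/1.1" 401 57
198.51.100.20 - - [12/Mar/2021:10:00:04 +0000] "POST /api/auth/login HTTP/1.1" 200 412
203.0.113.7 - - [12/Mar/2021:10:00:05 +0000] "POST /api/auth/login HTTP/1.1" 401 57
192.168.1.10 - - [12/Mar/2021:10:00:06 +0000] "POST /api/auth/login HTTP/1.1" 401 57
192.168.1.10 - - [12/Mar/2021:10:00:07 +0000] "POST /api/auth/login HTTP/1.1" 401 57
192.168.1.10 - - [12/Mar/2021:10:00:08 +0000] "POST /api/auth/login HTTP/1.1" 401 57
203.0.113.9 - - [12/Mar/2021:10:00:09 +0000] "POST /api/auth/login HTTP/1.1" 401 57
203.0.113.9 - - [12/Mar/2021:10:30:00 +0000] "POST /api/auth/login HTTP/1.1" 401 57
203.0.113.9 - - [12/Mar/2021:11:00:00 +0000] "POST /api/auth/login HTTP/1.1" 401 57
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(scan_log(SAMPLE_LOG, findtime_minutes=120))
```

With the default 10-minute window only 203.0.113.7 is banned; widening findtime to two hours also catches the slow attempts from 203.0.113.9, which is the trade-off the thread's mention of "slow brute force" is about. The X-Forwarded-For caveat in the comment matters more than the thresholds: a filter that trusts a client-supplied first hop turns the ban action into a way to knock arbitrary addresses off your service.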
Perhaps VPS providers should monitor for things like huge volumes of outgoing SSH login attempts, the same way they monitor for crypto mining.
I am genuinely surprised that the virtual server providers responded meaningfully to the abuse complaints and took action. Good job reporting the scum.
Doesn't fail2ban have an option that will automatically send out abuse complaints for you?
There's something ironic about that.

A bot tries to mass ssh login on entire subnets.

A bot on one machine blocks the first bot and notified their hosting provider.

A bot on the hosting provider responds with a web form for reporting abuse.

A bot tries to fill out the web form, but is hit with a captcha.

It's bots all the way down!
Same kind of numbers on my main host - 1325 the last 7 days, 1125 the 7 before that. Bloody annoying.