Ron Guilmet on 6 Sep 2018 09:08:33 -0700 |
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban... |
When it comes to an email server they are very protective. For example, I can't set up an email server, and have it running tonight. I have to fill out all kinds of forms showing how I intend to handle spam, and it has to be approved before they will lift the SMTP restrictions that every EC2 instance comes with.
Why don't they hire more people to respond faster? That is just their business model. Even customers don't get a response. They kinda take the Red Hat approach. If you want faster response, you need to part with a few grand a month for an SLA. Even if I have issues, I have to go to the forums. I had a billing question last week, and it took three days to get back to me. I feel they can do better seeing that they have the money.
If I can, let me use a local construction company as an example. There is a construction company on 95 that is supposed to put up precautions to keep their runoff debris from damaging cars parked under the highway. The precautions cost over a million dollars, I forget the actual number, to put in place. They don't put them in place. They gamble rather. If five, six thousand dollar auto claims come in, they still saved a lot of money.
So it's not hard from a bottom-line point of view to see why they are not proactive.
Is there a way to get IPs that are not involved in email spam penalized? If you could penalize the IPs would that help seeing how they are protective of that when it comes to email servers?

Ron

On 09/06/2018 08:21 AM, Rich Kulawiec wrote:
> On Fri, Aug 31, 2018 at 05:33:41PM -0400, Fred Stluka wrote:
> > You may have blocked all of AWS a little too long, and gotten to be out of date.
>
> Nope. This is current experience. (a) I don't block all of them from everything and (b) even when I do block them, I log the attempts for research purposes. This furnishes me with ongoing data as observed at a variety of locations.
>
> > From my experience, very few attacks currently come from AWS, and when they do, I report them. Within a couple days I get a reply from AWS saying it's been investigated and dealt with, and the attacks from that IP address stop.
>
> There's a lot to unpack here, so bear with me, please.
>
> First, attacks as observed at any one service/host/network/ASN/etc. may differ sharply from attacks observed at another. (The reasons why constitute a much longer discussion.) So both your observations and my observations may both be accurate simultaneously.
>
> Second, while I've singled out AWS for particular criticism, they're by no means the only incompetent/negligent/hostile operation out there. Digital Ocean is just as bad. So is Psychz. So is Volia. So are others.
>
> Third, part of the reason that I've singled out AWS is that they're one of the wealthiest operations on the planet. Amazon's now valued at $1 trillion. They could afford to staff a 100-person 24x7 response desk that provided individual/personal responses within the hour in a dozen languages without even noticing the missing pocket change. Yet that's not what happens.
>
> Fourth, "days" is unacceptable. "Minutes" is acceptable. See previous paragraph.
>
> Fifth, and this could be a much longer discussion, so I'll just mention it: abuse control gets easier the larger the scale. I'm putting that in here because sometimes people try to use the size of an operation as an excuse for their incompetence. So, given their size, and given their wealth, they should be the absolute best on the planet at this. They should be the ones that everyone else is trying to catch up to. But they're not.
>
> Sixth, let's accept for a moment that your experience reflects their overall responsiveness (even though it doesn't match my experience). Why did this happen? To be clear, what I'm asking is why wasn't their performance this good to begin with? They have essentially unlimited financial and personnel resources. They started AWS after the time that abuse/attacks were rampant, well-documented, often-discussed, and thus they should have known that these would be a problem because everyone with a pulse knew they were a problem. They allegedly hire smart and clueful people. Why didn't they design and build and operate with this in mind?
>
> Seventh, let's examine this from another (but related) viewpoint. Why is this even necessary? Why aren't they pro-actively stopping the abuse before it's necessary for you (or me, or anyone else) to file a report? After all, if we can see it arriving, then they can just as easily see it leaving. Why aren't they looking for it and taking prompt remedial action before any of us have to even lift a finger? And to take it a step further, having observed this over and over and over again, why haven't they taken action to stop it permanently? Anybody competent and responsible, on observing these myriad repeated patterns, would have long since figured out how to prevent most of it from ever escaping their operation. The only attacks/abuse we should ever see should be ones that are new/novel, and even those should stop rather quickly.
>
> ---rsk
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug