Fred Stluka on 6 Sep 2018 11:48:57 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


Rich,

> (a) I don't block all of them from everything

I'm glad to hear you're not blocking all of AWS.  As I said, that
seems extreme and somewhat crude (sledge hammer to swat
a mosquito).  Especially to me, since my servers are hosted at
AWS.


> (b) even when I do block them, I log the attempts
> for research purposes.  This furnishes me with ongoing data as observed
> at a variety of locations.
How do you log them, if you've simply blocked all connection
attempts via the iptables firewall?  Are you using iptables
logging?  If so, do you have any problems with log file size?
Have you had to update logrotate to rotate/compress/delete
more often?  If you keep your logs on a central server, is the
additional logging traffic enough to be an issue?


> Why is this even necessary?  Why aren't they pro-actively stopping the
> abuse before it's necessary for you (or me, or anyone else) to file
> a report?  After all, if we can see it arriving, then they can just
> as easily see it leaving.  Why aren't they looking for it and taking
> prompt remedial action before any of us have to even lift a finger?

Good points!  I agree with all 7 of your arguments.

Yes, AWS could, and probably should, be doing a lot more.  I
agree that they ought to be able to detect patterns in outgoing
traffic from the virtual servers they host.

Do you know of an IaaS service that does a good job at this?
You've dinged AWS, and now a few others, but who WOULD you
recommend?  Anyone doing it right?  Or at least noticeably
better?

Is there any downside to that for them?  Seems like it could be
a great PR move for them -- to be able to advertise that they'll
detect malicious outgoing traffic from the servers they host, and
inform the owners that they've been hacked.  At worst, they'd
lose business from hackers who set up servers only for use in
doing attacks.

It wouldn't have to be overly intrusive.  Privacy advocates (like
me, and probably you) should have no objection to scans that
detect repetitive login attempts and failures.  Wouldn't require
scanning emails, file transfers, login sessions, or any other
significant content.

BTW, I know that SSH is encrypted, but I assume there's a way to
detect failed logins at least, without having to decrypt anything.
Wouldn't need (or even want) to know the attempted username
or password -- just that a connection attempt failed.  Any
technical obstacle here?

If not, we should all lobby AWS and the others you cite to do a
better job of this.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------
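As an added example that is not part of either post: one way to do the iptables logging Fred asks about (LOG before DROP, rate-limited so a blocked network cannot flood the log) and to turn the resulting kernel log lines into per-IP counts, using the raw address rather than a hostname as the thread subject suggests. The chain name BLOCKED_NETS, the log prefix "PLUG-DROP: ", the limit values and the sample log lines are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from either poster: the iptables LOG-then-DROP
# pattern, rate-limited so a blocked network cannot fill the disk, plus a
# summariser that counts attempts per SRC= address. The chain name
# BLOCKED_NETS, the prefix "PLUG-DROP: " and the limit values are assumptions.

# Print rules in iptables-restore format for review before loading.
# Arguments: CIDR prefixes to block (the caller chooses them).
blocked_net_rules() {
    printf '%s\n' '*filter' ':BLOCKED_NETS - [0:0]' '-A INPUT -j BLOCKED_NETS'
    for net in "$@"; do
        # limit match: at most 10 log lines/min (burst 20) per blocked net,
        # so the LOG rule stays useful for research without flooding the log.
        printf '%s\n' "-A BLOCKED_NETS -s $net -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"PLUG-DROP: \" --log-level 4"
        printf '%s\n' "-A BLOCKED_NETS -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Read kernel log lines on stdin, keep only our prefix, count per SRC= address
# and print "count ip", busiest first. Only the raw IP is used: no reverse
# lookup, which is what fail2ban-style tooling wants.
drop_summary() {
    grep 'PLUG-DROP: ' | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample of kern.log output (RFC 5737 documentation addresses,
# not real traffic); the sshd line shows that unrelated lines are ignored.
SAMPLE_LOG='Sep  6 11:48:57 host kernel: PLUG-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN
Sep  6 11:49:01 host kernel: PLUG-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=22 SYN
Sep  6 11:49:03 host kernel: PLUG-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=40000 DPT=22 SYN
Sep  6 11:49:05 host sshd[123]: Accepted publickey for fred from 192.0.2.20 port 5000 ssh2'

# Usage when run directly: print the rules, then summarise the sample.
blocked_net_rules 203.0.113.0/24 198.51.100.0/24
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On a real host the printed rules load with `iptables-restore -n` and the summariser reads /var/log/kern.log or `journalctl -k`; the limit match keeps the volume small enough that the distribution's standard logrotate stanza for kern.log normally suffices.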

On 9/6/18 8:21 AM, Rich Kulawiec wrote:
On Fri, Aug 31, 2018 at 05:33:41PM -0400, Fred Stluka wrote:
> You may have blocked all of AWS a little too long, and gotten
> to be out of date.
Nope.  This is current experience.  (a) I don't block all of them
from everything and (b) even when I do block them, I log the attempts
for research purposes.  This furnishes me with ongoing data as observed
at a variety of locations.

> From my experience, very few attacks currently come from AWS,
> and when they do, I report them.  Within a couple days I get a
> reply from AWS saying it's been investigated and dealt with, and
> the attacks from that IP address stop.
There's a lot to unpack here, so bear with me, please.

First, attacks as observed at any one service/host/network/ASN/etc.
may differ sharply from attacks observed at another.  (The reasons
why constitute a much longer discussion.)  So both your observations
and my observations may both be accurate simultaneously.

Second, while I've singled out AWS for particular criticism, they're
by no means the only incompetent/negligent/hostile operation out there.
Digital Ocean is just as bad.  So is Psychz.  So is Volia.  So are others.

Third, part of the reason that I've singled out AWS is that they're one
of the wealthiest operations on the planet.  Amazon's now valued at $1
trillion.  They could afford to staff a 100-person 24x7 response desk
that provided individual/personal responses within the hour in a dozen
languages without even noticing the missing pocket change.  Yet that's
not what happens.

Fourth, "days" is unacceptable.  "Minutes" is acceptable.  See previous
paragraph.

Fifth, and this could be a much longer discussion, so I'll just mention it:
abuse control gets easier the larger the scale.  I'm putting that
in here because sometimes people try to use the size of an operation
as an excuse for their incompetence.  So, given their size,
and given their wealth, they should be the absolute best on the
planet at this.  They should be the ones that everyone else is trying
to catch up to.  But they're not.

Sixth, let's accept for a moment that your experience reflects their
overall responsiveness (even though it doesn't match my experience).
Why did this happen?

To be clear, what I'm asking is why wasn't their performance this good
to begin with?  They have essentially unlimited financial and
personnel resources.  They started AWS after the time that abuse/attacks
were rampant, well-documented, often-discussed, and thus they should
have known that these would be a problem because everyone with a pulse
knew they were a problem.  They allegedly hire smart and clueful people.
Why didn't they design and build and operate with this in mind?

Seventh, let's examine this from another (but related) viewpoint.

Why is this even necessary?  Why aren't they pro-actively stopping the
abuse before it's necessary for you (or me, or anyone else) to file
a report?  After all, if we can see it arriving, then they can just
as easily see it leaving.  Why aren't they looking for it and taking
prompt remedial action before any of us have to even lift a finger?

And to take it a step further, having observed this over and over
and over again, why haven't they taken action to stop it permanently?
Anybody competent and responsible, on observing these myriad repeated
patterns, would have long since figured out how to prevent most of it
from ever escaping their operation.  The only attacks/abuse we should
ever see should be ones that are new/novel, and even those should
stop rather quickly.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug