I have a small little virtual server that I use for email and what not *cloud* *cough*. I set up fail2ban to monitor ssh and I get the usual flood of alert emails. I'm not too alarmed by the internet background noise, but want to know if there is something productive to do with the notifications.
Here is what I have been doing - If the domain registry looks like it is from the Western world, I have been forwarding them to the abuse email address. However, most of the notifications I have been getting are from China, Vietnam, Russia, and China. Those, I just let go, although I don't really have a rhyme or reason. If I see a persistent attempt (my ban time is 12 hours), I will permanently ban the whole address range associated with the IP address. Yup, I don't just ban one bad server, I ban the whole farm.
Is there a best practice? Should I forward these to the abuse email? Notify the White House? Petition the FCC?
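An added example, not part of the post above, of how to turn the flood of per-ban notifications into something actionable: it parses fail2ban's own `Ban` log lines, flags hosts that came back after a ban expired (the poster's "persistent attempt", using the 12-hour ban time as the threshold), groups banned hosts by /24 so the "whole farm" decision rests on how many distinct hosts actually hit you, and renders a timestamped summary suitable for forwarding to an abuse contact. The log lines are constructed for the example (RFC 5737 documentation addresses), and the report's timezone label is an assumption you would set to match the server's clock.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample fail2ban log lines (not from the post). fail2ban's
# default format: "<date> <time>,<ms> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>"
SAMPLE_LOG = """\
2024-03-01 01:12:07,411 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-01 03:40:19,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 13:15:52,870 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-01 14:02:33,120 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.46
2024-03-02 02:01:11,555 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-02 09:30:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
"""

# Matches only Ban events; Unban and other log levels are deliberately ignored.
BAN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*NOTICE\s+\[(\S+)\] Ban (\S+)$"
)


def parse_bans(text):
    """Return a list of (timestamp, jail, ip) for every Ban line in the log text."""
    events = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def ban_counts(text):
    """How many times each IP was banned; a count above 1 means it returned after an unban."""
    counts = defaultdict(int)
    for _, _, ip in parse_bans(text):
        counts[ip] += 1
    return dict(counts)


def persistent_offenders(text, bantime=timedelta(hours=12), min_bans=2):
    """IPs banned at least `min_bans` times whose bans span at least one full ban period.

    fail2ban only re-bans an address after the previous ban has expired, so a second
    Ban for the same IP after `bantime` is direct evidence it came back.
    """
    first_last = {}
    for ts, _, ip in parse_bans(text):
        lo, hi, n = first_last.get(ip, (ts, ts, 0))
        first_last[ip] = (min(lo, ts), max(hi, ts), n + 1)
    return sorted(
        ip for ip, (lo, hi, n) in first_last.items()
        if n >= min_bans and hi - lo >= bantime
    )


def noisy_networks(text, prefix=24, min_hosts=2):
    """Group banned IPs by /prefix and keep networks with at least `min_hosts` distinct hosts.

    This is the data behind a range-wide block: one host in a /24 is not a "farm".
    """
    hosts = defaultdict(set)
    for _, _, ip in parse_bans(text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts[str(net)].add(ip)
    return {net: sorted(ips) for net, ips in hosts.items() if len(ips) >= min_hosts}


def abuse_report(ip, text, tz_label="UTC"):
    """Plain-text summary of one IP's ban events, with the timezone an abuse desk needs.

    tz_label is an assumption: fail2ban logs in the server's local time, so set it
    to whatever the host clock actually runs on.
    """
    events = [(ts, jail) for ts, jail, addr in parse_bans(text) if addr == ip]
    lines = [
        f"Abuse report for {ip}: {len(events)} fail2ban ban(s) on this host",
        f"Times are {tz_label}.",
    ]
    for ts, jail in events:
        lines.append(f"  {ts:%Y-%m-%d %H:%M:%S} {tz_label}  jail={jail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("ban counts:", ban_counts(SAMPLE_LOG))
    print("persistent:", persistent_offenders(SAMPLE_LOG))
    print("networks with 2+ banned hosts:", noisy_networks(SAMPLE_LOG))
    print(abuse_report("203.0.113.45", SAMPLE_LOG))
```

Run it against `/var/log/fail2ban.log` by reading the file into `text` instead of `SAMPLE_LOG`; only `persistent_offenders` hits are worth a permanent rule or an abuse message, and `noisy_networks` tells you whether a /24 block is justified or would just take out one noisy host's neighbours.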