Tip: Use IFTTT + CSF to fire off automatic abuse complaints
Posted: 28 Feb 2014, 15:42
Lately I've been seeing a lot of botnet activity, so I set up a few IFTTT recipes to fire off emails to abuse departments of major dedicated & cloud hosting providers whenever their IPs get blocked by CSF / LFD.
The rules are basically as follows: If new email from search from:root@[myserver] lfd blocked softlayer OR theplanet, then forward email to abuse@softlayer and append the message
"SoftLayer Abuse Department,
Below is a copy of our firewall's logging of intrusion attempts from one of your IP addresses to my server (x.x.x.x). Please take action to prevent further activity from this IP. Note that all times are in [my time zone]. If you need any further information please let me know."
I set up similar recipes for "lfd blocked secureserver" to email abuse@godaddy,
"lfd blocked ovh" to email abuse@ovh and "lfd blocked amazonaws" to email ec2-abuse@amazon
I also set up the recipes to CC me, and I show that they've each been triggered a few times each day without any false positives. I chose only major hosts because of the volume of exploited servers being used to try to brute-force attack my server, and because I know my customers won't be trying to access my server from those services.
Hopefully this helps those providers shut down / clean up their compromised servers more quickly.
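The same routing logic as the IFTTT recipes above, as an added example that is not part of the original post: it parses one LFD block alert, maps the reverse-DNS name to the provider's abuse mailbox, and builds the complaint. The alert subject shape, the mailbox shorthand (copied from the post, not real addresses) and the sample alert are assumptions.

```python
import re
from typing import Optional

# Provider keyword -> abuse mailbox, in the shorthand used in the post;
# replace each right-hand side with the provider's published abuse address.
ABUSE_CONTACTS = {
    "softlayer": "abuse@softlayer",
    "theplanet": "abuse@softlayer",
    "secureserver": "abuse@godaddy",
    "ovh": "abuse@ovh",
    "amazonaws": "ec2-abuse@amazon",
}

# Assumed LFD alert subject: "lfd on HOST: blocked IP (CC/Country/rDNS)".
# Check the subject line your CSF/LFD version produces and adjust if needed.
SUBJECT_RE = re.compile(
    r"lfd on \S+: blocked (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\([^/)]*/[^/)]*/(?P<rdns>[^)]*)\)"
)


def provider_mailbox(rdns: str) -> Optional[str]:
    """Map an rDNS name to an abuse mailbox, or None if it is not a listed host.

    Matching is on whole hostname labels rather than substrings, so a name
    like 'ovh-fan.example.net' does not trigger the OVH rule. A PTR record is
    set by whoever holds the IP, so this only routes the report; it proves
    nothing about who is behind the traffic.
    """
    for label in rdns.lower().split("."):
        if label in ABUSE_CONTACTS:
            return ABUSE_CONTACTS[label]
    return None


def build_complaint(subject: str, body: str, my_ip: str, tz: str) -> Optional[dict]:
    """Turn one LFD block alert into an abuse report, or None if no rule applies."""
    m = SUBJECT_RE.search(subject)
    if not m:
        return None
    to = provider_mailbox(m["rdns"])
    if to is None:
        return None
    text = (
        "Abuse Department,\n\n"
        f"Below is a copy of our firewall's logging of intrusion attempts from "
        f"{m['ip']} to my server ({my_ip}). Please take action to prevent "
        f"further activity from this IP. Note that all times are in {tz}.\n\n"
        + body
    )
    return {"to": to, "subject": f"Fwd: {subject}", "body": text, "ip": m["ip"]}
```

Feeding the function an alert whose rDNS is "-" (no PTR) or belongs to an unlisted host returns None, which is the equivalent of the IFTTT search simply not matching.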