Date:      Sun, 14 Aug 2011 07:33:25 -0400
From:      Alejandro Imass <ait@p2ee.org>
To:        Bill Tillman <btillman99@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Poll on server attacks
Message-ID:  <CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-+-c88YHscgdM64JzQ@mail.gmail.com>
In-Reply-To: <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>
References:  <CAHieY7T+rKkwzBr+E=oziXvm4Bm+OS8fpmgSOYxzS1zvmgT0YA@mail.gmail.com> <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>

On Sun, Aug 14, 2011 at 5:16 AM, Bill Tillman <btillman99@yahoo.com> wrote:
> --- On Sat, 8/13/11, Alejandro Imass <ait@p2ee.org> wrote:
>
> From: Alejandro Imass <ait@p2ee.org>
> Subject: Re: Poll on server attacks
> To: "FreeBSD" <freebsd-questions@freebsd.org>
> Date: Saturday, August 13, 2011, 7:57 PM
>

[...]

> I, like Jerry, would also question your definition of enormous costs. I see attacks on my servers every day. But those are merely attempts to hack in, and if you don't have actual breaches into your server then you're OK.

There you go! How do you actually know whether you've had actual breaches
if you don't follow up on the logs and spend actual __hours__ doing
that? How do you know your servers are not root-kitted? I had an
experience with a Linux server once, and it was root-kitted for a long
time before we ever noticed. It was only after following up on an attack
that another party reported to us as coming from our server that we
actually realized that server was compromised.

How do you really know how secure your servers are if you don't spend
time testing with nmap, nessus, etc.? Following up on security
patches, etc. That, at least in our case, has become time consuming. It
may not be every day, but on average it does take a lot of man hours.
For a small company like ours it's become a real cost issue.

> major breach and that was due to my failure to plug an obvious hole in my Asterisk dial plan.

It's great you bring Asterisk up. For example, we've used sipvicious to
test our Asterisk server, and then a couple of days ago I got a call at
2am about a sipvicious attack, something we couldn't replicate
ourselves, at least not immediately. In fact, this particular Asterisk
attack took us _many_ hours to figure out, made us decide to block
massive Chinese, Russian and Nigerian IP blocks, and motivated me to
write the thread in the first place! Having to stop some other
productive activity and spend a day or a day and a half figuring out
some new form of attack is *very* costly, for us at least.

And the same thing goes for every other thing we have running on the
servers. Everything has different types of holes, and every time there
is a new wave or "fever" of attacks on something (phpmyadmin, rsync,
subversion, mediawiki, apache, php, asterisk or what have you), it's
more and more hours poured into patching, testing and analyzing.
Furthermore, if you have jails you may have different versions of these
services with different security vulnerabilities.

If you and Jerry are not spending a lot of time on these things, well,
good for you, I guess! But we do.
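The sipvicious episode described in the message above, as an added example that is not code from the thread, from its author, or from the Asterisk or FreeBSD projects: a small POSIX shell script that counts failed SIP REGISTER attempts per source address in Asterisk's `messages` log and prints the `pfctl` command that would drop those addresses into a pf table. It assumes the `chan_sip` NOTICE line format of Asterisk 1.8-era logs; the sample log lines are constructed, and the table name `sipscan`, the threshold, and the helper names are arbitrary choices for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): pick SIP registration scanners
# out of Asterisk's log and emit the pfctl command that would block them.
# Assumes the chan_sip NOTICE line format of Asterisk 1.8-era logs; the
# table name "sipscan" and the threshold are arbitrary choices.

# Constructed sample log lines (not from the original message).
# 203.0.113.5 walks extensions 100-103 within a second, which is what a
# sipvicious svwar run looks like from the PBX side; 192.0.2.77 is one
# legitimate user mistyping a password once and must not be blocked.
SAMPLE_LOG=$(cat <<'EOF'
[Aug 14 02:01:12] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@198.51.100.10>' failed for '203.0.113.5:5060' - No matching peer found
[Aug 14 02:01:12] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@198.51.100.10>' failed for '203.0.113.5:5060' - No matching peer found
[Aug 14 02:01:13] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@198.51.100.10>' failed for '203.0.113.5:5061' - No matching peer found
[Aug 14 02:01:13] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@198.51.100.10>' failed for '203.0.113.5:5062' - Wrong password
[Aug 14 02:05:00] NOTICE[1234] chan_sip.c: Registration from '"alice"<sip:alice@198.51.100.10>' failed for '192.0.2.77:5060' - Wrong password
[Aug 14 02:05:30] NOTICE[1234] chan_sip.c: Peer 'bob' is now Reachable. (12ms / 2000ms)
EOF
)

# sip_offenders THRESHOLD: read log lines on stdin and print every source IP
# with at least THRESHOLD failed REGISTER attempts, one per line, sorted.
# The source port is dropped on purpose: the scanner rotates ports, the IP
# stays the same. Lines that are not registration failures never match.
sip_offenders() {
    sed -n "s/.*Registration from .* failed for '\([0-9.]*\):[0-9]*'.*/\1/p" \
        | sort | uniq -c \
        | awk -v t="$1" '$1 >= t { print $2 }' \
        | sort
}

# pf_table_cmd TABLE: read IPs on stdin and print (not run) the pfctl line
# that adds them to a pf table. For the block to take effect pf.conf must
# already carry:
#   table <sipscan> persist
#   block in quick from <sipscan>
pf_table_cmd() {
    ips=$(tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$ips" ]; then
        printf 'pfctl -t %s -T add %s\n' "$1" "$ips"
    fi
    return 0
}

# Stand-alone run over the sample; prints:
#   pfctl -t sipscan -T add 203.0.113.5
# On a live box the real log replaces the sample, e.g.
#   sip_offenders 5 < /var/log/asterisk/messages | pf_table_cmd sipscan
printf '%s\n' "$SAMPLE_LOG" | sip_offenders 3 | pf_table_cmd sipscan
```

Two things worth noting when adapting this. First, the threshold is what keeps a single mistyped password (the `Wrong password` line from 192.0.2.77) out of the block list, while a scanner that enumerates extensions trips it within seconds; `No matching peer found` against a run of consecutive extension numbers is the tell-tale pattern of an extension-guessing scan. Second, blocking the individual offending addresses as they show up is the narrower alternative to the whole-country blocks mentioned in the message: it costs no legitimate callers in those countries, but it is reactive, so it belongs alongside, not instead of, keeping the dial plan closed and following up on the logs.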



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-%2B-c88YHscgdM64JzQ>