Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 14 Aug 2011 07:33:25 -0400
From:      Alejandro Imass <ait@p2ee.org>
To:        Bill Tillman <btillman99@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Poll on server attacks
Message-ID:  <CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-+-c88YHscgdM64JzQ@mail.gmail.com>
In-Reply-To: <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>
References:  <CAHieY7T+rKkwzBr+E=oziXvm4Bm+OS8fpmgSOYxzS1zvmgT0YA@mail.gmail.com> <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sun, Aug 14, 2011 at 5:16 AM, Bill Tillman <btillman99@yahoo.com> wrote:
>
>
> --- On Sat, 8/13/11, Alejandro Imass <ait@p2ee.org> wrote:
>
>
> From: Alejandro Imass <ait@p2ee.org>
> Subject: Re: Poll on server attacks
> To: "FreeBSD" <freebsd-questions@freebsd.org>
> Date: Saturday, August 13, 2011, 7:57 PM
>
>

[...]

> I, like Jerry would also question your definition of enormous costs. I see attacks at my servers every day. But those are merely attempts to hack in and if you don't have actual breaches into your server then you're ok.

There you go! How do you actually know if you've had actual breaches
if you don't follow up on the logs and spend actual __hours__ doing
that? How do you know your servers are not root-kitted? I had an
experience with a Linux server once and it was root-kitted for a long
time before we ever noticed. It was only after following up an attack
that was reported to us by another party from our server that we
actually realized that server was compromised.

How do you really know how secure your servers are if you don't spend
time testing with nmap, nessus, etc. ? Following up un security
patches, etc. That, at least in our case has become time consuming it
may not be every day, but on average it does take a lot of man hours.
For a small company like our it's become a real cost issue.

> major breach and that was due to my failure to plug an obvious hole in my Asterisk dial plan.

It great you bring Asterisk up. For example, we've used sipvicious to
test our asterisk server and then couple of days ago I get a call at
2am from a sipvicious attack something we couldn't replicate
ourselves, at least not immediately. In fact, this particular Asterisk
attack took us _many_ hours to figure out and made us decide to block
massive China, Russia and Nigerian, ip blocks, and motivated me to
write the thread in the first place! Having to stop some other
productive activity, and spending a day or day and half figuring out
some new form of attack is *very* costly for us at least.

And the same thing goes for every other thing we have running on the
servers. Everything has different types of holes, and every time there
is a new wave or "fever" on attacks on something: phpmyadmin, rsync,
subversion, mediawiki, apache, php, asterisk or what have you, then
it's more and more hours poured into patching, testing, analyzing.
Furthermore if you have Jails you may have different versions of these
services with different security vulnerabilities.

If you and Jerry are not spending a lot of time on these things, well
good for you! I guess, but we do.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-+-c88YHscgdM64JzQ>