Date: Sat, 13 Aug 2011 16:40:52 -0400 From: Jerry <jerry@seibercom.net> To: FreeBSD <freebsd-questions@freebsd.org> Subject: Re: Poll on server attacks Message-ID: <20110813164052.50af1126@scorpio> In-Reply-To: <CAHieY7Qyj1FDPaxFdyaoTYK5c%2B-3pwvws39Ga-B4H5MXqgG3MQ@mail.gmail.com> References: <CAHieY7Qyj1FDPaxFdyaoTYK5c%2B-3pwvws39Ga-B4H5MXqgG3MQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 13 Aug 2011 15:43:02 -0400 Alejandro Imass articulated: > The purpose of this thread is to get some feedback on actions that > admins here are taking to deal with ever increasing attacks on > servers. > > I have relied heavily on fail2ban it's really effective and > frustrating for crakers, and the notifications help you initiate your > inspection workflows. > > But of course, it doesn't solve all the problems and way too passive > for massive attacks on some services like Asterisk. > > So lately I have opted to simply close down IP block massively using > the lists from wizcraft. I know it's a bit extreme but I've had to > block all chinese, russian and nigerian ip blocks. And we're still > evaluating closing off many other blocks from other lists as well. Personally, I prefer: <https://www.countryipblocks.net/>. It is just a matter of personal taste I guess. > Is anyone else using such desperate measures? > > BTW I created an automated script in Perl that works with wizcraft's > lists if anyone is interested I can post somewhere... > > My question is are any of you following up on US, Canadian, and > European ISPs? Is it actually useful follow up and write to the abuse > addresses? What type of feedback do you get? > Do you use any other authority? > Does it make sense to report to Local Police, DoD, FBI, CIA ? > Do you help feed maintain gray/black lists? > > Up to now I just write to the abuse addresses as part of my follow-up > from the fail2ban and my own log evaluations. My response rate from > ISPs has been very low, though it's very gratifying to see that some > have ticket systems, and that a few actually respond, care and take > action. The majority though, are simply deaf so I've been thinking of > pursuing the matter with police and legal authorities, at least for > US, Canada and Europe. Other useful exercises are flapping your arms at a high rate of speed and attempting to fly. > I can't believe that the majority of ISPs simple ignore my petitions > to follow-up on their client's (or employee) abuse. I would like these > people to at least be responsible and cover the enormous > administrative costs. We are 2 admins in our company and we only have > a few servers! I can't begin to imagine what companies with larger > server farms have to through every day, and the enormous costs the > face to fight off attackers. And that's not counting SPAM, which is a > major headache for any organization today. IANA doesn't get involved > so I think that at least where we have legal power within our reach, > some legal action may get ISPs into being a bit more serious about > keeping their networks safe. > > What do you think about pursuing matters into the police and legal > system? About as useful as attempting to build a time machine in my basement. Knujon <http://www.knujon.com/>; is basically a one man operation that has made huge strides in discovering criminal activity among registrars, etcetera. You might want to investigate them further. They are always looking for help. Just for my own morbid curiosity, what are these "enormous costs" that you refer to? You are not buying new hard ware I assume. If you are using FOSS then there is little or no software cost involved. Other than paying for someone's time, something that would be happening anyway, what "enormous cost" comes into play? -- Jerry ✌ jerry+fbsd@seibercom.net Disclaimer: off-list followups get on-list replies or ignored. Do not CC this poster. Please do not ignore the "Reply-To" header. http://www.catb.org/~esr/faqs/smart-questions.html
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110813164052.50af1126>