From owner-freebsd-questions@FreeBSD.ORG Sun Aug 14 11:33:26 2011
From: Alejandro Imass
To: Bill Tillman
Cc: freebsd-questions@freebsd.org
Date: Sun, 14 Aug 2011 07:33:25 -0400
Subject: Re: Poll on server attacks
In-Reply-To: <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>

On Sun, Aug 14, 2011 at 5:16 AM, Bill Tillman wrote:
>
> --- On Sat, 8/13/11, Alejandro Imass wrote:
>
> From: Alejandro Imass
> Subject: Re: Poll on server attacks
> To: "FreeBSD"
> Date: Saturday, August 13, 2011, 7:57 PM
>
> [...]
>
> I, like Jerry, would also question your definition of enormous costs. I see attacks at my servers every day. But those are merely attempts to hack in, and if you don't have actual breaches into your server then you're ok.

There you go!
How do you actually know if you've had actual breaches if you don't follow up on the logs and spend actual __hours__ doing that? How do you know your servers are not root-kitted? I had an experience with a Linux server once and it was root-kitted for a long time before we ever noticed. It was only after following up an attack that was reported to us by another party from our server that we actually realized that server was compromised.

How do you really know how secure your servers are if you don't spend time testing with nmap, nessus, etc.? Following up on security patches, etc. That, at least in our case, has become time consuming; it may not be every day, but on average it does take a lot of man hours. For a small company like ours it's become a real cost issue.

> major breach and that was due to my failure to plug an obvious hole in my Asterisk dial plan.

It's great you bring Asterisk up. For example, we've used sipvicious to test our asterisk server, and then a couple of days ago I get a call at 2am from a sipvicious attack, something we couldn't replicate ourselves, at least not immediately. In fact, this particular Asterisk attack took us _many_ hours to figure out and made us decide to block massive China, Russia and Nigeria IP blocks, and motivated me to write the thread in the first place! Having to stop some other productive activity, and spending a day or a day and a half figuring out some new form of attack is *very* costly for us at least.

And the same thing goes for every other thing we have running on the servers. Everything has different types of holes, and every time there is a new wave or "fever" of attacks on something: phpmyadmin, rsync, subversion, mediawiki, apache, php, asterisk or what have you, then it's more and more hours poured into patching, testing, analyzing. Furthermore, if you have Jails you may have different versions of these services with different security vulnerabilities.
If you and Jerry are not spending a lot of time on these things, well, good for you! I guess, but we do.
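One concrete way to "follow up on the logs" for the sipvicious-style extension scans mentioned in this message, as an added example that is not part of the thread: it reads Asterisk `messages` log lines and flags sources whose failed registrations are spread over many different usernames, which is what a scan looks like and what a single mistyped password does not. The log format is assumed to be the chan_sip "Registration from ... failed for ..." line of Asterisk 1.8-era releases, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of /var/log/asterisk/messages
# (format assumed from chan_sip in Asterisk 1.8-era releases; addresses are documentation ranges).
SAMPLE_LOG = """\
[Aug 14 02:01:10] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Aug 14 02:01:10] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[Aug 14 02:01:11] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[Aug 14 02:01:11] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[Aug 14 02:05:30] NOTICE[1234] chan_sip.c: Registration from '"alice"<sip:alice@203.0.113.5>' failed for '192.0.2.44:5060' - Wrong password
[Aug 14 02:05:45] VERBOSE[1234] chan_sip.c: -- Registered SIP 'alice' at 192.0.2.44:5060
"""

# Matches only the failed-registration NOTICE lines; successful registrations are ignored.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, attempted_user, reason) for each failed registration line."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user"), m.group("reason")


def find_scanners(log_text, min_failures=3, min_distinct_users=3):
    """Return {ip: (failure_count, distinct_user_count)} for sources that look like an
    extension scan: many failures across many usernames, not one user with a wrong password."""
    failures = Counter()
    users = defaultdict(set)
    for _ts, ip, user, _reason in parse_failures(log_text):
        failures[ip] += 1
        users[ip].add(user)
    return {ip: (n, len(users[ip])) for ip, n in failures.items()
            if n >= min_failures and len(users[ip]) >= min_distinct_users}


if __name__ == "__main__":
    for ip, (n, u) in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed registrations across {u} usernames")
```

On a real box, feed it the live log (or let fail2ban's asterisk filter do the blocking) and tune the two thresholds to your own traffic before trusting the output.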