From owner-freebsd-questions@FreeBSD.ORG Mon Aug 15 21:16:00 2011
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A7351065679 for ; Mon, 15 Aug 2011 21:16:00 +0000 (UTC) (envelope-from gull@gull.us)
Received: from mail-gw0-f54.google.com (mail-gw0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id 63B9B8FC17 for ; Mon, 15 Aug 2011 21:16:00 +0000 (UTC)
Received: by gwb15 with SMTP id 15so2533532gwb.13 for ; Mon, 15 Aug 2011 14:15:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.101.115.19 with SMTP id s19mr4229570anm.89.1313441143435; Mon, 15 Aug 2011 13:45:43 -0700 (PDT)
Received: by 10.101.130.20 with HTTP; Mon, 15 Aug 2011 13:45:43 -0700 (PDT)
X-Originating-IP: [128.95.17.241]
In-Reply-To:
References: <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com>
Date: Mon, 15 Aug 2011 13:45:43 -0700
Message-ID:
From: David Brodbeck
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: Poll on server attacks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Aug 2011 21:16:00 -0000

On Sun, Aug 14, 2011 at 4:33 AM, Alejandro Imass wrote:
> There you go! How do you actually know if you've had actual breaches
> if you don't follow up on the logs and spend actual __hours__ doing
> that? How do you know your servers are not root-kitted? I had an
> experience with a Linux server once and it was root-kitted for a long
> time before we ever noticed. It was only after following up an attack
> that was reported to us by another party from our server that we
> actually realized that server was compromised.

Rethink how you're doing your monitoring.

Scanning incoming packets for attacks is tedious because you capture lots of unsuccessful attacks that you can't really do anything about. You'd be better off watching outgoing packets for unusual activity or responses that indicate a successful attack.
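The reply above argues for watching what a server sends out rather than what it receives. As an added illustration (not code from the thread or from any FreeBSD tool), the script below applies that idea to a batch of outbound flow records: each host gets an assumed egress policy listing the ports and peers it legitimately needs, and anything outside it is reported. The flow lines and the policy are constructed for the example; in practice the records would come from a flow exporter or firewall log and the policy from what each host actually does. Findings cover an unexpected destination port, an expected port but unexpected peer, a single large transfer, and a fan-out to many hosts on one unexpected port, which is the pattern a compromised server spewing mail or scanning tends to produce.

```python
"""Flag suspicious outbound traffic from a server against a per-host egress policy.

Added example, not code from the mailing-list thread. The flow records and
the egress policy are constructed; real input would come from a flow
exporter or a firewall log, and the policy from each host's known needs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed outbound flow records: "timestamp src dst proto dport bytes".
SAMPLE_FLOWS = """\
2011-08-15T13:40:01 192.0.2.10 198.51.100.53 udp 53 120
2011-08-15T13:40:02 192.0.2.10 198.51.100.7 udp 123 76
2011-08-15T13:41:10 192.0.2.10 203.0.113.9 tcp 443 9400
2011-08-15T13:42:30 192.0.2.10 203.0.113.66 tcp 6667 512
2011-08-15T13:43:00 192.0.2.10 203.0.113.70 tcp 25 3100
2011-08-15T13:43:01 192.0.2.10 203.0.113.71 tcp 25 3200
2011-08-15T13:43:02 192.0.2.10 203.0.113.72 tcp 25 3300
2011-08-15T13:43:03 192.0.2.10 203.0.113.73 tcp 25 3400
2011-08-15T13:43:04 192.0.2.10 203.0.113.74 tcp 25 3500
2011-08-15T13:43:05 192.0.2.10 203.0.113.75 tcp 25 3600
2011-08-15T13:45:00 192.0.2.10 203.0.113.53 udp 53 130
2011-08-15T13:50:00 192.0.2.10 203.0.113.80 tcp 4444 52000000
"""

# Assumed egress policy for 192.0.2.10 (a web server). Key is (proto, dport);
# value is the set of permitted peers, or None meaning "any destination".
EGRESS_POLICY = {
    "192.0.2.10": {
        ("udp", 53): {"198.51.100.53"},   # only the site resolver
        ("udp", 123): {"198.51.100.7"},   # only the site NTP server
        ("tcp", 443): None,               # package mirrors, any peer
    }
}
BYTES_THRESHOLD = 10_000_000   # a single flow above this is worth a look
FANOUT_THRESHOLD = 5           # distinct peers on one unexpected port
_NO_RULE = object()            # sentinel: no policy entry for this port


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, proto, int(dport), int(nbytes)))
    return flows


def analyze(flows, policy=EGRESS_POLICY):
    """Return (reason, detail) findings for flows that fall outside the policy."""
    findings = []
    fanout = defaultdict(set)   # (src, proto, dport) -> peers seen on an unexpected port
    for f in flows:
        rule = policy.get(f.src, {}).get((f.proto, f.dport), _NO_RULE)
        where = f"{f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}"
        if rule is _NO_RULE:
            findings.append(("unexpected-port", where))
            fanout[(f.src, f.proto, f.dport)].add(f.dst)
        elif rule is not None and f.dst not in rule:
            findings.append(("unexpected-destination", where))
        if f.nbytes > BYTES_THRESHOLD:
            findings.append(("large-transfer", f"{where} ({f.nbytes} bytes)"))
    for (src, proto, dport), dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(("fan-out", f"{src} reached {len(dsts)} hosts on {dport}/{proto}"))
    return findings


def summarize(findings):
    """Count findings by reason, e.g. {'unexpected-port': 8, ...}."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    for reason, detail in analyze(parse_flows(SAMPLE_FLOWS)):
        print(f"{reason:24} {detail}")
```

Run against the constructed records it reports the IRC-style port, the burst of SMTP to six different hosts (as both individual unexpected-port hits and one fan-out finding), the DNS query sent to a resolver outside the policy, and the 52 MB transfer on port 4444. The point of the allowlist-per-host design is that it stays short for a server with a narrow job, so each finding is something an administrator can actually act on, which is what the reply above contrasts with sifting through inbound attack noise.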