Date:      Mon, 15 Aug 2011 13:45:43 -0700
From:      David Brodbeck <gull@gull.us>
To:        freebsd-questions@freebsd.org
Subject:   Re: Poll on server attacks
Message-ID:  <CAHhngE1Bz69754YdEVR6rONvuzNoay8ufpLXi8LMjFBs1BwciQ@mail.gmail.com>
In-Reply-To: <CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-%2B-c88YHscgdM64JzQ@mail.gmail.com>
References:  <CAHieY7T%2BrKkwzBr%2BE=oziXvm4Bm%2BOS8fpmgSOYxzS1zvmgT0YA@mail.gmail.com> <1313313416.22472.YahooMailClassic@web36503.mail.mud.yahoo.com> <CAHieY7Sq94r8BXB=9-62SGW4smJjQdh2-%2B-c88YHscgdM64JzQ@mail.gmail.com>

On Sun, Aug 14, 2011 at 4:33 AM, Alejandro Imass <ait@p2ee.org> wrote:
> There you go! How do you actually know if you've had actual breaches
> if you don't follow up on the logs and spend actual __hours__ doing
> that? How do you know your servers are not root-kitted? I had an
> experience with a Linux server once and it was root-kitted for a long
> time before we ever noticed. It was only after following up an attack
> that was reported to us by another party from our server that we
> actually realized that server was compromised.

Rethink how you're doing your monitoring.  Scanning incoming packets
for attacks is tedious because you capture lots of unsuccessful
attacks that you can't really do anything about.  You'd be better off
watching outgoing packets for unusual activity or responses that
indicate a successful attack.
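The kind of egress check the reply above recommends, as an added example that is not part of the original message or the FreeBSD list: a short script that reads outbound flow records from a server and flags the ones that do not fit the host's expected role. The flow records, the NetFlow-style line format, the web-server baseline, the port hints and the thresholds are all constructed assumptions for the example, not anything from the thread.

```python
"""Egress-monitoring example (added illustration, not from the thread).

Reads outbound flow records for one server and flags activity that a
compromised host typically produces: connections to services the host
should never initiate, fan-out to many hosts on one port (scanning) and
unusually large transfers to a single destination. The line format,
baseline and thresholds below are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample: outbound flows of a hypothetical web server
# 192.0.2.10 (RFC 5737 documentation addresses). Not real traffic.
# Format: <timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>
SAMPLE_FLOWS = """\
2011-08-15T13:00:01 192.0.2.10:51234 -> 192.0.2.53:53 udp 120
2011-08-15T13:00:02 192.0.2.10:51235 -> 198.51.100.20:443 tcp 5400
2011-08-15T13:00:05 192.0.2.10:51236 -> 198.51.100.20:123 udp 76
2011-08-15T13:01:10 192.0.2.10:51240 -> 203.0.113.7:6667 tcp 2300
2011-08-15T13:02:00 192.0.2.10:51241 -> 203.0.113.9:25 tcp 18000
2011-08-15T13:02:01 192.0.2.10:51242 -> 203.0.113.10:25 tcp 17500
2011-08-15T13:03:00 192.0.2.10:51250 -> 203.0.113.50:22 tcp 900
2011-08-15T13:03:01 192.0.2.10:51251 -> 203.0.113.51:22 tcp 900
2011-08-15T13:03:02 192.0.2.10:51252 -> 203.0.113.52:22 tcp 900
2011-08-15T13:03:03 192.0.2.10:51253 -> 203.0.113.53:22 tcp 900
2011-08-15T13:03:04 192.0.2.10:51254 -> 203.0.113.54:22 tcp 900
2011-08-15T13:05:00 192.0.2.10:51260 -> 203.0.113.80:443 tcp 250000000
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s+(?P<bytes>\d+)$"
)

# Assumed baseline for a plain web server: it should only *initiate* DNS,
# NTP and HTTP(S) (package mirrors, OCSP). Anything else is worth a look.
WEB_SERVER_BASELINE = {("udp", 53), ("udp", 123), ("tcp", 80), ("tcp", 443)}

# Assumed labels for ports that a server initiating them rarely has a
# legitimate reason to use.
PORT_HINTS = {
    6667: "IRC (classic bot command-and-control channel)",
    25: "SMTP (outbound mail from a host that is not a mail server)",
    22: "SSH (lateral movement or scanning)",
}

SCAN_FANOUT = 5           # distinct destinations on one port (assumed)
EXFIL_BYTES = 100_000_000  # bytes sent to one destination (assumed)


def parse_flows(text):
    """Parse the constructed flow format into dicts; reject malformed lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        d = m.groupdict()
        flows.append({"ts": d["ts"], "src": d["src"], "dst": d["dst"],
                      "dport": int(d["dport"]), "proto": d["proto"],
                      "bytes": int(d["bytes"])})
    return flows


def analyze(flows, baseline=WEB_SERVER_BASELINE,
            scan_fanout=SCAN_FANOUT, exfil_bytes=EXFIL_BYTES):
    """Return (rule, detail) findings for flows outside the host's baseline."""
    findings = []
    dsts_per_port = defaultdict(set)
    bytes_per_dst = defaultdict(int)
    for f in flows:
        key = (f["proto"], f["dport"])
        dsts_per_port[key].add(f["dst"])
        bytes_per_dst[f["dst"]] += f["bytes"]
        if key not in baseline:
            hint = PORT_HINTS.get(f["dport"], "not in this host's outbound baseline")
            findings.append(("unexpected-service",
                             f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}: {hint}"))
    # Fan-out on one port: the server is probing other hosts.
    for (proto, port), dsts in dsts_per_port.items():
        if len(dsts) >= scan_fanout:
            findings.append(("outbound-scan",
                             f"{len(dsts)} distinct hosts contacted on {port}/{proto}"))
    # Volume to one destination: catches exfiltration even over an
    # allowed port such as 443, which the port rule alone would miss.
    for dst, total in bytes_per_dst.items():
        if total >= exfil_bytes:
            findings.append(("large-transfer", f"{total} bytes sent to {dst}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in analyze(parse_flows(SAMPLE_FLOWS)):
        print(f"{rule:18} {detail}")
```

On the sample the three baseline flows (DNS, HTTPS, NTP) produce nothing, while the IRC, SMTP and SSH connections are each flagged, the five SSH destinations together trip the scan rule, and the 250 MB transfer is flagged on volume even though it uses port 443. In practice the records would come from the firewall or a tap upstream of the server rather than from the server itself, since a root-kitted host cannot be trusted to report its own traffic honestly.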
