Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 13 Aug 2011 15:43:02 -0400
From:      Alejandro Imass <aimass@yabarana.com>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Poll on server attacks
Message-ID:  <CAHieY7Qyj1FDPaxFdyaoTYK5c%2B-3pwvws39Ga-B4H5MXqgG3MQ@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
Hi all,

The purpose of this thread is to get some feedback on actions that
admins here are taking to deal with ever increasing attacks on
servers.

I have relied heavily on fail2ban it's really effective and
frustrating for crakers, and the notifications help you initiate your
inspection workflows.

But of course, it doesn't solve all the problems and way too passive
for massive attacks on some services like Asterisk.

So lately I have opted to simply close down IP block massively using
the lists from wizcraft. I know it's a bit extreme but I've had to
block all chinese, russian and nigerian ip blocks. And we're still
evaluating closing off many other blocks from other lists as well.

Is anyone else using such desperate measures?

BTW I created an automated script in Perl that works with wizcraft's
lists if anyone is interested I can post somewhere...

My question is are any of you following up on US, Canadian, and European ISPs?
Is it actually useful follow up and write to the abuse addresses?
What type of feedback do you get?
Do you use any other authority?
Does it make sense to report to Local Police, DoD, FBI, CIA ?
Do you help feed maintain gray/black lists?

Up to now I just write to the abuse addresses as part of my follow-up
from the fail2ban and my own log evaluations. My response rate from
ISPs has been very low, though it's very gratifying to see that some
have ticket systems, and that a few actually respond, care and take
action. The majority though, are simply deaf so I've been thinking of
pursuing the matter with police and legal authorities, at least for
US, Canada and Europe.

I can't believe that the majority of ISPs simple ignore my petitions
to follow-up on their client's (or employee) abuse. I would like these
people to at least be responsible and cover the enormous
administrative costs. We are 2 admins in our company and we only have
a few servers! I can't begin to imagine what companies with larger
server farms have to through every day, and the enormous costs the
face to fight off attackers. And that's not counting SPAM, which is a
major headache for any organization today. IANA doesn't get involved
so I think that at least where we have legal power within our reach,
some legal action may get ISPs into being a bit more serious about
keeping their networks safe.

What do you think about pursuing matters into the police and legal system?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHieY7Qyj1FDPaxFdyaoTYK5c%2B-3pwvws39Ga-B4H5MXqgG3MQ>