From owner-freebsd-questions@FreeBSD.ORG Sat Aug 13 19:43:03 2011
From: Alejandro Imass
To: FreeBSD Questions
Date: Sat, 13 Aug 2011 15:43:02 -0400
Subject: Poll on server attacks
List-Id: User questions

Hi all,

The purpose of this thread is to get some feedback on actions that admins here are taking to deal with ever-increasing attacks on servers.

I have relied heavily on fail2ban. It's really effective and frustrating for crackers, and the notifications help you initiate your inspection workflows. But of course, it doesn't solve all the problems and is way too passive for massive attacks on some services like Asterisk. So lately I have opted to simply close down IP blocks massively using the lists from wizcraft. I know it's a bit extreme, but I've had to block all Chinese, Russian and Nigerian IP blocks. And we're still evaluating closing off many other blocks from other lists as well.

Is anyone else using such desperate measures?
BTW, I created an automated script in Perl that works with wizcraft's lists. If anyone is interested I can post it somewhere...

My question is: are any of you following up with US, Canadian, and European ISPs? Is it actually useful to follow up and write to the abuse addresses? What type of feedback do you get? Do you use any other authority? Does it make sense to report to local police, DoD, FBI, CIA? Do you help feed or maintain gray/black lists?

Up to now I just write to the abuse addresses as part of my follow-up from the fail2ban notifications and my own log evaluations. My response rate from ISPs has been very low, though it's very gratifying to see that some have ticket systems, and that a few actually respond, care and take action. The majority, though, are simply deaf, so I've been thinking of pursuing the matter with police and legal authorities, at least for the US, Canada and Europe.

I can't believe that the majority of ISPs simply ignore my petitions to follow up on their clients' (or employees') abuse. I would like these people to at least be responsible and cover the enormous administrative costs. We are 2 admins in our company and we only have a few servers! I can't begin to imagine what companies with larger server farms have to go through every day, and the enormous costs they face to fight off attackers. And that's not counting SPAM, which is a major headache for any organization today.

IANA doesn't get involved, so I think that at least where we have legal power within our reach, some legal action may get ISPs to be a bit more serious about keeping their networks safe.

What do you think about pursuing matters through the police and legal system?
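The poster mentions a Perl script that turns wizcraft's block lists into firewall rules. The following is an added example, not the poster's script and not code from the wizcrafts project, showing the part of that job that is easy to get wrong: reading a list, rejecting junk lines without aborting, collapsing overlapping and adjacent networks (so a pf table stays small), keeping IPv4 and IPv6 in separate tables, and emitting a pf table file plus the matching rules. The list format (one CIDR per line, `#` comments) and the sample entries are assumptions constructed for the example; the `pf.conf` table syntax and `pfctl` invocation are standard FreeBSD.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in a one-CIDR-per-line, '#'-comment format (assumed to
# match the wizcrafts lists; these are documentation prefixes, not real data).
SAMPLE_LIST = """\
# constructed sample block list, not a real wizcrafts list
203.0.113.0/24
203.0.113.128/25   # subsumed by the /24 above, should collapse away
198.51.100.0/25
198.51.100.128/25  # adjacent to the line above, merges into one /24
192.0.2.1          # bare host, treated as /32
not-an-address     # junk line: must be skipped, not fatal
2001:db8::/32      # IPv6 entry, goes into a separate table
"""


def parse_block_list(text: str) -> Tuple[List[ipaddress._BaseNetwork], List[str]]:
    """Parse a block list into networks; return (networks, rejected_lines).

    Junk lines are collected rather than raised so one bad line in a large
    downloaded list does not leave the firewall without the other entries.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set (e.g. a bare address -> /32)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def collapse(nets) -> Tuple[List[ipaddress.IPv4Network], List[ipaddress.IPv6Network]]:
    """Merge overlapping/adjacent networks, per address family.

    collapse_addresses() raises TypeError on a mixed v4/v6 list, so the two
    families are split first; pf also wants them in separate tables.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def pf_table_file(nets, table: str) -> str:
    """Render the file that `table <name> persist file "..."` loads."""
    lines = [f"# table <{table}>: {len(nets)} entries, generated from block list"]
    lines += [str(n) for n in nets]
    return "\n".join(lines) + "\n"


def pf_rules(table: str, path: str) -> str:
    """Render the pf.conf fragment that defines the table and drops its traffic."""
    return "\n".join([
        f'table <{table}> persist file "{path}"',
        f"block drop in quick from <{table}> to any",
    ]) + "\n"


if __name__ == "__main__":
    nets, rejected = parse_block_list(SAMPLE_LIST)
    v4, v6 = collapse(nets)
    for bad in rejected:
        print(f"# skipped unparseable entry: {bad!r}")
    print(pf_table_file(v4, "blocklist4"), end="")
    print(pf_table_file(v6, "blocklist6"), end="")
    print(pf_rules("blocklist4", "/etc/pf.blocklist4"), end="")
    print(pf_rules("blocklist6", "/etc/pf.blocklist6"), end="")
```

After writing the table files, `pfctl -t blocklist4 -T replace -f /etc/pf.blocklist4` swaps the table contents in place without reloading the whole ruleset, which keeps a scheduled list refresh from disturbing existing state. Logging the rejected lines is worth keeping: a list that suddenly parses to zero entries (a changed download URL, an HTML error page) should be noticed rather than silently replace the table with nothing.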