From owner-freebsd-questions@FreeBSD.ORG Sat Aug 13 20:40:58 2011
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 868031065676
	for ; Sat, 13 Aug 2011 20:40:58 +0000 (UTC)
	(envelope-from jerry@seibercom.net)
Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com [209.85.216.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 3AEFA8FC12
	for ; Sat, 13 Aug 2011 20:40:57 +0000 (UTC)
Received: by qwc9 with SMTP id 9so2654110qwc.13
	for ; Sat, 13 Aug 2011 13:40:57 -0700 (PDT)
Received: by 10.229.176.105 with SMTP id bd41mr1464090qcb.273.1313268056552;
	Sat, 13 Aug 2011 13:40:56 -0700 (PDT)
Received: from scorpio.seibercom.net (twdp-174-109-142-001.nc.res.rr.com [174.109.142.1])
	by mx.google.com with ESMTPS id m7sm3138245qct.17.2011.08.13.13.40.54
	(version=TLSv1/SSLv3 cipher=OTHER);
	Sat, 13 Aug 2011 13:40:55 -0700 (PDT)
Received: from scorpio (zeus [192.168.1.1])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: jerry@scorpio.seibercom.net)
	by scorpio.seibercom.net (Postfix) with ESMTPSA id 3Rbw2r67D5z2CG4d
	for ; Sat, 13 Aug 2011 16:40:52 -0400 (EDT)
Date: Sat, 13 Aug 2011 16:40:52 -0400
From: Jerry
To: FreeBSD
Message-ID: <20110813164052.50af1126@scorpio>
In-Reply-To: 
References: 
Organization: seibercom.net
X-Mailer: Claws Mail 3.7.9 (GTK+ 2.24.5; amd64-portbld-freebsd8.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: Re: Poll on server attacks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: FreeBSD
List-Id: User questions
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sat, 13 Aug 2011 20:40:58 -0000

On Sat, 13 Aug 2011 15:43:02 -0400
Alejandro Imass articulated:

> The purpose of this thread is to get some feedback on actions that
> admins here are taking to deal with ever-increasing attacks on
> servers.
>
> I have relied heavily on fail2ban; it's really effective and
> frustrating for crackers, and the notifications help you initiate your
> inspection workflows.
>
> But of course, it doesn't solve all the problems and is way too passive
> for massive attacks on some services like Asterisk.
>
> So lately I have opted to simply close down IP blocks massively using
> the lists from wizcraft. I know it's a bit extreme but I've had to
> block all Chinese, Russian and Nigerian IP blocks. And we're still
> evaluating closing off many other blocks from other lists as well.

Personally, I prefer: . It is just a matter of personal taste I guess.

> Is anyone else using such desperate measures?
>
> BTW I created an automated script in Perl that works with wizcraft's
> lists; if anyone is interested I can post it somewhere...
>
> My question is: are any of you following up on US, Canadian, and
> European ISPs? Is it actually useful to follow up and write to the abuse
> addresses? What type of feedback do you get?
> Do you use any other authority?
> Does it make sense to report to local police, DoD, FBI, CIA?
> Do you help feed/maintain gray/black lists?
>
> Up to now I just write to the abuse addresses as part of my follow-up
> from fail2ban and my own log evaluations. My response rate from
> ISPs has been very low, though it's very gratifying to see that some
> have ticket systems, and that a few actually respond, care and take
> action. The majority, though, are simply deaf, so I've been thinking of
> pursuing the matter with police and legal authorities, at least for
> the US, Canada and Europe.

Other useful exercises are flapping your arms at a high rate of speed and
attempting to fly.

> I can't believe that the majority of ISPs simply ignore my petitions
> to follow up on their clients' (or employees') abuse. I would like these
> people to at least be responsible and cover the enormous
> administrative costs. We are 2 admins in our company and we only have
> a few servers! I can't begin to imagine what companies with larger
> server farms have to go through every day, and the enormous costs they
> face to fight off attackers. And that's not counting SPAM, which is a
> major headache for any organization today. IANA doesn't get involved,
> so I think that at least where we have legal power within our reach,
> some legal action may get ISPs into being a bit more serious about
> keeping their networks safe.
>
> What do you think about pursuing matters into the police and legal
> system?

About as useful as attempting to build a time machine in my basement.

Knujon is basically a one-man operation that has made huge strides in
discovering criminal activity among registrars, etcetera. You might want to
investigate them further. They are always looking for help.

Just for my own morbid curiosity, what are these "enormous costs" that you
refer to? You are not buying new hardware, I assume. If you are using FOSS
then there is little or no software cost involved. Other than paying for
someone's time, something that would be happening anyway, what "enormous
cost" comes into play?

-- 
Jerry ✌
jerry+fbsd@seibercom.net

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the "Reply-To" header.

http://www.catb.org/~esr/faqs/smart-questions.html
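The thread above talks about feeding per-country CIDR lists into the firewall alongside fail2ban. The script below is an added example for this archive page, not Alejandro's Perl script, not code from the list, and not anything published by wizcraft. It assumes a plain one-network-per-line list (the sample list, the allowlist and the fail2ban-style "Ban" log lines are all constructed here), aggregates the prefixes, carves out a never-block allowlist, emits a pf(4) table file, and reports which already-banned addresses the table would or would not have caught.

```python
"""Build a pf table from a country CIDR list and check it against fail2ban bans.

Added example; the block list, allowlist and log lines are constructed samples
and the fail2ban "Ban <ip>" line format is an assumption about the log.
"""
import ipaddress
import re

# Constructed sample of a downloaded CIDR list: one network per line,
# comments and blank lines allowed, with one deliberately malformed entry
# and one entry that overlaps two smaller ones.
SAMPLE_BLOCKLIST = """\
# sample list, constructed for this example
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
192.0.2.0/24
not-a-network
203.0.113.0/24
"""

# Ranges that must never end up in the table, whatever the list says
# (your own office, VPN or management network). Constructed for the example.
ALLOWLIST = ["192.0.2.0/26"]

# Constructed fail2ban-style log lines.
SAMPLE_LOG = """\
2011-08-13 15:43:02,101 fail2ban.actions: WARNING [ssh] Ban 203.0.113.77
2011-08-13 15:44:10,220 fail2ban.actions: WARNING [asterisk] Ban 198.51.100.9
2011-08-13 15:45:01,005 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2011-08-13 15:46:33,412 fail2ban.actions: WARNING [ssh] Ban 172.16.5.5
"""

BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_blocklist(text):
    """Return (networks, rejected_lines). Malformed entries are reported rather
    than silently dropped, so a corrupt download cannot quietly shrink the table."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(raw)
    return nets, rejected


def build_table(nets, allow=ALLOWLIST):
    """Aggregate overlapping and adjacent prefixes, then carve the allowlist
    out of the result. Returns a sorted list of IPv4Network objects."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    carved = []
    for net in ipaddress.collapse_addresses(nets):
        pieces = [net]
        for a in allowed:
            next_pieces = []
            for p in pieces:
                if a.subnet_of(p):
                    next_pieces.extend(p.address_exclude(a))  # punch a hole
                elif p.subnet_of(a):
                    continue  # entirely inside the allowlist: drop it
                else:
                    next_pieces.append(p)
            pieces = next_pieces
        carved.extend(pieces)
    return sorted(ipaddress.collapse_addresses(carved))


def render_pf_table(nets):
    """Contents of a table file to load with, e.g.,
    table <blocked> persist file "/etc/pf.blocked" and block in quick from <blocked>."""
    return "\n".join(str(n) for n in nets) + "\n"


def bans_from_log(text):
    """Extract the banned IPv4 addresses from fail2ban-style log lines."""
    return [m.group(1) for m in (BAN_RE.search(l) for l in text.splitlines()) if m]


def covered(ips, nets):
    """Split banned IPs into those the table would already block and those it
    would not; the second list shows how much the country list actually buys you."""
    hit, miss = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        (hit if any(addr in n for n in nets) else miss).append(ip)
    return hit, miss


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    table = build_table(nets)
    print(render_pf_table(table))
    hit, miss = covered(bans_from_log(SAMPLE_LOG), table)
    print("rejected:", bad, "blocked:", hit, "not blocked:", miss)
```

The allowlist step is the check worth keeping even if the rest is replaced: a country list downloaded on a schedule and loaded straight into a quick block rule will eventually contain a prefix you depend on, and the table reload, not the attacker, will be what locks you out. Run the coverage report against fail2ban's log before and after changing lists so the decision to block whole countries is backed by your own numbers.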