Re: Poll on server attacks

On Sat, 13 Aug 2011 15:43:02 -0400
Alejandro Imass articulated:

> The purpose of this thread is to get some feedback on actions that
> admins here are taking to deal with ever increasing attacks on
>
> I have relied heavily on fail2ban; it's really effective and
> frustrating for crackers, and the notifications help you initiate your
> inspection workflows.
>
> But of course, it doesn't solve all the problems and is way too passive
> for massive attacks on some services like Asterisk.
>
> So lately I have opted to simply close down IP blocks massively using
> the lists from wizcraft. I know it's a bit extreme but I've had to
> block all Chinese, Russian and Nigerian IP blocks. And we're still
> evaluating closing off many other blocks from other lists as well.

Personally, I prefer: <>. It is just a
matter of personal taste I guess.

> Is anyone else using such desperate measures?
>
> BTW I created an automated script in Perl that works with wizcraft's
> lists; if anyone is interested I can post it somewhere...
>
> My question is: are any of you following up on US, Canadian, and
> European ISPs? Is it actually useful to follow up and write to the abuse
> addresses? What type of feedback do you get?
> Do you use any other authority?
> Does it make sense to report to local police, DoD, FBI, CIA?
> Do you help feed/maintain gray/black lists?

> Up to now I just write to the abuse addresses as part of my follow-up
> from fail2ban and my own log evaluations. My response rate from
> ISPs has been very low, though it's very gratifying to see that some
> have ticket systems, and that a few actually respond, care and take
> action. The majority though are simply deaf, so I've been thinking of
> pursuing the matter with police and legal authorities, at least for
> the US, Canada and Europe.

Other useful exercises are flapping your arms at a high rate of speed
and attempting to fly.

> I can't believe that the majority of ISPs simply ignore my petitions
> to follow up on their clients' (or employees') abuse. I would like these
> people to at least be responsible and cover the enormous
> administrative costs. We are 2 admins in our company and we only have
> a few servers! I can't begin to imagine what companies with larger
> server farms have to go through every day, and the enormous costs they
> face to fight off attackers. And that's not counting SPAM, which is a
> major headache for any organization today. IANA doesn't get involved,
> so I think that at least where we have legal power within our reach,
> some legal action may get ISPs to be a bit more serious about
> keeping their networks safe.
>
> What do you think about pursuing matters into the police and legal

About as useful as attempting to build a time machine in my basement.

Knujon <> is basically a one man operation that
has made huge strides in discovering criminal activity among registrars,
etcetera. You might want to investigate them further. They are always
looking for help.

Just for my own morbid curiosity, what are these "enormous costs" that
you refer to? You are not buying new hardware, I assume. If you are
using FOSS then there is little or no software cost involved. Other
than paying for someone's time, something that would be happening
anyway, what "enormous cost" comes into play?

Jerry ✌

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the "Reply-To" header.
freebsd-questions@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
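Alejandro's Perl script is not on the page, so here is an added example (written for this archive, not his code and not a wizcraft file) of the step he describes: turning a wizcraft-style netblock list into a pf table file. It adds the checks an admin wants before loading a country-wide block: malformed lines are reported instead of silently dropped, overlapping or adjacent entries are collapsed, and an exemption list is carved out so the block cannot lock out the office, the monitoring host or the jump box you administer from. The sample list, the exempt addresses (documentation ranges), the table name and the file path are all constructed assumptions. Python is used here because it is what fail2ban itself is written in; the same logic ports to Perl directly.

```python
"""Added example: build a pf table file from a wizcraft-style CIDR list,
with validation, aggregation and an exemption list."""
import ipaddress

# Constructed sample in the one-CIDR-per-line format the wizcraft lists use.
# Documentation ranges only; this is not a real wizcraft list.
SAMPLE_LIST = """\
# constructed sample, not a real wizcraft list
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26    # already covered by the /24 above
not-an-address
2001:db8::/32
"""

# Constructed placeholders for hosts that must never be blocked
# (office egress, monitoring box, the jump host you administer from).
NEVER_BLOCK = ["203.0.113.200/32", "198.51.100.10/32"]


def parse_cidrs(text):
    """Return (networks, rejected) for a '#'-commented CIDR list.

    A malformed line is reported with its line number instead of being
    silently dropped, so a corrupted download is noticed before it is
    loaded into the firewall."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects host bits set in the prefix (e.g. 10.0.0.5/24).
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append((lineno, raw))
    return nets, rejected


def build_table(nets, exempt):
    """Collapse overlapping/adjacent entries and carve the exemptions out.

    address_exclude only works within one address family, so IPv4 and
    IPv6 are processed separately and concatenated."""
    holes = [ipaddress.ip_network(e, strict=True) for e in exempt]
    result = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        fam_holes = [h for h in holes if h.version == version]
        for net in ipaddress.collapse_addresses(family):
            pieces = [net]
            for hole in fam_holes:
                refined = []
                for piece in pieces:
                    if hole.subnet_of(piece):
                        # replace the piece by the largest prefixes around the hole
                        refined.extend(piece.address_exclude(hole))
                    else:
                        refined.append(piece)
                pieces = refined
            result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address)))


def is_blocked(table, ip):
    """True if ip falls inside any table entry (what pf would decide)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in table if n.version == addr.version)


def render_pf_table(table):
    """One entry per line, ready for a pf.conf line such as
    table <blocklist> persist file "/etc/pf.blocklist"
    (table name and path are assumptions, not from the thread)."""
    return "".join(f"{n}\n" for n in table)


if __name__ == "__main__":
    nets, rejected = parse_cidrs(SAMPLE_LIST)
    for lineno, raw in rejected:
        print(f"rejected line {lineno}: {raw!r}")
    table = build_table(nets, NEVER_BLOCK)
    print(render_pf_table(table), end="")
```

Carving a /32 out of a /24 expands it into eight prefixes, which is the price of keeping the exemption explicit in the table rather than relying on rule order; with thousands of country netblocks the collapse step matters more than the expansion, and the rejected-line report is what tells you a half-downloaded list should not be loaded at all.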