On Mon, Dec 10, 2007 at 07:10:53PM -0500, eric c wrote:
> BTW, I'm thinking drop obvious jerks via firewall and those merely
> suspected of treachery mod_rewrite to a page explaining their suspension.
I'm wondering if this is worth the effort. There are two basic types of
attacks that people think about. The first is just a wide, automated
scan of many IP addresses looking for a machine that can be popped.
These sorts of attacks tend to be automated tools, and they're most
likely going to be run from a compromised host in the first place.
If it's that type of attack, I think your effort is better spent making
sure your patches are up to date, tracking the security lists for
announcements, or learning how to tighten the security knobs on the
services you're running. You're probably not going to be scanned again
from that IP in this situation.
The other type of attack is the kind where you've attracted the interest
of someone who specifically targets _your machine_, and they'll probably
look for more than one exploit, possibly stretch out their probe over
several days to try to avoid detection, etc.
The second kind of attack is more dangerous, but it's also much less
common provided you're not running a popular web forum or an IRC server
or some other very public service. It's also much harder to detect, and
the time you spend protecting against attacks of the first type will
also help against the second type.
I guess I can sum up my opinion like this: if the scan that's occurring
_right now_ is affecting service, then yes, block it via firewall or
null route or what have you. But if you're just looking at logs after
the fact, I think your time and energy is better spent learning about
and configuring chroots, jails, lowering privileges for daemons,
tripwire/aide, selinux, etc.
-ben
--
all is chaos under heaven, and the situation is excellent.
<mao zedong>
_______________________________________________
Discuss mailing list
http://lists.blu.org/mailman/listinfo/discuss
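The post above draws a line between a one-off automated sweep, a slow targeted probe, and the question of whether the activity is still going on when you look at it. The script below is an added example for this archive page, not code from the original poster: it reads combined-format access log lines, groups hits by client IP, labels each source as a wide scan, targeted probing, or benign, and then applies the post's rule of thumb (block only if it is happening right now, otherwise file it under hardening). The log lines, IP addresses, thresholds and the reference time `NOW` are all constructed for illustration.

```python
"""Triage of scanner activity in a web-server access log, following the rule
of thumb in the post above: block only when the probing is ongoing right now,
otherwise spend the effort on hardening.

Added example for this archive page; it is not code from the original poster.
The log lines, IP addresses, thresholds and the reference time NOW are all
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds (constructed): a "wide scan" is many distinct paths in a short
# burst; "targeted" probing is spread across a day or more; "active" means the
# last hit was recent enough that a firewall rule would still have an effect.
BURST_WINDOW = timedelta(minutes=5)
BURST_PATHS = 10
PERSISTENT_SPAN = timedelta(days=1)
PERSISTENT_PATHS = 3
ACTIVE_WINDOW = timedelta(minutes=15)


def parse_log(lines):
    """Group (timestamp, path, status) tuples by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ts = datetime.strptime(m["ts"], TS_FMT)
        by_ip[m["ip"]].append((ts, m["path"], int(m["status"])))
    return by_ip


def classify(events, now):
    """Return (category, recommendation) for one IP's events."""
    times = sorted(ts for ts, _, _ in events)
    span = times[-1] - times[0]
    distinct = len({path for _, path, _ in events})
    active = (now - times[-1]) <= ACTIVE_WINDOW

    if span >= PERSISTENT_SPAN and distinct >= PERSISTENT_PATHS:
        category = "targeted"      # probes stretched out over days
    elif distinct >= BURST_PATHS and span <= BURST_WINDOW:
        category = "wide_scan"     # automated sweep, one short burst
    else:
        return "benign", "ignore"

    # The post's rule: block (firewall drop / null route) only if it is
    # happening now; a scan found after the fact is a hardening to-do item.
    return category, ("block" if active else "harden")


def triage(lines, now):
    """Map each client IP in the log to its (category, recommendation)."""
    return {ip: classify(ev, now) for ip, ev in parse_log(lines).items()}


# --- constructed sample log (not real traffic) ---------------------------
NOW = datetime(2007, 12, 10, 19, 10, tzinfo=timezone(timedelta(hours=-5)))


def _entry(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.0" {status} 512 "-" "-"'


SCAN_PATHS = ["/admin/", "/phpmyadmin/", "/pma/", "/mysql/", "/cgi-bin/",
              "/wp-login.php", "/xmlrpc.php", "/setup.php", "/db/", "/manager/"]
_scan_start = NOW - timedelta(days=2)
SAMPLE_LOG = (
    # wide automated scan two days ago: 10 paths in 90 seconds, all 404
    [_entry("203.0.113.7", _scan_start + timedelta(seconds=10 * i), p, 404)
     for i, p in enumerate(SCAN_PATHS)]
    # slow, targeted probing of one application, last hit five minutes ago
    + [_entry("198.51.100.9", NOW - timedelta(days=3), "/forum/login.php", 200),
       _entry("198.51.100.9", NOW - timedelta(days=1), "/forum/admin.php", 403),
       _entry("198.51.100.9", NOW - timedelta(minutes=5), "/forum/config.inc", 404)]
    # ordinary visitor
    + [_entry("192.0.2.50", NOW - timedelta(minutes=40), "/", 200),
       _entry("192.0.2.50", NOW - timedelta(minutes=39), "/about.html", 200)]
)

if __name__ == "__main__":
    for ip, (category, action) in triage(SAMPLE_LOG, NOW).items():
        print(f"{ip:15} {category:10} -> {action}")
```

With the sample above, the two-day-old sweep from 203.0.113.7 comes out as `wide_scan` / `harden` (the scanner is long gone, so a rule would only add firewall clutter), while the slow probe from 198.51.100.9 is `targeted` / `block` because its last hit is within the active window. The thresholds are deliberately simple; on a real host you would tune `BURST_PATHS` and `ACTIVE_WINDOW` to your traffic and feed the script from a log tail rather than a constant.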