Poll on server attacks

David Brodbeck gull at gull.us
Mon Aug 15 21:16:00 UTC 2011

On Sun, Aug 14, 2011 at 4:33 AM, Alejandro Imass <ait at p2ee.org> wrote:
> There you go! How do you actually know if you've had actual breaches
> if you don't follow up on the logs and spend actual __hours__ doing
> that? How do you know your servers are not root-kitted? I had an
> experience with a Linux server once and it was root-kitted for a long
> time before we ever noticed. It was only after following up an attack
> that was reported to us by another party from our server that we
> actually realized that server was compromised.

Rethink how you're doing your monitoring.  Scanning incoming packets
for attacks is tedious because you capture lots of unsuccessful
attacks that you can't really do anything about.  You'd be better off
watching outgoing packets for unusual activity or responses that
indicate a successful attack.

More information about the freebsd-questions mailing list