I find this message very interesting, but I don't have the time to translate it; if someone has the time... otherwise, for English speakers. jdd

---------- Forwarded message ----------
Subject: RE: [suse-security] security policy
Date: Mon, 20 Aug 2001 11:46:58 +0200 (MEST)
From: Boris Lorenz <bolo@lupa.de>
To: suse-security@suse.com

Yup,

On 17-Aug-01 Anders Johansson wrote:
> What is the common policy when it comes to reporting 'incidents'? Do people
> here commonly report, say, script kiddies uploading things to ftp servers
> in an attempt to exploit frontpage installations that aren't there? Or is
> that considered overkill?

Considering the sheer number of, say, Code Red attack attempts to webservers all around the globe, it would be a bit of fun to report them all, both for you and your upstream provider/housing center/provider administration/CERT/whatever. If you constantly reported these very obvious attacks, people would get tired of your reports, I bet. The cry-wolf syndrome.

Incidents we usually log but do not report immediately if occurring as a single attack/scan are:
- Scans to ftp/rpc(portmap)/netbios, scans to dns coming from a socket with a port <=1024, pings, traceroutes.

Incidents we log, digestify and report in the normal course of our duty (every week or so) are:
- Password guessing/brute force attempts, UDP scans, unauthorized mail relaying, tricks with pop3, winproxy exploits, ping floods, icmp router redirects.

Incidents we report immediately are:
- Exploits to uncommon targets, fragmented scans/probes, overflows, icmp/udp DoS, strange ARP behaviour, robot/bot activity, router redirects/announces, trojan activity both inbound and outbound, mail bombs and virii (if it's more serious than e. g. Win95.Hybris), exaggerated spamming activity, and any other activity "smelling like cracking spirit"...:)

Apart from that we have the following security policy:

I.) First attack/scan/probe: Log, digestify, monitor.

If the attacker is just "nosing around", collect data about him (whois, nslookup, traceroute, nmap). If your adversary tries a few things, drop his route and look if he comes back with similar attack patterns, but with a different IP. Chances are good that he/she sits on a dial-up line; try to find the provider and note down his mail address. Also grep through your archived logs (if there are any) for the attacker's IP.

II.) Second/third/fourth/etc. attack/scan/probe: Drop route, take your log digests and prepare a mail to a) the provider of the attacker, b) your upstream provider, and c) (optionally) registries like CERT. Also, inform your management what's going on in a brief note. It's important to have all the logs of the attacks/scans handy. Before starting any email communication about the issue, exchange public keys and encrypt both your messages and the log data you will send over the wire. If you have a legal department, make sure you coordinate your actions with them.

III.) If the attacks are still coming in via a certain net block and none of your mail complaints have led to cooperation with your network neighbours/providers, collect some more evidence, digestify it, and send it to the attacker's provider again. If there's no other way and you can afford it, drop the whole of the attacker's net block, and send a short note to the provider saying so. That may seem brute-force but it spurs many providers on to finally go into action.

However, it's sometimes hard to distinguish between script kiddie activity and serious attacks. Experience will be helpful here.

Considering your ftp frontpage BoF/upload example I would definitely report that, at least to your networking neighbourhood and/or co-admins. You may have no such frightening IIS/Frontpage extension thingy in your network, but others would (poor fellas!)...

> Anders
> --
> Fortune: Truly great madness can not be achieved without significant
> intelligence.
> -- Henrik Tikkanen

---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
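As an added example (mine, not code from the thread or from either poster), here is the three-tier triage and the first/repeat escalation from Boris's mail written as a small Python log digest. It assumes netfilter LOG and sshd syslog line formats; the sample lines, host name and addresses are constructed, and filing unknown TCP port probes into the weekly tier is my assumption, since the mail does not say where they belong.

```python
# Added example for the three reporting tiers and the escalation steps in the
# mail above; not code from the thread. Sample log lines below are constructed.
import re
from collections import defaultdict

# The three reporting tiers from the policy, ordered by urgency.
LOG_ONLY, WEEKLY, IMMEDIATE = 0, 1, 2
TIER_NAME = {LOG_ONLY: "log-only", WEEKLY: "weekly-digest", IMMEDIATE: "report-now"}

# Actions taken from sections I.) and II.) of the policy.
ACTION_MONITOR = "log; monitor"
ACTION_COLLECT = "collect whois/nslookup/traceroute data; monitor; weekly digest"
ACTION_REPEAT = "drop route; mail provider and upstream with the log digest"
ACTION_REPORT_NOW = "drop route; report now"

SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")
NF_FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens of a netfilter LOG line
# TCP ports whose scans the policy only logs (ftp, rpc/portmap, netbios).
TCP_LOG_ONLY = {21: "ftp scan", 111: "rpc scan", 135: "netbios scan",
                137: "netbios scan", 139: "netbios scan", 445: "netbios scan"}


def classify(line):
    """Return (source_ip, event_kind, tier) for one syslog line, or None when
    the line is nothing the policy tracks."""
    m = SSHD_FAIL.search(line)
    if m:
        return m.group(1), "password guessing", WEEKLY
    if "IN=" not in line:  # not a netfilter LOG line
        return None
    f = dict(NF_FIELD.findall(line))
    src = f.get("SRC")
    if not src:
        return None
    if "FRAG:" in line:  # non-first IP fragment: fragmented scan/probe
        return src, "fragmented probe", IMMEDIATE
    proto = f.get("PROTO", "")
    if proto == "ICMP":
        kind, tier = {"5": ("icmp redirect", WEEKLY),
                      "8": ("ping", LOG_ONLY)}.get(f.get("TYPE"), ("icmp probe", LOG_ONLY))
        return src, kind, tier
    dpt, spt = int(f.get("DPT") or 0), int(f.get("SPT") or 0)
    if dpt == 53 and spt <= 1024:  # dns scan from a privileged source port
        return src, "dns scan from low port", LOG_ONLY
    if proto == "UDP":
        if 33434 <= dpt <= 33534:  # classic UDP traceroute port range
            return src, "traceroute", LOG_ONLY
        return src, "udp scan", WEEKLY
    if proto == "TCP" and dpt in TCP_LOG_ONLY:
        return src, TCP_LOG_ONLY[dpt], LOG_ONLY
    # Assumption: any other probe goes into the weekly digest for a human to judge.
    return src, "%s probe to port %d" % (proto.lower(), dpt), WEEKLY


def digest(lines, seen_before=frozenset()):
    """Group events by source and apply the escalation rules; seen_before holds
    sources already found in archived logs, which count as repeat offenders."""
    per_src = defaultdict(lambda: {"events": 0, "kinds": set(), "tier": LOG_ONLY})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        src, kind, tier = ev
        e = per_src[src]
        e["events"] += 1
        e["kinds"].add(kind)
        e["tier"] = max(e["tier"], tier)
    report = {}
    for src, e in per_src.items():
        if e["tier"] == IMMEDIATE:
            action = ACTION_REPORT_NOW
        elif src in seen_before:
            action = ACTION_REPEAT
        elif e["tier"] == WEEKLY:
            action = ACTION_COLLECT
        else:
            action = ACTION_MONITOR
        report[src] = {"events": e["events"], "kinds": sorted(e["kinds"]),
                       "tier": TIER_NAME[e["tier"]], "action": action}
    return report


# Constructed sample log; addresses are from documentation/benchmark ranges.
SAMPLE_LOG = """\
Aug 20 09:01:12 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=3456 DPT=21 WINDOW=512 RES=0x00 SYN URGP=0
Aug 20 09:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=52 ID=54322 PROTO=TCP SPT=3457 DPT=139 WINDOW=512 RES=0x00 SYN URGP=0
Aug 20 09:02:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TTL=60 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Aug 20 09:05:01 gw kernel: IN=eth0 OUT= SRC=198.18.0.44 DST=198.51.100.2 LEN=60 TTL=44 ID=7 PROTO=UDP SPT=53 DPT=53 LEN=40
Aug 20 09:10:22 gw sshd[1420]: Failed password for root from 192.0.2.55 port 4021 ssh2
Aug 20 09:10:27 gw sshd[1421]: Failed password for invalid user admin from 192.0.2.55 port 4022 ssh2
Aug 20 09:15:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=40 TTL=48 ID=90 PROTO=UDP SPT=40000 DPT=1434 LEN=20
Aug 20 09:20:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 LEN=1500 TTL=50 ID=77 MF FRAG:185 PROTO=TCP SPT=1025 DPT=80 WINDOW=0 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for src, r in sorted(digest(SAMPLE_LOG.splitlines(), {"203.0.113.7"}).items()):
        print(src, r["tier"], r["events"], ", ".join(r["kinds"]), "->", r["action"])
```

Run it directly to print one line per source. The seen_before set stands in for the grep through archived logs that section I.) recommends: a source found there is treated as a repeat offender and gets the section II.) action even when the current batch only shows log-only scans, while a report-now event is escalated regardless of history.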