I think the users@ list is sufficiently low volume and the compromise
rate is (I hope) sufficiently low that users@ would be the best place to
do this. If there ends up being enough traffic to warrant a separate
mailing list (heaven forbid), I suggest an announcement on users@ and
the discussion continuing on a separate list would be the way to go.
--
Phil
On 07/12/2012 07:43, Keith Williams wrote:
Great idea
On 7 December 2012 06:05, Peet Grobler <peet(a)peet.za.net> wrote:
On 2012/12/07 4:19 AM, Andy Smith wrote:
I was thinking that if customers saw how often these things happen
to people very much like themselves then it might help remove some
of the "yeah I've heard of that but it will never happen to me"
mindset that we all regrettably can fall into.
You could also consider creating another mailing list. Perhaps
"security(a)bitfolk.com" or "compromise(a)bitfolk.com"?
Whether you do this or use users@, I would definitely be interested,
even though most of these won't affect me[1].
It might look something like this:
Today at around 04:30 we became aware of a customer VPS
initiating an abnormal amount of outbound SSH connections (~200
per second). The VPS's network access was suspended and customer
contacted.
It was later determined that a user account on the VPS had been
accessed starting 3 days ago, via an SSH dictionary attack. The
attacker installed another copy of the SSH dictionary attack
software and set it going. We do not believe that root access
was obtained.
The amount of detail would vary because we may only become aware of
a compromise when the customer's VPS itself starts perpetrating
abusive activity, and then we rely on the customer to investigate
why that is.
Of course.
No identifying information regarding the affected customer would be
shared. We already share non-identifying information similar to the
above to peers within the industry to aid deterrence and detection
of future abuses.
Of course :)
Would this sort of posting be welcomed or would it be unwelcome
noise? If the consensus is that it would be unwelcome noise then I
may create a new list specifically for it, but I would rather not do
so as then that is just another list that we have to raise awareness
of.
I would welcome it.
Heh. Even our company's announce lists have got 100s of mails this
year.
Some 1000s.
[1] I allow incoming :1194UDP (openvpn) and :80TCP (web) publicly on my
vps. Without the static openvpn key you can't do anything but browse the
single domain hosted on it. All other access happens via a VPN tunnel.
That said every service is still secured as if it was public (SSH only
via authorized_keys, etc). So even if openvpn gets compromised you still
need to get through that.
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
--
Keith Williams
www.PhilsArt.co.uk
"Time is an illusion. Lunchtime doubly so." Douglas Adams
He's done it again!
www.justgiving.com/France-The-Wrong-Way
Tailor Made English
www.tmenglish.org