On 2012/12/07 4:19 AM, Andy Smith wrote:
> I was thinking that if customers saw how often these things happen
> to people very much like themselves then it might help remove some
> of the "yeah I've heard of that but it will never happen to me"
> mindset that we all regrettably can fall into.
You could also consider creating another mailing list. Perhaps
"security@bitfolk.com" or "compromise@bitfolk.com"?
Whether you do this or use users@, I would definitely be interested,
even though most of these won't affect me[1].
> It might look something like this:
>
>   Today at around 04:30 we became aware of a customer VPS
>   initiating an abnormal amount of outbound SSH connections (~200
>   per second). The VPS's network access was suspended and customer
>   contacted.
>
>   It was later determined that a user account on the VPS had been
>   accessed starting 3 days ago, via an SSH dictionary attack. The
>   attacker installed another copy of the SSH dictionary attack
>   software and set it going. We do not believe that root access
>   was obtained.
>
> The amount of detail would vary because we may only become aware of
> a compromise when the customer's VPS itself starts perpetrating
> abusive activity, and then we rely on the customer to investigate
> why that is.
Of course.
> No identifying information regarding the affected customer would be
> shared. We already share non-identifying information similar to the
> above to peers within the industry to aid deterrence and detection
> of future abuses.
Of course :)
> Would this sort of posting be welcomed or would it be unwelcome
> noise? If the consensus is that it would be unwelcome noise then I
> may create a new list specifically for it, but I would rather not do
> so as then that is just another list that we have to raise awareness
> of.
I would welcome it.
Heh. Even our company's announce lists have got 100s of mails this year.
Some 1000s.
[1] I allow incoming :1194 UDP (openvpn) and :80 TCP (web) publicly on my
VPS. Without the static openvpn key you can't do anything but browse the
single domain hosted on it. All other access happens via a VPN tunnel.
That said, every service is still secured as if it was public (SSH only
via authorized_keys, etc). So even if openvpn gets compromised you still
need to get through that.
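The sample incident quoted above is detected from the hosting side by a burst of outbound SSH connections (~200 per second) rather than from inside the VPS. The following is an added example, not code from the thread or from BitFolk, showing how a provider-side check of that kind can be written. It assumes a simplified text flow-log format of one record per line ("epoch src_ip dst_ip proto dst_port"), and the rate and distinct-destination thresholds are assumed policy values; the addresses and records are constructed for the example.

```python
"""Flag VPS hosts that open an abnormal number of outbound SSH connections.

Added example, not BitFolk's code. Assumes a simple text flow-log format,
one record per line: "<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>".
"""
from collections import defaultdict

SSH_PORT = 22
RATE_THRESHOLD = 50       # new outbound SSH connections per second (assumed policy value)
DISTINCT_THRESHOLD = 20   # distinct destination hosts in that second (assumed policy value)


def parse_flow(line):
    """Parse one flow record; returns (ts, src, dst, proto, dport) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return int(ts), src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def ssh_bursts(lines):
    """For each source host, find the one-second window with the most outbound SSH
    connections. Returns {src: (peak_connections, distinct_destinations_in_that_second)}."""
    counts = defaultdict(lambda: defaultdict(int))        # src -> ts -> connection count
    targets = defaultdict(lambda: defaultdict(set))       # src -> ts -> set of dst hosts
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                                      # skip malformed records
        ts, src, dst, proto, dport = rec
        if proto != "tcp" or dport != SSH_PORT:
            continue                                      # only outbound SSH matters here
        counts[src][ts] += 1
        targets[src][ts].add(dst)
    peaks = {}
    for src, by_ts in counts.items():
        ts = max(by_ts, key=by_ts.get)
        peaks[src] = (by_ts[ts], len(targets[src][ts]))
    return peaks


def suspicious_hosts(lines, rate=RATE_THRESHOLD, distinct=DISTINCT_THRESHOLD):
    """Hosts whose busiest second exceeds the rate threshold AND touches many distinct
    targets; a normal admin box talks to few SSH servers, a dictionary scanner to many."""
    return sorted(
        src for src, (n, d) in ssh_bursts(lines).items()
        if n > rate and d > distinct
    )


def constructed_sample():
    """Constructed flow records (TEST-NET addresses): one scanning VPS, one normal host,
    and one junk line to exercise the malformed-record path."""
    lines = []
    # 203.0.113.10 sweeps 200 distinct hosts on port 22 within a single second
    for i in range(200):
        lines.append(f"1354852200 203.0.113.10 198.51.100.{i % 250} tcp 22")
    # 203.0.113.20 makes two ordinary admin SSH sessions and some HTTPS traffic
    lines.append("1354852200 203.0.113.20 198.51.100.5 tcp 22")
    lines.append("1354852201 203.0.113.20 198.51.100.5 tcp 22")
    lines.append("1354852201 203.0.113.20 198.51.100.7 tcp 443")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for src, (n, d) in ssh_bursts(sample).items():
        print(f"{src}: peak {n} outbound SSH connections/s to {d} distinct hosts")
    print("suspicious:", suspicious_hosts(sample))
```

Requiring both a high rate and many distinct destinations keeps a legitimate host that hammers one SSH server (a stuck deployment script, say) from being suspended alongside a real scanner; the same two signals also give the customer a concrete starting point for the investigation the quoted report says the provider relies on them to do.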