Great idea
On 2012/12/07 4:19 AM, Andy Smith wrote:You could also consider creating another mailing list. Perhaps
> I was thinking that if customers saw how often these things happen
> to people very much like themselves then it might help remove some
> of the "yeah I've heard of that but it will never happen to me"
> mindset that we all regrettably can fall into.
"security@bitfolk.com" or "compromise@bitfolk.com"?
Whether you do this or use users@, I would definitely be interested,
even though most of these won't affect me[1].
Of course.
> It might look something like this:
>
> Today at around 04:30 we became aware of a customer VPS
> initiating an abnormal amount of outbound SSH connections (~200
> per second). The VPS's network access was suspended and customer
> contacted.
>
> It was later determined that a user account on the VPS had been
> accessed starting 3 days ago, via an SSH dictionary attack. The
> attacker installed another copy of the SSH dictionary attack
> software and set it going. We do not believe that root access
> was obtained.
> The amount of detail would vary because we may only become aware of
> a compromise when the customer's VPS itself starts perpetrating
> abusive activity, and then we rely on the customer to investigate
> why that is.
Of course :)
> No identifying information regarding the affected customer would be
> shared. We already share non-identifying information similar to the
> above to peers within the industry to aid deterrence and detection
> of future abuses.
I would welcome it.
> Would this sort of posting be welcomed or would it be unwelcome
> noise? If the consensus is that it would be unwelcome noise then I
> may create a new list specifically for it, but I would rather not do
> so as then that is just another list that we have to raise awareness
> of.
Heh. Even our company's announce lists have got 100s of mails this year.
> https://lists.bitfolk.com/mailman/listinfo/announce
> http://lists.bitfolk.com/lurker/list/announce.html
>
> (just 19 threads this year)
Some 1000s.
[1] I allow incoming :1194UDP (openvpn) and :80TCP(web) publicly on my
vps. Without the static openvpn key you can't do anything but browse the
single domain hosted on it. All other access happen via a VPN tunnel.
That said every service is still secured as if it was public (SSH only
via authorized_keys, etc). So even if openvpn gets compromised you still
need to get through that.
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users