
RE: [cobalt-security] OT But is a Cobalt/Security issue



John Bailey wrote (after Render-Vue):
> > Is this true then that they can't check or are they 
> > basically saying we can't be bothered cause there's
> > too much going through and it's doesn't justify the
> > man hours to check it your wee problems.
> 
> I think that's entirely down to the config of the proxy.

More than likely, yes. I used to work for the JANET Web Cache Service in the
UK - see http://wwwcache.ja.net -  which, in a randomly sampled week in
January 2000 shipped 3.1TB - yes, Terabytes! - of data, comprising 294
million different objects. That's a lot of logging.

We were actually forced by the terms of reference for the project to log
*everything*, and process those logs for a service level agreement. ISTR we
kept logs for three months, which required a couple of machines with massive
amounts of storage just to archive them. Most ISPs do not need to do this,
since due to privacy laws they are only permitted to keep logs for a short
period and then not divulge anything to third parties.

John however does make a pertinent note, that properly configured proxies
*should* pass an X- header with the source IP in them. Again, for privacy
reasons (and logistical ones too) many do not. It is not written in any
standard, nor is it a requirement AFAIK in law anywhere. At least, nowhere
I've come across is particularly proscriptive about proxies, apart from
perhaps China!

What Chae brings up is a perennial problem for all webserver administrators:
just when do you bother to report things?

It's worth figuring out your own thresholds for things. One formmail attempt
from one address I would ignore, several hundred would have me on the phone
to the source ISP pretty damned quickly. DoS attacks (and I'm talking real
ones here, fragmented ICMP floods for example which saturate lines)
generally have me on the phone to my upstreams to filter it.

Unfortunately there are thousands of people out there trying to anonymise
themselves, for whatever reason. All the readers of this list better get
used to the fact that there will ALWAYS be anomalies in your
webserver/mailserver/system logs. It's just a matter of how to interpret
them, and that's an exercise for each individual or organisation to decide
upon.

Personally? Every day I ignore more and more. The more you see, the less
anomalous it becomes - and it then becomes easier to pick out the *real*
odd, nasty or generally unpleasant behaviour.

(John: retrieval of etc/passwd is often attempted via web pages. It doesn't
often work, unless the webserver software is very badly written, configured
or just old).

Have a good day

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
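The two practical points in the post above, honouring a proxy's X- header with the originating address and setting a per-source threshold before bothering to report anything, can be turned into a small triage script. The following is an added example, not code from the original message or from the list; the log lines, the trusted proxy address, the category names and the threshold values are all constructed for illustration. It reads Apache-style combined log lines with an X-Forwarded-For field appended, attributes each request to a client (taking the forwarded address only when the immediate peer is a proxy we trust, since the header is otherwise client-controlled), counts FormMail-style POSTs and etc/passwd probes per client, and reports only the clients that cross the threshold.

```python
"""Threshold-based triage of web server log anomalies (added example).

Not from the original post. Parses constructed Apache combined-format lines
with an extra quoted X-Forwarded-For field ("-" when the header was absent),
attributes each request to a client address, counts FormMail POSTs and
etc/passwd retrieval attempts per client, and lists the clients at or
above a configurable per-category threshold.
"""
import re
from collections import Counter

# Constructed sample log. The last quoted field is X-Forwarded-For.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2000:10:00:01 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-"
203.0.113.7 - - [12/Jan/2000:10:00:02 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-"
203.0.113.7 - - [12/Jan/2000:10:00:03 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-"
198.51.100.20 - - [12/Jan/2000:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 2048 "-"
198.51.100.20 - - [12/Jan/2000:10:00:05 +0000] "GET /cgi-bin/view.cgi?f=../../etc/passwd HTTP/1.0" 404 310 "-"
192.0.2.10 - - [12/Jan/2000:10:00:06 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "203.0.113.7"
192.0.2.10 - - [12/Jan/2000:10:00:07 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "198.51.100.99"
"""

# Constructed: the one proxy whose X-Forwarded-For we are willing to believe.
TRUSTED_PROXIES = {"192.0.2.10"}

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<xff>[^"]*)"$'
)

# Constructed thresholds: a handful of FormMail POSTs from one address is
# noise, a single passwd probe is always worth a look.
DEFAULT_THRESHOLDS = {"formmail": 3, "passwd_probe": 1}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_ip(peer, xff, trusted_proxies=TRUSTED_PROXIES):
    """Attribute a request to a client address.

    X-Forwarded-For is set by whoever talks to us, so it is honoured only when
    the immediate peer is a proxy we trust. Even then the rightmost entry (the
    one that proxy appended) is used; the leftmost can be forged upstream.
    """
    if peer in trusted_proxies and xff and xff != "-":
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer


def classify(method, path):
    """Map a request to an anomaly category, or None for ordinary traffic."""
    lowered = path.lower()
    if method == "POST" and "formmail" in lowered:
        return "formmail"
    if "etc/passwd" in lowered:
        return "passwd_probe"
    return None


def count_anomalies(log_text):
    """Count anomalous requests keyed by (client address, category)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        cat = classify(rec["method"], rec["path"])
        if cat is None:
            continue
        counts[(client_ip(rec["peer"], rec["xff"]), cat)] += 1
    return counts


def triage(log_text, thresholds=DEFAULT_THRESHOLDS):
    """Return (client, category, count) tuples at or above their threshold,
    busiest first, so the report only lists what is worth a phone call."""
    counts = count_anomalies(log_text)
    alerts = [(ip, cat, n) for (ip, cat), n in counts.items()
              if n >= thresholds.get(cat, float("inf"))]
    return sorted(alerts, key=lambda a: (-a[2], a[0]))


if __name__ == "__main__":
    for ip, cat, n in triage(SAMPLE_LOG):
        print(f"{ip:15} {cat:13} {n}")
```

With the sample above, the three direct FormMail POSTs from 203.0.113.7 plus one more arriving through the trusted proxy add up to four and cross the threshold, the single passwd probe is reported on its own, and the one forwarded POST from 198.51.100.99 stays below the line and is ignored, which is the "pick your own threshold" behaviour the post describes.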