
Re: [cobalt-users] OT Hosting company scanning my Cobalt

> > My question is, is it normal practice for hosting companies
> > to do this sort of thing without first consulting the owners
> > of the machines?
>
> My host was doing something similar and I added the IP to the deny file.

I have had some experience in this area. I currently host at 2 different
data centers, both of which have caused me problems with their
monitoring/scanning programs.

Data center 1 and I went a few rounds (including conference calls between VP
of Operations and the data center manager) after they shut down my box
twice. The first time I had only had the server for a few months when I got
up one morning and found it dead. I called the data center and they tell me
they shut it down at 2:30am as it was infected with Trinoo and was attacking
others. I finally convinced the guy it was patched and it wasn't likely, and
he turned it back on. I let him go through it and he agrees. It appears that
PortSentry (or something) was causing it to show as an open port in their
scan or something. They never checked bandwidth usage to see that I wasn't
attacking anyone (I didn't have any REAL traffic on the box at the time).

Then on Easter Sunday, they did it to me again. This time, however, I
couldn't convince the tech to turn it back on until they got an engineer in
to verify it was clean. This time it took them until the afternoon to get it
back on - I was still fighting with the guys during Easter dinner at my
parents'. I was beside myself. If they simply looked at my bandwidth usage,
they would see I wasn't attacking anybody. Needless to say it got pretty
nasty in the wake of that one. Long story short, the data center guy and I
rewrote their corporate security policies (and we included a clause that
says "don't shut down Rick's box without talking to the data center manager
first"). Things have been fine since. :)

Data center 2 and I went a round less than a week ago, a day after
installing the SHP patch. Their automated monitoring system (which they
previously swore wasn't monitoring my system) got locked out as a port scan.
Thus, it triggered an alert. The (new) tech tried to ping my box then
traceroute it. Of course both failed as I don't allow them on my box. She
immediately sent me an email telling me my server was down and that she was
going to reboot it for me. How nice - NOT! Despite my quick call to the data
center, it got rebooted anyhow. If she had bothered to actually try to surf to
any of the IPs, they would have worked fine (I was actually in the admin
console at the time of the first email).

So, my experience says that if they are doing a good job of the scanning and
know what the heck they are doing, it's probably not a bad thing. But
realistically, they will screw up eventually and the result will equal
downtime for you. What I think IS important is that you realize/detect they
are doing it so a) you don't freak out and b) you know your detection
systems are working. IMHO, though, I would prefer them not to do anything as
it is possible that they could inadvertently crash your box. Especially if
the new tech is running the scans. If they found something and prevented me
from getting hacked, I guess I would be happy. By the same token, if you need
them in the first place, you probably aren't doing enough to protect your
box anyhow. Get yourself a Linux box with nmap and nessus installed (VERY
easy), hook it up to your home network and scan yourself once in a while.
Maybe some of the other tools out there. Know what the hackers are doing and
the tools they are using - it will be invaluable to you - guaranteed!

Another thing that is a must for dealing with the above (I learned this on
Easter Sunday) is to have Tripwire or some file integrity software in place
such that you can determine/prove quickly/reliably whether or not your box
is compromised. It may save a few hours in getting it back on when they turn
you off.

My 2 cents.
Rick
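The file-integrity point above (being able to show a data center quickly and reliably whether a box is clean) is the kind of thing Tripwire does. As an added illustration, not code from this post or from the cobalt-users list, here is a minimal baseline-and-compare checker in the same spirit: it records a SHA-256, size and mode for every regular file under a root, and later reports what was added, removed or modified. The function names and the tiny constructed directory tree in `demo()` are my own assumptions for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular file under root.

    Symlinks are skipped on purpose: following them would let a link planted
    by an intruder point the checker at unrelated content.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy off the box (read-only media or
    another host); a baseline stored on the monitored system can be rewritten by
    whoever compromised it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines; returns sorted lists so the output is stable."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)
        baseline = load_baseline(baseline_path)
        baseline.pop("baseline.json", None)  # the baseline file itself is not monitored

        # Simulated tampering: replaced binary, new file, deleted config.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary\n")
        (root / "bin" / "extra_helper").write_bytes(b"x")
        (root / "etc" / "passwd").unlink()

        current = build_baseline(root)
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` right after a clean install and again after every patch, and save the result somewhere the box cannot write to; a later `compare` against the current tree is then the quick, reproducible answer to "is it clean?" that the post describes needing. Note that this catches changes to files only; like any host-based check it cannot vouch for the kernel it runs on.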