Re: ssh and ids
From: Frank Knobbe (frank_at_knobbe.us)
Date: 06/22/04
- Previous message: Drew Copley: "RE: ssh and ids"
- Maybe in reply to: Runion Mark A FGA DOIM WEBMASTER(ctr): "ssh and ids"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Bamm Visscher <bamm.visscher@gmail.com>
Date: Tue, 22 Jun 2004 16:43:49 -0500
On Tue, 2004-06-22 at 16:35, Bamm Visscher wrote:
> Real quick point. Don't assume the backdoor is going to be listening
> on the server. It's a simple task to instead install a backdoor that
> makes an outbound connection to a central server that lets the
> attacker issue commands on the compromised host. This comm channel
> could be encrypted (reverse ssh) or even use a http proxy.
Heya Bamm,
I'm aware of that. As I said, a firewall even can detect the outbound
connection to the "central server". The question about finding the
listening port was just to highlight that an attacker may (should?) not
hit that listening port when a properly configured firewall denies that
connection. How does your internal IDS pick up that port when no packets
can get to it? That was my point. Periodic port sweeps with tools like
nmap might be the answer.
> With that said, I agree that prevention (Firewalls, IPS, regular
> audits, patch management, etc), is an important factor in network
> defense. But I think the thread here is meant to be focused on
> detection.
Right. My point was that firewalls can detect this as well. I believe we
underestimate the wealth of information hidden in firewalls logs. And
they can prevent too :)
Cheers,
Frank
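Frank's two points above, that the firewall sees the attacker's blocked attempts to reach a listening backdoor port and that it also logs the outbound connection a reverse-connecting backdoor makes to its "central server", can both be mined from ordinary firewall logs. The following is an added example, not code from anyone in this thread: it parses constructed iptables-style log lines (sample data, not real traffic), flags internal hosts that check in to one unlisted external destination at a near-constant interval, and counts inbound packets the firewall dropped for an unusual port on an internal host. The `FW-ACCEPT`/`FW-DROP` log prefixes, the 10/8 internal range and the allow-list of known external services are assumptions chosen for the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-style firewall log lines (sample data, not from the thread).
SAMPLE_LOG = """\
Jun 22 16:40:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=443
Jun 22 16:40:02 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=80
Jun 22 16:45:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=40002 DPT=443
Jun 22 16:50:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=40003 DPT=443
Jun 22 16:51:13 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.99 DST=10.0.0.5 PROTO=TCP SPT=3344 DPT=31337
Jun 22 16:52:40 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.99 DST=10.0.0.5 PROTO=TCP SPT=3345 DPT=31337
Jun 22 16:55:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=40004 DPT=443
"""

# Field layout of the constructed log prefix (assumed, matches the sample above).
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<action>FW-\w+) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Assumption: 10/8 is the internal network behind the firewall.
def is_internal(ip):
    return ip.startswith("10.")

# Constructed allow-list of external services the site is known to use.
KNOWN_GOOD_DST = {"198.51.100.20"}


def parse(log_text):
    """Turn raw log lines into dicts; the timestamp becomes seconds since midnight."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel message, skip it
        d = m.groupdict()
        h, mi, s = (int(x) for x in d["time"].split(":"))
        d["ts"] = h * 3600 + mi * 60 + s
        events.append(d)
    return events


def outbound_beacons(events, min_hits=3, jitter=30):
    """Flag internal hosts that repeatedly connect to the same unlisted external
    destination:port at a near-constant interval (a reverse-connecting backdoor
    checking in with its controller looks exactly like this in the firewall log)."""
    flows = defaultdict(list)
    for e in events:
        if e["action"] != "FW-ACCEPT" or not is_internal(e["src"]) or is_internal(e["dst"]):
            continue
        if e["dst"] in KNOWN_GOOD_DST:
            continue
        flows[(e["src"], e["dst"], e["dpt"])].append(e["ts"])
    findings = []
    for (src, dst, dpt), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:  # regular cadence within the jitter budget
            findings.append({"src": src, "dst": dst, "dpt": dpt,
                             "hits": len(times), "interval": round(sum(gaps) / len(gaps))})
    return findings


def denied_inbound_probes(events, min_hits=2):
    """Count inbound packets the firewall dropped on their way to an internal host.
    Repeated drops for one odd port on one host are the trace the internal IDS never
    sees, because the packets never reach the segment it monitors."""
    counts = Counter()
    for e in events:
        if e["action"] == "FW-DROP" and is_internal(e["dst"]) and e["dpt"]:
            counts[(e["src"], e["dst"], e["dpt"])] += 1
    return [{"src": k[0], "dst": k[1], "dpt": k[2], "drops": n}
            for k, n in counts.items() if n >= min_hits]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in outbound_beacons(evs):
        print("beacon:", f)
    for f in denied_inbound_probes(evs):
        print("denied inbound:", f)
```

On the sample, 10.0.0.5 checking in to 203.0.113.7:443 every 300 seconds is reported as a beacon while 10.0.0.8's single connection to an allow-listed service is not, and the two dropped packets from 192.0.2.99 to 10.0.0.5:31337 surface as a denied inbound probe. In practice the allow-list comes from an inventory of sanctioned external services and the jitter budget is tuned per site, but the two queries are the same ones a periodic review of firewall logs would run.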