Firewall Wizards mailing list archives
RE: ssh holes? trojans?
From: <havoc () chipsworld llamas net>
Date: Tue, 19 Sep 2000 20:34:53 -0400 (EDT)
I find it difficult to believe that instead of implementing good security measures you just monitor the traffic going through the firewall. I believe one of your duties should be to enforce good network skills and habits; allowing telnet and disallowing ssh certainly isn't helping. Perhaps you should look into a product that interacts with your gateway/firewall to search email, ftp, and http. There are certain products which can scan mail attachments and ftp xfers for viruses and also scan the subject/body of emails for prohibited texts such as 'resume' or 'sex'.

I wouldn't allow telnet out (or in) of my network because of the insecurities of cleartext passwords. If users are sshing, telnetting, or whatever to their home machine, and you (as your company) have a problem with it (or your corporate security policy forbids it) -- perhaps you should not allow this traffic, period.

To answer your question about trojaned ssh daemons: you bet there are plenty out there. I have my own precompiled daemon that I install on, let's just say, questionable machines. Perhaps you aren't looking in the right location for the code -- but it's definitely out there.

IMHO, drop the ssh proxy idea.

-havoc

-----Original Message-----
From: Gregory Hicks [mailto:ghicks () cadence com]
Sent: Monday, September 18, 2000 6:28 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] ssh holes? Trojans?

We have a requirement to monitor, for legal reasons, everything that goes off the company network. Recently, we closed access to port 22 (ssh). The reasoning was that we could monitor things like ftp, telnet, mail, et al. because when these data streams crossed the firewall, they were '...in the clear (unencrypted).' And yes, I know that ssh can be tunneled on any other port... With ssh, the data stream is encrypted at the user's workstation and tunnels 'through' the firewall so we never get a chance to monitor it.

In addition, there have been 'strange' networks (like the internet) showing up on our network monitoring facilities. (None now, but there may be again.) Unfortunately, we have not been able to 'catch' anyone 'in the act' as it were... Users have been infected with viruses that no-one else in the company 'catches'. Anyway, we now believe that these 'occurrences' were caused when users connected their home machines with their office workstations and 'stuff' on the home net crossed over to the corporate interface.

Now then, what we would like to do is to set up an ssh 'proxy' inside the DMZ so that whatever is passed to the sshd on the proxy host crosses our monitoring hosts 'in the clear'. Does anyone know of such a beast? Has anyone used it? I only found an unfinished section of C code...

After hearing from another source (an employee discussed our 'new' policy with their SO at home), we 'heard' that there are ssh 'trojans'... Any truth to the rumor? I haven't been able to find any info on this.

Assist appreciated in advance.

Regards,
Gregory Hicks

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards