IDS mailing list archives
Re: ssh and ids
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Jun 2004 16:43:49 -0500
On Tue, 2004-06-22 at 16:35, Bamm Visscher wrote:
> Real quick point. Don't assume the backdoor is going to be listening on the server. It's a simple task to instead install a backdoor that makes an outbound connection to a central server that lets the attacker issue commands on the compromised host. This comm channel could be encrypted (reverse ssh) or even use a http proxy.

Heya Bamm, I'm aware of that. As I said, a firewall can even detect the outbound connection to the "central server". The question about finding the listening port was just to highlight that an attacker may (should?) not hit that listening port when a properly configured firewall denies that connection. How does your internal IDS pick up that port when no packets can get to it? That was my point. Periodic port sweeps with tools like nmap might be the answer.

> With that said, I agree that prevention (Firewalls, IPS, regular audits, patch management, etc), is an important factor in network defense. But I think the thread here is meant to be focused on detection.

Right. My point was that firewalls can detect this as well. I believe we underestimate the wealth of information hidden in firewall logs. And they can prevent too :)

Cheers,
Frank
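The two detection ideas in Frank's reply, a periodic port sweep to find a listener the firewall hides from the network IDS and mining the firewall's own outbound logs for the reverse channel Bamm describes, as an added example that is not part of the original thread or anyone's posted code. The nmap -oG output, the iptables-style LOG lines, the host addresses, the per-host expected-port table and the destination allowlist are all constructed here for illustration; a real deployment would feed it the sweep and log files directly.

```python
"""Added example, not from the original thread. Input data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# --- 1. Periodic port sweep vs. what each host is supposed to expose -------

# Constructed nmap greppable (-oG) output for two internal hosts.
SWEEP = """\
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh///, 31337/open/tcp/////\tIgnored State: closed (998)
"""

# Hypothetical baseline: the TCP ports each host is expected to listen on.
EXPECTED = {"10.0.1.10": {22, 443}, "10.0.1.11": {22}}

_PORTS_RE = re.compile(r"^Host: (\S+) .*Ports: (.*)$")

def parse_sweep(text):
    """Return {host: {open TCP ports}} parsed from nmap -oG lines."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = _PORTS_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            # -oG port entry: port/state/proto/owner/service/rpc/version
            f = entry.strip().split("/")
            if len(f) >= 3 and f[1] == "open" and f[2] == "tcp":
                found[host].add(int(f[0]))
    return dict(found)

def new_listeners(sweep_text, expected):
    """Open ports outside the host's baseline: backdoor candidates the
    perimeter firewall would keep a network IDS from ever seeing traffic to."""
    result = {}
    for host, ports in parse_sweep(sweep_text).items():
        extra = ports - expected.get(host, set())
        if extra:
            result[host] = extra
    return result

# --- 2. Outbound connections in the firewall log ---------------------------

# Constructed iptables LOG lines for outbound TCP from the inside interface.
FW_LOG = """\
Jun 22 16:40:01 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=80 SYN URGP=0
Jun 22 16:40:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=443 SYN URGP=0
Jun 22 16:41:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.5 PROTO=TCP SPT=41240 DPT=443 SYN URGP=0
Jun 22 16:41:30 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.5 PROTO=TCP SPT=41241 DPT=443 ACK URGP=0
Jun 22 16:42:06 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.5 PROTO=TCP SPT=41250 DPT=443 SYN URGP=0
Jun 22 16:43:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.5 PROTO=TCP SPT=41261 DPT=443 SYN URGP=0
Jun 22 16:44:00 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=192.0.2.7 PROTO=TCP SPT=50002 DPT=22 SYN URGP=0
"""

# Hypothetical allowlist of (destination, port) pairs internal hosts may reach.
ALLOWED_DST = {("198.51.100.10", 80)}

_TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
_KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_fw_log(text):
    """Return [(timestamp, src, dst, dport)] for each logged outbound TCP SYN
    (new connection attempts only; ACK-only lines are mid-connection noise)."""
    events = []
    for line in text.splitlines():
        m = _TS_RE.match(line)
        if not m or "SYN" not in line.split():
            continue
        kv = dict(_KV_RE.findall(line))
        if kv.get("PROTO") != "TCP" or not kv.get("OUT"):
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, kv["SRC"], kv["DST"], int(kv["DPT"])))
    return events

def suspicious_outbound(log_text, allowed, min_hits=3, jitter=5):
    """Flag flows to destinations outside the allowlist, and flows whose SYNs
    recur at a steady interval (a reverse shell or beacon checking in)."""
    events = parse_fw_log(log_text)
    unlisted = {(s, d, p) for _, s, d, p in events if (d, p) not in allowed}
    by_flow = defaultdict(list)
    for ts, s, d, p in events:
        by_flow[(s, d, p)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:       # near-constant period
            beacons[flow] = round(sum(gaps) / len(gaps))
    return {"unlisted": unlisted, "beacons": beacons}

if __name__ == "__main__":
    print("unexpected listeners:", new_listeners(SWEEP, EXPECTED))
    print("outbound findings:", suspicious_outbound(FW_LOG, ALLOWED_DST))
```

The sweep check only works if the sweep runs from inside the firewall, on the same side as the suspect hosts, which is exactly the gap Frank describes. The beacon check keys on (source, destination, port) and looks at timing rather than destination reputation, so it still fires when the channel rides an allowed destination such as the HTTP proxy Bamm mentions, provided the proxy connections themselves are logged per flow.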