IDS mailing list archives

Re: ssh and ids


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Jun 2004 16:43:49 -0500

On Tue, 2004-06-22 at 16:35, Bamm Visscher wrote:
> Real quick point. Don't assume the backdoor is going to be listening
> on the server. It's a simple task to instead install a backdoor that
> makes an outbound connection to a central server that lets the
> attacker issue commands on the compromised host. This comm channel
> could be encrypted (reverse ssh) or even use a http proxy.

Heya Bamm,

I'm aware of that. As I said, a firewall even can detect the outbound
connection to the "central server". The question about finding the
listening port was just to highlight that an attacker may (should?) not
hit that listening port when a properly configured firewall denies that
connection. How does your internal IDS pick up that port when no packets
can get to it? That was my point. Periodic port sweeps with tools like
nmap might be the answer.

> With that said, I agree that prevention (Firewalls, IPS, regular
> audits, patch management, etc), is an important factor in network
> defense. But I think the thread here is meant to be focused on
> detection.

Right. My point was that firewalls can detect this as well. I believe we
underestimate the wealth of information hidden in firewall logs. And
they can prevent too :)

Cheers,
Frank
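Frank's point above is that the "call home" of a reverse-connecting backdoor shows up in the firewall's own outbound logs. The script below is an added example (not part of the original thread) that reads constructed iptables-style SYN log lines and flags internal hosts that reconnect to the same external address at a steady interval; the internal address ranges, the log format and the jitter threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Internal address space this firewall protects (assumed for the example).
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed iptables-style log lines for outbound SYNs; not from the thread.
SAMPLE_LOG = """\
Jun 22 16:00:01 fw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40112 DPT=443 SYN
Jun 22 16:03:17 fw kernel: OUT=eth1 SRC=192.168.1.31 DST=203.0.113.50 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 22 16:05:02 fw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40119 DPT=443 SYN
Jun 22 16:10:01 fw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40130 DPT=443 SYN
Jun 22 16:15:03 fw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40141 DPT=443 SYN
Jun 22 16:20:44 fw kernel: OUT=eth1 SRC=192.168.1.31 DST=203.0.113.51 PROTO=TCP SPT=51003 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+) SYN"
)

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def parse(log):
    """Yield (timestamp, src, dst, proto, dport) for each outbound SYN line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year irrelevant for deltas
            yield ts, m["src"], m["dst"], m["proto"], int(m["dpt"])

def find_beacons(log, min_hits=3, jitter=0.2):
    """Return {(src, dst, proto, dport): median_gap_seconds} for internal->external
    flows that reconnect at a steady interval, the 'call home' pattern Frank describes."""
    flows = defaultdict(list)
    for ts, src, dst, proto, dpt in parse(log):
        if is_internal(src) and not is_internal(dst):
            flows[(src, dst, proto, dpt)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Flag only when every gap sits within +/-jitter of the median: regular, not bursty.
        if med > 0 and all(abs(g - med) <= jitter * med for g in gaps):
            beacons[key] = med
    return beacons
```

Running `find_beacons(SAMPLE_LOG)` on the constructed log reports 192.168.1.20 reconnecting to 203.0.113.7:443 roughly every 300 seconds, while the one-off web connections from 192.168.1.31 are ignored.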

