[Snort-sigs] deny default outbound (was Reverse shell)
bet at ...654...
Mon Mar 25 12:14:04 EDT 2013
I've enjoyed some limited success by tying opened outbound protocols with
hardened internal clients.
Few apps seem to legitimately need to do their own DNS, a dnscache as part
of the firewall plant seems to go over well.
Not too many more need to do their own SMTP, a postfix or qmail seems to
HTTP is a dumping ground for wickedness, but if you can pick a web browser
that doesn't have a lethally bad security record, and allow only it to pass
directly, and route all others through a proxy, the complaints will
highlight apps that are abusing the protocol to bypass security.
The folks I've met with legitimate need to ssh outbound seem to be more
technically savvy, and a proxy-enabled ssh client plus tight logging seems
to be an adequate compromise.
For other problems, like multimedia chatting, I offer a client installed on
a server in the DMZ, with ssh or vnc access from the inside.
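A minimal nftables ruleset for the policy sketched above, added here as an example and not part of the original post; interface names, addresses and the chat host are constructed placeholders, and the dnscache is assumed to be a separate host in the firewall plant.

```nft
#!/usr/sbin/nft -f
# Default-deny egress on a gateway's forward path, with the exceptions
# described above. Interfaces and addresses are constructed placeholders.

define lan_if     = "eth1"            # internal network
define wan_if     = "eth0"            # upstream link
define dmz_if     = "eth2"            # DMZ holding the chat client host
define dns_cache  = 10.0.0.53         # dnscache in the firewall plant (assumed host)
define mail_relay = 10.0.0.25         # postfix/qmail relay
define direct_web = { 10.0.0.80, 10.0.1.0/24 }  # HTTP proxy plus vetted browser hosts
define ssh_users  = { 10.0.2.0/24 }   # hosts with proxy-enabled ssh clients
define chat_host  = 192.0.2.10        # DMZ server running the multimedia client

table inet egress {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # DNS: only the cache may resolve externally; clients must use it
        iifname $lan_if oifname $wan_if ip saddr $dns_cache udp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $dns_cache tcp dport 53 accept

        # SMTP: only the relay talks to the world
        iifname $lan_if oifname $wan_if ip saddr $mail_relay tcp dport 25 accept

        # HTTP(S): the proxy and the vetted browser hosts go direct; any other
        # host trying 80/443 falls through to the deny log below
        iifname $lan_if oifname $wan_if ip saddr $direct_web tcp dport { 80, 443 } accept

        # ssh: only the identified users, with every new session logged
        iifname $lan_if oifname $wan_if ip saddr $ssh_users tcp dport 22 ct state new log prefix "egress-ssh: " accept

        # Multimedia chat: reach the DMZ client over ssh or vnc, never directly;
        # the DMZ host itself is the only one allowed out for that traffic
        iifname $lan_if oifname $dmz_if ip daddr $chat_host tcp dport { 22, 5900 } accept
        iifname $dmz_if oifname $wan_if ip saddr $chat_host accept

        # Everything else is a bypass attempt worth seeing before it is dropped
        iifname $lan_if oifname $wan_if limit rate 10/second log prefix "egress-deny: " drop
    }
}
```

Reviewing the "egress-deny:" log entries is what surfaces the applications doing their own DNS, SMTP or HTTP instead of using the sanctioned path.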