Blog

Be alerted to outbound SSH connections to new machines from our servers

Goal: Be alerted to outbound SSH connections to new machines from our servers

When an attacker breaks into a server, usually the first thing they do is download their toolkit. To avoid intrusion detection systems, it is not uncommon for the attacker to use SSH. This gives them an encrypted session which cannot be easily monitored.

You can take precautions to prevent this transfer by implementing an outbound firewall rule that prevents outbound SSH sessions.

As an added measure of safety, you can also monitor the SSH files to detect when outbound SSH sessions are generated to unknown systems. This way any previously approved systems will not generate an alert, but new ones will.

Description: Outbound ssh connection to new machine

Monitor:
/etc/ssh/ssh_known_hosts
/root/.ssh/known_hosts
/home/*/.ssh/known_hosts

Related Posts