Mailinglist Archive: opensuse (911 mails)

Re: [opensuse] Have I been hacked or "visited"? seccheck and rkhunter outputs
On 12/24/2015 11:44 AM, Greg Freemyer wrote:
> This is one reason companies are moving to using white lists of
> allowed outbound connections. The hope is the command and control
> sites won't be on the white list.
>
> Websense is a major player in that market. And a lot of my customers
> use it or similar.

Yes, but that only works on dedicated-purpose machines with large budgets and
an IT department that delivers employee smack-downs.

Anything upon which the user is apt to run a web browser can't be filtered
in such a way without resorting to a very tightly controlled proxy server
(which simply moves the problem somewhere further away and harder to manage).

I egress filter email ports and a few similar things at the firewall, but when
your users are talking to big mailers (Google, Yahoo, Microsoft) it becomes
almost impossible to keep a list of valid destinations up to date. Connection
addresses end up being pools and you never know what IP the next connection is
going to.

Egress filtering is hard, which is exactly why malware almost always attempts
to use outbound connections, and very often uses standard destination ports
(like 80) and often uses standard protocols.

--
After all is said and done, more is said than done.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
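The thread above argues that a static list of allowed outbound IPs is hard to maintain once destinations become pools, and that malware tends to blend in on ports like 80. An added example (not from the thread or from any product it mentions) of the defensive side of that argument: an egress allowlist expressed as CIDR ranges rather than single IPs, checked against constructed firewall log lines so that connections on watched ports to unlisted destinations are flagged for review. The log format, the ranges and the addresses are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist of permitted outbound destinations (hypothetical ranges).
# Using networks rather than single IPs absorbs the "pool" problem the thread
# describes: a provider's whole published range is allowed, not one address.
ALLOWED_EGRESS = [
    ipaddress.ip_network("192.0.2.0/24"),     # e.g. a mail relay pool
    ipaddress.ip_network("198.51.100.0/24"),  # e.g. an outbound web proxy
]
# Ports where unlisted destinations are worth a second look (web and mail).
WATCHED_PORTS = {80, 443, 25, 587}

# Constructed firewall log lines in a simplified "timestamp src dst dport" format.
SAMPLE_LOG = """\
2015-12-24T11:50:01 10.0.0.5 192.0.2.10 25
2015-12-24T11:50:03 10.0.0.5 198.51.100.7 443
2015-12-24T11:50:09 10.0.0.8 203.0.113.45 80
2015-12-24T11:50:11 10.0.0.8 203.0.113.45 80
2015-12-24T11:50:15 10.0.0.9 203.0.113.99 8443
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return ts, src, ipaddress.ip_address(dst), int(dport)

def is_allowed(dst):
    """True if the destination falls inside any allowlisted network."""
    return any(dst in net for net in ALLOWED_EGRESS)

def find_unlisted_egress(log_text, watched_ports=WATCHED_PORTS):
    """Return {(src, dst, dport): count} for connections on watched ports
    whose destination is not covered by the allowlist."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport = parse_line(line)
        if dport in watched_ports and not is_allowed(dst):
            hits[(src, str(dst), dport)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, port), n in find_unlisted_egress(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} ({n} connections) not on egress allowlist")
```

Only the two port-80 connections to 203.0.113.45 are reported; the 8443 connection is not on a watched port and the others land inside allowlisted ranges.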
