SSH and Intrusion Detection

SSH and Intrusion Detection (PDF, 1.99MB)
Published: 17 Mar, 2002
Created by: Heather Larrieu

Widespread use of the SSH protocol greatly reduces the risk of remote computer access by encrypting usernames and passwords that would otherwise be transmitted in clear text. Prior to the use of SSH, packet sniffing, which allows malicious users to watch for the login process in the clear text packet traffic on a network segment, was an easy method for a malicious user to gain unauthorized access to a machine. Unfortunately, use of SSH might allow a malicious user to bypass intrusion detection systems because it encrypts the data payload and can tunnel protocols. This paper outlines the role of the SSH protocol and the issues with its use, describes types and methods of intrusion detection, and proposes techniques and an architecture for an intrusion detection system that uses the SSH daemon as a sensor.