Cloud Firewall: Disable the installation of unauthorized tools

Last Updated: Nov 27, 2023

In most cases, tools such as Nmap, Masscan, and Pnscan are used to run large numbers of Internet-based scans, and Netcat is used to listen on ports and establish webshell connections. Cloud Firewall can identify and control the unauthorized installation of these tools.

Impacts

This section describes the impacts of the installation of unauthorized tools.

  • Unauthorized operations performed by an employee of an enterprise

    After an employee of an enterprise downloads and installs an unauthorized tool, the employee can use the tool to perform asset mapping on the enterprise, disclose the network topology of the enterprise, and perform other unauthorized operations.

  • Attacks

    After an attacker intrudes into an internal network, the attacker can run the yum and apt-get commands to install unauthorized tools. Based on the network topology that the tools map, the attacker can then move laterally, insert webshells, and steal data.

  • Spreading of worms and trojans

    After worms or other viruses compromise your host, unauthorized tools are downloaded and installed on the host by using scripts. If the tools are used to perform Internet-based scans, various hosts can be compromised.

Operations in the Cloud Firewall console

If you want to disable the installation of unauthorized tools for your Elastic Compute Service (ECS) instance, you can log on to the Cloud Firewall console, choose Intrusion Prevention > Prevention Configuration, and click Customize in the Basic Protection section. In the Customize Basic Protection Policies dialog box, change the mode of some or all related rules to Block. This prevents or minimizes the preceding impacts in an efficient manner.
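
As a host-side complement to the Block rules, the following added example (not part of the Cloud Firewall documentation or product) scans package-manager history for installations of the tools named above through apt-get or yum. The watchlist of package names, the `dpkg.log` and `yum.log` line layouts, and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed package names for the tools the page names (Nmap, Masscan, Pnscan,
# Netcat); adjust to what your distribution's repositories call them.
WATCHLIST = ("nmap", "masscan", "pnscan", "netcat", "ncat", "nc")

# dpkg.log: "2023-11-27 10:15:32 install nmap:amd64 <none> 7.80-2"
DPKG_RE = re.compile(r"^(\S+ \S+) install (\S+) \S+ \S+$")
# yum.log:  "Nov 27 10:16:01 Installed: 2:nmap-ncat-6.40-19.el7.x86_64"
YUM_RE = re.compile(r"^(\w{3} +\d+ \S+) Installed: (?:\d+:)?(\S+)$")


def is_watched(name):
    """True for an exact match or a sub-package such as netcat-openbsd."""
    return any(name == t or name.startswith(t + "-") for t in WATCHLIST)


def find_tool_installs(lines):
    """Return (timestamp, source, package) for each watched install event."""
    hits = []
    for line in lines:
        line = line.strip()
        m = DPKG_RE.match(line)
        if m:
            source, name = "dpkg", m.group(2).split(":")[0]  # drop ":amd64"
        else:
            m = YUM_RE.match(line)
            if not m:
                continue
            # name-version-release.arch: the name is all but the last two fields
            source, name = "yum", m.group(2).rsplit("-", 2)[0]
        if is_watched(name):
            hits.append((m.group(1), source, name))
    return hits


# Constructed sample lines, not taken from a real host.
SAMPLE = [
    "2023-11-27 10:15:32 install nmap:amd64 <none> 7.80+dfsg1-2build1",
    "2023-11-27 10:15:33 status installed nmap:amd64 7.80+dfsg1-2build1",
    "2023-11-27 10:20:01 install curl:amd64 <none> 7.68.0-1ubuntu2",
    "2023-11-27 10:21:44 install netcat-openbsd:amd64 <none> 1.206-1ubuntu1",
    "Nov 27 10:16:01 Installed: 2:nmap-ncat-6.40-19.el7.x86_64",
    "Nov 27 10:17:12 Installed: masscan-1.0.5-1.el7.x86_64",
    "Nov 27 10:19:00 Installed: ncurses-6.1-9.el8.x86_64",
]

if __name__ == "__main__":
    for ts, source, pkg in find_tool_installs(SAMPLE):
        print(f"{ts}  {source:4}  {pkg}")
```

A hit here means the package manager completed the installation, so it is worth checking whether the corresponding rule was in Block mode at that timestamp.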