SSH Tunnel Over Squid
Hi,
I have a GW that gives access to uncontrolled users by means of a Squid
proxy that supports the HTTP and HTTPS protocols. Besides this and the DHCPD,
the rest is strictly closed.
A few days ago, I detected an SSH server running on port 80 of a remote
computer (on the Internet), which a very skilful user of my network was
accessing. I thought then that this user was making a tunnel over the
proxy.
Meticulously controlling the traffic of this user's IP/MAC, I am almost
sure that right now this user is making a tunnel over Squid with the
HTTPS protocol using the CONNECT method (since I have this method
deactivated on Squid for HTTP).
I have thought of various ways to stop this traffic:
1- Deny the user's IP from inside my network. However, I don't think
this is the correct solution, because if the user wanted to, he could
just set another IP with another MAC if necessary and start making
the tunnel again.
2- Deny the external IP to which the user connects (even if it was only
the association of IP and port 443). However, I don't think this is a good
solution either because he could just host the SSH daemon on a
different computer.
3- Deny the CONNECT method for HTTPS, which as far as I know would
prevent making the tunnel. But this option has the negative consequence
of not being able to use HTTPS (which is essential).
4- Detection of tunnels on HTTPS inside of the GW. I think this is the
correct option, because it is possible that more tunnels will be made,
and that I will not be aware of their existence.
Searching for methods or tools to detect tunnels, I found
"tcpstatflow", which supposedly does what I need. However, in a reduced
testing environment I have not been able to detect some tunnels made
with PuTTY, and there are more ways to make them. I have also thought
about using the l7-filter patch and seeing if I detect SSH traffic
on other strange ports, although according to the web it consumes too
many resources because of the type of analysis it performs with the
string "^ssh-[12]\.[0-9]".
My question is: Have you ever had this problem? How did you solve it? Is
there an effective way to detect and deny SSH tunnels on HTTPS?
My intention is to get rid of this traffic in an automatic way, leaving
only legitimate connections.
Best regards and thanks for your help!
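Added example (not from the original post or from Squid, tcpstatflow or l7-filter): a small classifier for the first application bytes that flow through an already-established CONNECT tunnel, using the l7-filter SSH pattern quoted in the post. Since SSH inside CONNECT is not wrapped in TLS, the banner is visible in the clear, and a legitimate HTTPS tunnel instead starts with a TLS handshake record. It assumes the gateway operator can obtain the first bytes of each tunnel in both directions (for instance from a capture on the proxy's outbound interface; Squid itself does not expose tunnel payload), and it checks the server side too because some clients, PuTTY among them, wait for the server's banner before sending their own. All sample observations are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Pattern quoted in the post (l7-filter's ssh pattern). Real banners read
# "SSH-2.0-..." in upper case, so it is matched case-insensitively as l7-filter does.
SSH_BANNER = re.compile(rb"^ssh-[12]\.[0-9]", re.IGNORECASE)


def classify_payload(first_bytes: bytes) -> str:
    """Classify the first application bytes seen in one direction of a CONNECT tunnel.

    Returns "ssh", "tls" or "unknown". TLS is recognised by its record header:
    content type 0x16 (handshake), version major 0x03, and a handshake type of
    ClientHello (0x01) or ServerHello (0x02) at offset 5.
    """
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] in (0x01, 0x02)):
        return "tls"
    return "unknown"


@dataclass
class TunnelObservation:
    client: str          # client IP behind the proxy
    target: str          # host:port taken from the CONNECT request line
    client_first: bytes  # first bytes the client sent into the tunnel (b"" if none yet)
    server_first: bytes  # first bytes the remote server sent back


def classify_tunnel(obs: TunnelObservation) -> str:
    """Look at both directions: a client that waits for the server banner
    (PuTTY-style) sends nothing first, so the server side decides."""
    for payload in (obs.client_first, obs.server_first):
        verdict = classify_payload(payload)
        if verdict != "unknown":
            return verdict
    return "unknown"


def find_ssh_tunnels(observations):
    """Return (client, target) pairs whose CONNECT tunnel carries SSH rather than TLS."""
    return [(o.client, o.target) for o in observations if classify_tunnel(o) == "ssh"]


# Constructed sample observations (hypothetical addresses, not captured traffic).
SAMPLE = [
    # Legitimate HTTPS: TLS ClientHello one way, ServerHello back.
    TunnelObservation("10.0.0.5", "www.example.com:443",
                      bytes.fromhex("160301") + b"\x00\x20\x01" + b"\x00" * 31,
                      bytes.fromhex("160303") + b"\x00\x20\x02" + b"\x00" * 31),
    # SSH over CONNECT, client banner sent immediately.
    TunnelObservation("10.0.0.7", "203.0.113.10:443",
                      b"SSH-2.0-OpenSSH_7.4\r\n",
                      b"SSH-2.0-OpenSSH_8.9\r\n"),
    # SSH over CONNECT, client waited for the server banner first.
    TunnelObservation("10.0.0.9", "198.51.100.20:443",
                      b"",
                      b"SSH-1.99-Dropbear\r\n"),
    # Plain HTTP pushed through CONNECT: not SSH, not TLS.
    TunnelObservation("10.0.0.11", "198.51.100.30:443",
                      b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for client, target in find_ssh_tunnels(SAMPLE):
        print(f"SSH over CONNECT: {client} -> {target}")
```

Only the first handful of bytes per direction are inspected, so the cost is a fixed-size prefix check per tunnel rather than the continuous stream scan the post attributes to l7-filter. A tunnel classified as "unknown" (neither a TLS handshake nor an SSH banner on port 443) is itself worth logging, since a legitimate HTTPS client should always open with a ClientHello.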