
SSH Tunnel Over Squid

I have a GW that gives access to uncontrolled users by means of a SQUID proxy that supports the HTTP and HTTPS protocols. Besides this and the DHCPD, the rest is strictly closed.

A few days ago, I detected an SSH server running on port 80 of a remote computer (on the Internet), which a very skilful user of my network was accessing. I thought then that this user was making a tunnel over the proxy.

Meticulously controlling the traffic of this user's IP/MAC, I am almost sure that right now this user is making a tunnel over the SQUID with the HTTPS protocol using the CONNECT method (since I have this method deactivated on the SQUID for HTTP).

I have thought of various ways to stop this traffic:

1- Deny the user's IP from inside my network. However, I don't think this is the correct solution, because if the user wanted to, he could just set another IP with another MAC if necessary and start making the tunnel again.

2- Deny the external IP to which the user connects (even if only the association of IP and port 443). However, I don't think this is a good solution either, because he could just put the SSH daemon on a different computer.

3- Deny the CONNECT method for HTTPS, which as far as I know would prevent making the tunnel. But this option has the negative consequence of not being able to use HTTPS (which is essential).

4- Detection of tunnels on HTTPS inside the GW. I think this is the correct option, because it is possible that more tunnels will be made and that I will not be aware of their existence.

Searching for methods or tools to detect tunnels, I found "tcpstatflow", which supposedly does what I need. However, in a reduced testing environment I have not been able to detect some tunnels made with PuTTY, and there are more ways to make them. I have also thought about using the l7-filter patch and seeing if I detect SSH traffic on other strange ports, although according to the web it consumes too many resources because of the type of analysis it makes for the string "^ssh-[12]\.[0-9]".

My question is: Have you ever had this problem? How did you solve it? Is there an effective way to detect and deny SSH tunnels on HTTPS?

My intention is to get rid of this traffic in an automatic way, leaving only legitimate connections.

Best regards and thanks for your help!
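As an added example, not taken from the original post, from tcpstatflow or from the Squid or l7-filter projects, the following Python puts option 4 into practice from the proxy operator's side. It does two things: a heuristic pass over Squid's native access.log that flags CONNECT sessions to non-HTTPS ports and sessions that stay open far longer than a browser's HTTPS request would, and the same check l7-filter's "^ssh-[12]\.[0-9]" pattern performs, applied to the first bytes seen inside an established tunnel so that a genuine TLS ClientHello can be told apart from an SSH identification string (which SSH always sends in cleartext before any encryption starts). The log lines, addresses, client banner and the 60-second threshold are constructed sample data and assumptions to be tuned to your own site.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format (assumption: your
# Squid writes the default native format):
#   timestamp elapsed_ms client result/status bytes method url user hierarchy type
# Addresses are documentation ranges, not real hosts.
SAMPLE_ACCESS_LOG = """\
1300000000.001     312 10.0.0.21 TCP_TUNNEL/200 48213 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1300000000.015  185000 10.0.0.42 TCP_TUNNEL/200 9210344 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1300000000.020     102 10.0.0.21 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1300000000.030    4100 10.0.0.42 TCP_DENIED/403 0 CONNECT 198.51.100.7:22 - HIER_NONE/- text/html
"""

# Only the leading fields are needed; everything after the URL is ignored.
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass
class ConnectEvent:
    client: str
    host: str
    port: int
    elapsed_ms: int
    bytes_: int
    status: int


def parse_connect_events(log_text):
    """Extract every CONNECT request from native-format Squid log text."""
    events = []
    for line in log_text.splitlines():
        m = SQUID_NATIVE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        host, _, port = m.group("url").rpartition(":")
        events.append(ConnectEvent(
            client=m.group("client"),
            host=host,
            port=int(port),
            elapsed_ms=int(m.group("elapsed_ms")),
            bytes_=int(m.group("bytes")),
            status=int(m.group("result").split("/")[1]),
        ))
    return events


def suspicious_connects(events, max_ms=60_000, allowed_ports=(443,)):
    """Heuristic triage of CONNECT sessions.

    Flags CONNECTs to ports other than the HTTPS port (even denied attempts,
    since they show someone probing the proxy) and successful sessions that
    lived longer than max_ms: a page fetch finishes in seconds, while an
    interactive SSH session tends to stay open for minutes or hours.
    Thresholds are assumptions; tune them to your own traffic.
    """
    flagged = []
    for e in events:
        reasons = []
        if e.port not in allowed_ports:
            reasons.append("non-https port")
        if e.status == 200 and e.elapsed_ms > max_ms:
            reasons.append("long-lived")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# The check l7-filter's ssh pattern performs, matched case-insensitively as l7 does.
SSH_BANNER = re.compile(rb"^ssh-[12]\.[0-9]", re.IGNORECASE)


def classify_tunnel_payload(first_bytes):
    """Classify the first bytes carried inside an established CONNECT tunnel.

    A real HTTPS session opens with a TLS record header: content type 0x16
    (handshake) and a 0x03 major version byte. An SSH session opens with the
    cleartext identification string "SSH-x.y-..." from RFC 4253, which both
    peers send before anything is encrypted, so it is visible to the proxy.
    """
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"


if __name__ == "__main__":
    for event, reasons in suspicious_connects(parse_connect_events(SAMPLE_ACCESS_LOG)):
        print(f"{event.client} -> {event.host}:{event.port} "
              f"({event.elapsed_ms} ms, {event.bytes_} bytes): {', '.join(reasons)}")
    # Constructed probes: a TLS ClientHello prefix and a PuTTY-style SSH banner.
    for probe in (b"\x16\x03\x01\x00\xc4\x01\x00", b"SSH-2.0-PuTTY_Release_0.70\r\n"):
        print(probe[:12], "->", classify_tunnel_payload(probe))
```

The log pass needs nothing beyond Squid's own access.log, so it can run from cron and feed a deny ACL. The banner check needs a capture point that sees the tunnel payload, for example a tap on the proxy's upstream interface, and it only costs a comparison on the first few bytes of each new tunnel rather than l7-filter's per-packet inspection. Squid's stock ACLs (`acl SSL_ports port 443`, `acl CONNECT method CONNECT`, `http_access deny CONNECT !SSL_ports`) already close the non-443 case from option 2, but not an SSH daemon listening on 443, which is exactly the case the banner check is for.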
