Re: SSh Tunnel Over Squid

To: debian-firewall@lists.debian.org
Subject: Re: SSh Tunnel Over Squid
From: Anders Breindahl <skrewz@skrewz.dk>
Date: Fri, 13 May 2005 19:38:31 +0200
Message-id: <[🔎] 200505131938.35083.skrewz@skrewz.dk>
In-reply-to: <[🔎] 4284A6C8.10406@mondedeu.com>
References: <[🔎] 4284A6C8.10406@mondedeu.com>

Not an answer and non-technical:
What is your motivation for actually stopping this tunneling? What harm does 
it do to your network, both from a juristidical and a technical 
point-of-view?

I am asking out of interest, as I could easily be that fellow behind your 
gateway, merely wanting to do some secure communication -- something which 
your setup to a large extent prevents me from.

Please elaborate -- what is the cause?

Regards, Anders Breindahl/skrewz.


On Friday 13 May 2005 15:08, Pablo Navas wrote:
> Hi,
>
> I have a GW that gives access to uncontrolled users by means of a proxy
> SQUID that supports protocols HTTP and HTTPS. Beside this and the DHCPD
> the rest is closed strictly.
>
> A few days ago, I detected a SSH running on the port 80 of a remote
> computer (on the Internet), which a very skilful user of my network was
> accessing. I thought then that this user was making a tunnel over the
> proxy.
>
> Meticulously controlling the traffic of this user's ip/mac, I am almost
> sure that right now this user is making a tunnel over the SQUID with the
> protocol HTTPS using the CONNECT method (since I have this method
> deactivated on the SQUID for the HTTP.)
>
> I have thought of various ways to stop this traffic:
>
>
> 1- Deny the user's IP from inside my network. However, I don’t think
> this is the correct solution, because if the user wanted to, he could
> just set another IP with another Mac if it’s necessary and start making
> the tunnel again.
>
> 2- Deny the external IP to which the user connects (even if it was only
> association IP and port 443). However, I don’t think this is a good
> solution either because he could just store the SSH daemon on a
> different computer.
>
> 3- Deny the CONNECT method of the HTTPS, which as far as I know would
> prevent making the tunnel. But, this option has the negative consequence
> of not being able to use the HTTPS (which is essential).
>
> 4- Detection of tunnels on HTTPS inside of the GW. I think this is the
> correct option, because it is possible that more tunnels will be made,
> and that I will not be aware of their existence.
>
>
> Searching for methods or tools to detect tunnels, I found the
> "tcpstatflow", which supposedly does what I need. However, in a reduced
> testing environment I have not been able to detect some tunnels made
> with PUTTY, and there are more ways to make them. Also, I have thought
> about using the patch l7- filter and seeing if I detect the SSH traffic
> in other strange ports, although according to the web, it consumes too
> many resources because of the type of analysis that it makes of the
> string "^ssh-[12]\.[0-9]".
>
> My question is: Have you ever had this problem? How did you solve it? Is
> there an effective way to detect and deny SSH tunnels on HTTPS?
>
> My intention is to get rid of this traffic in an automatic way, leaving
> only legitimate connections.
>
> Best regards and thanks for your help!

Reply to:

Follow-Ups:
- Re: SSh Tunnel Over Squid
  - From: Tim Sailer <sailer@bnl.gov>

References:
- SSh Tunnel Over Squid
  - From: Pablo Navas <pablo@mondedeu.com>

Prev by Date: SSh Tunnel Over Squid
Next by Date: Re: SSh Tunnel Over Squid
Previous by thread: SSh Tunnel Over Squid
Next by thread: Re: SSh Tunnel Over Squid
Index(es):
- Date
- Thread