Re: SSh Tunnel Over Squid
Not an answer and non-technical:
What is your motivation for actually stopping this tunneling? What harm does
it do to your network, both from a juridical and a technical
I am asking out of interest, as I could easily be that fellow behind your
gateway, merely wanting to do some secure communication -- something which
your setup to a large extent prevents me from.
Please elaborate -- what is the cause?
Regards, Anders Breindahl/skrewz.
On Friday 13 May 2005 15:08, Pablo Navas wrote:
> I have a GW that gives access to uncontrolled users by means of a proxy
> SQUID that supports protocols HTTP and HTTPS. Beside this and the DHCPD
> the rest is closed strictly.
> A few days ago, I detected an SSH running on the port 80 of a remote
> computer (on the Internet), which a very skilful user of my network was
> accessing. I thought then that this user was making a tunnel over the
> Meticulously controlling the traffic of this user's ip/mac, I am almost
> sure that right now this user is making a tunnel over the SQUID with the
> protocol HTTPS using the CONNECT method (since I have this method
> deactivated on the SQUID for the HTTP.)
> I have thought of various ways to stop this traffic:
> 1- Deny the user's IP from inside my network. However, I don’t think
> this is the correct solution, because if the user wanted to, he could
> just set another IP with another Mac if it’s necessary and start making
> the tunnel again.
> 2- Deny the external IP to which the user connects (even if it was only
> association IP and port 443). However, I don’t think this is a good
> solution either because he could just store the SSH daemon on a
> different computer.
> 3- Deny the CONNECT method of the HTTPS, which as far as I know would
> prevent making the tunnel. But, this option has the negative consequence
> of not being able to use the HTTPS (which is essential).
> 4- Detection of tunnels on HTTPS inside of the GW. I think this is the
> correct option, because it is possible that more tunnels will be made,
> and that I will not be aware of their existence.
> Searching for methods or tools to detect tunnels, I found the
> "tcpstatflow", which supposedly does what I need. However, in a reduced
> testing environment I have not been able to detect some tunnels made
> with PuTTY, and there are more ways to make them. Also, I have thought
> about using the patch l7-filter and seeing if I detect the SSH traffic
> in other strange ports, although according to the web, it consumes too
> many resources because of the type of analysis that it makes of the
> string "^ssh-\.[0-9]".
> My question is: Have you ever had this problem? How did you solve it? Is
> there an effective way to detect and deny SSH tunnels on HTTPS?
> My intention is to get rid of this traffic in an automatic way, leaving
> only legitimate connections.
> Best regards and thanks for your help!
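
An added example, not part of the original thread: one way to implement option 4 is to classify the first payload bytes of each CONNECT tunnel on the gateway as an SSH identification string (RFC 4253), a TLS/SSL hello, or something else. The function names and sample flows are assumptions made for illustration; how the first bytes are captured is not shown, and only the first cleartext bytes of a flow are inspected.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion".
SSH_BANNER = re.compile(rb"^SSH-[0-9]+\.[0-9]+-[\x21-\x7e]+")

def classify_first_bytes(data: bytes) -> str:
    """Classify the first payload bytes seen inside a CONNECT tunnel."""
    if len(data) < 6:
        return "too-short"
    if SSH_BANNER.match(data):
        return "ssh"
    # TLS/SSLv3 record: type 0x16 (handshake), major version 3, 2-byte length,
    # then handshake type 1 (ClientHello) or 2 (ServerHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= 16384 + 2048 and data[5] in (0x01, 0x02):
            return "tls"
    # SSLv2-compatible ClientHello: length with high bit set, message type 1,
    # then the offered version (0x0002 for SSLv2, 0x03xx for SSLv3/TLS).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] in (0x00, 0x03):
        return "tls"
    return "other"

def flag_tunnels(flows):
    """Return (client, target, verdict) for every flow that is not TLS."""
    flagged = []
    for client, target, first_bytes in flows:
        verdict = classify_first_bytes(first_bytes)
        if verdict != "tls":
            flagged.append((client, target, verdict))
    return flagged

# Constructed sample flows (documentation addresses, not from the thread).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7:443", b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),
    ("192.0.2.11", "198.51.100.8:443", b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00"),
    ("192.0.2.23", "203.0.113.5:443", b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    ("192.0.2.23", "203.0.113.9:443", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for client, target, verdict in flag_tunnels(SAMPLE_FLOWS):
        print(f"{client} -> {target}: first bytes look like {verdict}, not TLS")
```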