
Re: SSh Tunnel Over Squid



On Sat, 14 May 2005 17:12:28 +0200, Robert wrote in message 
<20050514151228.GB23953@mentat.greentech.pl>:

> Hi,
> 
> On Sat, May 14, 2005 at 01:54:37PM +0800, Mike Valvasori wrote:
> > Putty (or OpenSSH or alternatives) will also allow you to redirect
> > a local port to one running on a remote host.  It is all too easy
> > to redirect to an FTP server running elsewhere via SSH over HTTP
> > and move sensitive data.  Squid handles this well--if you specify
> > a keepalive it is completely usable for almost any type of traffic,
> > including RDP/ICA sessions where you think the proxy would introduce
> > some sort of latency.
> 
> Hmmm - in case of ftp it seems not so easy... but if you want to send
> something outside and have ssh--why to bother with ftp when you can
> use scp? Or be creative--put WebDAV server somewhere outside for
> example (accessible by https of course) :).
> 
> > I have tried to work out a reasonable way to block this behaviour,
> > but all solutions seem to impact on the usability of the proxy
> > server. Telnetting to the remote port will normally give you an SSH
> > header so maybe some sort of script running regularly, testing
> > connected hosts with remote port 443/80 (based on netstat output
> > perhaps), grepping for SSH and then cutting
> > (http://freshmeat.net/projects/tcpipcutter/) and blocking the remote
> > host would work?  ...until they change the SSH connection header :)
> 
> Or simply they put ssh session inside of ssl tunnel. Perfectly with
> key authorization of both sides, so you even cannot check what
> protocol they are transmitting inside (ppp comes in mind) :). 
> 
> In other words - give me one month, maybe less, and reasons to be
> desperate enough 

..Sissy Boy George dodging Law enforcement and a Death Row verdict 
for coup d'etat, treason, war crimes, nuking China, India, Russia etc?

> and I'll write tunnel for sending ip traffic by http in both
> directions as valid png pictures :) (and I'm guessing someone must
> have done something similar till now).

..a year or 2 back, I saw media rumors claiming al-Qaeda uses hijacked
Microsoft Office bot boxes "as infrastructure" in a similar fashion.

..banning _all_ use of Microsoft Office etc _is_ warranted in the
interest of national security in war, as it would deny al-Qaeda and 
all "other interested parties" the use of Microsoft products "as
infrastructure." 

..now, is the Supreme Commander Up to the Job, or Will Sissy Boy George
the Nepotist Warrior Ace who Flew so High and Far he Missed Vietnam 
and instead Scored 152 Kills on Texan Death Row Inmates, Carry on
Dodging His Own Medicine?

> Sorry for not suggesting any solution, but I simply don't see any good
> enough for preventing all possible kinds of such abuses. For me only
> method is policy for personnel setting what they can do and adequately
> restrictive consequences for breaking it. And... not too strict rules
> on firewall - then most of abuses aren't too clever and easier to
> detect ;).
> 
> Regards, 
>   Robert Tasarz.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
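
Added example, not part of the original message or of Squid: a sketch of the banner check Mike describes in the quoted text, driven by the proxy's own log instead of netstat. The sample log lines, host names and banner are constructed, and the function names are hypothetical.

```python
import socket
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1116083548.123  60213 192.168.1.20 TCP_MISS/200 48211 CONNECT shop.example.org:443 - DIRECT/203.0.113.10 -
1116083549.500    120 192.168.1.21 TCP_MISS/200 1530 GET http://www.example.com/ - DIRECT/203.0.113.20 text/html
1116083600.004 901442 192.168.1.22 TCP_MISS/200 7340112 CONNECT home.example.net:443 - DIRECT/198.51.100.7 -
1116083700.900 450100 192.168.1.22 TCP_MISS/200 912000 CONNECT home.example.net:443 - DIRECT/198.51.100.7 -
"""
# Constructed banner table so the example runs offline.
FAKE_BANNERS = {("home.example.net", 443): b"SSH-2.0-OpenSSH_4.0\r\n"}

def connect_targets(log_text):
    """Count successful CONNECT tunnels per (host, port) destination."""
    targets = Counter()
    for line in log_text.splitlines():
        f = line.split()
        # Field 4 is action/status, field 6 the method, field 7 host:port.
        if len(f) < 7 or f[5] != "CONNECT" or not f[3].endswith("/200"):
            continue
        host, _, port = f[6].rpartition(":")
        if host and port.isdigit():
            targets[(host, int(port))] += 1
    return targets

def is_ssh_banner(data):
    """True if any line the server sent first is an SSH identification string."""
    return any(l.startswith(b"SSH-") for l in data.splitlines())

def probe(host, port, timeout=5.0):
    """Read what the server volunteers on connect; TLS and HTTP servers stay silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(255)
    except OSError:  # refused, unreachable, or timed out waiting for data
        return b""

def flag_ssh_targets(log_text, probe_fn=probe):
    """Return CONNECT destinations whose first bytes look like SSH."""
    return sorted(t for t in connect_targets(log_text) if is_ssh_banner(probe_fn(*t)))

if __name__ == "__main__":
    offline = lambda h, p: FAKE_BANNERS.get((h, p), b"")
    print(flag_ssh_targets(SAMPLE_LOG, offline))
```

As Robert points out in the quoted text, an SSH session wrapped in an SSL tunnel sends no such banner, so this only catches the unwrapped case.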


