Detecting a Tunnel Over SSH?


Detecting a Tunnel Over SSH?

by Simusid


Hi,

Let me start right off by saying I am not trying to circumvent the
security policy of my office, even though this will sound like that's
what I'm trying to do.   My office recently instituted a very strict
firewall policy which forbids tunneling traffic.

Prior to that, I would use putty from my XP desktop to reach a server
in our DMZ.   I would have an ssh session open for hours and I would
often tunnel traffic to administer a sybase database.   With the new
policy I can still establish and maintain an ssh session for as long
as I want but my connection is instantly closed if I try to tunnel.

What I would like to know is, how is the tunnel detected?   I've
always assumed that once my ssh session is made that every packet
would be completely encrypted, even the headers of the tunneled
packets.  So even if the tunnel used GRE (or whatever) it would be
encrypted too.   Clearly that's not the case.

So, how is my tunnel detected?   And no I'm not going to keep trying,
this is a fireable offense!

Gary H.

Re: Detecting a Tunnel Over SSH?

by mangoo


Gary Huntress wrote:

> Hi,
>
> Let me start right off by saying I am not trying to circumvent the
> security policy of my office, even though this will sound like that's
> what I'm trying to do.   My office recently instituted a very strict
> firewall policy which forbids tunneling traffic.
>
> Prior to that, I would use putty from my XP desktop to reach a server
> in our DMZ.   I would have an ssh session open for hours and I would
> often tunnel traffic to administer a sybase database.   With the new
> policy I can still establish and maintain an ssh session for as long
> as I want but my connection is instantly closed if I try to tunnel.
>
> What I would like to know is, how is the tunnel detected?   I've
> always assumed that once my ssh session is made that every packet
> would be completely encrypted, even the headers of the tunneled
> packets.  So even if the tunnel used GRE (or whatever) it would be
> encrypted too.   Clearly that's not the case.
>
> So, how is my tunnel detected?   And no I'm not going to keep trying,
> this is a fireable offense!

Packet size?

With a normal SSH session, packet sizes will usually be small.

Conversely, if you send lots of data through the tunnel, packet sizes will
be large.


--
Tomasz Chmielewski
http://wpkg.org
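The packet-size heuristic suggested above, worked through as an added example (this is not code from the thread). It assumes per-packet records of one SSH session (timestamp, direction, TCP payload length) of the kind a flow sensor or a tcpdump post-processor would supply; the two sessions and the thresholds below are constructed for illustration.

```python
"""Packet-size heuristic for spotting bulk data inside an SSH session.

Added example, not code from the thread. Assumes per-packet records
(ts, direction, payload length) for a single SSH session; everything
below is constructed sample data with illustrative thresholds.
"""
from collections import namedtuple
from statistics import mean

Packet = namedtuple("Packet", "ts direction length")  # direction: 'c2s' or 's2c'

# Constructed interactive shell session: keystroke/echo sized SSH records,
# alternating direction, a few dozen bytes each, one every 0.4 s.
INTERACTIVE = [Packet(i * 0.4, "c2s" if i % 2 == 0 else "s2c", 36 + (i % 3) * 16)
               for i in range(60)]

# Constructed bulk session (e.g. data pushed through a forwarded port):
# a burst of MTU-sized records one way, ACK-sized replies the other way.
BULK = [Packet(i * 0.002, "s2c", 1448) for i in range(400)]
BULK += [Packet(i * 0.05, "c2s", 52) for i in range(16)]

LARGE_PACKET = 1000        # bytes; at or above this a record counts as bulk-sized
LARGE_FRACTION = 0.5       # flag when more than half the records are bulk-sized
MIN_RATE_BPS = 100_000     # ... and the session sustains at least this many bytes/s


def session_features(packets):
    """Summarise one session's size profile: count, mean size, share of large
    records and overall byte rate. Works on ciphertext lengths, so a middlebox
    can compute it without decrypting anything."""
    lengths = [p.length for p in packets]
    duration = (max(p.ts for p in packets) - min(p.ts for p in packets)) or 1e-9
    large = sum(1 for n in lengths if n >= LARGE_PACKET)
    return {
        "packets": len(lengths),
        "mean_len": mean(lengths),
        "large_fraction": large / len(lengths),
        "bytes_per_sec": sum(lengths) / duration,
    }


def looks_like_bulk_tunnel(packets):
    """True when the profile resembles bulk data rather than an interactive shell.

    Caveat: scp, sftp and a large `cat` produce the same profile, so this
    flags bulk transfer in general, not port forwarding specifically.
    """
    f = session_features(packets)
    return f["large_fraction"] > LARGE_FRACTION and f["bytes_per_sec"] > MIN_RATE_BPS


if __name__ == "__main__":
    for name, session in (("interactive", INTERACTIVE), ("bulk", BULK)):
        verdict = "FLAG" if looks_like_bulk_tunnel(session) else "ok"
        print(f"{name:12s} {verdict:4s} {session_features(session)}")
```

Because SSH record lengths survive encryption, a firewall or proxy between client and server can compute these features from ciphertext alone; what it cannot do from sizes is tell a forwarded database session from a file copy. A proxy that terminates the SSH session itself sees the channel-open requests directly and needs no heuristic.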

Re: Detecting a Tunnel Over SSH?

by Joseph Spenner



--- On Thu, 7/16/09, Gary Huntress <gary.huntress@...> wrote:

>
> What I would like to know is, how is the tunnel
> detected?   I've
> always assumed that once my ssh session is made that every
> packet
> would be completely encrypted, even the headers of the
> tunneled
> packets.  So even if the tunnel used GRE (or whatever)
> it would be
> encrypted too.   Clearly that's not the
> case.
>
> So, how is my tunnel detected?   And no I'm
> not going to keep trying,
> this is a fireable offense!
>
> Gary H.

The tunnel will be visible in netstat and/or lsof on the ssh server.  With netstat, you won't see who is tunneling.  But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd    21716  user01   10u  IPv4 16978115       TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)

root@thug:/home/user01# netstat -an |grep 11111

tcp        0      0 10.26.0.111:38272      10.26.0.211:11111      ESTABLISHED

If it's not permitted, why don't they simply deny it in sshd_config ?

#AllowTcpForwarding no
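The two server-side checks this reply points at, as an added example (not code from the thread): picking forwarded channels out of `lsof -ni` output, and reading what sshd_config actually says about AllowTcpForwarding. The lsof sample is constructed in the same column layout as the line quoted above, and the two config fragments are constructed too.

```python
"""Host-side checks for SSH port forwarding on an sshd server.

Added example, not code from the thread. Constructed sample input only.
  1. forwarded_channels(): parse `lsof -ni` output and report TCP sockets
     held by sshd that are not the client's own port-22 connection.
  2. allow_tcp_forwarding(): effective AllowTcpForwarding value from an
     sshd_config text; a commented '#AllowTcpForwarding ...' line is
     ignored by sshd, so the default ('yes') stays in force.
"""
import re

SSH_PORT = 22

# Constructed `lsof -ni` output: listening daemon, the client's SSH
# connection (held by the root monitor and the per-user child), a -L
# forward to 10.26.0.211:11111, a -R listener on 8080, an unrelated daemon.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE   DEVICE NODE NAME
sshd     1234    root   3u  IPv4 16978001       TCP *:22 (LISTEN)
sshd    21715    root   3u  IPv4 16978100       TCP 10.26.0.111:22->10.26.0.50:50112 (ESTABLISHED)
sshd    21716  user01   3u  IPv4 16978100       TCP 10.26.0.111:22->10.26.0.50:50112 (ESTABLISHED)
sshd    21716  user01  10u  IPv4 16978115       TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
sshd    21716  user01  11u  IPv4 16978120       TCP 127.0.0.1:8080 (LISTEN)
postgres  900 postgres  5u  IPv4 16970001       TCP 127.0.0.1:5432 (LISTEN)
"""


def _port(endpoint):
    """Port of 'host:port'; rsplit copes with '*' and bracketed IPv6 hosts."""
    return int(endpoint.rsplit(":", 1)[1])


def forwarded_channels(lsof_output):
    """Return sshd-held TCP sockets that are not the port-22 session itself.

    In OpenSSH the post-authentication sshd child runs as the logged-in user
    (pid 21716 / user01 in the sample, as in the reply's own lsof line), so
    its extra sockets are forwarding channels: an ESTABLISHED socket whose
    local port is not 22 is a -L/-D channel opened on the user's behalf, and
    a LISTEN socket on another port is a -R listener. Tokens are located by
    the 'TCP' column because lsof versions differ in the columns they print.
    """
    found = []
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "sshd" or "TCP" not in parts:
            continue
        i = parts.index("TCP")
        name = parts[i + 1]
        state = parts[i + 2].strip("()") if len(parts) > i + 2 else ""
        local, _, remote = name.partition("->")
        if _port(local) == SSH_PORT:
            continue  # the SSH connection itself, or the listening daemon
        kind = "remote-forward listener" if state == "LISTEN" else "local-forward channel"
        found.append({"pid": int(parts[1]), "user": parts[2], "kind": kind,
                      "local": local, "remote": remote or None})
    return found


def allow_tcp_forwarding(config_text):
    """Effective global AllowTcpForwarding from an sshd_config text.

    sshd takes the first value it sees for a keyword and skips comment lines.
    Match blocks are conditional and not evaluated here (use `sshd -T` on the
    server for the fully resolved configuration).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#AllowTcpForwarding no' is a comment, not a setting
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "match":
            break
        if key.lower() == "allowtcpforwarding" and rest:
            return rest[0].split()[0].lower()
    return "yes"  # OpenSSH default when the directive is absent


# Constructed fragments: the commented line changes nothing; the second
# actually disables forwarding.
CONFIG_COMMENTED = "Port 22\n#AllowTcpForwarding no\nX11Forwarding no\n"
CONFIG_DENIED = "Port 22\nAllowTcpForwarding no\nX11Forwarding no\n"

if __name__ == "__main__":
    for ch in forwarded_channels(SAMPLE_LSOF):
        print(f"pid {ch['pid']} ({ch['user']}): {ch['kind']} {ch['local']} -> {ch['remote']}")
    print("commented directive ->", allow_tcp_forwarding(CONFIG_COMMENTED))
    print("explicit directive  ->", allow_tcp_forwarding(CONFIG_DENIED))
```

On a real server feed it `lsof -ni -P` output so ports are printed numerically; the config check deliberately stops at the first `Match` block, since per-user or per-group overrides can only be resolved by sshd itself.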

Re: Detecting a Tunnel Over SSH?

by Simusid


Thanks for all the feedback everyone.   I got my answer today.  One
thing I should have clarified is that the server in the DMZ is behind
my own firewall.  I control it and there are no other processes on it
monitoring for tunnels.

But the answer is really simple.  I connect outbound on port 22 to my
dmz host, but what I did NOT know is that it is via an SSH proxy and
that is how they detected the tunnel.   The admin (who happens to be a
SANS presenter) explained everything to me :)

Closed issue.   Thanks for the help :)

Gary Huntress

On Fri, Jul 17, 2009 at 6:13 PM, Rob Wilcox<robertwilcox@...> wrote:

> Did the office install a strict egress/ingress ruleset or a proxy that may
> be blocking your tunnel port?  I only suggest this as I have to assume you
> are initiating the tunnel on a different port than 22/tcp.
>
> -Rob
>
> On Thu, Jul 16, 2009 at 6:37 PM, Gary Huntress <gary.huntress@...>
> wrote:
>>
>> Hi,
>>
>> Let me start right off by saying I am not trying to circumvent the
>> security policy of my office, even though this will sound like that's
>> what I'm trying to do.   My office recently instituted a very strict
>> firewall policy which forbids tunneling traffic.
>>
>> Prior to that, I would use putty from my XP desktop to reach a server
>> in our DMZ.   I would have an ssh session open for hours and I would
>> often tunnel traffic to administer a sybase database.   With the new
>> policy I can still establish and maintain an ssh session for as long
>> as I want but my connection is instantly closed if I try to tunnel.
>>
>> What I would like to know is, how is the tunnel detected?   I've
>> always assumed that once my ssh session is made that every packet
>> would be completely encrypted, even the headers of the tunneled
>> packets.  So even if the tunnel used GRE (or whatever) it would be
>> encrypted too.   Clearly that's not the case.
>>
>> So, how is my tunnel detected?   And no I'm not going to keep trying,
>> this is a fireable offense!
>>
>> Gary H.
>
>