14

if someone were to set up an ssh tunnel to/from work or home, is there a way to prevent future SSH tunneling traffic?

I understand that websense can block traffic, but users who use ssh tunneling can bypass websense or other similar products because it can't decrypt or look further in the packet to tell the difference between legitimate or illegitimate traffic.

from some reading and research, I found that some things you can do are the following: - turn off SSH altogether; not allowed at all - restrict ssh access to only users who need them for access and deny everyone else ssh access - create a custom protocol to blacklist or whitelist ssh traffic by destination (assuming the lists are mangeable) - review logs for ssh traffic, review the destination IPs and check if they resolve to legitimate or allowable devices or not, or check whether there's more regular internet traffic than tunneling traffic and you can deny/blacklist that IP

But I was wondering, besides these options, would it be possible to circumvent the above options through a man-in-the-middle attack?

Or is there another option to block ssh tunneling traffic or even some network device that can filter/block this traffic?

thanks for the help.

user1609
  • 385
  • 1
  • 4
  • 10
  • by the way, here's some links that help explain ssh tunneling: http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/ http://www.revsys.com/writings/quicktips/ssh-faster-connections.html http://alvinalexander.com/unix/edu/putty-ssh-tunnel-firefox-socks-proxy/1-putty-ssh-tunnel-introduction.shtml and some that explain about not being able to block ssh tunneling, except for the above options: http://community.websense.com/forums/p/11004/28405.aspx – user1609 Jun 09 '13 at 20:37

3 Answers3

13

Preventing outbound ssh connections, and thus any tunnels, would require a complete blockade of outbound connections via deep packet inspection. Looking at ports will be 100% useless. You have to look at the actual packet payload to know it's SSH. (this is what websense is doing.)

The only other option is setting up a "proxy" host. Lock down the configuration so the ssh client and server will not allow tunneling, then allow only that machine to make outbound ssh connections -- of course, this includes securing the system as well, otherwise people can run whatever ssh software they want.

Ricky
  • 31,438
  • 2
  • 43
  • 84
  • thanks for the comment. so from all the options, this sounds like a better approach. appreciate the help. – user1609 Jun 10 '13 at 14:13
9

There is another method, if you're merely looking at stopping people from using SSH as a proxy workaround why not rate limit it to say 20kB/sec or so, that ends up painful enough for web, but imperceptible for console use.

If you wanted to allow file transfers at normal speed this wouldn't be an option though.

LapTop006
  • 1,743
  • 11
  • 24
  • interesting point and good to think about. thanks for sharing this. – user1609 Jun 10 '13 at 14:14
  • 1
    This would also rate-limit any "scp" traffic as well, which might not go over too well depending on how often people need to copy files. – Ricky Jun 10 '13 at 21:35
6

If you control the SSH server and the firewall then you can control access by blocking access to whatever port the SSH server is using (22 by default). Unless the port has previously been opened, then inbound connections are likely to be blocked anyway, although you'll probably found that outbound connections will be allowed. With the right design and planning, you can control access in as fine or rough grained a way as you like.

If you don't control the SSH server then you can't guarantee the port it's using so it will be far harder to filter based on port alone.

If you need to allow everyone access to an SSH server while they are in your network, but only a select few when outside of it, port knocking is a neat read.

A J Rossington
  • 690
  • 4
  • 13
  • 1
    thanks for sharing. found some links about port knocking. it's an interesting concept, first time i heard about it. for anyone interested, here's what i'm reading on so far for this feature: http://www.portknocking.org/ and http://bsdly.blogspot.com/2012/04/why-not-use-port-knocking.html – user1609 Jun 09 '13 at 21:01