Mailing List Archive

Detecting a Tunnel Over SSH?
Hi,

Let me start right off by saying I am not trying to circumvent the
security policy of my office, even though this will sound like that's
what I'm trying to do. My office recently instituted a very strict
firewall policy which forbids tunneling traffic.

Prior to that, I would use putty from my XP desktop to reach a server
in our DMZ. I would have an ssh session open for hours and I would
often tunnel traffic to administer a sybase database. With the new
policy I can still establish and maintain an ssh session for as long
as I want but my connection is instantly closed if I try to tunnel.

What I would like to know is, how is the tunnel detected? I've
always assumed that once my ssh session is made that every packet
would be completely encrypted, even the headers of the tunneled
packets. So even if the tunnel used GRE (or whatever) it would be
encrypted too. Clearly that's not the case.

So, how is my tunnel detected? And no I'm not going to keep trying,
this is a fireable offense!

Gary H.
Re: Detecting a Tunnel Over SSH?
Gary Huntress wrote:
> Hi,
>
> Let me start right off by saying I am not trying to circumvent the
> security policy of my office, even though this will sound like that's
> what I'm trying to do. My office recently instituted a very strict
> firewall policy which forbids tunneling traffic.
>
> Prior to that, I would use putty from my XP desktop to reach a server
> in our DMZ. I would have an ssh session open for hours and I would
> often tunnel traffic to administer a sybase database. With the new
> policy I can still establish and maintain an ssh session for as long
> as I want but my connection is instantly closed if I try to tunnel.
>
> What I would like to know is, how is the tunnel detected? I've
> always assumed that once my ssh session is made that every packet
> would be completely encrypted, even the headers of the tunneled
> packets. So even if the tunnel used GRE (or whatever) it would be
> encrypted too. Clearly that's not the case.
>
> So, how is my tunnel detected? And no I'm not going to keep trying,
> this is a fireable offense!

Packet size?

With a normal SSH session, packet sizes will usually be small.

Conversely, if you send lots of data through the tunnel, packet sizes will
be large.


--
Tomasz Chmielewski
http://wpkg.org
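The packet-size heuristic above, worked through as an added example (not code from the thread): a middlebox cannot read the contents of an SSH session, but it does see the length and timing of every encrypted segment, and a forwarded connection moving a query result looks nothing like keystrokes. The size lists here are constructed to resemble such traffic, not captured data. Two verdicts are shown: a whole-flow average, and a sliding window that can fire mid-session, which is the kind of check that could drop a connection the moment forwarding starts.

```python
"""Spot bulk transfer inside an SSH session from ciphertext packet sizes.

Added example, not from the thread. The size lists are constructed to look
like typical traffic; they are not captured data.
"""
from collections import deque

# Constructed TCP payload sizes (bytes), client->server direction of one SSH
# session. Keystrokes produce small, regular encrypted records; a forwarded
# connection moving a query result produces runs of MTU-sized segments.
INTERACTIVE_FLOW = [36, 36, 52, 36, 36, 68, 36, 36, 36, 84, 36, 36]
TUNNELED_FLOW = [36] + [1448] * 10 + [36]
# A quiet interactive session that later starts carrying forwarded traffic.
MIXED_FLOW = INTERACTIVE_FLOW + TUNNELED_FLOW


def classify_whole_flow(payload_sizes, large=1000, bulk_fraction=0.5):
    """Whole-flow verdict: 'bulk' if at least bulk_fraction of the packets are
    >= large bytes, else 'interactive'. Needs a few packets to say anything."""
    if len(payload_sizes) < 5:
        return "unknown"
    large_count = sum(1 for size in payload_sizes if size >= large)
    if large_count / len(payload_sizes) >= bulk_fraction:
        return "bulk"
    return "interactive"


def first_bulk_window(payload_sizes, window=8, large=1000, bulk_fraction=0.5):
    """Streaming verdict: index of the packet at which a sliding window of
    `window` packets first reaches bulk_fraction large packets, or None.

    A whole-flow average is diluted by a long interactive prefix, so
    MIXED_FLOW still averages out as 'interactive'; the window instead fires
    on the fourth large packet, which is what an inline device needs.
    """
    recent = deque(maxlen=window)
    for index, size in enumerate(payload_sizes):
        recent.append(size)
        if len(recent) < window:
            continue
        large_count = sum(1 for s in recent if s >= large)
        if large_count / window >= bulk_fraction:
            return index
    return None


if __name__ == "__main__":
    for name, flow in [("interactive", INTERACTIVE_FLOW),
                       ("tunneled", TUNNELED_FLOW),
                       ("mixed", MIXED_FLOW)]:
        print(f"{name:12} whole-flow={classify_whole_flow(flow):12} "
              f"window fires at packet {first_bulk_window(flow)}")
```

The heuristic is coarse in both directions: scp, sftp or a `cat` of a large file inside a plain shell produce the same bulk signature, while a tunnel carrying only a few short queries never trips it. It tells you that the session is moving a lot of data, not that it is a tunnel.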
Re: Detecting a Tunnel Over SSH?
--- On Thu, 7/16/09, Gary Huntress <gary.huntress@gmail.com> wrote:

>
> What I would like to know is, how is the tunnel detected? I've
> always assumed that once my ssh session is made that every packet
> would be completely encrypted, even the headers of the tunneled
> packets. So even if the tunnel used GRE (or whatever) it would be
> encrypted too. Clearly that's not the case.
>
> So, how is my tunnel detected? And no I'm not going to keep trying,
> this is a fireable offense!
>
> Gary H.

The tunnel will be visible via netstat and/or lsof on the ssh server. With netstat, you won't see who is tunneling. But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd 21716 user01 10u IPv4 16978115 TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)

root@thug:/home/user01# netstat -an |grep 11111
tcp 0 0 10.26.0.111:38272 10.26.0.211:11111 ESTABLISHED

If it's not permitted, why don't they simply deny it in sshd_config?

# disables -L, -R and -D TCP forwarding for every user (not a comment: the
# directive must be uncommented to take effect)
AllowTcpForwarding no
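The lsof check above, turned into something that can be run over the whole output rather than grepping for one port, as an added example (not from the post). The lsof text below is constructed to match the layout shown in the reply, assuming `lsof -nPi` so that ports stay numeric; the hosts and PIDs are made up. The logic is the one the reply relies on: every socket owned by an sshd process that is not on the daemon's own port is a forward, either an outbound connection made on the client's behalf (-L or -D) or a listener created by -R.

```python
"""Flag SSH port forwards from `lsof -nPi` output on the ssh server.

Added example, not from the thread. The lsof output below is constructed to
match the layout in the post (with -P so ports stay numeric); it is not real.
"""

# Constructed `lsof -nPi` output. PID 21716 is user01's session: fd 3u is the
# session socket itself, fd 10u a connection sshd opened outbound on the
# client's behalf (-L or -D forward), fd 11u a listener from a -R forward.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE   DEVICE   SIZE/OFF NODE NAME
sshd      1201  root    3u  IPv4  12345    0t0      TCP *:22 (LISTEN)
sshd      21700 root    3u  IPv4  16978001 0t0      TCP 10.26.0.111:22->10.26.0.5:51022 (ESTABLISHED)
sshd      21716 user01  3u  IPv4  16978001 0t0      TCP 10.26.0.111:22->10.26.0.5:51022 (ESTABLISHED)
sshd      21716 user01 10u  IPv4  16978115 0t0      TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
sshd      21716 user01 11u  IPv4  16978200 0t0      TCP 127.0.0.1:8080 (LISTEN)
sshd      21730 user02  3u  IPv4  16978300 0t0      TCP 10.26.0.111:22->10.26.0.7:50110 (ESTABLISHED)
ntpd      600   ntp    16u  IPv4  16978400 0t0      UDP *:123
"""


def split_endpoint(endpoint):
    """'10.26.0.111:38272' -> ('10.26.0.111', 38272); also '*:22' and '[::1]:22'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_lsof(lsof_text):
    """Yield one dict per TCP socket line of `lsof -nPi` output."""
    for line in lsof_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "COMMAND" or "TCP" not in fields:
            continue  # header, UDP and unix sockets are not of interest here
        node = fields.index("TCP")
        local, _, remote = fields[node + 1].partition("->")
        state = fields[node + 2].strip("()") if len(fields) > node + 2 else ""
        host, port = split_endpoint(local)
        yield {"command": fields[0], "pid": int(fields[1]), "user": fields[2],
               "fd": fields[3], "local_host": host, "local_port": port,
               "remote": remote, "state": state}


def find_forwarded_sockets(lsof_text, ssh_port=22, ignore_remote_ports=()):
    """Return sshd-owned TCP sockets that are not the SSH session itself.

    The daemon's listener and every session socket sit on ssh_port. Any other
    sshd socket is an outbound connection made for the client (-L/-D forward)
    or a listener created for a -R forward. ignore_remote_ports allowlists
    outbound connections something like a PAM module may open from sshd.
    """
    findings = []
    for sock in parse_lsof(lsof_text):
        if sock["command"] != "sshd" or sock["local_port"] == ssh_port:
            continue
        if sock["state"] == "LISTEN":
            kind = "remote-forward-listener"
        elif sock["state"] == "ESTABLISHED":
            if split_endpoint(sock["remote"])[1] in ignore_remote_ports:
                continue
            kind = "local-or-dynamic-forward"
        else:
            continue  # SYN_SENT, CLOSE_WAIT etc. are transient; skip them
        findings.append({"pid": sock["pid"], "user": sock["user"], "fd": sock["fd"],
                         "local": f'{sock["local_host"]}:{sock["local_port"]}',
                         "remote": sock["remote"], "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_forwarded_sockets(SAMPLE_LSOF):
        print(f'{f["kind"]:26} pid={f["pid"]} user={f["user"]} '
              f'{f["local"]} -> {f["remote"] or "-"}')
```

Two limits worth knowing: a -L forward that has been set up but not yet used opens no socket on the server, so it is invisible to lsof until a client actually connects through it, whereas a -R forward shows its listener immediately. And once `AllowTcpForwarding no` is in place, sshd refuses the channel before any socket exists, so this check then finds nothing to report.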
Re: Detecting a Tunnel Over SSH?
Thanks for all the feedback everyone. I got my answer today. One
thing I should have clarified is that the server in the DMZ is behind
my own firewall. I control it and there are no other processes on it
monitoring for tunnels.

But the answer is really simple. I connect outbound on port 22 to my
dmz host, but what I did NOT know is that it is via an SSH proxy and
that is how they detected the tunnel. The admin (who happens to be a
SANS presenter) explained everything to me :)

Closed issue. Thanks for the help :)

Gary Huntress

On Fri, Jul 17, 2009 at 6:13 PM, Rob Wilcox<robertwilcox@gmail.com> wrote:
> Did the office install a strict egress/ingress ruleset or a proxy that may
> be blocking your tunnel port?  I only suggest this as I have to assume you
> are initiating the tunnel on a different port than 22/tcp.
>
> -Rob
>
> On Thu, Jul 16, 2009 at 6:37 PM, Gary Huntress <gary.huntress@gmail.com>
> wrote:
>>
>> Hi,
>>
>> Let me start right off by saying I am not trying to circumvent the
>> security policy of my office, even though this will sound like that's
>> what I'm trying to do.   My office recently instituted a very strict
>> firewall policy which forbids tunneling traffic.
>>
>> Prior to that, I would use putty from my XP desktop to reach a server
>> in our DMZ.   I would have an ssh session open for hours and I would
>> often tunnel traffic to administer a sybase database.   With the new
>> policy I can still establish and maintain an ssh session for as long
>> as I want but my connection is instantly closed if I try to tunnel.
>>
>> What I would like to know is, how is the tunnel detected?   I've
>> always assumed that once my ssh session is made that every packet
>> would be completely encrypted, even the headers of the tunneled
>> packets.  So even if the tunnel used GRE (or whatever) it would be
>> encrypted too.   Clearly that's not the case.
>>
>> So, how is my tunnel detected?   And no I'm not going to keep trying,
>> this is a fireable offense!
>>
>> Gary H.
>
>
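The resolution above (the session goes through an SSH proxy) squares with the original assumption that everything on the wire is encrypted: it is, but a proxy that terminates the client's SSH connection is an endpoint, not an eavesdropper, and sees the session messages in plaintext. The thread does not say how the office proxy works, so the following is an added example built on that assumption, not a description of any product. Per RFC 4254, a -L or -D forward opens a channel of type "direct-tcpip" carrying the target host and port, a -R forward first sends a global request "tcpip-forward", and a plain shell opens a "session" channel; a proxy only has to read the channel type to decide. The messages are constructed with the encoder in the block, not captured.

```python
"""What an SSH-terminating proxy sees once it has decrypted the session.

Added example, not from the thread, which does not say how the office proxy
works. Assumed here: the proxy terminates the client's SSH connection, so the
channel-open and global-request messages (RFC 4254) reach it in plaintext.
Messages below are constructed with the encoder in this file, not captured.
"""
import struct

SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90

# Channel types and global requests that set up or use a forward. The
# @openssh.com names are OpenSSH extensions (tun device, unix-socket forwards).
FORWARDING_NAMES = {
    "direct-tcpip", "forwarded-tcpip", "x11", "tun@openssh.com",
    "direct-streamlocal@openssh.com", "forwarded-streamlocal@openssh.com",
    "tcpip-forward", "cancel-tcpip-forward",
    "streamlocal-forward@openssh.com", "cancel-streamlocal-forward@openssh.com",
}


def ssh_string(data):
    """RFC 4251 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_uint32(value):
    return struct.pack(">I", value)


class Reader:
    """Sequential decoder for an SSH message payload."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def byte(self):
        value = self.data[self.pos]
        self.pos += 1
        return value

    def uint32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self):
        length = self.uint32()
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        return value


def channel_open_session(sender=0, window=2097152, max_packet=32768):
    """What `ssh host` sends to get a shell: SSH_MSG_CHANNEL_OPEN 'session'."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + ssh_uint32(sender) + ssh_uint32(window) + ssh_uint32(max_packet))


def channel_open_direct_tcpip(host, port, orig_host, orig_port, sender=1):
    """What -L (and -D, per connection) sends: 'direct-tcpip' with the target in the clear."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + ssh_uint32(sender) + ssh_uint32(2097152) + ssh_uint32(32768)
            + ssh_string(host.encode()) + ssh_uint32(port)
            + ssh_string(orig_host.encode()) + ssh_uint32(orig_port))


def global_request_tcpip_forward(bind_addr, port, want_reply=True):
    """What -R sends at setup time: SSH_MSG_GLOBAL_REQUEST 'tcpip-forward'."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(b"tcpip-forward")
            + bytes([int(want_reply)]) + ssh_string(bind_addr.encode()) + ssh_uint32(port))


def inspect_message(payload):
    """Return (name, detail) for a channel-open or global-request payload, else None."""
    r = Reader(payload)
    msg_type = r.byte()
    if msg_type == SSH_MSG_CHANNEL_OPEN:
        ctype = r.string().decode()
        for _ in range(3):
            r.uint32()  # sender channel, initial window size, maximum packet size
        if ctype in ("direct-tcpip", "forwarded-tcpip"):
            host = r.string().decode()
            port = r.uint32()
            return ctype, f"{host}:{port}"  # connection target, readable by the proxy
        if ctype == "tun@openssh.com":
            return ctype, f"mode={r.uint32()}"  # 1 = point-to-point, 2 = ethernet
        return ctype, ""
    if msg_type == SSH_MSG_GLOBAL_REQUEST:
        name = r.string().decode()
        r.byte()  # want_reply
        if name in ("tcpip-forward", "cancel-tcpip-forward"):
            addr = r.string().decode()
            port = r.uint32()
            return name, f"{addr}:{port}"  # address and port to bind on the server
        return name, ""
    return None


def policy_decision(payload):
    """'close' the session on any forwarding-related message, otherwise 'allow'."""
    found = inspect_message(payload)
    if found is not None and found[0] in FORWARDING_NAMES:
        return "close"
    return "allow"
```

A side effect of this design is visible from the client: the host key the client is shown belongs to the proxy, not to the DMZ server, so a "host key has changed" warning or an unfamiliar key fingerprint is the clue that the session is being terminated in the middle.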