Not an answer and non-technical: What is your motivation for actually stopping this tunneling? What harm does it do to your network, both from a jurisdictional and a technical point of view?

I am asking out of interest, as I could easily be that fellow behind your gateway, merely wanting to do some secure communication -- something which your setup to a large extent prevents me from. Please elaborate -- what is the cause?

Regards, Anders Breindahl/skrewz.

On Friday 13 May 2005 15:08, Pablo Navas wrote:
> Hi,
>
> I have a GW that gives access to uncontrolled users by means of a proxy SQUID that supports the protocols HTTP and HTTPS. Besides this and the DHCPD, the rest is closed strictly.
>
> A few days ago, I detected an SSH running on port 80 of a remote computer (on the Internet), which a very skilful user of my network was accessing. I thought then that this user was making a tunnel over the proxy.
>
> Meticulously controlling the traffic of this user's IP/MAC, I am almost sure that right now this user is making a tunnel over the SQUID with the protocol HTTPS using the CONNECT method (since I have this method deactivated on the SQUID for HTTP).
>
> I have thought of various ways to stop this traffic:
>
> 1- Deny the user's IP from inside my network. However, I don't think this is the correct solution, because if the user wanted to, he could just set another IP with another MAC if necessary and start making the tunnel again.
>
> 2- Deny the external IP to which the user connects (even if it was only the association of IP and port 443). However, I don't think this is a good solution either, because he could just store the SSH daemon on a different computer.
>
> 3- Deny the CONNECT method of HTTPS, which as far as I know would prevent making the tunnel. But this option has the negative consequence of not being able to use HTTPS (which is essential).
>
> 4- Detection of tunnels on HTTPS inside the GW. I think this is the correct option, because it is possible that more tunnels will be made, and that I will not be aware of their existence.
>
> Searching for methods or tools to detect tunnels, I found "tcpstatflow", which supposedly does what I need. However, in a reduced testing environment I have not been able to detect some tunnels made with PuTTY, and there are more ways to make them. Also, I have thought about using the l7-filter patch and seeing if I detect the SSH traffic on other strange ports, although according to the web it consumes too many resources because of the type of analysis it makes of the string "^ssh-[12]\.[0-9]".
>
> My question is: Have you ever had this problem? How did you solve it? Is there an effective way to detect and deny SSH tunnels on HTTPS?
>
> My intention is to get rid of this traffic in an automatic way, leaving only legitimate connections.
>
> Best regards and thanks for your help!
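Added example, not code from either poster: a small Python check in the spirit of Pablo's option 4, applying the l7-filter SSH signature he quotes to the first bytes each side sends through a Squid CONNECT tunnel and separating them from a genuine TLS handshake. Session ids and version strings in the sample data are constructed.

```python
import re
from typing import Dict, List, Tuple

# The l7-filter SSH signature quoted in the thread, applied to the start of a stream.
# SSH identification strings look like "SSH-2.0-..." or "SSH-1.99-...".
SSH_BANNER_RE = re.compile(rb"^ssh-[12]\.[0-9]", re.IGNORECASE)


def looks_like_tls(first_bytes: bytes) -> bool:
    """True if the bytes open with an SSL3/TLS record header: content type 0x16
    (handshake) followed by version major byte 0x03. A real HTTPS session starts
    this way in both directions (ClientHello, then ServerHello)."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def classify_connect_stream(client_first: bytes, server_first: bytes) -> str:
    """Classify a CONNECT tunnel from the first bytes each side sent after the
    proxy answered '200 Connection established'. Both directions are checked
    because SSH implementations differ on which side sends its banner first."""
    if SSH_BANNER_RE.match(client_first) or SSH_BANNER_RE.match(server_first):
        return "ssh"
    if looks_like_tls(client_first) and looks_like_tls(server_first):
        return "tls"
    return "unknown"


def flag_suspect_tunnels(sessions: List[Tuple[str, bytes, bytes]]) -> Dict[str, str]:
    """Return {session_id: verdict} for every CONNECT session that is not TLS."""
    flagged: Dict[str, str] = {}
    for sid, client_first, server_first in sessions:
        verdict = classify_connect_stream(client_first, server_first)
        if verdict != "tls":
            flagged[sid] = verdict
    return flagged


# Constructed sample sessions (not real captures): id, first client bytes, first server bytes.
SAMPLE_SESSIONS: List[Tuple[str, bytes, bytes]] = [
    # Genuine HTTPS: truncated ClientHello / ServerHello records
    ("s1", bytes.fromhex("160301004a0100004603015f"), bytes.fromhex("160301003d02000039030145")),
    # SSH over CONNECT, server banner first (hypothetical version string)
    ("s2", b"", b"SSH-2.0-OpenSSH_4.0\r\n"),
    # SSH over CONNECT, client banner first (hypothetical version string)
    ("s3", b"SSH-2.0-PuTTY_Release_0.58\r\n", b""),
    # Neither SSH nor TLS: plain HTTP pushed through CONNECT
    ("s4", b"GET / HTTP/1.0\r\n", b""),
]

if __name__ == "__main__":
    for sid, verdict in flag_suspect_tunnels(SAMPLE_SESSIONS).items():
        print(f"{sid}: {verdict}")
```

Note the limit this shares with the l7-filter approach: it only recognises a bare SSH banner, so a tunnel that is itself wrapped in real TLS is indistinguishable from ordinary HTTPS at this layer.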

