On Wed, January 10, 2007 10:11 am, Dave Long wrote:
> Is it possible to detect SSH tunnels traveling through a Linux
> firewall (iptables)? In other words, how do I detect normal ssh
> communication versus http traffic going through SSH?
>
> My initial thoughts were that normal SSH traffic would have a specific
> connection and packet rate while other traffic like HTTP going through
> SSH would have a much different connection rate.
>
> Anyway, I would like to know other ideas.
>
I'm reasonably certain there's no way to tell. It is, after all, encrypted. It looks like a normal SSH connection, with traffic flowing over it. No way to tell what that traffic is.

--
Matthew Walker
Kydance Hosting & Consulting
LAMP Specialist

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
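The rate-based idea raised in the question, sketched as an added example that is not part of either message: it scores a port-22 flow from packet metadata only (timestamps, sizes, direction), because the payload is encrypted and cannot be read. The thresholds, function names and both sample flows are constructed assumptions, and the result describes the shape of a flow, not what is inside it.

```python
# Added example: flow-metadata heuristic for SSH sessions (no payload inspection).
# Thresholds are assumed values for illustration; baseline your own traffic first.
LARGE_PKT = 1000          # bytes; near-MTU segments indicate bulk data
MAX_LARGE_FRACTION = 0.20
MAX_PKT_RATE = 50.0       # packets per second over the flow lifetime
MAX_DOWN_UP_RATIO = 10.0  # server-to-client bytes per client-to-server byte


def flow_features(packets):
    """packets: list of (timestamp_s, size_bytes, direction), direction 'c2s' or 's2c'."""
    times = [t for t, _, _ in packets]
    duration = max(max(times) - min(times), 1e-9)
    down = sum(s for _, s, d in packets if d == "s2c")
    up = sum(s for _, s, d in packets if d == "c2s")
    return {
        "pkt_rate": len(packets) / duration,
        "large_fraction": sum(s >= LARGE_PKT for _, s, _ in packets) / len(packets),
        "down_up_ratio": down / max(up, 1),
    }


def classify(packets):
    """Label a flow by shape only. scp/sftp and port forwards both look 'bulk'."""
    f = flow_features(packets)
    hits = [
        f["large_fraction"] > MAX_LARGE_FRACTION,
        f["pkt_rate"] > MAX_PKT_RATE,
        f["down_up_ratio"] > MAX_DOWN_UP_RATIO,
    ]
    return "bulk-or-tunnel-like" if sum(hits) >= 2 else "interactive-like"


# Constructed sample flows (not captured traffic).
# Interactive shell: one small packet per keystroke, echoed back, human-paced.
INTERACTIVE = [p for k in range(20)
               for p in ((k * 0.3, 52, "c2s"), (k * 0.3 + 0.02, 52, "s2c"))]
# Forwarded web browsing: small request, then a burst of full-size segments.
TUNNEL = [p for b in range(5)
          for p in [(b * 0.5, 300, "c2s")]
          + [(b * 0.5 + 0.001 * (i + 1), 1448, "s2c") for i in range(30)]]

if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE), ("tunnel", TUNNEL)):
        print(name, classify(flow), flow_features(flow))
```

A file copy over scp or sftp produces the same bulk shape as forwarded HTTP, so a hit is a prompt to look at the host and account involved, not a verdict on the traffic.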
