DaemonForums  

#1  15th July 2013  pttymuth
Prevent SSH tunneling through port 80

Hi All,

I'm interested in stopping SSH connections from traveling through port 80. I'm not interested in doing this because I want to prevent my users from enjoying SSH connections. I have no users. Rather, I'm imagining a scenario where a rootkitted host is attempting to covertly connect to the outside world.

Of course SSH or even other traffic could be tunneled through various protocols. This is a huge problem and SSH through port 80 is one small portion of it. If anyone has ideas of how to stop the aforementioned, please share them here. Many tools and guides exist on tunneling SSH through port 80, even through HTTP proxies.

Apparently SSL connections can be decrypted and inspected by the proxy combination Squid+SslBump. I'm not familiar with Squid - yet. It would be cool if somehow decrypted traffic could be identified as either legitimate HTTPS traffic or malicious.
#2  15th July 2013  pttymuth

I would really like to post the link to that Squid+SslBump but since I have fewer than 5 posts, the forum rules won't allow me to post links.

Wondering if this post could be mirrored on the FreeBSD / NetBSD security forum areas.

Hopefully an Administrator can comment.
#3  15th July 2013  ocicat (Administrator)

Quote (pttymuth):
I would really like to post the link to that Squid+SslBump but since I have fewer than 5 posts, the forum rules won't allow me to post links.
Welcome!

Although we have automated the five post limit as a spam preventative, Administrators watch most posts of newcomers, & will silently enable link activation if it is clear that the poster has community-oriented intentions. Your account has already been modified.

We recognize that instituting this five post limit can be annoying for newcomers, but it is lifted after the fifth post. Spam has been a significant problem on vBulletin-based forum sites, & this is the less than optimal solution we have settled upon.
Quote (pttymuth):
Wondering if this post could be mirrored on the FreeBSD / NetBSD security forum areas.
While I understand your point, creating a Unix-style link in vBulletin is not possible. Duplication would be a far more confusing solution as thread continuity would be lost. A better solution is to move the thread to a *BSD-neutral subforum (which I have done...).
Quote (pttymuth):
Hopefully an Administrator can comment.
Done.
#4  15th July 2013  ocicat (Administrator)

Quote (pttymuth):
I'm interested in stopping SSH connections from traveling through port 80.
Perhaps jggimi may have other thoughts, but pf(4) doesn't do layer 7 (application-level) filtering -- the ability to look into packets is quite limited.
#5  15th July 2013  pttymuth

Thank you, ocicat! Great work.

I suppose I'll need to stand up a Squid+SslBump implementation. Perhaps Squid 'rules' can be applied to the decrypted traffic to validate it as pure HTTP and block / log it otherwise.

I'll post progress on this as it's made.
#6  15th July 2013  jggimi

Hello, and welcome!

I know little of tools like SSLBump. I understand the desire to control one's own systems, but deploying an intentional MITM attack against SSL as some sort of IDS seems like squashing a bug with an RPG. We are, of course, discussing a rootkit of the future.

And with a compromised system you've got many more worries than just choking off one C&C access path.

I wonder if Snort or another IDS can detect this type of usage. I don't use 'em any more, myself, as they seem to have way too many useless false positives.

Last edited by jggimi; 15th July 2013 at 04:44 PM. Reason: typo, clarity
#7  15th July 2013  pttymuth

Snort is deployed where I work. It takes a lot of additional glue and duct tape in order for it to function cleanly.

Under my alias ejr2122, I was just saying on the FreeBSD Forums:

Quote (ejr2122, FreeBSD Forums):
HIDS / IDS / IPS are all great.

One of these tools could be made to detect what looks like suspicious SSL connection initiations. When the detection occurs, perhaps it could start a MITM attack to inspect it first. That is, it would be an SSL gateway / proxy.
I've been in the cybersecurity industry for only a few months now and have already seen successful and unsuccessful rootkit infection attempts on some servers. In a couple of cases, attackers attempted to download special Perl scripts to the server. These Perl scripts would start an IRC session with some C&C server. Subroutines were defined in the Perl script for various system functions.

While IRC, like many protocols, can be caught by IDS analysis, SSL encrypted traffic is difficult. SSH through port 80 seemed like the most commonplace example of SSL traffic network admins might want to catch.
#8  15th July 2013  jggimi

I think you'd want to check port 443, as that is where SSL traffic will normally be found.
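Added example (not code from any poster, from Squid or from pf): the check proposed in #5 and #7, namely looking at a flow's first bytes and deciding whether it is really HTTP, written as a small Python protocol-identification routine that a proxy, an IDS tap or a pcap reader could run, with the port 443 point from #8 folded in. It assumes the sensor hands it the first bytes each side sent on a connection and that the only policy is "port 80 carries HTTP, port 443 carries TLS"; the regex names, the `EXPECTED` table and every sample stream below are constructed for the demonstration. It also covers the "through HTTP proxies" case from #1: a CONNECT request is legitimate HTTP, and the SSH banner only shows up once the proxy answers 200, so a second helper looks past that response.

```python
"""Protocol identification on the first bytes of a TCP flow.

Added example for this thread, not code from any poster, Squid or pf.
Assumptions: the sensor (a proxy, a tap or a pcap reader) hands us the first
bytes each side sent; the only policy is "port 80 carries HTTP, port 443
carries TLS"; all sample streams are constructed for the demonstration.
"""
import re

# RFC 4253 section 4.2: both peers open with "SSH-protoversion-softwareversion"
# followed by CR LF, so the first bytes of either direction identify SSH on any port.
SSH_BANNER = re.compile(rb"^SSH-(?:1\.99|2\.0)-[^\r\n]{1,253}\r?\n")

# RFC 7230 section 3.1: request-line and status-line shapes.
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,10} [^ \r\n]+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2} ")


def classify(head: bytes) -> str:
    """Return 'ssh', 'http', 'tls' or 'unknown' for the first bytes one side sent."""
    if SSH_BANNER.match(head):
        return "ssh"
    if HTTP_REQUEST.match(head) or HTTP_RESPONSE.match(head):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte
    # length, then handshake type 0x01 (ClientHello) or 0x02 (ServerHello).
    if (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x03 and head[5] in (0x01, 0x02)):
        return "tls"
    return "unknown"


# Port policy (assumption for this example): what each well-known port may carry.
EXPECTED = {80: "http", 443: "tls"}


def check_flow(dst_port: int, client_head: bytes, server_head: bytes = b"") -> dict:
    """Compare what was seen on the flow against the policy for its port."""
    seen = [classify(client_head)]
    if server_head:
        seen.append(classify(server_head))
    want = EXPECTED.get(dst_port)
    if want is None:
        return {"verdict": "no-policy", "seen": seen}
    if all(p == want for p in seen):
        return {"verdict": "allow", "seen": seen}
    return {"verdict": "alert", "seen": seen,
            "reason": "port %d expected %s, saw %s" % (dst_port, want, "/".join(seen))}


def classify_tunnel(server_stream: bytes) -> str:
    """SSH through an HTTP proxy: the client's CONNECT is legitimate HTTP, so the
    tell-tale banner only appears after the proxy's '200 Connection established'.
    Skip those response headers and classify what comes through the tunnel."""
    if HTTP_RESPONSE.match(server_stream):
        end = server_stream.find(b"\r\n\r\n")
        if end != -1:
            return classify(server_stream[end + 4:])
    return classify(server_stream)


# Constructed stream heads: (description, dst port, client bytes, server bytes).
SAMPLE_FLOWS = [
    ("plain web request", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("sshd listening on 80", 80,
     b"SSH-2.0-OpenSSH_6.2\r\n", b"SSH-2.0-OpenSSH_6.2\r\n"),
    ("TLS ClientHello on 443", 443,
     bytes.fromhex("160301004f0100004b0303") + b"\x00" * 16, b""),
    ("sshd listening on 443", 443,
     b"SSH-2.0-PuTTY_Release_0.62\r\n", b""),
    ("CONNECT through an HTTP proxy", 80,
     b"CONNECT ssh.example.org:22 HTTP/1.1\r\nHost: ssh.example.org:22\r\n\r\n", b""),
]


def run_samples():
    """Return (description, verdict) for every constructed flow."""
    return [(desc, check_flow(port, c, s)["verdict"]) for desc, port, c, s in SAMPLE_FLOWS]


if __name__ == "__main__":
    for desc, verdict in run_samples():
        print("%-32s %s" % (desc, verdict))
    # The CONNECT case is 'allow' above; only the tunnel contents give it away.
    print("inside CONNECT tunnel:", classify_tunnel(
        b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_6.2\r\n"))
```

Two caveats follow from the thread itself. A passive tap can only ever classify the 443 case as "tls"; SSH wrapped in TLS (stunnel-style) looks exactly like HTTPS at this layer, and that is the one case where a bump of the kind #1 describes would have to run the same `classify()` over the decrypted bytes instead. And, as #4 says, pf(4) cannot make this decision itself; what it can do is enforce the verdict once something like this sensor has produced it, while the CONNECT case shows why the sensor must keep watching the flow after the first request rather than stopping at a valid request line.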
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick