LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-11-2008, 06:36 PM   #1
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

How do I prevent SSH tunnels through my squid proxy?


Hi all,

I'm running squid/dansguardian on our corporate firewall, and am now researching the SSH tunneling tools available. We currently only use basic authentication, getting ready to switch to NTLM authentication.

Is there a way to prevent users from tunneling through my squid proxy server? If I can't block it with squid, can I do it with something like snort, fwsnort, etc.?

Thanks
 
Old 06-11-2008, 11:29 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

I don't think you can tunnel ssh through squid. squid is used to proxy http, https and ftp protocols.
 
Old 06-11-2008, 11:33 PM   #3
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
You can google, and find hundreds of sites that explain how to use SSH through a proxy. Here are some of them:

http://www.your-freedom.net/index.php?id=4
http://polishlinux.org/apps/ssh-tunn...ate-firewalls/
http://weyland.be/wrdprss/index.php/...ia-ssh-tunnel/

You can also google, and find NO sites that explain how to prevent them!!! It's driving me nuts.
 
Old 06-11-2008, 11:52 PM   #4
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Extra Info:

Defending against brute force ssh attacks
http://www.astalavista.com/index.php...ws&cmd=details

SSH Proxy
http://ha.ckers.org/ssh_proxy.html

Note: edit sshd_conf AllowTcpForwarding no
 
Old 06-12-2008, 12:10 AM   #5
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Quote:
Originally Posted by internetSurfer View Post
Extra Info:

Defending against brute force ssh attacks
http://www.astalavista.com/index.php...ws&cmd=details
I have port knocking, so there are NO ports open to the WAN. Thanks though

Quote:
Originally Posted by internetSurfer View Post
SSH Proxy
http://ha.ckers.org/ssh_proxy.html

Note: edit sshd_conf AllowTcpForwarding no
I'm not sure how setting the AllowTcpForwarding to NO on the ssh server on the firewall is going to have any effect, but I will look into it. The user doesn't even have access to the ssh server. My understanding is the user client goes right through the squid proxy, pretending to be a browser. ALL ports are closed to the LAN as well. I'll experiment with that tomorrow (I'm at home right now, gotta get a life heh).

I documented my firewall, here's my how-to:
www.abazaba.org/debian/firewall.html
 
Old 06-12-2008, 01:31 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by drokmed View Post
I'm not sure how setting the AllowTcpForwarding to NO on the ssh server on the firewall is going to have any effect, but I will look into it.
Don't waste your time, it has nothing to do with your problem. I believe he just misunderstood your question or something when he suggested that. A fool-proof solution to your problem is to simply whitelist the websites using Squid ACLs, but I assume you already knew that and it's not feasible, right? Even if you manage to install software which can distinguish between real HTTPS and tunnel/SSH/whatever you're still left with the fact that a user could simply use a real HTTPS site to bypass you.
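What the whitelist win32sux describes looks like in squid.conf. This is an added example for this thread, not a config posted by anyone in it; it assumes Squid 2.6/3.x ACL syntax, and the domain names and the temps subnet are placeholders:

```conf
# Added example: restrict CONNECT (the raw TCP tunnel that corkscrew,
# proxytunnel and similar tools ride on) to an allow-list of HTTPS hosts.
# Hostnames and the 192.168.10.0/24 "temps" range are placeholders.

acl SSL_ports port 443
acl CONNECT method CONNECT

# Destinations that may be reached with CONNECT at all. Squid matches
# dstdomain against the host:port in the CONNECT request line, so a
# leading dot covers subdomains.
acl https_allowed dstdomain .example-bank.com .example-payroll.com

# Refuse CONNECT to anything but port 443, then to anything not listed.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !https_allowed

# The thread's own fallback for the lowest-privilege group: identify the
# temps by source address and refuse CONNECT (i.e. all HTTPS) for them.
acl temps src 192.168.10.0/24
http_access deny CONNECT temps

# Normal rules follow, for example:
# http_access allow localnet
# http_access deny all
```

Squid never sees inside a CONNECT tunnel, so the list is the control: a listed host that the user can run sshd on (or point a CNAME at) still passes, which is the limitation win32sux points out. Once the proxy is on NTLM authentication the `src` ACL can be swapped for a `proxy_auth` or external group ACL so the restriction follows the account rather than the desk.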
 
Old 06-12-2008, 02:14 PM   #7
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
I've seen one recommendation, where the HTTPS is throttled way down, very slow, to discourage use of SSH tunneling, Skype, etc. However, I hate that idea. It punishes the innocent to intimidate the guilty.

There's got to be a way. Somebody has already solved this, I'm sure. I'll have to fire up wireshark, run some tests from ssh, corkscrew, proxytunnel, etc., capture the packets, and look for something in common, then create a shorewall/iptables filter to drop it, and log it. If I can do that, I can take it a step further and add a rule to snort or fwsnort, to tear down the session, and ban access to the remote site, and anything else I want.

I fear the solution is a guarded secret, to prevent abusers from finding out how to exploit it. That would be my luck...
 
Old 06-12-2008, 02:30 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

I don't have a clever answer, but to help identify offenders, you could process your access_log files and review the results at regular intervals. There are lots of logfile analysis utilities. (I use calamaris.)

There may be some red flags that you learn to watch for over time, e.g.: Regular access to a single host from a single client IP, access to a host whose reverse lookup turns out to be an ISP dhcp address, etc.

Application layer filtering, as you mentioned, may be another solution.
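The red flags anomie lists can be pulled out of access.log directly rather than eyeballed. The script below is an added example, not code posted in the thread; it assumes Squid's default native log format and uses constructed sample lines and arbitrary thresholds (a tunnel held open for 10 minutes, or one host taking 80% of a client's CONNECTs):

```python
#!/usr/bin/env python3
"""Flag Squid access.log entries that look like long-lived CONNECT tunnels.

Added example for this thread, not code posted by anyone in it. Assumes
Squid's default native log format (one entry per finished request):
  <unix time> <elapsed ms> <client> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
For a CONNECT request Squid writes the entry when the tunnel closes, so
<elapsed> is how long the tunnel stayed up. Thresholds, hostnames and the
sample log below are constructed for illustration.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$')

# Cheap stand-in for anomie's "reverse lookup turns out to be an ISP DHCP
# address": IP-literal CONNECT targets and hostnames that look like ISP pools.
# It is a heuristic; "dyn" will also hit legitimate names containing it.
IP_LITERAL_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
DYNAMIC_NAME_RE = re.compile(r'(dhcp|dyn|pool|cpe|dsl|cable|\.res\.)', re.I)

# Constructed sample: .21 does ordinary HTTPS, .42 holds one 90-minute tunnel
# to a cable-modem style hostname (plus a refused CONNECT to port 22), .55
# only ever CONNECTs to a single host.
SAMPLE_LOG = """\
1213300001.001 450 192.168.10.21 TCP_MISS/200 28411 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1213300010.002 2200 192.168.10.21 TCP_MISS/200 51233 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1213300020.003 5400000 192.168.10.42 TCP_MISS/200 9834221 CONNECT cpe-1-2-3-4.res.isp.example:443 - DIRECT/198.51.100.77 -
1213300100.004 1800 192.168.10.42 TCP_MISS/200 6122 CONNECT cpe-1-2-3-4.res.isp.example:443 - DIRECT/198.51.100.77 -
1213300200.005 1900 192.168.10.42 TCP_MISS/200 6010 CONNECT cpe-1-2-3-4.res.isp.example:443 - DIRECT/198.51.100.77 -
1213300300.006 1700 192.168.10.42 TCP_MISS/200 5998 CONNECT cpe-1-2-3-4.res.isp.example:443 - DIRECT/198.51.100.77 -
1213300400.007 300 192.168.10.42 TCP_DENIED/403 1720 CONNECT 198.51.100.77:22 - NONE/- text/html
1213300500.008 900 192.168.10.55 TCP_MISS/200 15220 GET http://www.example.org/news - DIRECT/93.184.216.34 text/html
1213300510.009 1500 192.168.10.55 TCP_MISS/200 7001 CONNECT vps.example.net:443 - DIRECT/203.0.113.200 -
1213300600.010 1600 192.168.10.55 TCP_MISS/200 7120 CONNECT vps.example.net:443 - DIRECT/203.0.113.200 -
1213300700.011 1400 192.168.10.55 TCP_MISS/200 6980 CONNECT vps.example.net:443 - DIRECT/203.0.113.200 -
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = float(entry['ts'])
    entry['elapsed'] = int(entry['elapsed'])
    entry['bytes'] = int(entry['bytes'])
    return entry


def looks_residential(host):
    """True for an IP literal or a hostname that looks like an ISP dynamic pool."""
    return bool(IP_LITERAL_RE.match(host) or DYNAMIC_NAME_RE.search(host))


def find_tunnel_suspects(lines, min_seconds=600, min_hits=3, share=0.8):
    """Return {(client, host): [reasons]} for completed CONNECTs that look like tunnels."""
    per_client = defaultdict(lambda: defaultdict(list))
    for line in lines:
        e = parse_line(line)
        # Only CONNECTs that actually succeeded are tunnels; denied ones are already handled.
        if not e or e['method'] != 'CONNECT' or not e['result'].endswith('/200'):
            continue
        host = e['url'].rsplit(':', 1)[0]
        per_client[e['client']][host].append(e)

    suspects = {}
    for client, hosts in per_client.items():
        total = sum(len(v) for v in hosts.values())
        for host, entries in hosts.items():
            reasons = []
            longest = max(x['elapsed'] for x in entries) // 1000
            if longest >= min_seconds:
                reasons.append('connect_held_%ds' % longest)
            if len(entries) >= min_hits and len(entries) / total >= share:
                reasons.append('single_host_%d_of_%d' % (len(entries), total))
            if looks_residential(host):
                reasons.append('residential_or_ip_literal_target')
            if reasons:
                suspects[(client, host)] = reasons
    return suspects


if __name__ == '__main__':
    for (client, host), reasons in sorted(find_tunnel_suspects(SAMPLE_LOG.splitlines()).items()):
        print('%-15s %-35s %s' % (client, host, ', '.join(reasons)))
```

Run it against a real log with `find_tunnel_suspects(open('/var/log/squid/access.log'))`; a summary tool like calamaris gives totals per host but will not call out the one client whose "HTTPS session" lasted all shift. Keep the bytes column in mind too: a tunnel carrying a desktop session moves far more data than a bill-payment page.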
 
Old 06-12-2008, 02:48 PM   #9
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Quote:
Originally Posted by anomie View Post
I don't have a clever answer, but to help identify offenders, you could process your access_log files and review the results at regular intervals. There are lots of logfile analysis utilities. (I use calamaris.)
Thanks, I'll check out Calamaris, sounds interesting. I forget the log utility I used to use, lately just checking log files manually. Time for a new log checker
 
Old 06-12-2008, 06:17 PM   #10
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

I've never tried it myself, but the L7-filter iptables module says it supports detection of ssh vs ssl (see here). It'd be worth a try before you try and implement your own packet fingerprints.
But as pointed out, if a user is sophisticated enough to tunnel through the https ports, then they'll just send stuff through proper https instead anyway.

Good luck.
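The fingerprint drokmed planned to capture in post #7, and the one an L7 classifier keys on, is already sitting in the first bytes of the tunnel: SSH starts with a cleartext identification string in both directions, while a TLS session starts with a binary record header. The classifier below is an added example, not code from the thread or from l7-filter; the byte strings are constructed:

```python
#!/usr/bin/env python3
"""Classify the first bytes that flow through a CONNECT tunnel.

Added example for this thread (not l7-filter's code). Feed it the first
few bytes seen in either direction after Squid answered the CONNECT with
"200 Connection established". Sample byte strings are constructed.
"""
import re

# RFC 4253: each side opens with "SSH-<protoversion>-<softwareversion>" CRLF.
SSH_BANNER_RE = re.compile(rb'^SSH-(?:1\.99|2\.0|1\.5)-[\x21-\x7e]+')
HTTP_REQUEST_RE = re.compile(rb'^(?:GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n')


def classify_tunnel_bytes(first_bytes):
    """Return 'ssh', 'tls', 'http' or 'unknown' for the opening bytes of a stream."""
    if SSH_BANNER_RE.match(first_bytes):
        return 'ssh'
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte
    # length, then a handshake message whose first byte 0x01 is ClientHello.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03 and first_bytes[5] == 0x01):
        return 'tls'
    # SSLv2-compatible ClientHello still sent by 2008-era browsers: 2-byte length
    # with the high bit set, then message type 0x01.
    if len(first_bytes) >= 3 and first_bytes[0] & 0x80 and first_bytes[2] == 0x01:
        return 'tls'
    if HTTP_REQUEST_RE.match(first_bytes):
        return 'http'
    return 'unknown'


# Constructed samples. The TLS ones are header-only (truncated ClientHello).
SAMPLES = {
    'openssh_client': b'SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n',
    'openssh_server': b'SSH-2.0-OpenSSH_5.1\r\n',
    'tls_clienthello': b'\x16\x03\x01\x00\x06' + b'\x01\x00\x00\x02\x03\x01',
    'sslv2_hello': b'\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10',
    'plain_http': b'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
    'garbage': b'\x00\x01\x02\x03\x04\x05',
}

if __name__ == '__main__':
    for name, data in SAMPLES.items():
        print('%-16s -> %s' % (name, classify_tunnel_bytes(data)))
```

Two caveats that match what win32sux and beadyallen say. Squid itself does not expose the tunnel payload to an ACL, so this check has to live where the packets are (the L7-filter match, or an `iptables -m string --string "SSH-"` rule on the firewall host that carries the proxy). And an SSH session wrapped in TLS, for example with stunnel on both ends, produces exactly the `tls_clienthello` bytes above and is classified as ordinary HTTPS; the banner check catches the plain corkscrew/proxytunnel setups, not a user who has read this thread.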
 
Old 06-12-2008, 06:32 PM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by drokmed View Post
I've seen one recommendation, where the HTTPS is throttled way down, very slow, to discourage use of SSH tunneling, Skype, etc. However, I hate that idea. It punishes the innocent to intimidate the guilty.
Plus the only way for it to work is if everyone is denied any usable bandwidth.

Quote:
I'll have to fire up wireshark, run some tests from ssh, corkscrew, proxytunnel, etc., capture the packets, and look for something in common, then create a shorewall/iptables filter to drop it, and log it.
Nothing at the network layer will help you here. You will need to do this either at the application layer (for example, have your proxy be a man-in-the-middle and then do deep packet inspection), or at the human resources level (AUP, etc). Most likely you will need to use a synergistic combination of techniques, as there is no single one which would provide any reasonably decent level of effectiveness AFAIK (aside from whitelisting).

Last edited by win32sux; 06-12-2008 at 06:46 PM.
 
Old 06-12-2008, 08:07 PM   #12
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Quote:
Originally Posted by beadyallen View Post
I've never tried it myself, but the L7-filter iptables module says it supports detection of ssh vs ssl (se here). It'd be worth a try before you try and implement your own packet fingerprints.
Fascinating, wasn't aware of that one. Still studying it, very interesting indeed.

Quote:
Originally Posted by beadyallen View Post
But as pointed out, if a user is sophisticated enough to tunnel through the https ports, then they'll just send stuff through proper https instead anyway.
Quote:
Originally Posted by win32sux View Post
Nothing at the network layer will help you here. You will need to do this either at the application layer (for example, have your proxy be a man-in-the-middle and then do deep packet inspection), or at the human resources level (AUP, etc). Most likely you will need to use a synergistic combination of techniques, as there is no single one which would provide any reasonably decent level of effectiveness AFAIK (aside from whitelisting).
I hate to say it, but it seems easier to just prevent HTTPS from the lowest level access group in our organization, mainly temps brought in for data entry, but they still need general Internet access, mainly to google for research purposes, etc. There are way too many subjects researched to utilize white listing. Instead, we're depending on Dansguardian. I have already tweaked Dansguardian to block naughty/non-work related sites, and it is working great. I think this could be an acceptable solution. A trial run blocking HTTPS for the temps might be in order.

I'm thinking if a temp needs HTTPS to pay their electric bill online, or some other need for HTTPS, they can come to me and do it from my desk (or their manager), or better yet, just do that stuff off-hours at home or elsewhere.

For regular employees and above, I guess we'll have to depend on the Acceptable Use Policy, and of course, keep an eye on the log files for abuse. Regular employees will be more concerned about getting reprimanded, so this might have to suffice.

For anyone reading this thread, no I'm not some pig-headed IT jerk trying to play GOD and over-control my position. We have limited bandwidth, and unfortunately too many employees that if allowed, will sit there and chat on myspace, watch youtube, and do all other kinds of non-work activities. Our managers are far too busy to minute manage, and watch what people do. We shouldn't have to. Unfortunately, people are spread out, and our environment is very relaxed, so people tend to goof off when not busy, especially the night shift crowd. Before I implemented Dansguardian, I can't tell you how many times I'd notice people minimizing browsers when they saw me walking by, to hide their goofing off. Many of our employees are young adults that just don't see a problem with it. Our owner expects me to automate the defenses as much as possible. He feels (and I agree) if they can't goof off in the first place, that alone would solve this problem.

I'm going to continue researching the L7 filters, and give feedback here. I think it's worth looking into.

I'm open to your thoughts and suggestions on this. I'd be grateful for any other ideas that could help with this problem.

Thank you all for your feedback
 
  

