if someone were to set up an ssh tunnel to/from work or home, is there a way to prevent future SSH tunneling traffic?
I understand that websense can block traffic, but users who use ssh tunneling can bypass websense or other similar products because it can't decrypt or look further in the packet to tell the difference between legitimate or illegitimate traffic.
from some reading and research, I found that some things you can do are the following:
– turn off SSH altogether; not allowed at all
– restrict ssh access to only users who need them for access and deny everyone else ssh access
– create a custom protocol to blacklist or whitelist ssh traffic by destination (assuming the lists are mangeable)
– review logs for ssh traffic, review the destination IPs and check if they resolve to legitimate or allowable devices or not, or check whether there's more regular internet traffic than tunneling traffic and you can deny/blacklist that IP
But I was wondering, besides these options, would it be possible to circumvent the above options through a man-in-the-middle attack?
Or is there another option to block ssh tunneling traffic or even some network device that can filter/block this traffic?
thanks for the help.
Best Answer
Preventing outbound ssh connections, and thus any tunnels, would require a complete blockade of outbound connections via deep packet inspection. Looking at ports will be 100% useless. You have to look at the actual packet payload to know it's SSH. (this is what websense is doing.)
The only other option is setting up a "proxy" host. Lock down the configuration so the ssh client and server will not allow tunneling, then allow only that machine to make outbound ssh connections -- of course, this includes securing the system as well, otherwise people can run whatever ssh software they want.