Date:      Sun, 8 Sep 2002 21:43:20 +0200
From:      Paul Schenkeveld <fb-net@psconsult.nl>
To:        freebsd-net@FreeBSD.ORG
Subject:   Re: protocol inspection (tunneling ssh over http proxy)
Message-ID:  <20020908214320.A35988@psconsult.nl>
In-Reply-To: <3D7B9491.9090305@inode.at>; from mbretter@inode.at on Sun, Sep 08, 2002 at 08:18:57PM +0200
References:  <Pine.BSF.4.21.0209080153490.50002-100000@InterJet.elischer.org> <3D7B9491.9090305@inode.at>

On Sun, Sep 08, 2002 at 08:18:57PM +0200, Michael Bretterklieber wrote:
> Hi,
> 
> I'm already running squid as proxy. But if I allow only port 80, then no
> https works. Also if they let their sshd run on port 80 on a server
> somewhere then this doesn't prevent ssh-tunneling over http.
> 
> I attached the tcpdump of a tunnel'd ssh-connection over http.
> 
> 192.168.201.1 is my gateway with squid and an adsl internet connection 
> (mpd).
> 192.168.201.12 is my bad boy, which uses Putty for tunneling ssh over http.
> 
> I think I can do nothing to break the tunnel.

With http packet inspection you could stop your squid from tunneling
ssh connections but as https is end to end encrypted you cannot prevent
anyone from abusing your proxy for a tunnel if you let connections to
port 443 through without inspection.

So if you cannot stop them, you could discourage the abuse.

With dummynet you could introduce a little packet delay.  This does not
hurt too much for downloading pages, the main purpose of http[s] but
really makes interactive abuse of your proxy with ssh inconvenient.

Further, two properties of http[s] are that there is a small request
from the client to the server usually followed by much more data coming
back from the server to the client.  So if we find a way to slow down or
break the connection if more than a certain amount of data flows from
client to server (allow for a request plus form data here) or break
the connection if no data flows from server to client for some time
the abuse of your proxy becomes very unattractive.

The bottom line is: "data is data so if you let anything through
someone can always find a way to abuse this for other data".
Think about implementing IP on top of SMTP email.  Not very fast
but it can bypass many firewalls :-)
So if we cannot completely block them, at least make their abuse
unattractive.

My € 0.02 (close to $ 0.02 now).

Paul Schenkeveld

> Or am I wrong?
> 
> bye,
> 
> Julian Elischer wrote:
> > Run a squid (or apache) proxy for web access,
> > and then ONLY allow port 80 traffic from the proxy.
> > 
> > 
> > On Sun, 8 Sep 2002, Michael Bretterklieber wrote:
> > 
> > 
> >>Hi,
> >>
> >>the problem is that they do not use port 22 for the ssh connection, they
> >>use port 80 or 443.
> >>
> >>I need some software that guarantees that over the http-port flows only
> >>http and not something else.
> >>
> >>bye,
> >>
> >>Mike Nowlin wrote:
> >>
> >>>>We have problems in our company, that some users, which do not have direct
> >>>>access to the internet, let ssh tunnel over our http-proxy. Extending
> >>>>ssh for tunneling is very easy (see Putty or corkscrew) and it's also not
> >>>>a problem for them to run sshd on another machine on port 443 or 80.
> >>>>
> >>>>At the moment I have no idea how to prevent the users from tunneling ssh
> >>>>over http.
> >>>
> >>>
> >>>You mean that they're opening connections via SSH through the proxy to
> >>>remote machines on port 22, then using the SSH tunnel capability to
> >>>allow connections back to their machine over the tunnel?  (Sorry, I'm a
> >>>bit brain-fried right now.)  If so, can't you restrict the proxy to not
> >>>allow remote requests out to port 22?
> >>>
> >>>mike
> >>>
> >>>To Unsubscribe: send mail to majordomo@FreeBSD.org
> >>>with "unsubscribe freebsd-net" in the body of the message
> >>>
> >>>
> >>
> >>-- 
> >>--
> >>--------------------------------------
> >>E-mail: Michael.Bretterklieber@jawa.at
> >>----------------------------
> >>JAWA Management Software GmbH
> >>Liebenauer Hauptstr. 200
> >>A-8041 GRAZ
> >>Tel: ++43-(0)316-403274-12
> >>Fax: ++43-(0)316-403274-10
> >>GSM: ++43-(0)676-93 96 698
> >>homepage: http://www.jawa.at
> >>--------- private -----------
> >>E-mail:   mbretter@inode.at
> >>homepage: http://www.inode.at/mbretter
> >>--------------------------------------
> >>
> >>
> >>
> >>
> > 
> > 
> > 
> > 
> > 
> 
> 

> 20:26:48.173534 arp who-has 192.168.201.1 tell 192.168.201.12
> 20:26:48.173664 arp reply 192.168.201.1 is-at 0:d0:c9:6:36:17
> 20:26:48.173912 192.168.201.12.1052 > 192.168.201.1.8080: S 667310761:667310761(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 20:26:48.174163 192.168.201.1.8080 > 192.168.201.12.1052: S 2509983361:2509983361(0) ack 667310762 win 65535 <mss 1460>
> 20:26:48.174432 192.168.201.12.1052 > 192.168.201.1.8080: . ack 1 win 17520 (DF)
> 20:26:48.177539 192.168.201.12.1052 > 192.168.201.1.8080: P 1:62(61) ack 1 win 17520 (DF)
> 20:26:48.179034 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.231527 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.232300 192.168.201.1.8080 > 192.168.201.12.1052: P 1:40(39) ack 62 win 65535 (DF)
> 20:26:48.232667 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.278087 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.278599 192.168.201.1.8080 > 192.168.201.12.1052: P 40:65(25) ack 62 win 65535 (DF)
> 20:26:48.278873 192.168.201.12.1052 > 192.168.201.1.8080: . ack 65 win 17456 (DF)
> 20:26:48.279144 192.168.201.12.1052 > 192.168.201.1.8080: P 62:96(34) ack 65 win 17456 (DF)
> 20:26:48.279727 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.322659 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.335569 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.336202 192.168.201.1.8080 > 192.168.201.12.1052: P 65:341(276) ack 96 win 65535 (DF)
> 20:26:48.339715 192.168.201.12.1052 > 192.168.201.1.8080: P 96:252(156) ack 341 win 17180 (DF)
> 20:26:48.340348 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.430412 192.168.201.1.8080 > 192.168.201.12.1052: . ack 252 win 65535 (DF)
> 20:26:48.440204 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.450436 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:48.465797 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.466296 192.168.201.1.8080 > 192.168.201.12.1052: P 341:353(12) ack 252 win 65535 (DF)
> 20:26:48.466844 192.168.201.12.1052 > 192.168.201.1.8080: P 252:280(28) ack 353 win 17168 (DF)
> 20:26:48.467375 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.506635 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.520410 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:48.539219 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.539693 192.168.201.1.8080 > 192.168.201.12.1052: P 353:365(12) ack 280 win 65535 (DF)
> 20:26:48.541095 192.168.201.12.1052 > 192.168.201.1.8080: P 280:420(140) ack 365 win 17156 (DF)
> 20:26:48.541702 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.601571 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.608883 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.609419 192.168.201.1.8080 > 192.168.201.12.1052: P 365:505(140) ack 420 win 65535 (DF)
> 20:26:48.620417 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:48.700597 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.769277 192.168.201.12.1052 > 192.168.201.1.8080: P 420:448(28) ack 505 win 17016 (DF)
> 20:26:48.769871 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.819178 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.819734 192.168.201.1.8080 > 192.168.201.12.1052: P 505:549(44) ack 448 win 65535 (DF)
> 20:26:48.830412 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:48.910589 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:48.950742 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:48.951278 192.168.201.1.8080 > 192.168.201.12.1052: P 549:561(12) ack 448 win 65535 (DF)
> 20:26:48.951550 192.168.201.12.1052 > 192.168.201.1.8080: . ack 561 win 16960 (DF)
> 20:26:48.952201 192.168.201.12.1052 > 192.168.201.1.8080: P 448:484(36) ack 561 win 16960 (DF)
> 20:26:48.952700 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:49.006404 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:49.006939 192.168.201.1.8080 > 192.168.201.12.1052: P 561:573(12) ack 484 win 65535 (DF)
> 20:26:49.007384 192.168.201.12.1052 > 192.168.201.1.8080: P 484:496(12) ack 573 win 16948 (DF)
> 20:26:49.007904 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:49.071772 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:49.072345 192.168.201.1.8080 > 192.168.201.12.1052: P 573:649(76) ack 496 win 65535 (DF)
> 20:26:49.090412 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:49.170596 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:49.187993 192.168.201.12.1052 > 192.168.201.1.8080: . ack 649 win 16872 (DF)
> 20:26:49.199686 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:49.200327 192.168.201.1.8080 > 192.168.201.12.1052: P 649:741(92) ack 496 win 65535 (DF)
> 20:26:49.210420 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:49.290606 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:49.388285 192.168.201.12.1052 > 192.168.201.1.8080: . ack 741 win 16780 (DF)
> 20:26:49.446457 10.0.0.138 > 10.0.0.1: [|gre] (gre encap)
> 20:26:51.501002 192.168.201.12.1052 > 192.168.201.1.8080: P 496:516(20) ack 741 win 16780 (DF)
> 20:26:51.501625 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:51.548928 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:51.560418 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
> 20:26:51.600417 192.168.201.1.8080 > 192.168.201.12.1052: . ack 516 win 65535 (DF)
> 20:26:51.680241 192.168.201.12.1052 > 192.168.201.1.8080: P 516:536(20) ack 741 win 16780 (DF)
> 20:26:51.680783 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:51.728029 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:51.728571 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:51.770436 192.168.201.1.8080 > 192.168.201.12.1052: . ack 536 win 65535 (DF)
> 20:26:51.846470 10.0.0.138 > 10.0.0.1: [|gre] (gre encap)
> 20:26:51.848759 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:51.849334 192.168.201.1.8080 > 192.168.201.12.1052: P 741:781(40) ack 536 win 65535 (DF)
> 20:26:51.849692 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:51.991997 192.168.201.12.1052 > 192.168.201.1.8080: . ack 781 win 16740 (DF)
> 20:26:51.999972 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:52.000418 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:52.146729 10.0.0.138 > 10.0.0.1: [|gre] (gre encap)
> 20:26:53.344206 192.168.201.12.1052 > 192.168.201.1.8080: P 536:556(20) ack 781 win 16740 (DF)
> 20:26:53.344864 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:53.395861 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:53.396440 192.168.201.1.8080 > 192.168.201.12.1052: P 781:817(36) ack 556 win 65535 (DF)
> 20:26:53.397799 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:53.398320 192.168.201.1.8080 > 192.168.201.12.1052: P 817:837(20) ack 556 win 65535 (DF)
> 20:26:53.398607 192.168.201.12.1052 > 192.168.201.1.8080: . ack 837 win 16684 (DF)
> 20:26:53.398750 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:53.398877 192.168.201.12.1052 > 192.168.201.1.8080: P 556:568(12) ack 837 win 16684 (DF)
> 20:26:53.399159 192.168.201.12.1052 > 192.168.201.1.8080: F 568:568(0) ack 837 win 16684 (DF)
> 20:26:53.399327 192.168.201.1.8080 > 192.168.201.12.1052: . ack 569 win 65535 (DF)
> 20:26:53.400119 192.168.201.1.8080 > 192.168.201.12.1052: F 837:837(0) ack 569 win 65535 (DF)
> 20:26:53.400414 192.168.201.12.1052 > 192.168.201.1.8080: . ack 838 win 16684 (DF)
> 20:26:53.400948 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:53.401188 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:53.466508 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:53.467045 10.0.0.1 > 10.0.0.138: gre-proto-0x880B (gre encap)
> 20:26:53.475462 10.0.0.138 > 10.0.0.1: gre-proto-0x880B (gre encap)
> 20:26:53.490434 10.0.0.1 > 10.0.0.138: [|gre] (gre encap)
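Paul's two heuristics (too much data from client to server, or a server that stays silent too long) can be checked directly on a tcpdump text trace like the one Michael attached. The following is an added example and not code from this thread or from squid or dummynet; the thresholds (64 KiB, 30 s), the function names and the three sample connections are assumptions constructed here, modelled on the format of the capture above.

```python
# Added example, not code from this thread: Paul's two heuristics applied to a
# tcpdump text trace. Thresholds, names and sample lines are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(  # tcpdump TCP summary line, as in the quoted trace
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?"
)
CLIENT_BYTES_LIMIT = 64 * 1024                # assumed: a request plus form data
SERVER_SILENCE_LIMIT = timedelta(seconds=30)  # assumed: a page would have arrived


@dataclass
class FlowStats:
    c2s_bytes: int = 0
    s2c_bytes: int = 0
    first_client_data: Optional[datetime] = None
    last_server_data: Optional[datetime] = None
    max_server_silence: timedelta = timedelta(0)

    def note_silence(self, now):
        # Time since the server last sent payload (or since the client's first
        # payload, while the server has not answered at all).
        ref = self.last_server_data or self.first_client_data
        if ref is not None:
            self.max_server_silence = max(self.max_server_silence, now - ref)


def parse_trace(lines):
    """Byte counts per connection, keyed by (client, server) as 'ip.port'."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, GRE and other non-TCP lines are ignored
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, dst = f"{m['src']}.{m['sport']}", f"{m['dst']}.{m['dport']}"
        if m["flags"] == "S" and " ack " not in line:
            flows.setdefault((src, dst), FlowStats())  # SYN sender is the client
            continue
        if (src, dst) in flows:
            st, from_client = flows[(src, dst)], True
        elif (dst, src) in flows:
            st, from_client = flows[(dst, src)], False
        else:
            continue  # handshake not seen
        payload = int(m["len"] or 0)
        if payload == 0:
            continue  # pure ACKs, SYN/ACK and FIN carry no data
        if from_client:
            st.c2s_bytes += payload
            st.first_client_data = st.first_client_data or ts
            st.note_silence(ts)
        else:
            st.s2c_bytes += payload
            st.note_silence(ts)
            st.last_server_data = ts
    return flows


def suspicious_flows(lines):
    """Connections that break either heuristic, with the reasons."""
    flagged = {}
    for key, st in parse_trace(lines).items():
        reasons = []
        if st.c2s_bytes > CLIENT_BYTES_LIMIT:
            reasons.append(f"client sent {st.c2s_bytes} bytes")
        if st.max_server_silence > SERVER_SILENCE_LIMIT:
            reasons.append(f"server silent {st.max_server_silence.total_seconds():.0f}s")
        if reasons:
            flagged[key] = reasons
    return flagged


# Constructed trace, modelled on the quoted capture: a page fetch (port 1100),
# a bulk upload through a tunnel (1101) and an interactive session (1102).
C, S = "192.168.201.12", "192.168.201.1.8080"
_PAGE = [
    f"10:00:00.000000 {C}.1100 > {S}: S 1:1(0) win 16384 <mss 1460> (DF)",
    f"10:00:00.001000 {S} > {C}.1100: S 100:100(0) ack 2 win 65535 <mss 1460>",
    f"10:00:00.003000 {C}.1100 > {S}: P 1:421(420) ack 1 win 17520 (DF)",
    f"10:00:00.250000 {S} > {C}.1100: . 1:1461(1460) ack 421 win 65535 (DF)",
    f"10:00:00.251000 {S} > {C}.1100: P 1461:2340(879) ack 421 win 65535 (DF)",
    f"10:00:00.300000 {C}.1100 > {S}: F 421:421(0) ack 2340 win 17520 (DF)",
]
# Sixty 1460-byte client segments, one every 100 ms; the server answers 12 bytes.
_UPLOAD = [
    f"10:02:00.000000 {C}.1101 > {S}: S 1:1(0) win 16384 <mss 1460> (DF)",
    f"10:02:00.001000 {S} > {C}.1101: S 200:200(0) ack 2 win 65535 <mss 1460>",
] + [
    f"10:02:{i // 10:02d}.{i % 10}02000 {C}.1101 > {S}: "
    f"P {1 + 1460 * i}:{1 + 1460 * (i + 1)}(1460) ack 1 win 17520 (DF)"
    for i in range(60)
] + [f"10:02:08.000000 {S} > {C}.1101: P 1:13(12) ack 87601 win 65535 (DF)"]
_SESSION = [
    f"10:05:00.000000 {C}.1102 > {S}: S 1:1(0) win 16384 <mss 1460> (DF)",
    f"10:05:00.001000 {S} > {C}.1102: S 300:300(0) ack 2 win 65535 <mss 1460>",
    f"10:05:00.002000 {C}.1102 > {S}: P 1:21(20) ack 1 win 17520 (DF)",
    f"10:05:00.050000 {S} > {C}.1102: P 1:37(36) ack 21 win 65535 (DF)",
    f"10:05:45.000000 {C}.1102 > {S}: P 21:41(20) ack 37 win 17520 (DF)",
    f"10:05:45.050000 {S} > {C}.1102: P 37:49(12) ack 41 win 65535 (DF)",
]
SAMPLE_TRACE = _PAGE + _UPLOAD + _SESSION

if __name__ == "__main__":
    for key, reasons in suspicious_flows(SAMPLE_TRACE).items():
        print(key, reasons)
```

The upload is caught by the byte limit and the idle session by the silence limit, while the page fetch passes both. Run over the capture quoted above, the same parser would count 568 bytes from the client and 837 back with no server pause longer than about three seconds, so a short interactive ssh session sits under both thresholds; that is exactly the case Paul's dummynet delay is meant to make inconvenient rather than block.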






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020908214320.A35988>