From: James Kearney (jamesjohnkearney@gmail.com)
Date: Tue Apr 19 2005 - 11:19:52 EDT
Henderson, Dennis K. wrote:
>It seems like he was looking for information on how to prevent this.
>
>You can configure squid to only allow tunneling on certain ports like
>443 and 80. You'll have to figure out what your safe ports are to
>prevent legitimate traffic from being impacted.
>
>I usually make sure the usual ports like ssh, telnet, irc are not
>allowed.
>
>Cheers
>
>Dennis
>
>
>
although of course, they may just have the sshd running on 443... or be
using a httptunnel client and server etc etc... stopping someone getting
out when they are already inside is v difficult - what if they tunnel
over dns/write a custom server and client over port 80 etc?
I would think that generally if the individual knows enough to try
tunneling ssh over https, then they probably can put an ssh server on
443, or using some transport mechanism over http.
Of course thats not to say that you should not block the connect options
for ssh/imap/whatever... but don't assume this will stop anyone getting out.
maybe you could have a tcpdump dumping the open and close connections
for https connect on port 443, and record the amount of usuage/time it
is used, and it may indicate someone using a shell through the https
proxy or something like that?
- jk
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT