On Wed, 2007-01-10 at 10:11 -0700, Dave Long wrote:

> Is it possible to detect SSH tunnels traveling through a Linux
> firewall (iptables). In other words, how do I detect normal ssh
> communication versus http traffic going through SSH?
>
> My initial thoughts were that normal SSH traffic would have a specific
> connection and packet rate while other traffic like HTTP going through
> SSH would have a much different connection rate.
If you knew the traffic pattern for the user when not using a tunnel, I am certain you could detect aberrations to that using some nifty math equations. I barely squeaked by statistics (the second time) so don't ask me for answers on that one. There have been reasonably successful attempts to recover passwords based on their pattern of occurrence in an ssh stream.

If you have access to either the client or server, you could also hack the source code to log information about tunneled traffic and then replace the pristine ssh client or daemon with your trojan horse.

If you're looking at the daemon end, you could rig up a packet sniffer to look for http traffic leaving the box and correlate the source ports with the process that is bound to that port. Whenever that process is sshd, you know that the http traffic was tunneled (or sshd has stolen your credit card and is buying designer handbags on Amazon). Even on a client machine, you could probably rig something up listening to the loopback interface.

Corey

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
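The daemon-side check Corey describes (find outbound HTTP connections on the server and see which process owns the source port) as an added example, not code from the original thread. It assumes socket-table output in the shape of `ss -tnp` on the SSH server; the sample lines below are constructed, and `80`/`443` as the "web" ports and `22` as the sshd listening port are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of `ss -tnp` output on an SSH server (assumption:
# your ss version may format the Process column differently). Not real capture data.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      192.0.2.10:22       198.51.100.7:51234 users:(("sshd",pid=4321,fd=5))
ESTAB  0      0      192.0.2.10:48812    203.0.113.5:80     users:(("sshd",pid=4321,fd=9))
ESTAB  0      0      192.0.2.10:48820    203.0.113.9:443    users:(("curl",pid=777,fd=3))
ESTAB  0      0      192.0.2.10:48830    203.0.113.5:80     users:(("sshd",pid=4399,fd=10))
"""

Conn = namedtuple("Conn", "local_port peer_addr peer_port proc pid")

# One established TCP socket per line: local port, peer address/port, owning process and pid.
LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ss(output):
    """Parse ss-style socket lines into Conn records; header and unparseable lines are skipped."""
    conns = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(int(m.group(1)), m.group(2), int(m.group(3)),
                              m.group(4), int(m.group(5))))
    return conns


def tunneled_web_connections(conns, web_ports=(80, 443), ssh_port=22):
    """Return sockets that sshd opened towards a web port.

    The SSH session itself has local port `ssh_port` and is ignored; any other
    socket owned by sshd to a web port was opened on behalf of a forwarded
    client (-L/-D), which is exactly the correlation the post suggests.
    """
    return [c for c in conns
            if c.proc == "sshd" and c.local_port != ssh_port and c.peer_port in web_ports]


def tunnels_by_session(conns):
    """Group flagged sockets by sshd pid so each session's forwarded peers are listed together."""
    sessions = {}
    for c in tunneled_web_connections(conns):
        sessions.setdefault(c.pid, []).append(f"{c.peer_addr}:{c.peer_port}")
    return sessions


if __name__ == "__main__":
    for pid, peers in tunnels_by_session(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(f"sshd pid {pid} forwarded HTTP to: {', '.join(peers)}")
```

The `curl` socket is left alone because the owning process is not sshd, so only traffic that actually passed through the daemon is flagged.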