Security Basics mailing list archives

Re: ssh tunneling to bypass web proxy rules


From: Times Enemy <times () krr org>
Date: Wed, 24 Aug 2005 13:04:58 -0700

Greetings.

Your various corporate policies should cover this. If someone is intentionally bypassing security implementations, that is not a good thing; contact them directly. If they persist, contact your supervisor(s) and their supervisor(s). If they continue, and you ask them how they are doing it, so you can plug the hole, and they refuse to cooperate, that is unacceptable; contact HR.

It is neat that you have employees that are familiar enough with the network to bypass the proxy (not a big feat in itself), but they should be willing to better the network/company, rather than gloat in their perceived superiority.

If politically possible, disable their ssh account(s). Heck, talk with HR, and see if you can disable all of this individual's accounts, so the company can conduct a more thorough investigation, to determine if any corporate secrets are being distributed/stolen, or on the mere fact that the individual, a "trusted" insider, is refusing to cooperate and is a high security threat to the integrity of the entire network/company. But yeah, disable their ssh accounts, if you can, at least.

If you would rather, or in addition, log everything that user does, in the shell especially. Build a case. If you have any sort of network traffic monitoring station(s), begin a proactive watch for ssh traffic, and any sort of anomalies. If you can, route all traffic to/from that box through some sort of IDS or such. You use the console(s) only to avoid any issues your actions may cause. On the firewall, if it is feasible, drop all ssh traffic to/from the box from which the individual is redirecting traffic. I say to/from this box, because it is a known point of entry/exit, and you do not want to disturb all network traffic if possible. Also, do keep a detailed log of other network traffic, in case other boxes are being used to redirect traffic, or whatever. Basically, if this person uses one system, put a transparent gateway/bridge (OpenBSD is a nice solution here) between his box and the switch, log everything, block whatever you want.

Embrace people who may have a passion for exploration and such, promote and encourage their desires to learn more and better systems, but do not tolerate individuals who intentionally break things and make no attempt, or even flatly refuse to fix them.

.times enemy
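The "proactive watch for ssh traffic" and the per-box logging suggested in the reply above, as an added illustration that is not part of this thread: a small detector run over constructed connection records (source, destination, destination port, first client bytes) of the kind a sensor on the bridge would capture. It flags internal-to-external flows to tcp/22 and, separately, flows carrying an SSH banner on any other port, since a tunnel is not obliged to use port 22. The address ranges and sample records are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: the corporate LAN uses RFC 1918 space; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (src_ip, dst_ip, dst_port, first client payload bytes).
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_4.1\r\n"),
    ("192.168.1.50", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_4.1\r\n"),  # SSH hidden on 443
    ("192.168.1.20", "203.0.113.80", 443, b"\x16\x03\x01\x00\xa5"),     # genuine TLS hello
    ("192.168.1.20", "192.168.1.5", 22, b"SSH-2.0-OpenSSH_4.1\r\n"),    # internal admin ssh
    ("192.168.1.77", "198.51.100.9", 22, b""),                          # SYN seen, no payload yet
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow):
    """Return the reasons this flow looks like outbound SSH (empty list if none)."""
    src, dst, dport, payload = flow
    reasons = []
    # Only internal -> external flows can be a proxy bypass; internal ssh is left alone.
    if not (is_internal(src) and not is_internal(dst)):
        return reasons
    if dport == 22:
        reasons.append("outbound to tcp/22")
    if payload.startswith(b"SSH-"):          # RFC 4253 identification string
        reasons.append("SSH banner on tcp/%d" % dport)
    return reasons

def find_ssh_sources(flows):
    """Map each internal source host to the (dst, port, reason) alerts raised on it."""
    alerts = defaultdict(list)
    for flow in flows:
        for reason in classify(flow):
            alerts[flow[0]].append((flow[1], flow[2], reason))
    return dict(alerts)

if __name__ == "__main__":
    for src, hits in sorted(find_ssh_sources(SAMPLE_FLOWS).items()):
        print(src)
        for dst, dport, reason in hits:
            print("  -> %s:%d  %s" % (dst, dport, reason))
```

The banner check only catches the client side of an unencrypted SSH identification exchange, so a tunnel wrapped in TLS or another carrier still needs the port-based rule or the firewall drop the reply describes.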


William Hile wrote:

The only way to actually stop this would be to block outbound SSH completely. As long as this person has a shell account that accepts SSH, he can tunnel basically anything through there. As far as telling you how, that would depend on the SSH client side... there are several ways to do it... But to stop him, just block outbound SSH.



William Hile, CCSA, CCSE

On Sun, 21 Aug 2005, Juan B wrote:

Hi,

Someone told me one can pass web proxy restrictions by
tunnelling through ssh to restricted web sites like web
mail sites in our corporate network. I really want to
know how he is doing that but I don't know where and
how to test it, and he of course doesn't tell.

I need to close this hole in the network.

Can someone give me a hand, please?

Juan.
