Hello,
I would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80, as these ports are common and usually open.
Info:
Edit '/etc/ssh/sshd_config' file
Use following configuration for port:
Port 22
Port 443
Restart ssh using 'service sshd restart'
Now I would be able to connect to the outside world using a web port.
Is there a way to prevent that on the firewall?
- IDS
- Proxy
Thank you for your input!
best wishes Armin
Suricata could be the solution for this task. There is already a rule that should do the trick:
It should come with "emerging-policy":
emerging-policy.rules:#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
In other words: Rule SID "2001982" from "emerging-policy.rules" named "ET POLICY SSHv2 Client KEX Detected on Unusual Port"
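The rule quoted above keys on the SSH binary packet layout: after the 4-byte packet_length and the 1-byte padding_length, byte 5 is the message type, and 20 is SSH_MSG_KEXINIT (that is what byte_test:1,=,20,5 checks). Note that, as quoted, the rule carries flowbits:noalert, so it only marks the flow; the companion rules that consume the is_ssh_client_kex flowbit are what alert. The following is an added example, not part of the thread or of the ET ruleset, showing the same check in Python over constructed packets: it flags a KEXINIT packet or an SSH identification banner on any destination port outside an assumed SSH_PORTS set of {22}, and ignores a TLS ClientHello on 443. All sample bytes are constructed here for illustration.

```python
"""Toy detector for SSH on an unusual port, mirroring the ET rule's byte_test:1,=,20,5.

Added example for illustration only; not code from the thread or from Emerging Threats.
"""

# Assumption: the same $SSH_PORTS set the Suricata rule would use, here just 22.
SSH_PORTS = {22}
SSH_MSG_KEXINIT = 20          # RFC 4253 message number for KEXINIT
MAX_PACKET_LENGTH = 35000     # RFC 4253 minimum an implementation must accept


def looks_like_ssh_banner(payload: bytes) -> bool:
    """Identification string both peers send first (RFC 4253 section 4.2)."""
    return payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-")


def looks_like_kexinit(payload: bytes) -> bool:
    """Binary packet: uint32 packet_length | byte padding_length | byte msg_type | ..."""
    if len(payload) < 6:
        return False
    packet_length = int.from_bytes(payload[:4], "big")
    padding_length = payload[4]
    # Sanity checks so random binary (e.g. a TLS record) is not mistaken for SSH.
    if packet_length < padding_length + 1 or packet_length > MAX_PACKET_LENGTH:
        return False
    return payload[5] == SSH_MSG_KEXINIT   # the rule's byte_test:1,=,20,5


def classify(dst_port: int, payload: bytes, ssh_ports=SSH_PORTS):
    """Return a finding label for client->server payload on a non-SSH port, else None."""
    if dst_port in ssh_ports:          # rule header: any any -> any !$SSH_PORTS
        return None
    if looks_like_ssh_banner(payload):
        return "ssh-banner"
    if looks_like_kexinit(payload):
        return "ssh-kexinit"
    return None


def build_kexinit(cookie: bytes = b"\x00" * 16) -> bytes:
    """Construct a well-formed SSH_MSG_KEXINIT packet (unencrypted, as on the wire)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    # Ten name-lists: kex, host key, enc c2s/s2c, mac c2s/s2c, comp c2s/s2c, lang c2s/s2c.
    for namelist in (b"curve25519-sha256", b"ssh-ed25519",
                     b"aes256-gcm@openssh.com", b"aes256-gcm@openssh.com",
                     b"hmac-sha2-256", b"hmac-sha2-256",
                     b"none", b"none", b"", b""):
        body += len(namelist).to_bytes(4, "big") + namelist
    body += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    padding = 8 - ((5 + len(body)) % 8)       # total length must be a multiple of 8
    if padding < 4:                           # and padding must be at least 4 bytes
        padding += 8
    packet_length = 1 + len(body) + padding
    return packet_length.to_bytes(4, "big") + bytes([padding]) + body + b"\x00" * padding


# Constructed sample flows (destination port, first client payload).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # truncated, constructed
SAMPLE_FLOWS = [
    (443, TLS_CLIENT_HELLO),                       # ordinary HTTPS
    (443, build_kexinit()),                        # SSH KEXINIT hidden on 443
    (80, b"SSH-2.0-OpenSSH_8.8\r\n"),              # SSH banner on 80
    (22, build_kexinit()),                         # SSH where it belongs, ignored
]


def scan(flows=SAMPLE_FLOWS):
    """Return (dst_port, label) for every flow that looks like SSH on an unusual port."""
    findings = []
    for dst_port, payload in flows:
        label = classify(dst_port, payload)
        if label:
            findings.append((dst_port, label))
    return findings


if __name__ == "__main__":
    for port, label in scan():
        print(f"dst port {port}: {label}")
```

Suricata does the same check with state: the client KEXINIT only counts once the server KEXINIT flowbit has been seen on the flow, which is why the quoted rule has flowbits:isset,is_ssh_server_kex. This example checks a single payload without that pairing, so it is looser than the real rule.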
Thank you Seed!
Would that mean that Suricata would need to run on the internal interfaces?
There I run Zenarmor right now.
cheers A
hm..
Just checked and re-downloaded ET telemetry/emerging-policy.
But I was not able to find "ET POLICY SSHv2 Client KEX Detected on Unusual Port" / SID 2001982.
Running OPNsense 21.7.7-amd64
Any idea?
Would be good if i could block that somehow.
thanks
armin
"ET open/emerging-policy" should be available in your Intrusion Detection rule tab.
Quote: "Would that mean that Suricata would need to run on the internal interfaces?"
That's how I run it in my setup. But you could also run Suricata on your WAN interface, if it's not a PPPoE interface, since Suricata won't run in IPS mode on a PPPoE WAN.
Morning Seed,
thanks for your help. Much appreciated.
Yes, and I did activate/enable it and downloaded the data.
But when I check the rules tab for ssh or SID 2001982, I cannot find it.
I think I did the right actions.
Any clue?
cheers Armin
OK, but I am confused.
You wrote ET Open, so I went to install plugins and installed ET open as well.
I had ET Telemetry with a token.
But there I can't find ET open/emerging-policy. There is an ET open/emerging-inappropriate.
And I got an ET telemetry/emerging-policy, but this does not seem to carry the SSH detection.
Installed as plugins:
os-etpro-telemetry 1.6_1 50.3KiB OPNsense ET Pro Telemetry Edition -> with token
os-intrusion-detection-content-et-open 1.0.1 1.53KiB OPNsense IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition