Recommendation .- Prevent SSH Tunnel through Port 443/80

[ArminF]

Hello,
i would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80.
As these ports are common and usually open.

Info:
Edit '/etc/ssh/sshd_config' file
Use following configuration for port:
Port 22
Port 443
Restart ssh using 'service sshd restart'

Now i would be able to connect to the outside world using a Web port.

Is there a way to prevent that on the firewall?
- IDS
- Proxy

Thank you for your input!
best wishes Armin

[seed]

Suricata could be the solution for this task. There is already a rule that should do the trick:

Should come with "emerging-policy":

Code: [Select]

emerging-policy.rules:#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

In other words: Rule SID "2001982" from "emerging-policy.rules" named "ET POLICY SSHv2 Client KEX Detected on Unusual Port"

[ArminF]

Thank you Seed!

Would that mean that Suricata would need to run on the internal interfaces?
There i do run Zenarmor right now.

cheers A

[ArminF]

hm..
just checked and re-downloaded    ET telemetry/emerging-policy
But was not able to find "ET POLICY SSHv2 Client KEX Detected on Unusual Port" / SID 2001982.

Running OPNsense 21.7.7-amd64

Any idea?
Would be good if i could block that somehow.

thanks
armin

[seed]

"ET open/emerging-policy" should be available in your Intrusion Detection rule tab.

Would that mean that Suricata would need to run on the internal interfaces?

Thats how i run it in my setup. But you could run Suricata also on your WAN interface....if its not a PPPoE interface since Suricata wont run in IPS mode on an (PPPoE)WAN.

[ArminF]

Morning Seed,
thanks for your help. Much appreciated.

Yes and i did activate/enable it and downloaded the data.
But when i check on rules tab for ssh or sid 2001982 i cannot find it.

I think i did the right actions.
Any clue?

cheers Armin

[ArminF]

OK, but i am confused.

You wrote ET Open - so i went install plugins and installed ET open as well.
 I had ET Telemetry with a token.

But there i can't find ET open/emerging-policy. There is a ET open/emerging-inappropriate.
And i got an ET telemetry/emerging-policy but this does not seem to carry the ssh detection.

Installed as plugin
os-etpro-telemetry   1.6_1   50.3KiB   OPNsense   ET Pro Telemetry Edition   -> with token
os-intrusion-detection-content-et-open   1.0.1   1.53KiB   OPNsense   IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition