Recommendation .- Prevent SSH Tunnel through Port 443/80

Started by ArminF, January 26, 2022, 03:12:49 PM

Hello,
I would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80, as these ports are common and usually open.

Info:
Edit '/etc/ssh/sshd_config' file
Use following configuration for port:
Port 22
Port 443
Restart ssh using 'service sshd restart'

Now I would be able to connect to the outside world using a web port.

Is there a way to prevent that on the firewall?
- IDS
- Proxy

Thank you for your input!
best wishes Armin
English: Never try, never know!
German: Untried is inexperienced!

Suricata could be the solution for this task. There is already a rule that should do the trick:

Should come with "emerging-policy":

emerging-policy.rules:#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

In other words: Rule SID "2001982" from "emerging-policy.rules" named "ET POLICY SSHv2 Client KEX Detected on Unusual Port"

I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use
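To make the rule's matching logic concrete, here is an added example (not code from the thread or from the ET ruleset) that re-implements what SID 2001982 checks: byte_test:1,=,20,5 means the byte at offset 5 of the TCP payload must equal 20, which is SSH_MSG_KEXINIT in an SSH binary packet (4-byte length, 1-byte padding length, then the message type). The Flow class, the SSH_PORTS set standing in for $SSH_PORTS, and the KEXINIT packet are constructed for the demo; note the rule is flowbits:noalert, so it only sets a flowbit for other rules to consume.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

SSH_MSG_KEXINIT = 20   # message type the rule's byte_test looks for (RFC 4253)
SSH_PORTS = {22}       # stands in for Suricata's $SSH_PORTS variable (assumption)


def byte_test_kexinit(payload: bytes) -> bool:
    """byte_test:1,=,20,5 -> the single byte at offset 5 must equal 20.
    Offsets 0-3 are packet_length, 4 is padding_length, 5 is the message type."""
    return len(payload) > 5 and payload[5] == SSH_MSG_KEXINIT


@dataclass
class Flow:
    """Minimal stand-in for a Suricata flow and its flowbits (constructed)."""
    client: str
    server: str
    server_port: int
    flowbits: set = field(default_factory=set)


def inspect_segment(flow: Flow, from_client: bool, payload: bytes) -> Optional[str]:
    """Apply the KEX rule logic to one TCP segment; return the flowbit set, if any.
    The server-side rule (not quoted in the thread) sets is_ssh_server_kex;
    SID 2001982 requires it (flowbits:isset) and then sets is_ssh_client_kex.
    Because of flowbits:noalert it raises no alert itself."""
    if flow.server_port in SSH_PORTS:          # !$SSH_PORTS: standard port is ignored
        return None
    if not byte_test_kexinit(payload):
        return None
    if not from_client:
        flow.flowbits.add("is_ssh_server_kex")
        return "is_ssh_server_kex"
    if "is_ssh_server_kex" in flow.flowbits:   # flow: from_client + isset
        flow.flowbits.add("is_ssh_client_kex")
        return "is_ssh_client_kex"
    return None


def kexinit_packet(cookie: bytes = b"\x00" * 16) -> bytes:
    """Constructed SSH_MSG_KEXINIT binary packet: type, cookie, ten empty
    name-lists, first_kex_packet_follows, reserved; then 4 bytes of padding."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie + b"\x00" * 40 + b"\x00" + b"\x00" * 4
    padding = b"\x00" * 4
    return struct.pack(">IB", 1 + len(body) + len(padding), len(padding)) + body + padding


def detect_ssh_on_port(server_port: int) -> set:
    """Replay server KEXINIT then client KEXINIT on server_port; return flowbits."""
    flow = Flow("10.0.0.5", "203.0.113.10", server_port)   # constructed addresses
    inspect_segment(flow, from_client=False, payload=kexinit_packet())
    inspect_segment(flow, from_client=True, payload=kexinit_packet())
    return flow.flowbits
```

Running detect_ssh_on_port(443) yields both flowbits, while port 22 yields none, matching the rule's !$SSH_PORTS restriction.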

Thank you Seed!

Would that mean that Suricata would need to run on the internal interfaces?
I run Zenarmor there right now.

cheers A

Hm..
Just checked and re-downloaded ET telemetry/emerging-policy,
but was not able to find "ET POLICY SSHv2 Client KEX Detected on Unusual Port" / SID 2001982.

Running OPNsense 21.7.7-amd64

Any idea?
It would be good if I could block that somehow.

thanks
armin

"ET open/emerging-policy" should be available in your Intrusion Detection rule tab.


Quote: "Would that mean that Suricata would need to run on the internal interfaces?"

That's how I run it in my setup. But you could also run Suricata on your WAN interface, if it's not a PPPoE interface, since Suricata won't run in IPS mode on a PPPoE WAN.

Morning Seed,
thanks for your help. Much appreciated.

Yes, and I did activate/enable it and downloaded the data.
But when I check the rules tab for ssh or SID 2001982, I cannot find it.

I think I did the right actions.
Any clue?

cheers Armin

OK, but I am confused.

You wrote ET Open, so I went to install plugins and installed ET open as well.
I had ET Telemetry with a token.

But there I can't find ET open/emerging-policy. There is an ET open/emerging-inappropriate.
And I got an ET telemetry/emerging-policy, but this does not seem to carry the ssh detection.

Installed as plugins:
os-etpro-telemetry   1.6_1   50.3KiB   OPNsense   ET Pro Telemetry Edition   -> with token
os-intrusion-detection-content-et-open   1.0.1   1.53KiB   OPNsense   IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition