Re: Detecting a Tunnel Over SSH?

--- On Thu, 7/16/09, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:

What I would like to know is, how is the tunnel
detected?   I've
always assumed that once my ssh session is made that every
would be completely encrypted, even the headers of the
packets.  So even if the tunnel used GRE (or whatever)
it would be
encrypted too.   Clearly that's not the

So, how is my tunnel detected?   And no I'm
not going to keep trying,
this is a fireable offense!

Gary H.

The tunnel will be visible netstat and/or lsof on the ssh server. With netsat, you won't see who is tunneling. But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd 21716 user01 10u IPv4 16978115 TCP> (ESTABLISHED)

root@thug:/home/user01# netstat -an |grep 11111


If it's not permitted, why don't they simply deny it in sshd_config ?

#AllowTcpForwarding no

Relevant Pages