Re: Detecting a Tunnel Over SSH?

--- On Thu, 7/16/09, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:


What I would like to know is, how is the tunnel detected? I've always assumed that once my ssh session is made, every packet would be completely encrypted, even the headers of the tunneled packets. So even if the tunnel used GRE (or whatever) it would be encrypted too. Clearly that's not the case.

So, how is my tunnel detected? And no, I'm not going to keep trying, this is a fireable offense!

Gary H.

The tunnel will be visible in netstat and/or lsof on the ssh server. With netstat, you won't see who is tunneling. But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd 21716 user01 10u IPv4 16978115 TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)

root@thug:/home/user01# netstat -an |grep 11111
tcp 0 0 10.26.0.111:38272 10.26.0.211:11111 ESTABLISHED

If it's not permitted, why don't they simply deny it in sshd_config?

#AllowTcpForwarding no
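The detection rule implied by the lsof output above, and the sshd_config point that follows it, written out as a small script. This is an added example and not code from anyone in the thread. What it shows: sshd itself only needs the SSH service port, so any other TCP socket held by an sshd process is a forward the server is relaying on a client's behalf (the 10.26.0.111:38272->10.26.0.211:11111 line is sshd connecting out to the target of a -L or -D forward; a LISTEN on another port is the listener of a -R forward). It also checks whether a config really disables forwarding, since a line that starts with "#" is a comment and "#AllowTcpForwarding no" leaves the compiled-in default (yes) in force. The lsof text, the config fragments, the extra hosts and PIDs, and the nginx line are all constructed for the demo; the 10.26.0.x addresses and port 11111 follow the numbers quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: spot sshd-relayed tunnels in lsof
# output and check whether sshd_config actually disables TCP forwarding.
# All sample text below is constructed for the demo.

# Constructed `lsof -nPi TCP` output as seen on the SSH server.  Run lsof as
# root (it shows other users' sockets only to root); -P keeps ports numeric,
# so the service port appears as ":22" rather than ":ssh".
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    21700   root    3u  IPv4 16978001      0t0  TCP *:22 (LISTEN)
sshd    21716 user01    4u  IPv4 16978100      0t0  TCP 10.26.0.111:22->10.26.0.50:51234 (ESTABLISHED)
sshd    21716 user01   10u  IPv4 16978115      0t0  TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
sshd    21716 user01   11u  IPv4 16978120      0t0  TCP 127.0.0.1:8080 (LISTEN)
nginx    1200  nginx    6u  IPv4 12000000      0t0  TCP 10.26.0.111:443->10.26.0.9:40001 (ESTABLISHED)'

# find_sshd_forwards LSOF_TEXT
# Prints "PID USER LOCALPORT PEER STATE" for every TCP socket owned by an sshd
# process whose local port is not the SSH service port ($SSHPORT, default 22).
# An ESTABLISHED socket is the server-side leg of a -L/-D forward (sshd
# connected out to the target); a LISTEN socket is the listener of a -R forward.
find_sshd_forwards() {
    printf '%s\n' "$1" | awk -v sshport="${SSHPORT:-22}" '
        $1 == "sshd" && $(NF-2) == "TCP" {
            split($(NF-1), ends, "->")          # "local->peer", or just "local"
            n = split(ends[1], lp, ":")         # last ":" field is the port
            if (lp[n] == sshport) next          # the daemon listener or a normal session
            peer = (ends[2] != "") ? ends[2] : "-"
            state = $NF; gsub(/[()]/, "", state)
            print $2, $3, lp[n], peer, state
        }'
}

# Constructed sshd_config fragments.  Only an uncommented directive counts:
# "#AllowTcpForwarding no" is a comment and changes nothing.
CONFIG_COMMENTED='# sshd_config
Port 22
#AllowTcpForwarding no
X11Forwarding yes'

CONFIG_DENIED='Port 22
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding yes'

# tcp_forwarding_setting CONFIG_TEXT
# Prints the global AllowTcpForwarding value (yes, no, local or remote).
# sshd uses the first uncommented occurrence of a keyword.  Match blocks are
# skipped here because they apply only to matching connections; for the value
# a particular user really gets, ask the daemon: sshd -T -C user=NAME
tcp_forwarding_setting() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                   # comment line
        { gsub(/=/, " ") }                          # accept the "Keyword=value" form
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }             # compiled-in default
    '
}

# Demo on the constructed input: the two relayed sockets, then the effective
# setting of each config fragment (yes for the commented one, no for the other).
find_sshd_forwards "$SAMPLE_LSOF"
tcp_forwarding_setting "$CONFIG_COMMENTED"
tcp_forwarding_setting "$CONFIG_DENIED"
```

On a live server the same functions run as `find_sshd_forwards "$(lsof -nPi TCP)"` and `tcp_forwarding_setting "$(cat /etc/ssh/sshd_config)"`; set SSHPORT if sshd listens elsewhere. One caveat from sshd_config(5) worth keeping in mind: AllowTcpForwarding no stops sshd from relaying, but a user who still has shell access can run a forwarder of their own inside the session, so the setting only closes the door when shell access is denied as well.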
