Network Security Secure-Shell

Re: How to restrict remote forwarding ports in SSH2?

Subject: Re: How to restrict remote forwarding ports in SSH2?
Date: Fri, 24 Nov 2006 17:40:09 -0500
On Thu, Nov 23, 2006 at 06:26:03PM +0100, Alexander Tampermeier wrote:
> When using remote port forwarding: Is there a way to restrict the client in
> the number of remote forwarding ports? In other words: I want the client to
> be restricted, so that he can only remote-forward "ssh
> -R15555:localhost:15000" and no other port on the server except 15000.
> Without such a restriction the client would be able to "redirect" arbitrary
> host-ports to wherever he likes.

If I understand what you're asking, it's probably worth pointing out
that it's already possible to do this kind of port redirection in
general with TCP/IP without dealing with SSH's port redirection...
there's not much you can do to prevent it.  Anyone capable of writing
socket code in C can write a program to redirect any port to anywhere
in maybe a couple of dozen lines.  All that's required to do this is
that the user have access to a machine which can connect to the
host/ports he wants to, and access to a C compiler on some machine
which is capable of producing executables which will run on the target
proxy machine.  This technique can be used to get around your local
port forward limitations, as well, assuming the user has shell access
to the machine.  Anyone who really wants to do this is probably going
to do it whether you explicitly allow it or not.

Someone's probably already written a free program to do this kind of
port redirection, which can be downloaded freely.  It might even have
pre-compiled binaries for your platform(s).  Another way to accomplish
the same thing without writing the code is to use a Linux box that one
has root access to (or similar) to use firewall rules to do network
address / port translation.

Worse yet, these methods of circumventing access will not use
encryption... any traffic they redirect this way will not be encrypted
(unless they're redirecting a service that inherently uses encryption
already).  So you're probably better off not bothering to try to lock
this down... at least, not by restricting SSH's ability to forward
ports.  At least then, you can be sure the traffic will be encrypted.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Attachment: pgp2I987mi0e7.pgp
Description: PGP signature
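Editor's note, added to this archived thread and not part of either message: the original question can be answered on the sshd side in OpenSSH 7.8 or later, which added the PermitListen directive for exactly this purpose (it applies to the port sshd listens on for a -R forward, which is 15555 in the quoted command; 15000 is the client-side destination). The account name "relayuser" below is an assumption for illustration. The reply's caveat still holds: these settings constrain only what sshd itself will bind, so they are worth pairing with no shell access for the account, as the last line does.

```text
# sshd_config fragment (OpenSSH 7.8+). "relayuser" is an assumed account name.
Match User relayuser
    # Allow remote (-R) forwarding only; no local (-L) or dynamic (-D) forwards.
    AllowTcpForwarding remote
    # The only listener sshd will create for this client is port 15555,
    # matching "ssh -R15555:localhost:15000" from the question. Any other
    # -R port is refused. (Port-only form, so it matches regardless of the
    # bind address the client sends.)
    PermitListen 15555
    # Keep the forwarded listener on loopback rather than an external interface.
    GatewayPorts no
    # No interactive command: without shell access the user cannot run the
    # hand-written relay or firewall NAT that the reply above describes.
    ForceCommand /bin/false
    PermitTTY no
```

Check the syntax with `sshd -t -f /path/to/sshd_config` before reloading. The client then connects with `ssh -N -R 15555:localhost:15000 relayuser@server` (`-N` because no command will run); an attempt to forward any other port is refused and the client reports "Warning: remote port forwarding failed for listen port ...".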
