Re: OpenSSH-Client without reverse tunnel ability

On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner@xxxxxxxxxxx> wrote:
> Hello all.
>
> First of all, I want to extend my sincere thanks to all the people who
> came to the rescue so quickly.
>
> In any case, there is obviously room for clarification on my part, so I
> will try to describe the situation we had in more detail.
>
> In short:
> Employees used the openssh-*client* from *within* our company network to
> create a *reverse* SSH tunnel, using an *external* SSH-Server. We
> control the Clients but not the servers.
> So, we wanted to restrict our *Clients*.

How difficult would it be to leave a scheduled security check to look
for "ssh[ \t].*-R.*" expressions with "pgrep", and file a security
abuse report if such processes are seen? It could be worked around,
but should catch the most blatant abusers so they can be notified of
inappropriate behavior.

I'm not sure what is available for you if you're using OpenBSD or BSD
based operating systems, but for Linux, Red Hat had a bug report for
SELinux at https://bugzilla.redhat.com/show_bug.cgi?id=656813
explaining how they'd accidentally disabled port forwarding with
SELinux. Perhaps that could help you?

Nico Kadel-Garcia <nkadel@xxxxxxxxx>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
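
The scheduled check suggested in the message above, as an added example that is not code from the thread: it reads `pgrep -a` style lines and walks each ssh client's option list instead of applying the regex, so bundled flags and `-o RemoteForward` are reported while a `-R` that belongs to a remote command is not. The function names and sample lines are constructed, and procps `pgrep` is assumed for live use.

```shell
# Added example: report ssh clients that request a remote (reverse) forward.
# Input is `pgrep -a` style text: "<pid> <command line>", one process per line.

# Single-letter ssh options that take an argument, per ssh(1).
SSH_ARG_OPTS='BbcDEeFIiJLlmOopQRSWw'

find_reverse_tunnels() {
    set -f                                  # no globbing while word-splitting
    while read -r pid cmd; do
        set -- $cmd
        [ "${1##*/}" = ssh ] || continue    # only the ssh client binary
        shift; hit=0
        while [ $# -gt 0 ] && [ "$hit" -eq 0 ]; do
            arg=$1; shift
            # "--" or the first non-option word (the destination) ends options
            case "$arg" in --) break ;; -?*) ;; *) break ;; esac
            rest=${arg#-}
            while [ -n "$rest" ]; do        # walk bundled flags such as -fNR
                c=${rest%"${rest#?}"}; rest=${rest#?}
                case "$c" in
                    R) hit=1; break ;;
                    [$SSH_ARG_OPTS])
                        # value is the rest of this word, else the next word
                        val=$rest
                        if [ -z "$val" ] && [ $# -gt 0 ]; then val=$1; shift; fi
                        if [ "$c" = o ]; then
                            case "$(printf %s "$val" | tr 'A-Z' 'a-z')" in
                                remoteforward*) hit=1 ;;
                            esac
                        fi
                        break ;;
                esac
            done
        done
        if [ "$hit" -eq 1 ]; then printf '%s\n' "$pid"; fi
    done
    set +f
}

# Constructed sample input, not captured from a real host.
sample_lines() {
    cat <<'EOF'
1201 ssh -N -R 2222:localhost:22 user@host.example
1202 /usr/bin/ssh -fNR 8080:localhost:80 host.example
1203 ssh -o RemoteForward=2222 localhost:22 host.example
1204 ssh -L 8080:localhost:80 host.example
1205 ssh host.example grep -R TODO src
1206 sshd: user@pts/0
EOF
}

# Live use (assumes procps pgrep): pgrep -a -x ssh | find_reverse_tunnels
sample_lines | find_reverse_tunnels
```

Run from cron, the printed PIDs can be attached to the abuse report; on the sample input it prints 1201, 1202 and 1203.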