On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner@xxxxxxxxxxx> wrote:
> Hello all.
>
> First of all, I want to extend my sincere thanks to all the people who
> came to the rescue so quickly.
>
> In any case, there is obviously room for clarification on my part, so I
> will try to describe the situation we had in more detail.
>
> In short:
> Employees used the openssh-*client* from *within* our company network to
> create a *reverse* SSH tunnel, using an *external* SSH-Server. We
> control the Clients but not the servers.
> So, we wanted to restrict our *Clients*.

How difficult would it be to leave a scheduled security check to look for
"ssh[ \t].*-R.*" expressions with "pgrep", and file a security abuse report if
such processes are seen? It could be worked around, but should catch the most
blatant abusers, so they can be notified of inappropriate behavior.

I'm not sure what is available for you if you're using OpenBSD or BSD-based
operating systems, but for Linux RedHat had a bug report for SELinux at
https://bugzilla.redhat.com/show_bug.cgi?id=656813 explaining how they'd
accidentally disabled port forwarding with SELinux. Perhaps that could help you?

Nico Kadel-Garcia <nkadel@xxxxxxxxx>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
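The scheduled pgrep check suggested above, written out as an added example (not code from the thread or from OpenSSH). It goes a little beyond the bare "ssh .*-R" pattern by following ssh(1)'s option syntax, so clustered flags, -R glued to its value, and -o RemoteForward are caught while "ssh host ls -R" (a remote command) is not; it assumes a Linux host with procps-ng pgrep and logger, and the function and option names here are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): classify an ssh(1) client command line
# as requesting a remote ("reverse") port forward, so a scheduled check can
# flag it. Handles clustered flags (-fNR), -R glued to its value,
# -o RemoteForward=..., and ssh's rule that option parsing stops at the first
# non-option word (the hostname), so "ssh host ls -R" is not a tunnel.

# ssh options that take a value; the rest of the cluster or the next word is it.
SSH_OPTS_WITH_ARG='BbcDEeFIiJLlmOopQRSWw'
# is_reverse_tunnel "CMDLINE" -> exit 0 if the invocation opens a reverse tunnel
is_reverse_tunnel() {
    set -- $1                                  # word-split the command line
    case "${1##*/}" in ssh) ;; *) return 1 ;; esac   # only the ssh client itself
    shift
    while [ $# -gt 0 ]; do
        case "$1" in
            --) return 1 ;;                    # explicit end of options
            -?*) cluster=${1#-} ;;
            *) return 1 ;;                     # hostname: the rest is the remote command
        esac
        shift
        while [ -n "$cluster" ]; do
            c=${cluster%"${cluster#?}"}; cluster=${cluster#?}   # pop first char
            case "$c" in
                R) return 0 ;;
                o)  # -o takes a keyword; RemoteForward is -R spelled as an option
                    if [ -n "$cluster" ]; then val=$cluster
                    else val=${1-}; [ $# -eq 0 ] || shift; fi
                    cluster=''
                    case "$val" in
                        [Rr][Ee][Mm][Oo][Tt][Ee][Ff][Oo][Rr][Ww][Aa][Rr][Dd]*) return 0 ;;
                    esac ;;
                *)  case "$SSH_OPTS_WITH_ARG" in     # skip the value of other options
                        *"$c"*) [ -n "$cluster" ] || [ $# -eq 0 ] || shift; cluster='' ;;
                    esac ;;
            esac
        done
    done
    return 1
}

# The scheduled check itself: walk live ssh client processes (pgrep -a prints
# "PID CMDLINE" with procps-ng pgrep; adjust for BSD pgrep) and log any hits.
check_reverse_tunnels() {
    pgrep -a -x ssh | while read -r pid cmdline; do
        if is_reverse_tunnel "$cmdline"; then
            logger -t ssh-tunnel-check "reverse ssh tunnel pid=$pid cmd=$cmdline"
        fi
    done
}
```

Run check_reverse_tunnels from cron or a systemd timer; the word-splitting in is_reverse_tunnel means a quoted "-o RemoteForward ..." value is matched on its first word only.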