Re: Detecting a Tunnel Over SSH?

--- On Thu, 7/16/09, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:

> What I would like to know is, how is the tunnel detected?  I've
> always assumed that once my ssh session is made that every packet
> would be completely encrypted, even the headers of the tunneled
> packets.  So even if the tunnel used GRE (or whatever) it would be
> encrypted too.  Clearly that's not the case.
>
> So, how is my tunnel detected?  And no I'm not going to keep trying,
> this is a fireable offense!
>
> Gary H.

The tunnel will be visible in netstat and/or lsof on the ssh server.  With netstat, you won't see who is tunneling.  But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd    21716  user01   10u  IPv4 16978115       TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)

root@thug:/home/user01# netstat -an |grep 11111

tcp        0      0 10.26.0.111:38272      10.26.0.211:11111      ESTABLISHED 

If it's not permitted, why don't they simply deny it in sshd_config?

AllowTcpForwarding no
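
The lsof check above can be scripted. This is an added example, not part of the original message: it reads `lsof -ni` output and reports sshd-owned TCP sockets whose local port is not the SSH service port, and it goes slightly beyond the message by also reporting sshd listeners on other ports, which is how remote (-R) and X11 forwards show up. The function names, the SSH_PORT variable and every sample line except the user01 line taken from the message are constructed.

```shell
#!/bin/sh
# Added example: flag sshd-owned sockets that are not the SSH service itself.
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on port 22

# find_forwards: read `lsof -ni` output on stdin and print one line per
# suspect socket as: <kind> <user> <pid> <local> <remote>
find_forwards() {
    awk -v port="$SSH_PORT" '
    $1 == "sshd" && ($NF == "(ESTABLISHED)" || $NF == "(LISTEN)") {
        name = $(NF - 1)              # NAME column, e.g. a:p->b:q or *:22
        laddr = name; remote = "-"
        i = index(name, "->")
        if (i > 0) {
            laddr  = substr(name, 1, i - 1)
            remote = substr(name, i + 2)
        }
        n = split(laddr, part, ":")   # last piece is the local port
        if (part[n] == port) next     # ordinary SSH listener or client session
        kind = ($NF == "(LISTEN)") ? "listener" : "outbound"
        print kind, $3, $2, laddr, remote
    }'
}

# Constructed sample input; only the user01 38272->11111 line is from the message.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID    USER   FD   TYPE DEVICE NODE NAME
sshd     1002    root    3u  IPv4 5001       TCP *:22 (LISTEN)
sshd    21716  user01    3u  IPv4 16978001   TCP 10.26.0.111:22->10.26.0.50:51514 (ESTABLISHED)
sshd    21716  user01   10u  IPv4 16978115   TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
sshd    21999  user02    9u  IPv4 16979000   TCP 127.0.0.1:8080 (LISTEN)
nginx    3050    www     6u  IPv4 7001       TCP *:80 (LISTEN)
EOF
}

# Demo on the sample; on a real server run as root: lsof -ni | find_forwards
sample_lsof | find_forwards
```

Anything sshd does over TCP on its own behalf (for example a PAM module that talks to a directory server) would also be listed, so treat the output as a list to review.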




      

