--- On Thu, 7/16/09, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:
>
> What I would like to know is, how is the tunnel
> detected? I've
> always assumed that once my ssh session is made that every
> packet
> would be completely encrypted, even the headers of the
> tunneled
> packets. So even if the tunnel used GRE (or whatever)
> it would be
> encrypted too. Clearly that's not the
> case.
>
> So, how is my tunnel detected? And no I'm
> not going to keep trying,
> this is a fireable offense!
>
> Gary H.
The tunnel will be visible netstat and/or lsof on the ssh server. With netsat, you won't see who is tunneling. But with lsof it would show up:
root@thug:/home/user01# lsof -ni |grep 11111
sshd 21716 user01 10u IPv4 16978115 TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
root@thug:/home/user01# netstat -an |grep 11111
tcp 0 0 10.26.0.111:38272 10.26.0.211:11111 ESTABLISHED
If it's not permitted, why don't they simply deny it in sshd_config ?
#AllowTcpForwarding no
