HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 32 guests and 1 member online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Otherarrow Port 22 (SSH) Outbound Question
EH-Net
May 19, 2013, 08:59:36 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Port 22 (SSH) Outbound Question  (Read 5775 times)
0 Members and 1 Guest are viewing this topic.
Dengar13
Sr. Member
****
Offline Offline

Posts: 380



View Profile
« on: April 29, 2010, 02:55:34 PM »
Hello all:

I am trying to think of any concerns I might have allowing this port outbound.  We are trying to stay within HIPAA compliance and have this particular server in our HIPAA DMZ.  We only want to allow SSH outbound and will most likely lock it down to a specific IP address range(s).

I don't think this should or will be a concern, but I wanted to get your collective thoughts and think of anything evil that could crop up and I know you all won't let me down on that.   Tongue

Thanks all in advance!
Logged
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #1 on: April 29, 2010, 03:02:21 PM »
As with anything you allow out of your firewall, you are opening a possible covert channel. Just because port 22 is usually SSH, doesn't mean that it has to be. I don't believe this would be a huge concern, though. Most automated malware is going to use port 80 or 53 for C2 which is probably open out as well.

If you are opening port 22 out for only specific IPs, as long as there is a valid business need for that hole, I'd say your taking the necessary precautions. If only one IP needed it and you just opened the firewall for that port completely out of convenience, then I'd say you might want to reconsider.
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #2 on: April 29, 2010, 04:16:58 PM »
SSH supports tunneling.   With tunneling you can bypass many of your firewall filters, web proxies, content filtering engines, etc.   This is especially true because SSH traffic is encrypted.  I usually recommend restricting outbound SSH to just a few trusted individuals. 
Logged
~~~~~~~~~~~~~~
Ketchup
sachitre
Newbie
*
Offline Offline

Posts: 22


View Profile
« Reply #3 on: April 29, 2010, 08:28:14 PM »

As others have pointed out keeping outbound access to well known IP addresses is the way to go. Here is a nice link showing use of openssh for tunneling.

http://packetheader.blogspot.com/2009/01/installing-openssh-on-windows-via.html

One thing to keep in mind is this applies to all ports and not just SSH since you could change the SSH port from the default 22 to whichever outbound port is open.

Logged
CISSP, GPEN, CCNA
What90
Full Member
***
Offline Offline

Posts: 120


View Profile WWW
« Reply #4 on: April 29, 2010, 10:59:19 PM »
If you lock SSH down to the server making the connection to only a defined and audited list of servers, that satisfies most compliance and audit requirements.

Deny root/admin from using SSH and only your server can initiate the SSH connection, that should get you all the ticks in the right boxes :-)
Logged
http://www.chris-mohan.com
Dengar13
Sr. Member
****
Offline Offline

Posts: 380



View Profile
« Reply #5 on: April 30, 2010, 07:50:53 PM »
Great points/advice all.  This helped a ton!  Thanks!
Logged
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.075 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.