EH-Net
Author Topic: Port 22 (SSH) Outbound Question  (Read 5791 times)
Dengar13
« on: April 29, 2010, 02:55:34 PM »

Hello all:

I am trying to think of any concerns I might have allowing this port outbound.  We are trying to stay within HIPAA compliance and have this particular server in our HIPAA DMZ.  We only want to allow SSH outbound and will most likely lock it down to a specific IP address range(s).

I don't think this should or will be a concern, but I wanted to get your collective thoughts and think of anything evil that could crop up and I know you all won't let me down on that.

Thanks all in advance!

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
ziggy_567
« Reply #1 on: April 29, 2010, 03:02:21 PM »

As with anything you allow out of your firewall, you are opening a possible covert channel. Just because port 22 is usually SSH, doesn't mean that it has to be. I don't believe this would be a huge concern, though. Most automated malware is going to use port 80 or 53 for C2 which is probably open out as well.

If you are opening port 22 out for only specific IPs, as long as there is a valid business need for that hole, I'd say you're taking the necessary precautions. If only one IP needed it and you just opened the firewall for that port completely out of convenience, then I'd say you might want to reconsider.

--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
Ketchup
« Reply #2 on: April 29, 2010, 04:16:58 PM »

SSH supports tunneling. With tunneling you can bypass many of your firewall filters, web proxies, content filtering engines, etc. This is especially true because SSH traffic is encrypted. I usually recommend restricting outbound SSH to just a few trusted individuals.

~~~~~~~~~~~~~~
Ketchup
sachitre
« Reply #3 on: April 29, 2010, 08:28:14 PM »


As others have pointed out, keeping outbound access to well-known IP addresses is the way to go. Here is a nice link showing use of OpenSSH for tunneling.

http://packetheader.blogspot.com/2009/01/installing-openssh-on-windows-via.html

One thing to keep in mind is this applies to all ports and not just SSH since you could change the SSH port from the default 22 to whichever outbound port is open.


CISSP, GPEN, CCNA
What90
« Reply #4 on: April 29, 2010, 10:59:19 PM »

If you lock SSH down to the server making the connection to only a defined and audited list of servers, that satisfies most compliance and audit requirements.

Deny root/admin from using SSH and only your server can initiate the SSH connection, that should get you all the ticks in the right boxes :-)

Dengar13
« Reply #5 on: April 30, 2010, 07:50:53 PM »

Great points/advice all.  This helped a ton!  Thanks!

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
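
An added example, not part of the thread: one way to audit the policy the replies recommend (outbound port 22 only from the DMZ server, only to an audited list of destinations), with a volume check for the tunneling concern. The log format, addresses, and threshold are constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumed policy values (constructed for this example, not from the thread).
APPROVED_SOURCES = {ipaddress.ip_address("10.20.0.5")}      # the HIPAA DMZ server
APPROVED_DESTS = [ipaddress.ip_network("198.51.100.0/28")]  # audited SSH peers
MAX_BYTES = 50_000_000  # volume above this on an approved pair gets reviewed

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2010-04-29T15:00:01 ALLOW tcp src=10.20.0.5 dst=198.51.100.10 dport=22 bytes=4312
2010-04-29T15:02:17 ALLOW tcp src=10.20.0.9 dst=198.51.100.10 dport=22 bytes=900
2010-04-29T15:05:40 ALLOW tcp src=10.20.0.5 dst=203.0.113.77 dport=22 bytes=1200
2010-04-29T15:09:03 ALLOW tcp src=10.20.0.5 dst=198.51.100.12 dport=22 bytes=734003200
2010-04-29T15:11:55 DENY tcp src=10.20.0.5 dst=203.0.113.77 dport=22 bytes=0
2010-04-29T15:12:30 ALLOW tcp src=10.20.0.5 dst=192.0.2.8 dport=443 bytes=5100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) tcp src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

def audit_outbound_ssh(log_text):
    """Return (timestamp, reason) for each allowed tcp/22 flow that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW" or m["dport"] != "22":
            continue  # only flows the firewall actually let out on port 22
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in APPROVED_SOURCES:
            findings.append((m["ts"], "unapproved source " + m["src"]))
        elif not any(dst in net for net in APPROVED_DESTS):
            findings.append((m["ts"], "unapproved destination " + m["dst"]))
        elif int(m["bytes"]) > MAX_BYTES:
            # Port 22 and an approved peer do not prove an interactive session.
            findings.append((m["ts"], "high volume to " + m["dst"] + ", review for tunneling"))
    return findings

if __name__ == "__main__":
    for ts, reason in audit_outbound_ssh(SAMPLE_LOG):
        print(ts, reason)
```

Any "unapproved" finding on an ALLOW line means the firewall rule is wider than the audited list and should be tightened.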
© 2013 The Ethical Hacker Network