Port 22 (SSH) Outbound Question

Viewing 5 reply threads
  • Author
    Posts
    • #4988
      Dengar13
      Participant

      Hello all:

      I am trying to think of any concerns I might have allowing this port outbound.  We are trying to stay within HIPAA compliance and have this particular server in our HIPAA DMZ.  We only want to allow SSH outbound and will most likely lock it down to a specific IP address range(s).

      I don’t think this should or will be a concern, but I wanted to get your collective thoughts and think of anything evil that could crop up and I know you all won’t let me down on that.  😛

      Thanks all in advance!

    • #31521
      ziggy_567
      Participant

      As with anything you allow out of your firewall, you are opening a possible covert channel. Just because port 22 is usually SSH, doesn’t mean that it has to be. I don’t believe this would be a huge concern, though. Most automated malware is going to use port 80 or 53 for C2 which is probably open out as well.

      If you are opening port 22 out for only specific IPs, as long as there is a valid business need for that hole, I’d say your taking the necessary precautions. If only one IP needed it and you just opened the firewall for that port completely out of convenience, then I’d say you might want to reconsider.

    • #31522
      Ketchup
      Participant

      SSH supports tunneling.  With tunneling you can bypass many of your firewall filters, web proxies, content filtering engines, etc.  This is especially true because SSH traffic is encrypted.  I usually recommend restricting outbound SSH to just a few trusted individuals. 

    • #31523
      salil
      Participant

      As others have pointed out keeping outbound access to well known IP addresses is the way to go. Here is a nice link showing use of openssh for tunneling.

      http://packetheader.blogspot.com/2009/01/installing-openssh-on-windows-via.html

      One thing to keep in mind is this applies to all ports and not just SSH since you could change the SSH port from the default 22 to whichever outbound port is open.

    • #31524
      What90
      Participant

      If you lock SSH down to the server making the connection to only a defined and audited list of servers, that satisfies most compliance and audit requirements.

      Deny root/admin from using SSH and only your server can initiate the SSH connection, that should get you all the ticks in the right boxes 🙂

    • #31525
      Dengar13
      Participant

      Great points/advice all.  This helped a ton!  Thanks!

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?