
Port 22 (SSH) Outbound Question


Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu Apr 29, 2010 2:55 pm

Port 22 (SSH) Outbound Question

Hello all:

I am trying to think of any concerns I might have allowing this port outbound.  We are trying to stay within HIPAA compliance and have this particular server in our HIPAA DMZ.  We only want to allow SSH outbound and will most likely lock it down to a specific IP address range(s).

I don't think this should or will be a concern, but I wanted to get your collective thoughts and think of anything evil that could crop up and I know you all won't let me down on that.  :P

Thanks all in advance!
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!

ziggy_567

Sr. Member

Posts: 379

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Apr 29, 2010 3:02 pm

Re: Port 22 (SSH) Outbound Question

As with anything you allow out of your firewall, you are opening a possible covert channel. Just because port 22 is usually SSH, doesn't mean that it has to be. I don't believe this would be a huge concern, though. Most automated malware is going to use port 80 or 53 for C2 which is probably open out as well.

If you are opening port 22 out for only specific IPs, as long as there is a valid business need for that hole, I'd say you're taking the necessary precautions. If only one IP needed it and you just opened the firewall for that port completely out of convenience, then I'd say you might want to reconsider.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Apr 29, 2010 4:16 pm

Re: Port 22 (SSH) Outbound Question

SSH supports tunneling.  With tunneling you can bypass many of your firewall filters, web proxies, content filtering engines, etc.  This is especially true because SSH traffic is encrypted.  I usually recommend restricting outbound SSH to just a few trusted individuals. 
~~~~~~~~~~~~~~
Ketchup

sachitre

Newbie

Posts: 22

Joined: Sat Jan 09, 2010 7:55 am

Post Thu Apr 29, 2010 8:28 pm

Re: Port 22 (SSH) Outbound Question

As others have pointed out, keeping outbound access to well-known IP addresses is the way to go. Here is a nice link showing use of OpenSSH for tunneling.

http://packetheader.blogspot.com/2009/0 ... s-via.html

One thing to keep in mind is this applies to all ports and not just SSH since you could change the SSH port from the default 22 to whichever outbound port is open.
CISSP, GPEN, CCNA

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Thu Apr 29, 2010 10:59 pm

Re: Port 22 (SSH) Outbound Question

If you lock SSH down to the server making the connection to only a defined and audited list of servers, that satisfies most compliance and audit requirements.

Deny root/admin from using SSH and only your server can initiate the SSH connection, that should get you all the ticks in the right boxes :-)

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Fri Apr 30, 2010 7:50 pm

Re: Port 22 (SSH) Outbound Question

Great points/advice all.  This helped a ton!  Thanks!
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
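
The checks raised in this thread (an approved destination list for port 22, port 22 carrying something other than SSH, and SSH moved to another open port) can be audited from flow records. The following is an added example, not part of the original thread; the allowlisted range, the record layout and the sample flows are constructed, and it assumes a sensor that records the first bytes the server sends.

```python
import ipaddress

# Assumption: approved outbound SSH destinations (constructed, documentation range).
ALLOWED_SSH_DESTS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed flow records: (src, dst, dst_port, first bytes sent by the server).
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.4", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.1.1.5", "198.51.100.9", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.1.1.5", "203.0.113.7", 22, b"HTTP/1.1 200 OK\r\n"),
    ("10.1.1.5", "198.51.100.20", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.1.1.5", "198.51.100.30", 80, b"HTTP/1.1 200 OK\r\n"),
]

def is_ssh_banner(payload):
    # SSH identification strings begin with "SSH-" (RFC 4253, section 4.2).
    # Simplification: a server may send other lines before the banner.
    return payload.startswith(b"SSH-")

def dest_allowed(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_SSH_DESTS)

def audit_flow(flow):
    """Return a list of findings for one outbound flow (empty if clean)."""
    _src, dst, port, payload = flow
    ssh = is_ssh_banner(payload)
    findings = []
    if port == 22 and not dest_allowed(dst):
        findings.append("port 22 to unapproved destination")
    if port == 22 and not ssh:
        findings.append("non-SSH protocol on port 22")
    if port != 22 and ssh:
        findings.append("SSH on non-standard port")
    return findings

def audit(flows):
    """Map (dst, port) to findings for every flow that has at least one."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            report[(flow[1], flow[2])] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        print(key, findings)
```
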
