RE: [suse-security] forcing connection (newbie question)?
Hi,
-----Original Message----- From: crjljaktjorb@spammotel.com [mailto:crjljaktjorb@spammotel.com]
Hi Mario,
It can be possible to do that, if the Firewall is configured to allow SSH connects to the outside. If I were your firewall administrator, that would not be possible :). Actually, it is not possible!
Yeah, I know you can configure ssh to use port 80. So as long as you "paranoid-proxy"(tm) everything, you aren't sure that someone tunnels something over your open ports. Well, even with proxy you can't.
But I thought of a httptunnel which tunnels a ssh tunnel to HOME which tunnels a ssh connection back to WORK. Because we use M$ Proxy, Linux boxes can not authenticate themselves. That's why I will use cygwin on a windows box.

            Firewall
W    80 ---------|-----------> 80     H
O  2200 ---------|-----------> 2200   O
R    22 <--------|------------ 23     M
K  2200 ---------|-----------> 2200   E
     80 ---------|-----------> 80

Looks like this could work! One problem to go, I haven't read any vpn and tunnel howtos yet. Still to come. Thanks for your help!!!
Mario Ohnewald wrote: --------------------------------------------------
Hello! I work in a tiny company and we have a SuSEfirewall, which I can not access or influence, because it's set up by a 3rd person.

LINUX_HOME        FIREWALL        LINUX_WORK
   ------------>     |

Traffic from LINUX_WORK to external is allowed.
I'm root on LINUX_HOME and LINUX_WORK. Can I somehow force a ssh connection from LINUX_WORK to LINUX_HOME (the other way is not possible due to the firewall) so that I can connect from HOME to WORK?
I guess it's not possible, but worth asking ;)
Cheers, Mario
Hi...
be sure to speak about these things with your (firewall)admin. There is a reason that the firewall is there. I can promise you, that if you would do a similar thing in "my" network, and I find out what you're doing, you would be in serious trouble. Probably that would mean a pink slip for you too (aside from me tarring and feathering you and sending you down the floor while whirling a nine tailed cat over your head).
Again: There is a reason that the firewall is there, doing what you are planning to do endangers your internal network, your company's data and so possibly money. I suggest you talk to your admin if you need some connection from work to home, there are possible VPN solutions to solve that problem.
peace
Tom
Mario Ohnewald wrote:
But I thought of a httptunnel which tunnels a ssh tunnel to HOME which tunnels a ssh connection back to WORK. Because we use M$ Proxy, Linux boxes can not authenticate themselves. That's why I will use cygwin on a windows box.

            Firewall
W    80 ---------|-----------> 80     H
O  2200 ---------|-----------> 2200   O
R    22 <--------|------------ 23     M
K  2200 ---------|-----------> 2200   E
     80 ---------|-----------> 80
Hi Tom, Thanks for your hints!
-----Original Message----- From: Thomas Seliger [mailto:CRJLJAKTJORB@spammotel.com]
Hi...
be sure to speak about these things with your (firewall)admin.
I haven't asked him yet, but I am 1000000% sure that he is totally fine with that.
There is a reason that the firewall is there. I can promise you, that if you would do a similar thing in "my" network, and I find out what you're doing, you would be in serious trouble. Probably that would mean a pink slip for you too (aside from me tarring and feathering you and sending you down the floor while whirling a nine tailed cat over your head).
Again: There is a reason that the firewall is there, doing what you are planning to do endangers your internal network, your company's data and so possibly money. I suggest you talk to your admin if you need some connection from work to home, there are possible VPN solutions to solve that problem.
I pretty much know what I am about to do, and I do not want to make up a backdoor, as soon as it worked I will tell the admins and leave it, and look forward to something else. I am just curious, and not insane!
Regards,
Mario
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
The next question would be, what can we do against that? Is it even possible to avoid http tunnels? Would this be the point where you have to keep a (close) eye on the clients?
On Wednesday, October 02, 2002 01:30:06 PM +0200 Mario Ohnewald
On Wed, 2 Oct 2002 13:30:06 +0200 "Mario Ohnewald" wrote:
The next question would be, what can we do against that? Is it even possible to avoid http tunnels? Would this be the point where you have to keep a (close) eye on the clients?
httptunnel generates A LOT of hits in your proxy logs. *

* I have assumed you are running a proxy here, because if you weren't you would simply use an ssh server bound on port 80 or even better a socks5 server bound on port 80 on a machine outside the firewall. (This is the reason why application level firewalls are important)

If you are running any sort of statistics analysis over your proxy logs, you will easily see httptunnel (and other similar programs) due to the huge number of hits to the same IP.

--
Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
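
The proxy-log statistics check described in the message above, as an added example that is not part of the original thread. It assumes the proxy writes Squid's native access.log layout (the thread does not name a log format); the sample lines, addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, Squid native access.log layout (assumed format):
# time elapsed client action/code bytes method URL ident hierarchy/peer type
def _sample_log():
    lines = []
    # 10.0.0.23 polls one outside address every 2 s (tunnel-like pattern).
    for i in range(300):
        verb = "POST" if i % 2 else "GET"
        lines.append(f"{1033558200 + 2 * i}.000 40 10.0.0.23 TCP_MISS/200 512 "
                     f"{verb} http://192.0.2.10/index.html?n={i} - DIRECT/192.0.2.10 text/html")
    # 10.0.0.7 browses normally: a few hits spread over several sites.
    for i, host in enumerate(["www.suse.de", "www.example.org", "lists.example.net"] * 8):
        lines.append(f"{1033558200 + 25 * i}.000 120 10.0.0.7 TCP_MISS/200 8192 "
                     f"GET http://{host}/page{i}.html - DIRECT/198.51.100.{i % 3 + 1} text/html")
    lines.append("truncated line")  # malformed entries must not abort the run
    return lines

def parse(line):
    """Return (timestamp, client, destination host) or None if unparseable."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    # CONNECT entries log "host:port" instead of a full URL.
    host = f[6].rsplit(":", 1)[0] if f[5] == "CONNECT" else urlsplit(f[6]).hostname
    return (ts, f[2], host) if host else None

def find_heavy_pairs(lines, window=600, min_hits=100, min_share=0.8):
    """Flag (client, host) pairs with >= min_hits requests in one fixed
    `window`-second bucket that are >= min_share of that client's traffic."""
    per_bucket = defaultdict(Counter)  # (client, bucket) -> Counter of hosts
    for ts, client, host in filter(None, map(parse, lines)):
        per_bucket[(client, int(ts // window))][host] += 1
    flagged = {}
    for (client, _), hosts in per_bucket.items():
        host, hits = hosts.most_common(1)[0]
        if hits >= min_hits and hits / sum(hosts.values()) >= min_share:
            flagged[(client, host)] = max(hits, flagged.get((client, host), 0))
    return flagged

if __name__ == "__main__":
    for (client, host), hits in sorted(find_heavy_pairs(_sample_log()).items()):
        print(f"{client} -> {host}: {hits} requests in one 10-minute window")
```

The share threshold keeps busy but ordinary browsing (many hits spread over many sites) from being flagged; tune both thresholds against a baseline of your own logs.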
participants (4)
- Mario Ohnewald
- Michael Salmon
- Peter Nixon
- Thomas Seliger