Hi list,
Some of our users here use SSH to the server. But some of them use ssh tunnelling to connect to a proxy outside our network, which is not allowed. Is there any way to block this tunneling without blocking ssh traffic? Any help would be appreciated.
TIA, edwin
M. Edwin wrote:
Hi list,
Some of our users here use SSH to the server. But some of them use ssh tunnelling to connect to a proxy outside our network, which is not allowed. Is there any way to block this tunneling without blocking ssh traffic? Any help would be appreciated.
You could filter at the firewall according to addresses. However, there's no way to know what ssh is being used for.
I agree with James: ACLs (ACcess Lists) are the solution to your problem.
You can use iptables to block SSH traffic directed to a specific IP or
subnet.
There are many good articles on the web (just Google for "iptables block
traffic") but you may want to start from the manpage :)
http://www.die.net/doc/linux/man/man8/iptables.8.html
-mw
On 4/11/06, James Knott
M. Edwin wrote:
Hi list,
Some of our users here use SSH to the server. But some of them use ssh tunnelling to connect to a proxy outside our network, which is not allowed. Is there any way to block this tunneling without blocking ssh traffic? Any help would be appreciated.
You could filter at the firewall according to addresses. However, there's no way to know what ssh is being used for.
Yes, you can turn off the tunneling in /etc/ssh/sshd_config with the parameter "AllowTcpForwarding no"
Please see man:/sshd_config (Type that URL in Konqueror, for a decent formatting of the man page). See comments about this parameter...
Jerry
On Tuesday 11 April 2006 05.07, M. Edwin wrote:
Hi list,
Some of our users here use SSH to the server. But some of them use ssh tunnelling to connect to a proxy outside our network, which is not allowed. Is there any way to block this tunneling without blocking ssh traffic? Any help would be appreciated.
TIA, edwin
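One way to check that the setting suggested above took effect, written as an added example that is not part of the original thread: the function reads the effective configuration printed by `sshd -T` and flags any forwarding channel that is still open. The policy table (which also covers Unix-socket and tun forwarding, beyond the one keyword named in the thread) and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the forwarding-related keywords in the effective sshd
# configuration. Input is `sshd -T` output: one "keyword value" pair per line,
# keywords in lower case. On a real server (as root): sshd -T | audit_forwarding

audit_forwarding() {
    awk '
        BEGIN {
            # Values that leave no forwarding channel open (assumed policy).
            want["allowtcpforwarding"]         = "no"  # ssh -L / -R / -D
            want["allowstreamlocalforwarding"] = "no"  # Unix-domain sockets
            want["permittunnel"]               = "no"  # ssh -w (tun devices)
            want["gatewayports"]               = "no"  # remote binds on all interfaces
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "WEAK %s=%s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: TCP forwarding disabled, socket forwarding still enabled.
SAMPLE_PARTIAL='port 22
allowtcpforwarding no
allowstreamlocalforwarding yes
permittunnel no
gatewayports no'

# Constructed sample: every forwarding channel closed.
SAMPLE_CLOSED='port 22
allowtcpforwarding no
allowstreamlocalforwarding no
permittunnel no
gatewayports no'

printf '%s\n' "$SAMPLE_PARTIAL" | audit_forwarding || echo "forwarding still possible"
printf '%s\n' "$SAMPLE_CLOSED" | audit_forwarding && echo "all forwarding channels closed"
```

The comments on AllowTcpForwarding in sshd_config(5) add that disabling it does not improve security unless users are also denied shell access, since they can install their own forwarders.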
Jerry Westrick wrote:
Yes, you can turn off the tunneling in /etc/ssh/sshd_config with the parameter "AllowTcpForwarding no"
Please see man:/sshd_config (Type that URL in Konqueror, for a decent formatting of the man page). See comments about this parameter...
Jerry
Thanks for the suggestion. I have been trying it since yesterday, though I have not looked at the result yet. For James, thanks also for the suggestion, but I try to avoid eliminating specific addresses from within the firewall. Our users still use ssh for other tasks to the server though.
edwin
participants (4)
- James Knott
- Jerry Westrick
- M. Edwin
- Mello