Need help with security issue
03-03-2010 07:08 AM - edited 03-11-2019 10:17 AM
I have a security incident where someone is using PuTTY to get around our internet filter. What they are doing is tunneling through on port 8080 and 443 to an outside server that acts as a proxy. I can't block port 8080 or 443 for this group of users because they still need to get to the internet. I can't block the public IP address that they are tunneling to because they will just change the address. Does anyone have any ideas that may help me? Thanks for any help you might provide.
Jason
Labels: NGFW Firewalls
03-03-2010 08:15 AM
Interesting issue:
What you can do is use auth-proxy to authenticate that user. As soon as he authenticates he will be allowed to open that port. If it is one IP address that does it then I believe it is fine. The authenticated user will not need to reauthenticate until the authentication expires.
I hope it helps.
PK
03-03-2010 08:48 AM
I don't think that will be an option for us to authenticate, as there are over 65,000 of these types of users whom we would not be able to force to authenticate. Below is an internet site that discusses how to use this method to get around a firewall/internet filter.
To use this method, you need the following;
Alternatively, if you don't meet the prereqs or don't want to leave your computer on all day, you can try HTTP-Tunnel, a commercial alternative that lets you do everything here and more.
Please notice the title of this page starts "How To Bypass Most Firewall Restrictions..." I say most because the method I describe here will not work for everyone, even if you meet the pre-requisites above. If any of the following are true for you, you probably can't use this method successfully;
If either of the 2 lines above apply to you, your network administrator is working hard because they are using a "pessimistic" blocking strategy. In other words, they have decided to block everything, and probably only allow specific access. The problem with that strategy, however, is that it requires much more work and maintenance than using an "optimistic" strategy, in which they allow access to everything and block only certain "things".
Before we start installing and configuring software, you need to find out the following things;
The easiest way to get your IP addresses is to go to www.whatismyip.com at home and at work. Write down the numbers.
We're going to be using 2 fairly simple pieces of software; an SSH Server and an SSH Client.
The OpenSSH installer comes in a zip file. Unzip the file, then run setupssh.exe. Choose to install both the Client and the Server. It will ask you to install into C:\Program Files\OpenSSH. If you choose to install into a different location, that's fine, but be aware I will use the above path in this document.
OpenSSH for Windows uses Windows' user database for login authentication. That means you must have a user name and password set up to log in to your home computer. If you don't, you have 2 choices. 1, set a password on your Windows account, or 2, create a new local account that you will use to log in from SSH. I know a lot of people out there don't use logins or passwords on their home computer, but if you're using NT, 2000, or XP, the functionality is there, even if you don't use it.
You should now have a new local Windows user on your home machine. Remember the login name and password for later.
We want to configure your SSH server to allow access using user names and passwords, and to listen on port 443 instead of port 22.
Now open a command prompt. Change to C:\Program Files\OpenSSH\bin. We are going to create a user and group database from your Windows user database. Type the following;
On your home computer, open a command prompt. To start your SSH server, type the following:
If you have a wired or wireless router at home (Linksys, D-Link, Netgear, etc)
Some routers call it port forwarding and others call it virtual servers, but the setup is very similar no matter what brand you use. You will need to configure your router to route port 443 to the computer where you're running the SSH server. I'm not going to go into details, but there is usually a browser-based interface directly to the router, which will have a page to set up virtual servers. Configure it to forward port 443 to your SSH server computer, port 443.
Copy putty.exe to somewhere on your hard drive at work. c:\ will do fine, or anywhere else you want. Your desktop is convenient but kind of obvious. If you don't have permissions to write files to your hard drive, just copy putty.exe and shunnel.bat to a floppy disk or burn them onto a CD. Take the disk to work and run Putty from the appropriate drive.
putty -D 8080 -P 443 -ssh homeIP
Save the file as shunnel.bat in the same directory that you saved putty.exe.
At work, simply double click shunnel.bat to initiate the shunnel. A Putty window will pop up asking for a login name and password. Type the user name and password you created above on the Windows account. If it works, you will be presented with a DOS prompt waiting for a command. This is actually a command prompt to your HOME machine. You can use it if you want, but as long as this command prompt is open, your tunnel is alive. To close the tunnel, type exit or close the window.
If you are very familiar with SSH and know what you are doing, you can set this up so you don't have to enter a password each time you create the shunnel. You have to install OpenSSH as your SSH client and then set up key-based authentication by creating a public and private key on your work computer. Install the public key on the SSH server on your home computer. Thanks to Robert W. for this suggestion. I may go into more detail on how to set this up in the future.
Now we have to configure Internet Explorer at work to use a SOCKS proxy server.
03-03-2010 09:03 AM
You can auth-proxy one IP address only going to one port if you want.
Wouldn't that solve the problem?
If not, there has to be something in the middle that will inspect and authenticate the application; I don't see any other way.
PK
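Both replies point at inspecting the application rather than the port number. As an added example that is not from this thread or from any Cisco product, the Python below classifies the first bytes a client sends on a flow (SSH identification string vs. TLS ClientHello vs. HTTP request line) so that SSH sessions hidden on 443/8080 can be flagged from a packet capture or proxy log; the flows, addresses and banners are constructed.

```python
# Added example (not from the thread): classify the first client bytes of a
# TCP flow so that SSH sessions hidden on web ports (443/8080) stand out.
# Flows are (client_ip, dst_port, first_bytes) tuples; all sample data is constructed.

SSH_BANNER = b"SSH-"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
WEB_PORTS = {443, 8080}


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if data.startswith(SSH_BANNER):
        return "ssh"       # RFC 4253 identification string, sent in clear before key exchange
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"       # TLS record type 22 (handshake) with an SSL3/TLS1.x version
    if data.startswith(HTTP_METHODS):
        return "http"      # plain HTTP request line
    return "unknown"


def find_tunnels(flows):
    """Return (client, dst_port, banner) for flows that speak SSH on a web port."""
    hits = []
    for client, dst_port, first_bytes in flows:
        if dst_port in WEB_PORTS and classify_payload(first_bytes) == "ssh":
            banner = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
            hits.append((client, dst_port, banner))
    return hits


# Constructed sample flows: a TLS ClientHello prefix, an HTTP request to a
# port-8080 proxy, an SSH client banner sent to 443, and SSH on its own port.
SAMPLE_FLOWS = [
    ("10.1.2.3", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00, 0x00, 0xC1])),
    ("10.1.2.4", 8080, b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"),
    ("10.1.2.5", 443, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    ("10.1.2.6", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),   # normal port: not flagged here
]

if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_FLOWS):
        print("possible SSH tunnel on web port:", hit)
```

This only catches SSH spoken directly on the web port; a flow whose first bytes are a genuine TLS handshake is classified as TLS and needs a different control.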
03-03-2010 09:19 AM
Jason
As PK says, you are going to need something to intercept and inspect the application traffic if you are not prepared to authenticate.
Sometimes though a technical solution is not always either available or the best solution. You seem to have an idea of which group of users it might be. Are you not able to narrow it down any more to maybe a specific user or couple of users?
Have you outlined the issues with bypassing the firewall and presented this to your line manager?
Jon
