Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Stop SSH over HTTPS ?

Hi guys,

I have Cisco ASA-SSM-20 deployed INLINE.

I can cut any traffic without any problems except SSHv2 over HTTP or HTTPS.

Implementation ? - http://dag.wieers.com/howto/ssh-http-tunneling/

Easy, you can make an HTTPS tunnel, then SSH over HTTPS and after that LOCAL PORT FORWARDING so you can get in the company from home ;)

How I can deny souch connection ?? Any signature ? Any ideas or Cisco can't help in this case.

Best regards,

CD

9 REPLIES
Gold

Re: Stop SSH over HTTPS ?

I assume you have the AIP-SSM-20?

Take a look at signature 11233-0 and -1 and -2, which are for SSH Over Non-standard Ports. These seem to do a good job detecting SSH tunnels and I haven't seen a false positive yet.

It's worth nothing too, that there a many, many more tools that can tunnel through a forwarding proxy without using SSH. SSH is just a little more ubiquitous.

Community Member

Re: Stop SSH over HTTPS ?

Are activated but without any result.

Please see the log on the SSH session taken from SSM-20.

The SSH is v1.99 running on the server SIDE.

The SSM-20 can't see notihing ! Any ideas ??

Rgds,

CD

Gold

Re: Stop SSH over HTTPS ?

Interesting. In the very first data packet, I see:

000-1.99-0000000_3.9p1

000-2.0-0000000_3.9p1

I expect to see something like:

SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT

SSH-1.99-OpenSSH_3.9p1

In the above session, I was using SecureCRT and connecting to an OpenSSH server.

In your case, whatever client and server is being used appears to replace any references to SSH and the server type with zeroes...perhaps intentionally to bypass IDS/IPS? or actually, it might be a pretty clever hack to prevent others from connecting to your SSH server because I think a standard SSH client will fail to connect if versions don't match. I'll have to test that.

In any event, look at the first data packet after the handshake and modify/build a signature based on it. You might consider a meta signature to prevent false positives. bear in mind that someone capable of changing the source and recompiling both the server and the client can set this to whatever they want:

perhaps look for "diffie-hellman" in one signature and "ssh" in another?

Gold

Re: Stop SSH over HTTPS ?

I created a signature that fires on "diffie-hellman.*ssh". I've attached a snapshot. Not seeing any false positives yet. One thing to note; I created a new signature variable called "TUNNEL_PORTS" that contains all the ports our outbound PROXIES allow tunnels for. You should do the same. There is a significant problem with the original signature in that it only looks at the default #WEBPORTS variable. This variable is really designed for clear text HTTP so doesn't contain port 443, etc. It feels wrong using a ".*" in the regex without some sort of match limit, so you may want to tune once you verify that it works.

BTW, this is on a sensor appliance not an ASA....so YMMV in terms of how you create a matching sig.

Community Member

Re: Stop SSH over HTTPS ?

Hi,

thank you for the support. I will create the signature and see the result.

By the way how you are defining the variable $TUNNEL_PORTS to match more then 1 port and not to create same signature for more then 1 port.

Rgds,

CD

Gold

Re: Stop SSH over HTTPS ?

I don't have an ASA but my understanding is that functionality is similar. Just use a comma or carriage return to separate the ports.

443,8443,9443,etc

or

443

8443

9443

etc

Gold

Re: Stop SSH over HTTPS ?

btw, I'm curious. Do you know anything about this SSH tunnel you're seeing? I'm just wanting to know if someone manually updated source and then recompiled to create this effect or if there is some os or version of ssh that already does this out of the box.

Gold

Re: Stop SSH over HTTPS ?

btw, In the first data packet (from the client) I just see:

SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT

The "SSH-1.99-OpenSSH_3.9p1" is in the reply from the server.

Community Member

Re: Stop SSH over HTTPS ?

Hi,

yes now I can stop this SSH connection over 443 ;) thanks

Attached is an output of the event log of the the IPS.

Now coming back to the SSH - is a modify version on the server side (delete banners from the SSH daemon, key authentification plus some sort of compresion build on)

The SSH server and SSH client are running on Windows platform with CYGWIN.

Rgds,

CD

1284
Views
0
Helpful
9
Replies
CreatePlease to create content