Dasdan
asked on
block https tunnelling with squid
Hi, how can I block http & https Tunneling with squid? without stopping normal traffic.
Thanks
Thanks
Mal Osborne
You can't. HTTPs is encrypted, Squid therefore cannot tell what is in each packet. If you can identify a lot of HTTPs traffic going to a particular site, you could block it by IP. Kinda cat & mouse game with your users though.
Hi, nice subject
Some things to do :
1) when you know someone is using a https server to tunnel some traffic, you might just want to block its IP. But he'll use another one...
2) If your user is tunneling with SSH on a SSH server running on port 443 (to make squid think it's just allowed https traffic), you have to detect the so-called https server is a SSH server. Just telnet to its IP on port 443, you'll see it (except if your user has recompiled the ssh server to make it answer like a web server... or if he managed to detect it's not coming from him but from someone else and is thus redirecting traffic to a real https server - this guy would be really boring), see :
telnet my.ssh.server 443
Trying 88.x.y.z...
Connected to my.ssh.server.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5
But again, you'll just have to block the IP.
3) depending on your company, you might remind everyone the rules of your company's internet access, particularily on tunneling stuff, for security concerns. He might stop, knowing he's being watched.
4) if it's a pure stunnel, I don't think you can detect anything. You'll just have some clues about the guy and then can discuss, see point 3
5) maybe an advanced sniffing technique might give the proof it's something tunneled... but what would be the cost of detecting this for every https traffic...
Just a tip: when someones uses internet a lot and just have a few CONNECT hits in squid's log, he's tunneling everything :) that might help analyzing the logs
GOOD LUCK
Some things to do :
1) when you know someone is using a https server to tunnel some traffic, you might just want to block its IP. But he'll use another one...
2) If your user is tunneling with SSH on a SSH server running on port 443 (to make squid think it's just allowed https traffic), you have to detect the so-called https server is a SSH server. Just telnet to its IP on port 443, you'll see it (except if your user has recompiled the ssh server to make it answer like a web server... or if he managed to detect it's not coming from him but from someone else and is thus redirecting traffic to a real https server - this guy would be really boring), see :
telnet my.ssh.server 443
Trying 88.x.y.z...
Connected to my.ssh.server.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5
But again, you'll just have to block the IP.
3) depending on your company, you might remind everyone the rules of your company's internet access, particularily on tunneling stuff, for security concerns. He might stop, knowing he's being watched.
4) if it's a pure stunnel, I don't think you can detect anything. You'll just have some clues about the guy and then can discuss, see point 3
5) maybe an advanced sniffing technique might give the proof it's something tunneled... but what would be the cost of detecting this for every https traffic...
Just a tip: when someones uses internet a lot and just have a few CONNECT hits in squid's log, he's tunneling everything :) that might help analyzing the logs
GOOD LUCK
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.