Detecting SSH tunnels on a Linux firewall

Corey Edwards tensai at
Wed Jan 10 10:30:01 MST 2007

On Wed, 2007-01-10 at 10:11 -0700, Dave Long wrote:
> Is it possible to detect SSH tunnels traveling through a Linux
> firewall (iptables)? In other words, how do I detect normal ssh
> communication versus http traffic going through SSH?
> My initial thoughts were that normal SSH traffic would have a specific
> connection and packet rate while other traffic like HTTP going through
> SSH would have a much different connection rate.

If you knew the traffic pattern for the user when not using a tunnel, I
am certain you could detect aberrations to that using some nifty math
equations. I barely squeaked by statistics (the second time) so don't
ask me for answers on that one. There have been reasonably successful
attempts to recover passwords based on their pattern of occurrence in an
ssh stream.

If you have access to either the client or server, you could also hack
the source code to log information about tunneled traffic and then
replace the pristine ssh client or daemon with your trojan horse.

If you're looking at the daemon end, you could rig up a packet sniffer
to look for http traffic leaving the box and correlate the source ports
with the process that is bound to that port. Whenever that process is
sshd, you know that the http traffic was tunneled (or sshd has stolen
your credit card and is buying designer handbags on Amazon). Even on a
client machine, you could probably rig something up listening to the
loopback interface.
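
The port-to-process correlation described in the last paragraph above, as an added example that is not part of the original post. It uses the socket table from `ss -tnp` rather than a packet sniffer; the sample output is constructed, and the function names and the set of ports treated as web traffic are assumptions.

```python
import re

# Constructed sample of `ss -tnp` output on the SSH server (run as root so the
# owning process of every socket is shown). Addresses are documentation ranges.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      192.0.2.10:22        198.51.100.7:51514  users:(("sshd",pid=2211,fd=4))
ESTAB    0      0      192.0.2.10:43822     203.0.113.80:80     users:(("sshd",pid=2211,fd=9))
ESTAB    0      0      192.0.2.10:43990     203.0.113.80:443    users:(("curl",pid=3020,fd=5))
ESTAB    0      0      [2001:db8::10]:51002 [2001:db8::80]:443  users:(("sshd",pid=2300,fd=11))
SYN-SENT 0      1      192.0.2.10:44100     203.0.113.81:8080
"""

WEB_PORTS = {80, 443, 8080}  # assumption: ports counted as "http traffic"
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def find_tunneled_web(ss_output, daemon="sshd", web_ports=WEB_PORTS):
    """Return outbound web connections whose local socket is owned by `daemon`."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, non-established sockets and rows without an owner.
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        _, src_port = split_endpoint(fields[3])
        dst, dst_port = split_endpoint(fields[4])
        if dst_port not in web_ports:
            continue
        # One socket can be shared by several processes; report each match.
        for name, pid in PROC_RE.findall(" ".join(fields[5:])):
            if name == daemon:
                hits.append({"pid": int(pid), "src_port": src_port,
                             "dst": dst, "dst_port": dst_port})
    return hits


if __name__ == "__main__":
    for hit in find_tunneled_web(SAMPLE_SS_OUTPUT):
        print("web connection owned by sshd:", hit)
```

A socket snapshot only sees connections open at the moment it is taken, so short-lived forwarded requests need repeated polling or the sniffer approach the post describes.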


More information about the PLUG mailing list