Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

Function reject.


computers / comp.security.ssh / Is there a quick/simple way to check if ssh has a remote port forwarded?

SubjectAuthor
* Is there a quick/simple way to check if ssh has a remote port forwardeChris Green
`* Re: Is there a quick/simple way to check if ssh has a remote portGrant Taylor
 `* Re: Is there a quick/simple way to check if ssh has a remote portGrant Taylor
  `- Re: Is there a quick/simple way to check if ssh has a remote port forwardeChris Green

1
Subject: Is there a quick/simple way to check if ssh has a remote port forwarded?
From: Chris Green
Newsgroups: comp.security.ssh
Date: Wed, 16 Sep 2020 12:10 UTC
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Is there a quick/simple way to check if ssh has a remote port forwarded?
Date: Wed, 16 Sep 2020 13:10:58 +0100
Lines: 16
Message-ID: <ivb93h-a6ma.ln1@esprimo.zbmc.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net G/8Q5nJwHC40iaAuFjKhtw0iAr41dwtkbNM4ZxfnJJGWnNsmM=
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:kSRxDtN3Tu9ulCsYWzLN7DxXHkM=
User-Agent: tin/2.4.4-20191224 ("Millburn") (Linux/5.4.0-47-generic (x86_64))
View all headers
If I have opened an ssh connection to a remote server is there any way
to check if the session includes remote port forwarding?

It would be easy if the port forwarding had been done from the command
line, e.g. if the command was 'ssh -R 12345:localhost:54321 server'
one could simply use ps or psgrep to see if there's a "-R 12345" in
there.

However I can't see any way to do it if the remote forward has been
done by "RemoteForward 12345 localhost:54321" in the ssh config file.
Is there anything one can check to see the internal configuration of a
running ssh process?

--
Chris Green
·


Subject: Re: Is there a quick/simple way to check if ssh has a remote port forwarded?
From: Grant Taylor
Newsgroups: comp.security.ssh
Organization: TNet Consulting
Date: Wed, 16 Sep 2020 17:34 UTC
References: 1
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.security.ssh
Subject: Re: Is there a quick/simple way to check if ssh has a remote port
forwarded?
Date: Wed, 16 Sep 2020 11:34:48 -0600
Organization: TNet Consulting
Message-ID: <rjtic8$jjq$1@tncsrv09.home.tnetconsulting.net>
References: <ivb93h-a6ma.ln1@esprimo.zbmc.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Sep 2020 17:35:04 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="20090"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.6.0
In-Reply-To: <ivb93h-a6ma.ln1@esprimo.zbmc.eu>
Content-Language: en-US
View all headers
On 9/16/20 6:10 AM, Chris Green wrote:
If I have opened an ssh connection to a remote server is there any way to check if the session includes remote port forwarding?

I'm not aware of anything reliable.

You might be able to tell after the fact if there are established connections from loopback (as the user that ran the outbound ssh connection) to loopback.

It would be easy if the port forwarding had been done from the command line, e.g. if the command was 'ssh -R 12345:localhost:54321 server' one could simply use ps or psgrep to see if there's a "-R 12345" in there.

That relies on being able to see the command in ps's output.  There are a number of ways that make this unreliable.  Admittedly, many of which are darker grey in color.

However I can't see any way to do it if the remote forward has been done by "RemoteForward 12345 localhost:54321" in the ssh config file.

There is also the fact that you can dynamically alter the port forwarding mid-session.  So yet another way, thus thing you would need to check.

Is there anything one can check to see the internal configuration of a running ssh process?

I think that you would have to enumerate the process space of the other running client ssh processes.  Something that I expect is non-trivial and that OpenSSH is probably going to be hostile and try to protect against.



--
Grant. . . .
unix || die


Subject: Re: Is there a quick/simple way to check if ssh has a remote port forwarded?
From: Grant Taylor
Newsgroups: comp.security.ssh
Organization: TNet Consulting
Date: Wed, 16 Sep 2020 17:38 UTC
References: 1 2
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.security.ssh
Subject: Re: Is there a quick/simple way to check if ssh has a remote port
forwarded?
Date: Wed, 16 Sep 2020 11:38:23 -0600
Organization: TNet Consulting
Message-ID: <rjtiiv$9ql$1@tncsrv09.home.tnetconsulting.net>
References: <ivb93h-a6ma.ln1@esprimo.zbmc.eu>
<rjtic8$jjq$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 16 Sep 2020 17:38:39 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="10069"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.6.0
In-Reply-To: <rjtic8$jjq$1@tncsrv09.home.tnetconsulting.net>
Content-Language: en-US
View all headers
On 9/16/20 11:34 AM, Grant Taylor wrote:
That relies on being able to see the command in ps's output.  There are a number of ways that make this unreliable.  Admittedly, many of which are darker grey in color.

This is a very good example of where responding to something / defending against something can be very different depending on the intentions behind whom you're trying to detect.

White hat could likely be persuaded to always use the command line options and not do anything to obfuscate them.

Black hat could easily do a number of things to avoid detection. Including running a program on either end to convert between a {TCP,UDP} socket and a Unix socket which can be forwarded through SSH without using port forwarding on either end.



--
Grant. . . .
unix || die


Subject: Re: Is there a quick/simple way to check if ssh has a remote port forwarded?
From: Chris Green
Newsgroups: comp.security.ssh
Date: Wed, 16 Sep 2020 19:50 UTC
References: 1 2 3
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Re: Is there a quick/simple way to check if ssh has a remote port forwarded?
Date: Wed, 16 Sep 2020 20:50:48 +0100
Lines: 28
Message-ID: <ot6a3h-i7fc.ln1@esprimo.zbmc.eu>
References: <ivb93h-a6ma.ln1@esprimo.zbmc.eu> <rjtic8$jjq$1@tncsrv09.home.tnetconsulting.net> <rjtiiv$9ql$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net UJ4Xj/gU+bqDamvxvxrkGwhtVWI3TBqUkr+EpNuFEzztqnFa8=
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:m8M5KZ1EU5d+YuDogHlsOJfmiMM=
User-Agent: tin/2.4.4-20191224 ("Millburn") (Linux/5.4.0-47-generic (x86_64))
View all headers
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 9/16/20 11:34 AM, Grant Taylor wrote:
That relies on being able to see the command in ps's output.  There are
a number of ways that make this unreliable.  Admittedly, many of which
are darker grey in color.

This is a very good example of where responding to something / defending
against something can be very different depending on the intentions
behind whom you're trying to detect.

White hat could likely be persuaded to always use the command line
options and not do anything to obfuscate them.

Black hat could easily do a number of things to avoid detection.
Including running a program on either end to convert between a {TCP,UDP}
socket and a Unix socket which can be forwarded through SSH without
using port forwarding on either end.

In this case, if I understand what you mean, it's 'white hat' and
'white hat'. :-)   It's only me running these ssh processes and it's
only me wanting to know about port forwarding.

If it goes wrong the result it pretty benign, I have an ssh that goes
wrong or an unwanted message.

--
Chris Green
·


1
rocksolid light 0.7.2
clearneti2ptor