Penetration Testing mailing list archives

Re: Netcat through Squid HTTP Proxy


From: James Kearney <jamesjohnkearney () gmail com>
Date: Tue, 19 Apr 2005 16:19:52 +0100


Henderson, Dennis K. wrote:

It seems like he was looking for information on how to prevent this.

You can configure squid to only allow tunneling on certain ports like
443 and 80. You'll have to figure out what your safe ports are to
prevent legitimate traffic from being impacted.
I usually make sure the usual ports like ssh, telnet, irc are not
allowed.

Cheers

Dennis

Although of course, they may just have the sshd running on 443... or be using a httptunnel client and server etc etc... Stopping someone getting out when they are already inside is very difficult - what if they tunnel over DNS/write a custom server and client over port 80 etc? I would think that generally if the individual knows enough to try tunneling ssh over https, then they probably can put an ssh server on 443, or use some transport mechanism over http.

Of course that's not to say that you should not block the connect options for ssh/imap/whatever... but don't assume this will stop anyone getting out.

Maybe you could have a tcpdump dumping the open and close connections for https connect on port 443, and record the amount of usage/time it is used, and it may indicate someone using a shell through the https proxy or something like that?

- jk
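
The usage/time recording suggested in the reply above, sketched as an added example that is not part of the original post: instead of tcpdump, it reads Squid's native access.log, which records each CONNECT tunnel's duration and byte count when the tunnel closes. The allowed-port set, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
from collections import namedtuple

ALLOWED_CONNECT_PORTS = {443}   # assumption: only HTTPS may be tunnelled
MAX_TUNNEL_SECONDS = 1800       # assumption: tunnels open > 30 min are unusual
MIN_BYTES_PER_SECOND = 50       # assumption: long + low volume looks interactive

Finding = namedtuple("Finding", "client target seconds size reasons")

# Constructed sample lines in Squid's native log format:
# time elapsed_ms client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1113923992.101   1840 10.0.0.21 TCP_MISS/200 48213 CONNECT shop.example.com:443 - DIRECT/192.0.2.10 -
1113924001.552 5423000 10.0.0.37 TCP_MISS/200 91544 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -
1113924010.003    310 10.0.0.37 TCP_DENIED/403 1456 CONNECT host.example.net:22 - NONE/- text/html
1113924020.900     95 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.5 text/html
"""

def parse_connect(line):
    """Return (client, host, port, seconds, size, status) for CONNECT lines, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, _, port = f[6].rpartition(":")   # rpartition copes with [v6]:port too
    if not port.isdigit():
        return None
    return f[2], host, int(port), int(f[1]) / 1000.0, int(f[4]), f[3]

def review(log_text):
    """Flag CONNECT entries on unexpected ports or with long, quiet tunnels."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        client, host, port, seconds, size, status = rec
        reasons = []
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append("port %d not allowed (%s)" % (port, status))
        if seconds > MAX_TUNNEL_SECONDS:
            reasons.append("tunnel open %.0f s" % seconds)
            if size / seconds < MIN_BYTES_PER_SECOND:
                reasons.append("low throughput, possibly interactive")
        if reasons:
            findings.append(Finding(client, "%s:%d" % (host, port), seconds, size, reasons))
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f.client, f.target, "; ".join(f.reasons))
```

A flagged entry is a lead for review rather than proof of a shell: long-lived HTTPS sessions also come from legitimate applications, so the thresholds need tuning against normal traffic.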

