[tor-talk] tor using SSH
egf at riskproof.no-ip.org
Wed Mar 23 19:25:46 UTC 2011
> Wed, 23 Mar 2011 11:54:37 -0400 (EDT)
> From: cmeclax-sazri <cmeclax-sazri at ixazon.dynip.com>
>
> Telling ssh traffic from Tor traffic on port 22 is easy. The ssh connection
> begins with an exchange of ssh version numbers in the clear, then a list of
> ciphers. Connecting to a Tor port and sending an SSH version will result in a
> closed connection.
>
> cmeclax
Right.
I have dredged up a rule for iptables to detect <ssh> traffic regardless
of the port number used. . . data packet will always have "SSH-" as
the 1st 4 chars.
This rule will examine packets which are:
from an established connection;
what we want is within the first 255 bytes of data;
has a data packet length of between 46 and 375 bytes;
and the "u32" shifting/masking trickery extracts those
1st 4 chars looking for "SSH-".
If we find one of these, we DROP it.
iptables -A INPUT -p tcp \! -f \
  -m connbytes --connbytes 0:255 --connbytes-dir both --connbytes-mode bytes \
  -m state --state ESTABLISHED \
  -m length --length 46:375 \
  -m u32 --u32 "0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D" \
  -j DROP
We are testing this at the moment. Thanks go to Bill Stearns.
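The u32 expression in that rule is compact enough to be hard to read. As an added example (editor's code, not part of the original post and not Bill Stearns' rule), the following Python evaluates the subset of the iptables u32 language the rule uses, with the same semantics as the kernel match: each `@` adds the current value to a running base offset, the number after it is the next 32-bit load relative to that base, and `=` compares the final value. It is run over constructed IPv4/TCP packets (not captures) so you can see why `0>>22&0x3C` yields the IP header length, `12>>26&0x3C` the TCP header length, and why a packet with TCP options or no payload behaves the way it does. The packet builder, port numbers and option bytes are assumptions made for the demonstration.

```python
import re
import struct

# The u32 expression quoted in the post: skip the IPv4 header (IHL*4),
# skip the TCP header (data offset*4), compare 4 payload bytes to "SSH-".
SSH_BANNER_U32 = "0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D"

# Tokens of the u32 language subset we evaluate. Hex must come before
# decimal so "0x3C" is not split into "0" and an error.
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|>>|<<|&|@|=|:|,)")


def _tokenize(test):
    pos, out = 0, []
    while pos < len(test):
        m = _TOKEN.match(test, pos)
        if not m:
            raise ValueError(f"bad u32 syntax at {test[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def _read32(pkt, off):
    """Big-endian 32-bit load; None when the read runs past the packet (the match fails)."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]


def u32_match(expr, pkt):
    """Evaluate a u32 expression (tests joined by '&&') against a raw IPv4 packet."""
    for test in expr.split("&&"):
        toks = _tokenize(test.strip())
        i, at = 0, 0                        # 'at' is the running base offset
        val = _read32(pkt, at + int(toks[i], 0))
        i += 1
        if val is None:
            return False
        saw_eq = False
        while i < len(toks):
            op = toks[i]
            i += 1
            if op == "=":
                saw_eq = True
                break
            arg = int(toks[i], 0)
            i += 1
            if op == "&":
                val &= arg
            elif op == ">>":
                val >>= arg
            elif op == "<<":
                val = (val << arg) & 0xFFFFFFFF
            elif op == "@":                 # kernel: at += val; next load at at+arg
                at += val
                val = _read32(pkt, at + arg)
                if val is None:
                    return False
            else:
                raise ValueError(f"unexpected operator {op!r}")
        if not saw_eq:
            raise ValueError("test has no '=' comparison")
        # Right-hand side: value or low:high range, several separated by ','
        ok = False
        while i < len(toks):
            lo = hi = int(toks[i], 0)
            i += 1
            if i < len(toks) and toks[i] == ":":
                hi = int(toks[i + 1], 0)
                i += 2
            ok = ok or lo <= val <= hi
            if i < len(toks) and toks[i] == ",":
                i += 1
        if not ok:
            return False
    return True


def build_ipv4_tcp(payload, ip_options=b"", tcp_options=b""):
    """Constructed sample packet: minimal IPv4 + TCP headers (checksums left 0), optional options."""
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 54321, 443, 1, 1, doff << 4, 0x18, 65535, 0, 0) + tcp_options
    return ip + tcp + payload


def is_ssh_banner(pkt):
    """True when the packet's first payload bytes are 'SSH-', whatever the port."""
    return u32_match(SSH_BANNER_U32, pkt)


if __name__ == "__main__":
    samples = {
        "ssh banner on 443": build_ipv4_tcp(b"SSH-2.0-OpenSSH_8.9\r\n"),
        "tls client hello": build_ipv4_tcp(b"\x16\x03\x01\x00\xf4\x01"),
        "ssh banner, 12 bytes of TCP options": build_ipv4_tcp(b"SSH-2.0-x", tcp_options=b"\x01" * 12),
        "no payload": build_ipv4_tcp(b""),
    }
    for name, pkt in samples.items():
        print(f"{name:40s} -> {is_ssh_banner(pkt)}")
```

The third sample is the reason the rule reads the TCP data offset instead of assuming a 20-byte header: with options present the banner starts 12 bytes later, and a fixed offset would miss it. The last sample shows the other half of the kernel's behaviour, a load past the end of the packet simply fails the match rather than matching anything, which is why the rule is safe on pure ACKs.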