topic Re: Block SSH over non standard port in Firewall and Security Management

Block SSH over non standard port

salil_arora — Thu, 28 Mar 2024 03:06:43 GMT

Hi team
Is there a way to Block SSH over proxy on non standard port on R81.20?
Pre R81 we had a IPS protection "SSH over non standard ports" that was blocking this access however it seems like R81 onwards this protection is no longer supported as per attached picture
Looking forward to your reply

Re: Block SSH over non standard port

CheckPointerXL — Tue, 16 Apr 2024 08:11:33 GMT

maybe protocol signature needed?

Re: Block SSH over non standard port

G_W_Albrecht — Tue, 16 Apr 2024 09:40:14 GMT

If you define a rule for incoming SSH traffic on port 22, all other SSH could be dropped. If you know the used port, you could also use the procedure to configure DPI from https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Using-SSH-Inspection.htm :

In SmartConsole, from the right panel, select Objects > Services.

Right-click on the TCP, and then choose NEW TCP.

Enter a name for the new TCP service:

Select General > Protocol as SSH2.
Choose Match By > Customize to new port, and then set the port.

For example, 22222

Now add a rule to block this traffic and install policy.

Re: Block SSH over non standard port

PhoneBoy — Tue, 16 Apr 2024 15:49:37 GMT

This IPS protection should not be necessary if you strictly control ports used for outbound communication.
Having said that, R80 protections should also work in R81.x releases.

Re: Block SSH over non standard port

Bob_Zimmerman — Tue, 16 Apr 2024 17:47:47 GMT

It sounds to me like the question is mostly "How do we prevent ports we intentionally allow out for other protocols from being used for SSH tunneling instead?". I don't know of a good option, particularly on ports which don't have a predefined service object with a protocol signature.

For example, let's say some vendor tells me I need to connect to their application over port 12345, and that it uses a binary protocol rather than HTTP or HTTPS. I can't use HTTPS Inspection to intercept TLS and verify it's really HTTP inside, since it isn't expected to be. There's not a predefined service object for port 12345 or for this vendor's binary protocol, so I can't enforce a given protocol signature on all traffic over the port.

Re: Block SSH over non standard port

salil_arora — Wed, 17 Apr 2024 02:15:12 GMT

Thank you for this information, will give this is a go!
Appreciate your help

Re: Block SSH over non standard port

salil_arora — Wed, 17 Apr 2024 02:17:27 GMT

Thank you for the information PhoneBoy
The IPS protection "SSH over non standard Ports" has been depreciated and no longer works on R81.x(as per attached screenshot)

Re: Block SSH over non standard port

salil_arora — Wed, 17 Apr 2024 02:18:41 GMT

Thank you for sharing your information,appreciate it

Re: Block SSH over non standard port

PhoneBoy — Wed, 17 Apr 2024 12:40:03 GMT

Are you simply going by what it says on that screen or did you actually try to use this protection and it failed?
As I said, R80 protections work on R81.
If you're concerned if it's supported or not, TAC will likely confirm it is.

Re: Block SSH over non standard port

salil_arora — Thu, 18 Apr 2024 03:55:33 GMT

We have seen an example where we could SSH on non standard port(8080) despite of having this IPS protection which made us believe this IPS protection doesn't work on gateways running R81.20

Re: Block SSH over non standard port

PhoneBoy — Thu, 18 Apr 2024 12:50:17 GMT

Is it something you can easily reproduce?
That's worthy of a TAC case, as it confirmation about whether this signature is supported: https://help.checkpoint.com