This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
melcu
Contributor
Contributor
‎2025-04-03 09:40 AM

SSH, SCP and SFTP traffic

Hi mates,

Like usual I come to you with 'stupid' questions 🙂

One of my customers has a problem: their users figured out that they can copy data by running SCP servers on well known ports. For example one users was running SCP on port 10443  which was allowed by a more broad security policy and another one on port 8443 which was my mistake allowed by one miss configured security policy.

So my approach was to enable and use App Control blade with "OpenSSH" application customized to use only ssh and ssh_version_2.  Just after this rule, another one with a cloned obiect of OpenSSH this time cutomized with "any" service.

This one fixed the issue.  SSH is very strict in sources and destinations and therefore is not an issue.  What the rule did was to block any other ssh/scp connection on different port and protocol other that 22 (which is by default not allowed).

But this one also broke the legit SCP/SFTP connections as the firewall sees those connections on tcp/22 but they have no signature to match "OpenSSH" application. And here is where I got stuck and I would really appreciate some help or guidance.

 

 

 

0 Kudos
(1)
1 Reply
PhoneBoy
Admin
Admin
‎2025-04-03 09:47 AM

Is the "legitimate" SCP/SFTP to specific servers?
Then create a specific rule for those servers allowing access using ssh_version_2 before the App Control rule you created.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events