Block SSH over non standard port

salil_arora · ‎2024-03-25

Hi team
Is there a way to Block SSH over proxy on non standard port on R81.20?
Pre R81 we had a IPS protection "SSH over non standard ports" that was blocking this access however it seems like R81 onwards this protection is no longer supported as per attached picture
Looking forward to your reply

CheckPointerXL · ‎2024-04-16

maybe protocol signature needed?

G_W_Albrecht · ‎2024-04-16

If you define a rule for incoming SSH traffic on port 22, all other SSH could be dropped. If you know the used port, you could also use the procedure to configure DPI from https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/... :

1

In SmartConsole, from the right panel, select Objects > Services.

2

Right-click on the TCP, and then choose NEW TCP.

3

Enter a name for the new TCP service:

Select General > Protocol as SSH2.
Choose Match By > Customize to new port, and then set the port.

For example, 22222

Now add a rule to block this traffic and install policy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

salil_arora · ‎2024-04-16

Thank you for this information, will give this is a go!
Appreciate your help

PhoneBoy · ‎2024-04-16

This IPS protection should not be necessary if you strictly control ports used for outbound communication.
Having said that, R80 protections should also work in R81.x releases.

Bob_Zimmerman · ‎2024-04-16

It sounds to me like the question is mostly "How do we prevent ports we intentionally allow out for other protocols from being used for SSH tunneling instead?". I don't know of a good option, particularly on ports which don't have a predefined service object with a protocol signature.

For example, let's say some vendor tells me I need to connect to their application over port 12345, and that it uses a binary protocol rather than HTTP or HTTPS. I can't use HTTPS Inspection to intercept TLS and verify it's really HTTP inside, since it isn't expected to be. There's not a predefined service object for port 12345 or for this vendor's binary protocol, so I can't enforce a given protocol signature on all traffic over the port.

salil_arora · ‎2024-04-16

Thank you for sharing your information,appreciate it

salil_arora · ‎2024-04-16

Thank you for the information PhoneBoy
The IPS protection "SSH over non standard Ports" has been depreciated and no longer works on R81.x(as per attached screenshot)

PhoneBoy · ‎2024-04-17

Are you simply going by what it says on that screen or did you actually try to use this protection and it failed?
As I said, R80 protections work on R81.
If you're concerned if it's supported or not, TAC will likely confirm it is.

salil_arora · ‎2024-04-17

We have seen an example where we could SSH on non standard port(8080) despite of having this IPS protection which made us believe this IPS protection doesn't work on gateways running R81.20

PhoneBoy · ‎2024-04-18

Is it something you can easily reproduce?
That's worthy of a TAC case, as it confirmation about whether this signature is supported: https://help.checkpoint.com

Are you a member of CheckMates?

Block SSH over non standard port