This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
salil_arora
Contributor
‎2024-03-25 08:21 PM

Block SSH over non standard port

Hi team
Is there a way to Block SSH  over proxy on non standard port on R81.20?
Pre R81 we had a IPS protection "SSH over non standard ports" that was blocking this access however it seems like R81 onwards this protection is no longer supported as per attached picture
Looking forward to your reply

ssh over nopn standard port.PNG
Preview file
53 KB
10 Replies
CheckPointerXL
Advisor
Advisor
‎2024-04-16 01:11 AM

maybe protocol signature needed?

G_W_Albrecht
Legend Legend
Legend
‎2024-04-16 02:33 AM

If you define a rule for incoming SSH traffic on port 22, all other SSH could be dropped. If you know the used port, you could also use the procedure to configure DPI from https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/... :

1

In SmartConsole, from the right panel, select Objects > Services.

2

Right-click on the TCP, and then choose NEW TCP.

3

Enter a name for the new TCP service:

  1. Select General > Protocol as SSH2.

  2. Choose Match By > Customize to new port, and then set the port.

    For example, 22222

Now add a rule to block this traffic and install policy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
salil_arora
Contributor
‎2024-04-16 07:15 PM
In response to G_W_Albrecht

Thank you for this information, will give this is a go!
Appreciate your help

 

 
0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-16 08:49 AM

This IPS protection should not be necessary if you strictly control ports used for outbound communication.
Having said that, R80 protections should also work in R81.x releases. 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-04-16 10:47 AM
In response to PhoneBoy

It sounds to me like the question is mostly "How do we prevent ports we intentionally allow out for other protocols from being used for SSH tunneling instead?". I don't know of a good option, particularly on ports which don't have a predefined service object with a protocol signature.

For example, let's say some vendor tells me I need to connect to their application over port 12345, and that it uses a binary protocol rather than HTTP or HTTPS. I can't use HTTPS Inspection to intercept TLS and verify it's really HTTP inside, since it isn't expected to be. There's not a predefined service object for port 12345 or for this vendor's binary protocol, so I can't enforce a given protocol signature on all traffic over the port.

0 Kudos
salil_arora
Contributor
‎2024-04-16 07:18 PM
In response to Bob_Zimmerman

Thank you for sharing your information,appreciate it

0 Kudos
salil_arora
Contributor
‎2024-04-16 07:17 PM
In response to PhoneBoy

Thank you for the information PhoneBoy
The IPS protection "SSH over non standard Ports" has been depreciated and no longer works on R81.x(as per attached screenshot)

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-17 05:40 AM
In response to salil_arora

Are you simply going by what it says on that screen or did you actually try to use this protection and it failed?
As I said, R80 protections work on R81.
If you're concerned if it's supported or not, TAC will likely confirm it is.

0 Kudos
salil_arora
Contributor
‎2024-04-17 04:56 PM
In response to PhoneBoy

We have seen an example where we could SSH on non standard port(8080) despite of having this IPS protection which made us believe this IPS protection doesn't work on gateways running R81.20

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-18 05:50 AM
In response to salil_arora

Is it something you can easily reproduce?
That's worthy of a TAC case, as it confirmation about whether this signature is supported: https://help.checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top