linux
pcdesign, 2021-08-14 11:59:22

How to track users who use ssh port forward for port scanning?

For example, the ssh user created a dynamic socket, like
ssh -D 1080 remote.host

And then launched it on the local machine, for example, something like this
nmap host --proxy socks4://127.0.0.1:1080

Is there an option to track and stop such things?


2 answer(s)
ky0, 2021-08-14
@ky0

Suppress it with the SSH server settings. You can also try on the firewall.

pfg21, 2021-08-14
@pfg21

There is an option exactly for this:
https://man.openbsd.org/sshd#no-port-forwarding
I.e. add this option to authorized_keys for the necessary user, and any port forwarding is broken for them :)
I.e. at the beginning of a line of the form
ssh-rsa AB*****123== [email protected]
enter

no-port-forwarding ssh-rsa AB*****123== [email protected]

It will be a pain if the user did not put his name in the comment of the key.
But new users will also have to get the port-forwarding ban entered.
As an option, the other way around: prohibit port forwarding for everyone in the sshd config, and allow port forwarding for the necessary users in authorized_keys.
------
Track ssh users with a script over the ssh logs, searching for the records about port forwarding being created.
And shoot them the fuck down, or ban them for a couple of days, or use something else: such shit must be nipped in the bud.
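
The log-tracking idea from the answer above, as an added example that is not code from the thread. It assumes sshd runs at LogLevel DEBUG1 and that the three message formats in the regexes (modelled on OpenSSH output) match your server's log; the sample lines, users, addresses and the threshold of 10 distinct targets are constructed.

```python
import re
from collections import defaultdict

# Assumed line formats, modelled on OpenSSH sshd messages at LogLevel DEBUG1;
# check them against your own server's log before relying on them.
ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port \d+")
CHILD = re.compile(r"sshd\[(\d+)\]: User child is on pid (\d+)")
FORWARD = re.compile(
    r"sshd\[(\d+)\]: (debug1: server_request_direct_tcpip|refused local port forward)"
    r": originator \S+ port \d+, target (\S+) port (\d+)")

def summarize_forwards(lines, threshold=10):
    """Per (user, source IP): distinct forward targets, refusals, scan flag."""
    session = {}                  # sshd pid -> (user, source ip)
    targets = defaultdict(set)    # (user, source ip) -> {(host, port), ...}
    refused = defaultdict(int)
    for line in lines:
        if m := ACCEPT.search(line):
            session[m[1]] = (m[2], m[3])
        elif m := CHILD.search(line):
            # the post-auth child logs under its own pid; inherit the session
            if m[1] in session:
                session[m[2]] = session[m[1]]
        elif m := FORWARD.search(line):
            who = session.get(m[1], ("unknown", "unknown"))
            targets[who].add((m[3], int(m[4])))
            if m[2].startswith("refused"):
                refused[who] += 1
    return {who: {"distinct_targets": len(seen), "refused": refused[who],
                  "scan_suspected": len(seen) >= threshold}
            for who, seen in targets.items()}

def constructed_sample():
    """Constructed log: alice forwards once, bob sweeps 40 ports, carol is refused."""
    ts = "Aug 14 12:00:00 gw "
    fwd = "debug1: server_request_direct_tcpip: originator 127.0.0.1 port 40000, target {} port {}"
    log = [ts + "sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 50211 ssh2",
           ts + "sshd[4101]: User child is on pid 4105",
           ts + "sshd[4105]: " + fwd.format("10.0.0.5", 5432),
           ts + "sshd[4200]: Accepted password for bob from 203.0.113.9 port 40100 ssh2",
           ts + "sshd[4200]: User child is on pid 4207"]
    log += [ts + "sshd[4207]: " + fwd.format("10.0.0.8", p) for p in range(20, 60)]
    log += [ts + "sshd[4300]: Accepted publickey for carol from 192.0.2.44 port 51000 ssh2",
            ts + "sshd[4300]: User child is on pid 4302",
            ts + "sshd[4302]: refused local port forward: originator 127.0.0.1 port 42000, target 10.0.0.8 port 80"]
    return log

if __name__ == "__main__":
    for who, info in summarize_forwards(constructed_sample()).items():
        print(who, info)
```

A single forward to one service stays below the threshold, while many distinct host/port pairs from one session is the pattern a proxied port scan leaves; refused requests show users probing after forwarding was disabled for them.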
