
Re: [tor-talk] tor using SSH

> 	Wed, 23 Mar 2011 11:54:37 -0400 (EDT)
> From: cmeclax-sazri <cmeclax-sazri@xxxxxxxxxxxxxxxx>

> Telling ssh traffic from Tor traffic on port 22 is easy. The ssh connection 
> begins with an exchange of ssh version numbers in the clear, then a list of 
> ciphers. Connecting to a Tor port and sending an SSH version will result in a 
> closed connection.
> cmeclax


I have dredged up a rule for iptables to detect <ssh> traffic regardless 
of the port number used. . .  the data packet will always have "SSH-" as 
the 1st 4 chars.

This rule will examine packets which are:
from an established connection; 
what we want is within the first 255 bytes of data; 
has a data packet length of between 46 and 375 bytes; 
and the "u32" shifting/masking trickery extracts those 
1st 4 chars looking for "SSH-".  
If we find one of these, we DROP it.

# As posted, the rule had a typo (--conbytes), a stray "o" for the leading "0" in the
# u32 expression, a line break inside the quoted string, and "-m state" with no --state;
# connbytes also needs --connbytes-dir and --connbytes-mode (values here are assumed).
iptables -A INPUT -p tcp \! -f \
    -m connbytes --connbytes 0:255 --connbytes-dir both --connbytes-mode bytes \
    -m state --state ESTABLISHED \
    -m length --length 46:375 \
    -m u32 --u32 "0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D" \
    -j DROP

We are testing this at the moment.  Thanks go to Bill Stearns. 
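To make the u32 "shifting/masking trickery" checkable by hand, here is an added Python re-implementation of what that expression computes; it is example code written for this page, not code from the post or from Bill Stearns' rule. It walks the same IHL and data-offset arithmetic over constructed IPv4/TCP packets, including one carrying IP and TCP options so neither header is the default 20 bytes; the packet builder, payloads and function names are this example's own.

```python
import struct

SSH_MAGIC = 0x5353482D  # the bytes "SSH-" read as one big-endian 32-bit word


def u32_word(pkt: bytes, off: int) -> int:
    """Read the big-endian 32-bit word at byte offset `off`, as the u32 match does."""
    return struct.unpack_from("!I", pkt, off)[0]


def payload_starts_with_ssh(pkt: bytes) -> bool:
    """Evaluate "0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D" on an IPv4 packet, step by step."""
    if len(pkt) < 20:
        return False
    # "0>>22&0x3C": the word at offset 0 carries version/IHL in its top byte; after >>22
    # the 4-bit IHL sits in bits 2..5, and &0x3C yields IHL*4 = IP header length in bytes.
    ip_hlen = (u32_word(pkt, 0) >> 22) & 0x3C
    # First "@": the base offset moves to the start of the TCP header.
    base = ip_hlen
    if len(pkt) < base + 16:
        return False  # the u32 match fails whenever a read would run past the packet
    # "12>>26&0x3C": the word at TCP offset 12 holds the 4-bit data offset in its top
    # nibble; >>26 then &0x3C yields data_offset*4 = TCP header length in bytes.
    tcp_hlen = (u32_word(pkt, base + 12) >> 26) & 0x3C
    # Second "@": the base is now the first payload byte; "0=0x5353482D" compares 4 bytes.
    base += tcp_hlen
    if len(pkt) < base + 4:
        return False
    return u32_word(pkt, base) == SSH_MAGIC


def build_ipv4_tcp(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet (constructed test data; checksums left zero).
    Option blobs must be multiples of 4 bytes so IHL / data offset stay whole words."""
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 22, 40000, 1, 1, doff << 4, 0x18, 8192, 0, 0)
    tcp += tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(ip_opts) + len(tcp),
                     0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + ip_opts + tcp


if __name__ == "__main__":
    ssh = build_ipv4_tcp(b"SSH-2.0-OpenSSH_8.9\r\n")
    nop = b"\x01\x01\x01\x01"  # four NOP options, to exercise the header-length arithmetic
    ssh_opts = build_ipv4_tcp(b"SSH-2.0-OpenSSH_8.9\r\n", ip_opts=nop, tcp_opts=nop)
    tls = build_ipv4_tcp(b"\x16\x03\x01\x00\xc8\x01")  # constructed TLS record start
    for name, pkt in [("ssh", ssh), ("ssh+options", ssh_opts), ("tls", tls)]:
        print(name, payload_starts_with_ssh(pkt))
```

The third packet shows why the rule does not catch Tor on port 22: a TLS record starts with 0x16, not "SSH-", so the u32 comparison fails.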

tor-talk mailing list