Networking Forums

Double hopping

 
 
Adrian Casey
10-11-2005, 11:15 AM
I'd like to be able to detect and prevent double hopping.

For example, a user is logged into host-A. From host-A they log into
host-B. From host-B, they log into host-C. How do I detect this double
hopping and how can I prevent it?

The user may use telnet or ssh. I don't want to install a wrapper for
telnet and ssh nor mess with syslog configuration. I'd like to rely on the
native tools available on a standard UNIX system. If possible, I'd like to
gather as many details as possible when the situation occurs - eg hostname,
username, source and destination hostnames.

Adrian Casey
Alice Springs Linux User Group
www.aslug.org.au
 
Jeffrey Goldberg
10-11-2005, 07:04 PM
Adrian Casey wrote:
> I'd like to be able to detect and prevent double hopping.
>
> For example, a user is logged into host-A. From host-A they log into
> host-B. From host-B, they log into host-C. How do I detect this double
> hopping and how can I prevent it?
>
> The user may use telnet or ssh. [...]


I can't think of a way to do it, but that probably is more of a
reflection on my ignorance and lack of imagination than on the problem
itself.

The only place I can imagine this being done is on host-B. But first
let me mention a possible host-C trick which may work some of the time.
If users are using SSH and have the DISPLAY environment set and are
using SSH with X forwarding set then you can see on host-C whether the
content of DISPLAY corresponds to the host they are connecting from.
From a mismatch you can fairly confidently conclude that your "double
hopping" is going on. But lack of a mismatch tells you nothing.

On host-B you could simply check to see whether anyone is running telnet or
ssh on a locally or remotely connected tty. This could probably be
done just through a clever grep of ps output.

However, this would still be very easy for users to defeat. All they
need to do is make a copy of telnet or ssh and call it something else.

So instead you would need to look for a user on a ssh/telnet created tty
who has an established outgoing connection with destination port 22 or
15. I don't know how to begin formulating the command but lsof would be
the first standard Unix tool I would look at to get that sort of
information.

Sorry to not be more specific. Let's hope that someone more familiar
with these tools responds.

-j
 
Michael Heiming
10-11-2005, 07:31 PM
In comp.os.linux.networking Adrian Casey <(E-Mail Removed)>:
> I'd like to be able to detect and prevent double hopping.


> For example, a user is logged into host-A. From host-A they log into
> host-B. From host-B, they log into host-C. How do I detect this double
> hopping and how can I prevent it?


Why would you want this? What's the problem with doing so?

Hint:

man sshd_config

"AllowUsers/AllowGroups" and "DenyUsers/DenyGroups" is what you
are looking for.

> The user may use telnet or ssh. I don't want to install a wrapper for
> telnet and ssh nor mess with syslog configuration. I'd like to rely on the
> native tools available on a standard UNIX system. If possible, I'd like to


Use ssh only, telnet is insecure and deprecated.

> gather as many details as possible when the situation occurs - eg hostname,
> username, source and destination hostnames.


Enhance sshd login until it meets your needs.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 51: Cosmic ray particles crashed through the hard
disk platter
 
Mark Broadbent
10-12-2005, 08:46 AM
Adrian Casey wrote:
> I'd like to be able to detect and prevent double hopping.
>
> For example, a user is logged into host-A. From host-A they log into
> host-B. From host-B, they log into host-C. How do I detect this double
> hopping and how can I prevent it?
>
> The user may use telnet or ssh. I don't want to install a wrapper for
> telnet and ssh nor mess with syslog configuration. I'd like to rely on the
> native tools available on a standard UNIX system. If possible, I'd like to
> gather as many details as possible when the situation occurs - eg hostname,
> username, source and destination hostnames.


You could try looking where the ssh/telnet connection has come from and
only allow connections from host-A or not host-B. Disable ssh/telnet on
Host-B or only allow access to the ssh/telnet command when you're logged
in locally?

Thanks
Mark
 
Adrian Casey
10-13-2005, 10:04 AM
Michael Heiming wrote:

> In comp.os.linux.networking Adrian Casey <(E-Mail Removed)>:
>> I'd like to be able to detect and prevent double hopping.

>
>> For example, a user is logged into host-A. From host-A they log into
>> host-B. From host-B, they log into host-C. How do I detect this double
>> hopping and how can I prevent it?

>
> Why would you want this? What's the problem with doing so?

Let's say I run a small network of machines and I'm having trouble with
sendmail on host-A. I have a consultant who maintains my systems from time
to time. He has accounts on all my systems. I ask him to take a look at
host-A to see if he can see what is going on. While he's on host-A, he
decides to hop over to host-B (using ssh, of course). I didn't ask him to
look at host-B. Host-B happens to run my online ordering system and I'm
very nervous about anyone logging onto it.
>
> Hint:
>
> man sshd_config
>
> "AllowUsers/AllowGroups" and "DenyUsers/DenyGroups" is what you
> are looking for.

Good suggestion. However, my network is quite large and I would rather not
have to edit the sshd_config file for every remote access request on any
given node. Although this could be automated I suppose.
>
>> The user may use telnet or ssh. I don't want to install a wrapper for
>> telnet and ssh nor mess with syslog configuration. I'd like to rely on
>> the
>> native tools available on a standard UNIX system. If possible, I'd like
>> to

>
> Use ssh only, telnet is insecure and deprecated.

Unfortunately, some of my systems are old clunky boxes which don't support
ssh :-(
>
>> gather as many details as possible when the situation occurs - eg
>> hostname, username, source and destination hostnames.

>
> Enhance sshd login until it meets your needs.

I shall indeed look into this.

Thanks.
Adrian.

Adrian Casey
10-13-2005, 10:09 AM
Mark Broadbent wrote:

> Adrian Casey wrote:
>> I'd like to be able to detect and prevent double hopping.
>>
>> For example, a user is logged into host-A. From host-A they log into
>> host-B. From host-B, they log into host-C. How do I detect this double
>> hopping and how can I prevent it?
>>
>> The user may use telnet or ssh. I don't want to install a wrapper for
>> telnet and ssh nor mess with syslog configuration. I'd like to rely on
>> the
>> native tools available on a standard UNIX system. If possible, I'd like
>> to gather as many details as possible when the situation occurs - eg
>> hostname, username, source and destination hostnames.

>
> You could try looking where the ssh/telnet connection has come from and
> only allow connections from host-A or not host-B. Disable ssh/telnet on
> Host-B or only allow access to the ssh/telnet command when you're logged
> in locally?

I can't disable telnet and ssh because people need to be able to connect
remotely to these systems. The difficulty is in looking at where the
connections come from. What is the best way to do this?

Thanks for your response.
Adrian.

>
> Thanks
> Mark


 
Adrian Casey
10-13-2005, 10:17 AM
Jeffrey Goldberg wrote:

> Adrian Casey wrote:
>> I'd like to be able to detect and prevent double hopping.
>>
>> For example, a user is logged into host-A. From host-A they log into
>> host-B. From host-B, they log into host-C. How do I detect this double
>> hopping and how can I prevent it?
>>
>> The user may use telnet or ssh. [...]

>
> I can't think of a way to do it, but that probably is more of a
> reflection on my ignorance and lack of imagination than on the problem
> itself.
>
> The only place I can imagine this being done is on host-B. But first
> let me mention a possible host-C trick which may work some of the time.
> If users are using SSH and have the DISPLAY environment set and are
> using SSH with X forwarding set then you can see on host-C whether the
> content of DISPLAY corresponds to the host they are connecting from.
> From a mismatch you can fairly confidently conclude that your "double
> hopping" is going on. But lack of a mismatch tells you nothing.

The DISPLAY variable is local to the shell only; I have no way of looking
at the DISPLAY variable for another user's session. If I provided a
modified login script, I could check the DISPLAY variable. However, it is
too easy to circumvent.
>
> On host-B you could simply check to see whether anyone is running telnet or
> ssh on a locally or remotely connected tty. This could probably be
> done just through a clever grep of ps output.
>
> However, this would still be very easy for users to defeat. All they
> need to do is make a copy of telnet or ssh and call it something else.

Correct.
>
> So instead you would need to look for a user on a ssh/telnet created tty
> who has an established outgoing connection with destination port 22 or
> 15. I don't know how to begin formulating the command but lsof would be
> the first standard Unix tool I would look at to get that sort of
> information.

I'm now looking at netstat which, at the moment looks promising.

Thanks for your response.
Adrian.
>
> Sorry to not be more specific. Let's hope that someone more familiar
> with these tools responds.
>
> -j


 
Adrian Casey
10-13-2005, 10:23 AM
I'm looking at using netstat. Specifically, "netstat -a -p". This gives me
the PID of all ESTABLISHED tcp connections. I'm experimenting with a
python script which sorts through the output of netstat and looks at the
PID using 'ps -ef' to determine which command is being run.

I think it will be possible to trace each PID back to a connection in the
netstat output and work out if double hopping is occurring.

Cheers.
Adrian.

Adrian Casey wrote:

> I'd like to be able to detect and prevent double hopping.
>
> For example, a user is logged into host-A. From host-A they log into
> host-B. From host-B, they log into host-C. How do I detect this double
> hopping and how can I prevent it?
>
> The user may use telnet or ssh. I don't want to install a wrapper for
> telnet and ssh nor mess with syslog configuration. I'd like to rely on
> the
> native tools available on a standard UNIX system. If possible, I'd like
> to gather as many details as possible when the situation occurs - eg
> hostname, username, source and destination hostnames.
>
> Adrian Casey
> Alice Springs Linux User Group
> www.aslug.org.au
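
The netstat-plus-ps correlation described in this post, as an added example (not the script from the thread): an outgoing connection to a login port counts as a hop when one of the owning process's ancestors holds an incoming login socket, so a renamed ssh binary is still caught. It assumes Linux `netstat -tnp` output (run as root so PIDs are visible), `ps -eo pid,ppid,user,tty,comm` output, and the standard ssh and telnet ports 22 and 23; the sample listings are constructed.

```python
LOGIN_PORTS = {22: "ssh", 23: "telnet"}
# Constructed samples as seen on host-B (10.0.0.2); "myssh" is a renamed ssh copy.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State       PID/Program name
tcp        0      0 10.0.0.2:22     10.0.0.1:51514   ESTABLISHED 2001/sshd: consult
tcp        0      0 10.0.0.2:40022  10.0.0.3:22      ESTABLISHED 2050/myssh
tcp        0      0 10.0.0.2:40100  10.0.0.3:22      ESTABLISHED 3010/ssh
"""
PS = """\
  PID  PPID USER     TT     COMMAND
 2001   900 root     ?      sshd
 2004  2001 consult  pts/1  bash
 2050  2004 consult  pts/1  myssh
 3000     1 bob      tty1   bash
 3010  3000 bob      tty1   ssh
"""

def parse_netstat(text):
    """Yield (pid, local_port, remote_host, remote_port) per ESTABLISHED TCP row."""
    for f in (line.split() for line in text.splitlines()):
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        pid = f[6].split("/", 1)[0]
        if pid.isdigit():  # netstat prints "-" when it may not see the owner
            rhost, rport = f[4].rsplit(":", 1)
            yield int(pid), int(f[3].rsplit(":", 1)[1]), rhost, int(rport)

def parse_ps(text):
    """Map pid -> (ppid, user, tty, command) from the ps listing."""
    rows = (line.split(None, 4) for line in text.splitlines()[1:] if line.strip())
    return {int(p): (int(pp), u, t, c) for p, pp, u, t, c in rows}

def find_hops(netstat_text, ps_text):
    conns, procs = list(parse_netstat(netstat_text)), parse_ps(ps_text)
    inbound = {pid: rhost for pid, lport, rhost, _ in conns if lport in LOGIN_PORTS}
    hops = []
    for pid, _, dest, rport in conns:
        if rport not in LOGIN_PORTS or pid not in procs:
            continue
        cur, seen = pid, set()
        while cur in procs and cur not in seen:  # walk up the parent chain
            seen.add(cur)
            if cur in inbound:  # an ancestor owns an incoming login socket
                hops.append({"user": procs[pid][1], "command": procs[pid][3],
                             "source": inbound[cur], "dest": dest,
                             "service": LOGIN_PORTS[rport]})
                break
            cur = procs[cur][0]
    return hops

if __name__ == "__main__":
    for hop in find_hops(NETSTAT, PS):
        print(hop)
```

On the sample data only the consultant's session is reported; bob's ssh from the local console (tty1) has no incoming login socket in its ancestry and is ignored.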


 
Mark Broadbent
10-13-2005, 11:42 AM
Adrian Casey wrote:
> Mark Broadbent wrote:
>
>
>>Adrian Casey wrote:
>>
>>>I'd like to be able to detect and prevent double hopping.
>>>
>>> ...
>>>

>>You could try looking where the ssh/telnet connection has come from and
>>only allow connections from host-A or not host-B. Disable ssh/telnet on
>>Host-B or only allow access to the ssh/telnet command when you're logged
>>in locally?

>
> I can't disable telnet and ssh because people need to be able to connect
> remotely to these systems. The difficulty is in looking at where the
> connections come from. What is the best way to do this?


It can be done from the shell using 'who' or you can look where the
connection originated (try netstat).

Thanks
Mark
 
Michael Heiming
10-13-2005, 05:07 PM
In comp.os.linux.networking Adrian Casey <(E-Mail Removed)>:
> Michael Heiming wrote:


>> In comp.os.linux.networking Adrian Casey <(E-Mail Removed)>:
>>> I'd like to be able to detect and prevent double hopping.

>>
>>> For example, a user is logged into host-A. From host-A they log into
>>> host-B. From host-B, they log into host-C. How do I detect this double
>>> hopping and how can I prevent it?

>>
>> Why would you want this? What's the problem with doing so?

> Let's say I run a small network of machines and I'm having trouble with

[..]
> Good suggestion. However, my network is quite large and I would rather not
> have to edit the sshd_config file for every remote access request on any
> given node. Although this could be automated I suppose.

[..]

First your network is small, a few lines below it's rather large?

Say it's the story with the consultant, simply disable his login
on host B, until you want him to log in there. But then, we
don't know.

>> Use ssh only, telnet is insecure and deprecated.

> Unfortunately, some of my systems are old clunky boxes which don't support
> ssh :-(


OpenSSH compiles on almost anything for which you happen to have a C
compiler.

>>> gather as many details as possible when the situation occurs - eg
>>> hostname, username, source and destination hostnames.

>>
>> Enhance sshd login until it meets your needs.


Oops, logging of course, should be in the fine manual 'man
sshd_config' how to go about it.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 175: OS swapped to disk
 