Can network admins notice SSH connections?

edited May 2011 in Tech & Games
I've been using SSH with PuTTY from college for the last week now, and everything's going smoothly. I haven't had anyone come up and ask me what I'm doing, which I kind of expected. Part of the network agreement is to not attempt to bypass firewall restrictions, which this sorta does. Anyway, I have SSH running on port 443 which is the default port for HTTPS. My question is - can the administrators see that I'm connected to an SSH server by looking at my traffic? Or does the fact that I'm using port 443 stop them from telling the difference between normal HTTPS traffic?

Comments

  • Onesan Acolyte
    edited May 2011
    I'm a little drunk right now so take what I say with a grain of salt, and stfu about being even slightly pissed at 7 something on a Thursday morning mkay? The answer, as a half-assed, currently unemployed, reasonably competent and totally unqualified network admin myself, is "maybe".

    If they never have any reason to suspect you I'd say you're safe. Obviously your encryption is going to foil any pathetic basic filters they may use on their network; however, if they are remotely competent and have reason to suspect you then you would be busted unless you have taken extra measures to protect yourself. I'm assuming you have a pretty standard ssh server on port 445 whatever your ip or domain is. Try telnet onesan.su 22. Protip: don't do that more than 10 times or so or you will probably get noticed by denyhosts and then automatically added to my publicly available shitlist :D

    in fact here
    [Onesan@udongein ~]$ telnet onesan.su 22
    Trying 121.72.236.215 ...
    Connected to onesan.su (121.72.236.215).
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.2

    Connection closed by foreign host.

    Since you're running it on port 445 and it would reasonably resemble ordinary encrypted nonsense, I'd say at least till you give them a reason to suspect something you're pretty safe. Someone even slightly competent who monitored your traffic and noticed long connections to that domain/ip port combo and either telnetted into it and grabbed its welcome message or fired up nmap against it would know what you're doing very quickly, well not exactly WHAT you are actually doing but you get my point.

    Of course you would need to draw attention to yourself or piss off the wrong netadmin to make someone go and monitor all your traffic for an extended period to do that. Well, either that or they have some homebrewed abomination of a "security system" that essentially automatically portscans after the fact any port that someone on the network attempts to connect to and grabs the (if any) welcome message it replies with and checks against a blacklist of suspicious strings and then (presumably) shoots an email off to someone if it gets a hit.

    In reality yes no maybe, depends on how tight your tinfoil hat is feeling at the moment I guess XD
  • Jack Regular
    edited May 2011
    I don't know myself so I asked the other users of my shell host:
    (1443 12) (@DanielRichman) Jack-is: before encryption starts there's a handshake
    (1443 21) (@DanielRichman) ssh looks different to https iirc
    (1443 22) (@DanielRichman) they'll know
    (1443 34) ( Danukeru) wait rather > http://www.youtube.com/watch?v=WnLmBV6SRkU&t=24s
    (1443 36) ;;; cypha (~cypha@unaffiliated/cypha) has joined #anapnea
    (1443 40) ( Thibit) I dunno. I'd have to say that I used to be that way myself, but the allure of the soft touch is one that's been around for a while now for me. Kind of funny how finding someone suddenly changes that view XD
    (1444 07) ( Danukeru) I fuck an alligator.
    (1445 21) ( Snomi) DanielRichman: could one just not say that you are doing stuff on the shell
    (1445 32) ( Snomi) or is it obvious that you are tunneling?
    (1445 46) ;;; cypha` (~cypha@unaffiliated/cypha) has joined #anapnea
    (1447 11) (@DanielRichman) Snomi: well the answer to his question is yes, they can tell
    (1447 18) ( Snomi) cools
    (1447 20) (@DanielRichman) however once encryption has started they can't
    (1447 24) (@DanielRichman) however they can guess
    (1447 26) ( Snomi) yah
    (1447 31) ( Snomi) depends how much they care
    (1447 34) (@DanielRichman) your typical ssh connection, ssh+tunneling, and https connections will all look different
    (1447 41) (@DanielRichman) in terms of how much traffic is used, how long it stays open, etc
    (1447 57) ;;; cypha (~cypha@unaffiliated/cypha) has quit (Ping timeout: 246 seconds)
    (1448 05) (@DanielRichman) in reality. no one sits looking at wireshark all day
    (1448 19) ( Tacidsky) DanielRichman: I do.
    (1448 23) ( yrc) Jack-is: In my opinion, a skilled network admin would discover the SSH connection if you use it a lot (socks proxy, X11 forward, file transfers…). First, an “https” link which sends keep-alives at regular intervals is not usual. Next, it is also rather unusual to have big transfers in upload as well as download. Then the admin having doubts will just nmap -sV -p 443 the target machine, and you’ll be found out. That’s my opinion only; it d
    (1448 26) ( Tacidsky) I keep it open on my 3rd monitor.
    (1448 34) ( narziss) not at wireshark, more likely the visual network graphs in realtime though
  • edited May 2011
    Thanks guys, that really helped :) Not that I'll stop using SSH anytime soon though, I love it.
  • Dfg Admin
    edited May 2011
    Yes, if your luck is really bad; no, if your network is quite large and you tend to limit your usage and avoid getting labeled as some sort of Tech Guru or l33t.


    I used to pwn everyone by acting like I know something about the systems. This put me on the Network Admin watch list and also gave me access to their systems because they tend to leave me in charge when they go out.

    Again, I don't think you will get caught unless they implement some stupid filters and everyone around you starts using the same method to bypass the firewall. They will see a spike in traffic usage and then will come down hard core on it.
  • BaconPie Regular
    edited May 2011
    Have you tried asking for them to enable SSH through port 22? Why would it be a problem?
  • RemadE Global Moderator
    edited May 2011
    trx100 wrote: »
    Thanks guys, that really helped :) Not that I'll stop using SSH anytime soon though, I love it.

    Turn your box on! ;)
  • edited May 2011
    BaconPie wrote: »
    Have you tried asking for them to enable SSH through port 22? Why would it be a problem?

    Nope, I haven't asked because it goes against certain parts of our network agreement and they wouldn't agree to it anyway. Hell, they don't even let you connect your laptop to the WiFi because they're worried that something will go wrong.

    And RemadE - it's up and running, will leave it on all day :thumbsup:
  • RemadE Global Moderator
    edited May 2011
    Schweet. My Uni have let me download over 2TB of data and upload over 3TB easily over the year and a half I've been here. Can't imagine they'll do much over SSH. I know more about computers than they do, and trx can tell you, it ain't much :o
  • edited May 2011
    Actually, you know a lot more than most people I've met/talked to. You also "have a clue", unlike a lot of people. Trying to explain things about SSH to you was so easy, and you have common sense :thumbsup: The same can't be said for most of the people in my IT class :facepalm:
  • edited May 2011
    yrc in that chatlog is right - it's possible to tell the difference between HTTPS and SSH if you packet-inspect, but in reality most admins wouldn't know the difference, and the ones who would would have no reason to even bother looking into it unless you're thrashing the connection hardcore.

    PS: What's the ssh server for?

    Interesting. I use the SSH server so I can tunnel into my home machine and use the internet connection :) I don't really trust the internet connection at college. I've finished college now though, but I'll still use the server for the same purpose.
  • PsyCl0ne Semo-Regulars
    edited May 2011
    SSH is the way to go if you're out and about doing whatever on social networks, I just wish I could pull together some hardware and have a dedicated SSH server for when I'm out and about.

    Just out of curiosity how do you have your server set up?


    ~PsyCl0ne
  • edited May 2011
    I run the server using my home computer, which I know may be a security risk but I think I've got the security side of things pretty covered. It's a Linux machine running openssh-server, uses key authentication instead of password logins.

    What else would you like to know?
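
Added example, not part of any post in this thread: the identification string seen in the telnet output above (`SSH-2.0-OpenSSH_5.2`) is sent in cleartext before any encryption starts, so a monitoring point can tell an SSH stream from a TLS handshake on port 443 by inspecting the first payload bytes. The function names, flow tuples, addresses and the minimal TLS record stub below are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion[ SP comments] CR LF"
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: [^\r\n]*)?\r?$")

def classify_first_bytes(payload: bytes):
    """Label the first payload bytes of a TCP stream as ssh, tls or unknown."""
    # A server may send other text lines before its identification string,
    # so check each of the first few lines, not only the very first bytes.
    for line in payload.split(b"\n")[:8]:
        m = SSH_ID.match(line)
        if m:
            return ("ssh", m.group(2).decode("ascii"))
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # then the handshake type (1 = ClientHello, 2 = ServerHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        length = int.from_bytes(payload[3:5], "big")
        if 0 < length <= 16384 and payload[5] in (1, 2):
            return ("tls", "ClientHello" if payload[5] == 1 else "ServerHello")
    return ("unknown", "")

def flag_port_mismatches(flows):
    """Return (src, dst, dport, software) for SSH streams seen on a port other than 22."""
    hits = []
    for src, dst, dport, first_bytes in flows:
        proto, detail = classify_first_bytes(first_bytes)
        if proto == "ssh" and dport != 22:
            hits.append((src, dst, dport, detail))
    return hits

# Constructed sample flows (documentation addresses, not taken from the thread).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("192.0.2.11", "198.51.100.9", 443, b"SSH-2.0-OpenSSH_5.2\r\n"),
    ("192.0.2.12", "198.51.100.9", 443, b"Welcome\r\nSSH-2.0-OpenSSH_5.2\r\n"),
    ("192.0.2.13", "198.51.100.3", 22, b"SSH-2.0-OpenSSH_5.2\r\n"),
    ("192.0.2.14", "198.51.100.4", 443, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in flag_port_mismatches(SAMPLE_FLOWS):
        print("SSH on unexpected port:", hit)
```

Only the first bytes of each direction are needed; after key exchange the payload is opaque, which matches the point made in the chat log that later detection relies on traffic shape instead.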