Question

I have started sshd on my computer (Ubuntu 12.10) to let another PC (call it pc2) connect to my guest account through local port forwarding.

Now how can I monitor the traffic of that pc2 from my PC, i.e. which website he/she is opening, what data he/she is downloading, and any other traffic that is passing through my computer?


Solution

You cannot 'see' the traffic arriving from pc2, because ssh encrypts it. However, you will be able to see the outbound portion of any tunnelled traffic when it is being used, because this is generated by the local sshd.

Using the lsof command, look at what happens when the user from pc2 connects to you with ssh. lsof -i TCP | grep pc2 will show you something like this:

sshd      14466     root    3u  IPv4 327724762      0t0  TCP pc1:ssh->pc2:40781 (ESTABLISHED)
sshd      19170 pc2user     3u  IPv4 327724762      0t0  TCP pc1:ssh->pc2:40781 (ESTABLISHED)

The first line represents the sshd service itself, and the second line represents the portion of sshd that is running the pc2 user's connection (Privilege Separation is used by default with Ubuntu and hopefully everyone else by now).

From this view you can't see any port forwarding, because it isn't being used yet. But we can use the process ID (PID) of pc2user's ssh session, which is 19170 here. We can now use lsof again to see what that process is doing: lsof -p 19170 -a -i TCP

COMMAND   PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
sshd    19170 pc2user    3u  IPv4 327724762      0t0  TCP pc1:ssh->pc2:40785 (ESTABLISHED)

That should give you the same output as the second line above; but when the user starts to use the port forwarding tunnel they have declared, you will see it form from this PID ...

COMMAND   PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
sshd    19170 pc2user    3u  IPv4 327724762      0t0  TCP pc1:ssh->pc2:40785 (ESTABLISHED)
sshd    19170 pc2user   10u  IPv4 327873368      0t0  TCP localhost:55678->google.com:http (ESTABLISHED)

As soon as you detect this second connection, you are able to start collecting the network traffic for it, by specifying either end of the connection: here, we'll use the localhost end:

tcpdump -i lo src port 55678

Now that you have seen how traffic tunneled over ssh is visible, you might want a more automatic way to trap it. iptables allows us to match all the traffic that comes from a specific user using the Owner Match facility -- see http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH

All the outbound network traffic from pc2user's ssh connection will be owned by pc2user -- you can use iptables to log all of this somewhere, or decide what to allow/reject, or do something else, like push all the HTTP traffic into a specific proxy that you set up.

You might also need to look at the authorized_keys file for pc2user, where you can control what port forwarding the user is allowed to ask for in the first place with permitopen="host:port" statements. man sshd will help you there.
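The lsof, tcpdump, iptables and authorized_keys steps of this answer, put together into one script. This is an added example, not code from the original answer: it parses constructed lsof output (modelled on the answer's, with a third invented tunnel) for the sshd child that handles pc2user's session, picks out every connection that is not the client's own ssh session, and prints, rather than executes, the capture, owner-match logging and permitopen lines so they can be reviewed first. The host names, the third tunnel and KEY_PLACEHOLDER are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. It automates the manual
# lsof step: given the output of `lsof -p <PID> -a -i TCP` for the sshd
# child that handles pc2user's session, it lists the connections that are
# NOT the client's own ssh session (those are the forwarded tunnels) and
# emits the tcpdump, iptables owner-match and authorized_keys lines the
# answer describes. Commands are only printed, never run, so the output can
# be checked before anything is applied to the host.

# Constructed sample, modelled on the answer's lsof output; the third
# connection is invented to show that several tunnels are handled.
SAMPLE_LSOF='COMMAND   PID     USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
sshd    19170 pc2user    3u  IPv4 327724762      0t0  TCP pc1:ssh->pc2:40785 (ESTABLISHED)
sshd    19170 pc2user   10u  IPv4 327873368      0t0  TCP localhost:55678->google.com:http (ESTABLISHED)
sshd    19170 pc2user   11u  IPv4 327873370      0t0  TCP localhost:55690->example.com:https (ESTABLISHED)'

# Print "LOCALPORT REMOTE" for each established TCP connection of the sshd
# child whose local side is not the ssh service itself.
# lsof fields: $1 COMMAND, $8 NODE (TCP), $9 NAME (local->remote), $10 state.
forwarded_connections() {
    printf '%s\n' "$1" | awk '
        $1 == "sshd" && $8 == "TCP" && $10 == "(ESTABLISHED)" {
            split($9, ends, "->")            # ends[1]=local:port  ends[2]=remote:port
            n = split(ends[1], lhs, ":")     # last element is the local port (name or number)
            if (lhs[n] != "ssh" && lhs[n] != "22")
                print lhs[n], ends[2]
        }'
}

# tcpdump filter for one tunnel, capturing the loopback end as in the answer.
capture_command() {
    printf 'tcpdump -i lo src port %s\n' "$1"
}

# iptables owner-match rule (the OWNERMATCH facility linked in the answer):
# log every outbound packet generated on behalf of the given user, which is
# exactly the traffic leaving the forwarded tunnels, before the normal
# OUTPUT policy runs.
owner_log_rule() {
    printf 'iptables -I OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "%s-out: "\n' "$1" "$1"
}

# authorized_keys line restricting which host:port the user may ask to
# forward to. The key text is a placeholder, not a real public key.
permitopen_line() {
    host_port="$1"; shift
    printf 'permitopen="%s" %s\n' "$host_port" "$*"
}

# Stand-alone run: show what would be done for the sample.
forwarded_connections "$SAMPLE_LSOF" | while read -r port remote; do
    echo "tunnel to $remote from local port $port -> $(capture_command "$port")"
done
owner_log_rule pc2user
permitopen_line "intranet.example:80" "ssh-ed25519 KEY_PLACEHOLDER pc2user@pc2"
```

On a live host the first line would be replaced by `lsof -p "$PID" -a -i TCP` with the PID found as the answer shows; the owner-match rule needs root, and the LOG target writes to the kernel log, so pair it with a rate limit (`-m limit`) if the tunnel carries much traffic.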

OTHER TIPS

The point of Secure Socket Shell is to encrypt the traffic between connecting entities. It actually implements a protocol-level form of encryption. This is one of the benefits of its utilization.

The thing to note about your SSH is how it in itself works.

Though it has a primary goal to secure data, the easiest way to think of a connection through SSH is as a series of tubes. These tubes have a start and an end.

When you create this tunnel you're specifying an address and port, which will reply once it has properly completed a handshake.

SSH Model View

If you have a machine behind a firewall you'll need the machine to physically connect to the outside world, by exposing the "Entry" point of the "Remote" side of the connection.

Obviously a benefit of this port being exposed is that more items will begin to appear in plain old text, which blatantly exposes any data.

Now there are different tools to monitor such information:

  • Network and Protocol Analyzers
  • Proxy Servers

Proxy Servers: This lovely methodology is designed to take any traffic that hits your network; filter it, monitor it, and then pass it off. So in a sense you'll be able to monitor all incoming and outgoing traffic requests.

The connection itself may be secure which will hide transmission, but the Proxy will still expose the destination or incoming request.

Network and Protocol Analyzers: These are designed to be configured to monitor network traffic, so they will target each port and protocol that is geared toward three things:

  • Server
  • Client
  • Router

The goal will be to monitor all network packets that are sent from the machine, so once a packet is populated it will move down the OSI Model. Now the benefit of these analyzers is that they will expose all the required information from one IP to another, with these bits partially exposed.

For penetration testing a common tactic is to poison the router's tables; once they are exposed it makes it very easy to intercept these packets and then reinject them with different information.

Here are some Network and Protocol Analyzers:

  • Nagios XI
  • Wireshark

A Proxy:

  • Nginx

Security Utilities:

  • Open Wall, Security site with some security software utilities that may apply.
  • Antionline, Blackhat - Those forums have a lot of viable information.
  • Owl Security Software
  • SSHD
  • FreeBSD --> Has some built in SSH logging utilities built into it.

There is a lot of information on how to go about doing this. I took a somewhat kinder approach than Satish, but you can use different variations of attacks to obtain information as well. Another thing you may want to try is Penetration Testing. Some of those utilities will also accommodate your request.

Hopefully that helps at least point you in the right direction.

Short answer: you cannot. The whole point of ssh is to have a secure (encrypted) connection. The only way is to have the guest account monitored through your root account on pc1. You can do that by having the guest configured to use a proxy, for example, for the internet connection, so that you have access to the logs of the proxy.

But there are easier ways to do things like this.

If you are really willing to do that, then the only way to do it is a Man-In-The-Middle (MITM) attack. While the ssh session is encrypted you can't see the traffic using a sniffer, so somehow you have to put the attacker machine between your computer and PC2 so you can easily sniff the traffic. There are some tools available which will help you to implement a MITM attack.

MITM SSH

Decrypt SSH2 Session using libssl Vulnerability

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow