SSH Deep Packet Inspection - Custom Threat Prevention

You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt and encrypt SSH traffic and let the Threat Prevention solution protect against advanced threats, bots, and other malware.

  • Block SSH attacks

  • Block the transmission of viruses through SCP and SFTP protocols

  • PreventClosed UserCheck rule action that blocks traffic and files and can show a UserCheck message. brute force password cracking of SSH/SFTP servers

  • Prevent the dangerous use of SSH Port forwarding

  • Prevent using simple passwords like "password" when connecting to SSH/SFTP

  • Prevent using vulnerable cryptography

  • Prevent using vulnerable SSH clients and servers

  • Prevent using port 22 for other protocols except for SSH

Note - Currently, these blades are supported: Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). and Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE..

SSH DPI Architecture

Similar to HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi., SSH DPI works as the man-in-the-middle.

SSH_CLIENT <=> Security Gateway <=> SSH_SERVER

Note - All TCP traffic should pass through the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Enabling SSH Deep Packet Inspection on the Security Gateway

  1. On the Security Gateway, Run:

    cpssh_config ion

  2. Run this command:

    fw fetch local

    Or install the Access Control policy in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

Disabling SSH Deep Packet Inspection on the Security Gateway

On the Security Gateway, run:

cpssh_config ioff

Viewing SSH DPI Status

On the Security Gateway, run:

cpssh_config istatus

Note - All SSH inspection settings will be saved after Security Gateway reboot.

Configuring SSH Deep packet Inspection

Add an inspected SSH server

Note - The Security Gateway introduces the Server to the Client with a new public key.

Step

Instructions

1

Copy the SSH server's public key to the Security Gateway

Note - In Linux, the key on the Security Gateway is /etc/ssh/ssh_host_rsa_key.pub

2

On the Gateway, run this command:

cpssh_config -s -g SERVER_NAME -e /PATH/TO/RSA/KEY/THAT/YOU/COPIED.pub

For example:

If your ssh sever host is my_ssh_server_host.com, and you copy the key to /home/admin/mykey.pub, then you must run this command:

cpssh_config -s -g my_ssh_server_host.com -e /home/admin/mykey.pub

3

Repeat steps 1 and 2 for every SSH server to be added.

Note - The Security Gateway introduces the Server to the Client with the original public key.

Step

Instructions

1

Copy the SSH server's public and private key to the Security Gateway.

Note - The keys on the Security Gateway are:

  • /etc/ssh/ssh_host_rsa_key.pub

  • /etc/ssh/ssh_host_rsa_key

2

Run this command:

cpssh_config -s -a <SERVER_NAME> -e </PATH/TO/RSA/KEY/THAT/YOU/COPIED>.pub -i </PATH/TO/RSA/PRIVATE_KEY/THAT/YOU/COPIED>.pub

For example:

If your ssh sever host is my_ssh_server_host.com and you copy the keys to /home/admin/mykey.pub, then you must run this command:

cpssh_config -s -a my_ssh_server_host.com -e /home/admin/mykey.pub -i /home/admin/mykey

3

Repeat steps 1 and 2 for every SSH server to be added.

On the Security Gateway, run:

cpssh_config -w Global -y Port_fowarding_Enabled -u 0

Step

Instructions

1

In SmartConsole, from the right panel, select Objects > Services.

2

Right-click on the TCP, and then choose NEW TCP.

3

Enter a name for the new TCP service:

  1. Select General > Protocol as SSH2.

  2. Choose Match By > Customize to new port, and then set the port.

    For example, 22222

4

Install the Access Control Policy.

Step

Instructions

1

In SmartConsole, enable the IPS Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. in the Security Gateway object.

2

Enable the IPS Software Blade in the corresponding Threat Prevention policy.

3

Install Threat Prevention Policy.

Step

Instructions

1

In SmartConsole, enable the Anti-Virus Software Blade in the Security Gateway object.

2

Enable Anti-Virus Software Blade in the corresponding Threat Prevention policy.

3

Install Threat Prevention Policy.

SSH Deep Packet Inspection Settings

cpssh_config -q

On the Security Gateway, run:

cpssh_config -w KeyExchange

On the Security Gateway, run:

cpssh_config -w Cipher

On the Security Gateway, run:

cpssh_config -w Mac

On the Security Gateway, run:

cpssh_config -w Hostkey

On the Gateway, run:

cpssh_config -w Cipher -y <OPTION> -u <VALUE>

For example, to disable aes128-cbc:

cpssh_config -w Cipher -y aes128-cbc -u 0

Client Authorization (authorization by keys - without passwords)

Step

Instructions

1

Configure the SSH server to do the authorization through keys.

This is done by copying the public key from the client to the server in ~/.ssh/authorized_keys/.

For more details, see askubuntu.com.

2

Copy SSH client public and private keys (mykey.pub and mykey) to the Security Gateway.

3

Copy the SSH server public key (serverkey.pub) to the Security Gateway.

4

Run this command:

cpssh_config -c -a <admin_username>@<my_ssh_server> -e /home/admin/mykey.pub -l /home/admin/serverkey.pub -i /home/admin/mykey

Where:

  • admin_username is the username on the SSH server

  • my_ssh_server is the resolvable hostname of IP address of the SSH server

  • mykey.pub and mykey are pairs of client keys

Cluster

Currently, we do not support keys syncing between clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. nodes automatically.

On the Cluster MemberClosed Security Gateway that is part of a cluster., on which the keys were added, run these commands in the Expert mode:

cd /etc/

tar -cvvf ssh.tar ssh

scp ssh.tar admin@<IP_OF_OTHER_CLUSTER_MEMBER>:/tmp

On the other cluster members, run these commands in the Expert mode:

mv -v /tmp/ssh.tar /etc/
cd /etc/

mv -v ssh ssh_backup

tar -xvvf ssh.tar

killall -s HUP cpsshd

Troubleshooting

Connect to an SSH server with the telnet command.

The output should show "SSH-2.0-cpssh"

Example:

$ telnet 172.23.43.29 22
Trying 172.23.43.29...
Connected to 172.23.43.29.
Escape character is '^]'.
SSH-2.0-cpssh

Debugging

  1. Enable the debug flag "cpsshi" in the kernel debug module "fw".

  2. Enable all the debug flags in the kernel debug module "CPSSH".

For instructions on the debugging procedures, see the R81.20 Quantum Security Gateway Guide > Chapter Kernel Debug on Security Gateway.

  1. Create and then run this shell script:

    #!/bin/sh
echo > $FWDIR/log/cpsshd.elg
for PROC in $(pidof cpsshd)
do
    fw debug $PROC on ALL=6
done
tail -f $FWDIR/log/cpsshd.elg

    To stop the output, press the CTRL+C keys.

  2. Replicate the issue, or wait for it to occur.

  3. Disable the User Space logs with this command:

    for PROC in $(pidof cpsshd) ; do fw debug $PROC off ALL=6 ; done

  4. Examine the log files:

    $FWDIR/log/cpsshd.elg*