CPUG

The Check Point User Group

2006-09-05
gfont96
Funny SSH issues (well, not funny)

Hello All,

Using NGXR60 HFA03 on SPLAT.

I have a rule that says host to host ssh & ssh_version2. When attempting to connect, I see one connection successful in the log, then I see an alert saying SSH version 1.x not allowed.

Change the service column to an any and SSH then works. Created a new service SSH_port22 identical to the standard ssh service only I ticked the 'match for any' tickbox and now it works.

I thought match for any meant that if a rule had ANY in the service column, then a defined service with match for any would be processed.

Am I going mad, does it mean something else (looked it up in Phoneboy's NG book; does it work differently in NGX?)

If anyone has an explanation I would be most grateful. It works with my custom service, just interested in why.

I did completely disable SmartDefense and WebIntelligence settings (not to worry, I am running on a test bed at the moment!)

Thanks again guys,

George
2006-09-05
northlandboy
Re: Funny SSH issues (well, not funny)

A simple question - why would you configure a rule with both ssh and ssh_version2 in the services column? What's the point? What are you trying to achieve?

As for your understanding of "Match for any", that seems pretty much correct.

My configuration has the standard ssh service configured to match for any, so it doesn't seem unreasonable at all for me that sshv1 would be allowed through by a rule with "any" for service. It's the ssh_version_2 service that is not configured to match for any.

Oh and unless you have an outstanding reason for it, why are you using sshv1 anyway, given that it is known broken?
2006-09-05
gfont96
Re: Funny SSH issues (well, not funny)

Hello again,

I put both services in separate rules to see which it was picking up on and to try to identify which version of SSH may have been installed on the client PC. I only want to use SSHv2.

If I used only ssh_v2 then I would see one accept in the log and then an alert saying SSH version 1.x blocked. The client PCs are definitely running version 2 (I am told! But then I am told a lot which isn't quite true.)

I am just having trouble understanding why creating an identical service, but ticking the match for any box, makes it work.

I am wondering whether part of the SSH communication is version 2 but then either downgrades to version 1 because of the client or the second part (certificate transfer ?) takes place in version 1.

It's no big deal as ticking the match for any seems to make it all work, just interested in why really.

Thanks again for your help.

George
2006-09-05
northlandboy
Re: Funny SSH issues (well, not funny)

Ah, that's slightly different if you were using separate rules - your first post implied you had both services in one rule.

As I recall from last time I looked at this, you'll see the accept at first, when it sees the first SYN. The reject comes a little later, when Check Point's seen enough traffic to determine the version.

I'm not quite clear on what you're not quite understanding with the match for any behaviour. You have also noted the advanced service configuration for the ssh_version_2 service, where the protocol type is set to SSH2? When you create a basic tcp/22 service, it has no extra protocol type, so allows all versions.

Oh and rather than checking the clients, you should check the server configuration. Many clients try ssh v2 first, then fall back to v1. The server should offer v2 only. Some people are still using very old clients that only do v1 though.
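The reply above says the reject only appears once the firewall has seen enough traffic to determine the SSH version, and that the server, not the client, should be checked for offering v2 only. The version is carried in the identification string each side sends first (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF", with "1.99" meaning the server supports both v1 and v2). The following is an added example, not code from the thread or from Check Point: it parses that string from a captured banner and reports which protocol versions the peer offers, so a server that would trip an SSH2-only service can be spotted before a rule change. The `offers_v2_only` check models the thread's observation and is an assumption about the firewall's behaviour, not documented Check Point logic; the sample banners are constructed.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# A server may send other lines before the identification string, so we scan.
_ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(raw: bytes) -> dict:
    """Return the protocol version, software string and the set of SSH
    protocol versions the peer offers, taken from the first identification
    line found in `raw`. Raises ValueError if there is none."""
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        m = _ID_RE.match(text)
        if not m:
            continue  # pre-banner text, e.g. a welcome line
        proto = m.group("proto")
        if proto == "2.0":
            offers = {2}
        elif proto == "1.99":
            offers = {1, 2}  # RFC 4253: supports both v1 and v2
        elif proto.startswith("1."):
            offers = {1}
        else:
            offers = set()  # unknown protoversion
        return {"proto": proto, "software": m.group("software"),
                "comments": m.group("comments"), "offers": offers}
    raise ValueError("no SSH identification string found")


def offers_v2_only(banner: dict) -> bool:
    """Assumption modelled from the thread: a service whose protocol type is
    SSH2 rejects a connection as soon as version 1.x is seen, so only a peer
    that offers v2 exclusively passes cleanly. A "1.99" server still allows a
    v1 fallback and is flagged as a downgrade risk."""
    return banner["offers"] == {2}


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = {
    "v2-only server": b"SSH-2.0-OpenSSH_4.3\r\n",
    "v1/v2 server": b"Welcome\r\nSSH-1.99-OpenSSH_3.9p1 legacy box\r\n",
    "v1-only client": b"SSH-1.5-OldClient_1.0\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_BANNERS.items():
        b = parse_ssh_banner(raw)
        print(f"{label}: proto={b['proto']} offers={sorted(b['offers'])} "
              f"v2-only={offers_v2_only(b)}")
```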