Detecting ssh tunnelling through a proxy server

Why tunnel SSH through a proxy server?

An attacker could use this technique as an initial reverse connection or to enhance their capability once they have a foothold on a system. It allows an attacker to create an outbound connection using the secure shell (SSH) protocol, utilising a proxy server to bypass firewall restrictions that would prevent the native SSH port (TCP port 22) from reaching the Internet. Once an outbound connection via SSH is established, a reverse tunnel can be created to provide the attacker access back into the environment using a graphical interface such as RDP or VNC.

Tunnel out using a proxy server

Set up the tunnel

The Squid Proxy is configured to use the CONNECT method for HTTPS (SSL/TLS) only by default as it could not otherwise relay the encrypted protocol. The use of the CONNECT method is considered unsafe and generally the only port it would be configured for is 443.

So one thing the attacker must do is configure the endpoint SSH server to listen on port 443.

Creating th…
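
From the defender's side, the setup described above shows up as a CONNECT tunnel to port 443 whose first client bytes are an SSH identification string rather than a TLS ClientHello. The following is an added example, not code from the original page; it assumes a sensor that can see the first bytes the client sends into the tunnel, and the function names and sample sessions are constructed for illustration.

```python
import re

# CONNECT request line as received by a forward proxy such as Squid.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")
# SSH identification string (RFC 4253, section 4.2): SSH-<proto>-<software>.
SSH_ID_RE = re.compile(rb"^SSH-\d\.\d+-[\x21-\x7e]+")

def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m or not 0 < int(m.group(2)) <= 65535:
        return None
    return m.group(1), int(m.group(2))

def classify_client_bytes(data):
    """Classify the first bytes the client sends into the tunnel."""
    if SSH_ID_RE.match(data):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "unknown"

def flag_sessions(sessions):
    """Return (client, host, kind) for port-443 tunnels not carrying TLS."""
    alerts = []
    for client_ip, request_line, first_bytes in sessions:
        target = parse_connect(request_line)
        if target is None or target[1] != 443:
            continue  # only the HTTPS CONNECT case discussed here
        kind = classify_client_bytes(first_bytes)
        if kind != "tls":
            alerts.append((client_ip, target[0], kind))
    return alerts

# Constructed sample sessions (hypothetical hosts, documentation addresses):
# (client IP, CONNECT request line, first client bytes inside the tunnel).
SAMPLE_SESSIONS = [
    ("10.0.0.21", "CONNECT www.example.com:443 HTTP/1.1",
     bytes.fromhex("1603010200010001fc0303")),
    ("10.0.0.22", "CONNECT 198.51.100.7:443 HTTP/1.1",
     b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for alert in flag_sessions(SAMPLE_SESSIONS):
        print("non-TLS payload in CONNECT tunnel:", alert)
```
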