Real client IP from SSH via Reverse Proxy
While X-Forwarded-For HTTP headers work great for IP Manager to capture real client IPs from reverse-proxy'd HTTP, using similar technology for SSH connections is not currently possible to my knowledge.
We use Citrix ADCs for reverse proxy and after following their documentation for TCP/IP header insertion in TCP payload, I found that Cerberus denies connections made with this feature enabled and generates the error "Connection is not an SSH 2.0 connection". Remove the header insertion and connections come through just fine, except that the real client IP is not known by Cerberus and instead it records/evaluates the reverse proxy's IP.
This creates security issues, as we can't functionally utilize block lists or auto-blocking rules.
Hello, Jason.
The X-FORWARDED-FOR header in HTTPS allows the firewall to keep its IP in the packet source field, but still inform Cerberus that the connection originated from a different client.
Unfortunately, FTP and SFTP have no such headers or standard capability to convey that the connection originated elsewhere. It's up to the firewall/network device to use the client IP for the source port when it forwards the connection on.
You could get the source IP for client connections for SFTP and FTPS if your device supported that option. It's really all up to the device. Cerberus doesn't have any control over what source IP address the proxy decides to use.
Hi Dana,
Cerberus seems to be actively rejecting TCP packets with the header insertion change which would inform it of the true client IP -- so perhaps this is more of a bug or incompatibility issue with Citrix ADC specifically.
Jason, I created a feature request for Cerberus to release a separate proxy agent, to fix a similar problem to what you are seeing. https://support.cerberusftp.com/hc/en-us/community/posts/360003390000-Cerberus-DMZ-Proxy-Agent
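The two behaviours discussed in this thread (a proxy-unaware SSH server rejecting a stream that has a header inserted ahead of the SSH identification string, versus a proxy-aware front end that strips the header and recovers the real client address) as an added illustration; this is not Cerberus or Citrix code, the sample streams are constructed, and the inserted header is assumed to be a PROXY-protocol-v1 text line because the thread does not state the ADC's actual format.

```python
import ipaddress

# Constructed sample streams, not captured traffic. The "PROXY ..." line stands in
# for whatever the ADC inserts; the thread does not state the real format.
PLAIN_STREAM = b"SSH-2.0-OpenSSH_9.6\r\n"
PROXIED_STREAM = b"PROXY TCP4 203.0.113.7 198.51.100.20 51122 22\r\n" + PLAIN_STREAM
PROXY_V1_MAX_LEN = 107  # PROXY protocol v1 line limit, CRLF included


def strict_ssh_banner_check(stream: bytes) -> bool:
    """Proxy-unaware server: the first bytes on the wire must be the RFC 4253
    identification string. Any inserted header makes this check fail."""
    return stream.startswith(b"SSH-2.0-")


def strip_proxy_header(stream: bytes):
    """Proxy-aware front end: consume an optional PROXY v1 line.
    Returns (real_client_ip or None, remaining_bytes); malformed lines raise."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n")
    if end == -1 or end + 2 > PROXY_V1_MAX_LEN:
        raise ValueError("malformed PROXY header")
    fields = stream[:end].split(b" ")
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY header")
    # ip_address() rejects garbage, so a bogus address never reaches the policy engine
    client_ip = ipaddress.ip_address(fields[2].decode("ascii"))
    return str(client_ip), stream[end + 2:]


def evaluate_connection(stream: bytes, peer_ip: str, proxy_aware: bool):
    """Return (accepted, ip_used_for_block_lists) for one incoming connection."""
    if proxy_aware:
        try:
            real_ip, stream = strip_proxy_header(stream)
        except (ValueError, UnicodeDecodeError):
            return False, peer_ip  # do not trust an unparseable header
        policy_ip = real_ip or peer_ip
    else:
        policy_ip = peer_ip  # only the proxy's own address is ever seen
    return strict_ssh_banner_check(stream), policy_ip


if __name__ == "__main__":
    for label, stream, aware in [("plain, unaware", PLAIN_STREAM, False),
                                 ("inserted header, unaware", PROXIED_STREAM, False),
                                 ("inserted header, aware", PROXIED_STREAM, True)]:
        print(label, evaluate_connection(stream, "192.0.2.10", aware))
```

The second case is the rejection Jason describes, the first is the accepted connection whose block-list evaluation sees only the proxy's 192.0.2.10, and the third is what a DMZ proxy agent would have to do before handing the stream to the SSH server.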