ha.ckers.org security lab

SSH Proxy

This article was inspired by RSnake's article on using Trillian behind firewalls, but takes it a few steps further to let you proxy any application that supports proxying.

This tutorial uses OpenBSD as the example, but will work with little to no modification on any UNIX-like system, or even Windows with Cygwin installed, run away now if that frightens you.

The concept is fairly simple, for each service you need to connect through to avoid a restriction, or just don't want anyone to see you will set up an ssh tunnel and proxy it off of your remote server.

On your server (home computer) you'll need both sshd and apache, both are installed by default on OpenBSD, for your OS of choice I'll leave it up to you to figure out how to install them.

Note (stolen from Rsnake's article):
"By "static connection" I mean somewhere that has an IP address that you can connect to that doesn't change, but you can also use a service like DynDNS to make a dynamic connection appear static. If you cannot do port forwarding or cannot host a machine on your broad-band connection, stop now, and find a friend who will let you host a machine at their house."

Step 1. SSHD

edit sshd_conf (usually in /etc/ssh)
add the following line if it is not already there, making sure it is not commented out.

AllowTcpForwarding yes

restart sshd

Step 2. Firewall

You DO have a firewall installed right?
Unless you have specific needs just block all traffic and allow port 22 inbound

OpenBSD comes with PF an excellent firewall that does just about everything you could want.

using pf your pf.conf should look something like this:

ext_if = "rl0"

block log all
pass in quick on $ext_if inet proto tcp from any to ip_of_interface \
port 22 label ssh flags S/SAFR keep state

restart/reload your firewall rules as needed

Step 3. Configure Apache 1.3 to proxy

NOTE: OpenBSD by default runs httpd chrooted, in order for Apache to resolve hostnames while chrooted you will need to create a /var/www/etc directory, and copy resolve.conf into it.

mkdir /var/www/etc
cp /etc/resolve.conf /var/www/etc

Open httpd.conf in your favorite editor
find the proxy section and uncomment or add:

Listen 127.0.0.1:8080
LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

<IfModule mod_proxy.c>

ProxyRequests On
AllowCONNECT 443 5050 5190

<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
ProxyVia On

</IfModule>

start or restart apache

Note the AllowCONNECT, for each service that supports proxying you will need to add the associated port, the above example includes SSL connections, AIM and Yahoo IM.

On the computer you will be connecting from you will need to create a new file in your .ssh directory. It will contain an alias for the host you want to connect to, in this case your home computer, the address of the home computer, your username used for ssh on your home computer, and some port forwarding statements. Do not use root for the username.

~/.ssh/config should look something like this:


Host alias_for_somehost

HostName somehost.com (or an IP address)
User username
Compression yes
LocalForward 22 somehostontheothersideofthebastion:22
LocalForward 25 somemailserver:25
LocalForward 143 someimapserver:143
LocalForward 8080 127.0.0.1:8080

Now you just have to connect:

(Note: Rembrant sent an alternate connection method and correctly pointed out that the source ports should be greater than 1024 if using a UNIX host as the client, see his email here)

remotecomputer$ ssh alias_for_somehost
password:

somehost$

Note: you must leave this session open as long as you are proxying an application

Now that you are logged in all of the ports defined in ~/.ssh/config will be forwarded from your work computer, or whatever to your home computer. In the example above you can now directly connect to somehostontheothersideofthebastion simply by sshing to localhost on your computer, it's convenient for scp'ing to a machine behind the proxy server you just set up without double copying it.

You can set your mail client to use localhost as its mail server for outgoing and incoming mail.

And now you can surf all those warez sites from work by setting your proxy to localhost port 8080, same with IM, or any other application that allows itself to be proxied, just make sure you add the port to the AllowCONNECT line in httpd.conf

If you find this useful or confusing, let me know.



Back to http://ha.ckers.org/