Difference between revisions of "SSH/Socks5 Proxy"
(Created page with " Category:SSH Category:Proxy") |
|||
| Line 1: | Line 1: | ||
{{DISPLAYTITLE: SSH Socks5 Proxy}} |
|||
Creating a proxy with SSH to a server one has full control over in order to get content that is restricted to a certain coutry or region. |
|||
== Prerequisites == |
|||
* A server runnning SSH with a global address. |
|||
* Full control on the server to create users a.k.a root access. |
|||
* SSH client that understands the <tt>-D</tt> option e.g. [http://www.openssh.com/ OpenSSH] or [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY]. |
|||
* A web browser capable of using a Socks5 proxy. e.g. [https://www.mozilla.org/en-US/firefox/new/?utm_source=firefox-com&utm_medium=referral Firefox] |
|||
* A proxy switcher like [http://getfoxyproxy.com/ FoxyProxy] [optional]. |
|||
== Howto == |
|||
=== Server Setup === |
|||
The first thing do do is create a restricted or jailed users. Although the jailed users is more secure a restricted user is used as it is more universally applicable. |
|||
=== User Creation === |
|||
The assumption is that this is Linux server on other Unix-like hosts the commands need to be adjusted. The user's home directory will be located under <tt>/var/restricted</tt> which is probably not present and has to be created first. The user's name is for this example going to be <tt>socks5</tt>. |
|||
mkdir -p /var/restricted |
|||
useradd -d /var/restricted/socks5 -u 25002 -s /bin/rbash socks5 |
|||
To make this users truly restricted a few things need to be put in place and changed. First password authentication is not recommended here hence the <tt>.ssh</tt> directory. Further a <tt>.hushlogin</tt> for faster logins without the <tt>motd</tt>. And a few tools running a while loop while the connection is open to prevent timeouts. Using <tt>rbash</tt> prevents this users from using any binaries not in the path and the user can't change directories. |
|||
chmod 500 /var/restricted/socks5 |
|||
mkdir /var/restricted/socks5/.ssh |
|||
chown socks5 /var/restricted/socks5/.ssh |
|||
chmod 100 /var/restricted/socks5/.ssh |
|||
touch /var/restricted/socks5/.huslogin |
|||
chown root:root /var/restricted/socks5/.hushlogin |
|||
chmod 444 /var/restricted/socks5/.hushlogin |
|||
Additionally the login profile and the bin directory with the necessary binaries are created. |
|||
cat <<PROFILE > /var/restricted/socks5/.bash_profile |
|||
PATH="\${HOME}/bin" |
|||
export PATH |
|||
PROFILE |
|||
chown root:root /var/restricted/socks5/.bash_profile |
|||
chmod 444 /var/restricted/socks5/.bash_profile |
|||
mkdir /var/restricted/socks5/bin |
|||
chown root:root /var/restricted/socks5/bin |
|||
chmod 555 /var/restricted/socks5/bin |
|||
cd /var/restricted/socks5/bin |
|||
ln -s /bin/date |
|||
ln -s /bin/true |
|||
ln -s /bin/sleep |
|||
Copy the public ssh key to the <tt>/var/restricted/socks5/.ssh/authorized_keys</tt> file. See <tt>man ssh-keygen</tt> for more information how to achieve this. Finally adjust the permission of the <tt>authorized_keys</tt> file. |
|||
cat <span class="input">id_rsa.pub</span> >> /var/restricted/socks5/.ssh/authorized_keys |
|||
chown socks5:root /var/restricted/socks5/.ssh/authorized_keys |
|||
chmod 400 /var/restricted/socks5/.ssh/authorized_keys |
|||
[[Category:SSH]] |
[[Category:SSH]] |
||
Revision as of 13:52, 14 September 2014
Creating a proxy with SSH to a server one has full control over in order to get content that is restricted to a certain coutry or region.
Prerequisites
- A server runnning SSH with a global address.
- Full control on the server to create users a.k.a root access.
- SSH client that understands the -D option e.g. OpenSSH or PuTTY.
- A web browser capable of using a Socks5 proxy. e.g. Firefox
- A proxy switcher like FoxyProxy [optional].
Howto
Server Setup
The first thing do do is create a restricted or jailed users. Although the jailed users is more secure a restricted user is used as it is more universally applicable.
User Creation
The assumption is that this is Linux server on other Unix-like hosts the commands need to be adjusted. The user's home directory will be located under /var/restricted which is probably not present and has to be created first. The user's name is for this example going to be socks5.
mkdir -p /var/restricted useradd -d /var/restricted/socks5 -u 25002 -s /bin/rbash socks5
To make this users truly restricted a few things need to be put in place and changed. First password authentication is not recommended here hence the .ssh directory. Further a .hushlogin for faster logins without the motd. And a few tools running a while loop while the connection is open to prevent timeouts. Using rbash prevents this users from using any binaries not in the path and the user can't change directories.
chmod 500 /var/restricted/socks5 mkdir /var/restricted/socks5/.ssh chown socks5 /var/restricted/socks5/.ssh chmod 100 /var/restricted/socks5/.ssh touch /var/restricted/socks5/.huslogin chown root:root /var/restricted/socks5/.hushlogin chmod 444 /var/restricted/socks5/.hushlogin
Additionally the login profile and the bin directory with the necessary binaries are created.
cat <<PROFILE > /var/restricted/socks5/.bash_profile
PATH="\${HOME}/bin"
export PATH
PROFILE
chown root:root /var/restricted/socks5/.bash_profile
chmod 444 /var/restricted/socks5/.bash_profile
mkdir /var/restricted/socks5/bin
chown root:root /var/restricted/socks5/bin
chmod 555 /var/restricted/socks5/bin
cd /var/restricted/socks5/bin
ln -s /bin/date
ln -s /bin/true
ln -s /bin/sleep
Copy the public ssh key to the /var/restricted/socks5/.ssh/authorized_keys file. See man ssh-keygen for more information how to achieve this. Finally adjust the permission of the authorized_keys file.
cat id_rsa.pub >> /var/restricted/socks5/.ssh/authorized_keys
chown socks5:root /var/restricted/socks5/.ssh/authorized_keys
chmod 400 /var/restricted/socks5/.ssh/authorized_keys