SSH Proxy Server

Notes on how to set up an SSH proxy server that works as a VPN using iptables.

  1. Setup server
  2. Setup client
  3. Notes

Setup server

Install and enable the OpenSSH server. Relevant OpenSSH manual pages:

    ssh(1)
    ssh_config(5)
    sshd(8)
    sshd_config(5)

The user connecting through the proxy must not be able to run commands, get a shell or kill any process. Restricting the account in the system-wide sshd_config is more reliable than restricting it with options in ~/.ssh/authorized_keys, which lives in the user's own home directory.

AllowGroups admin users gitolite sshproxy

Match Group gitolite
    AllowAgentForwarding no
    AllowTcpForwarding no

Match Group sshproxy
    AllowAgentForwarding no
    PermitTTY no
    PermitOpen git.leetio.dev:443
    ForceCommand echo 'This account can only be used for web proxy'

Add the user:

sudo useradd -r -U -d /srv/sshproxy -s /bin/false sshproxy

With the shell set to /bin/false, ForceCommand is not strictly necessary: sshd runs the forced command through the user's login shell (shell -c 'command'), so with /bin/false the message above is never printed and the session simply closes. Note that PermitOpen limits the destinations of both -L and -D forwards, so an account that is meant to carry all traffic (see "Routing all traffic" below) needs a wider PermitOpen than the single host shown here.
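The server-side steps above, assembled into one script as an added example (not from the original notes). It assumes a Debian-style sshd_config that contains "Include /etc/ssh/sshd_config.d/*.conf", a drop-in path of 50-sshproxy.conf, the client's public key in ./sshproxy.pub, and a made-up client address 192.0.2.10 for the sshd -T check; AllowGroups in the main config must still list sshproxy as shown above. It also sets X11Forwarding and AllowStreamLocalForwarding to no, which the notes do not.

```shell
#!/bin/sh
# Added example (not from the original notes): create the restricted sshproxy
# account, install its Match block as a drop-in, and verify the settings sshd
# will actually apply to that user. Assumes sshd_config includes
# /etc/ssh/sshd_config.d/*.conf (Debian layout). Run as root.
set -eu

DROPIN=/etc/ssh/sshd_config.d/50-sshproxy.conf   # assumed drop-in path
HOME_DIR=/srv/sshproxy
PUBKEY=${PUBKEY:-./sshproxy.pub}                  # assumed key location

# The Match block from the notes, plus two forwarding types it did not close.
render_sshproxy_conf() {
    cat <<'EOF'
Match Group sshproxy
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTTY no
    PermitOpen git.leetio.dev:443
    ForceCommand echo 'This account can only be used for web proxy'
EOF
}

# Check an "sshd -T" dump (lower-cased keyword and value, one per line) for
# the directives the proxy account must end up with. Prints the first missing
# one and returns 1, so it can also be run against a pasted dump.
verify_effective_config() {
    dump=$1
    for want in 'permittty no' 'allowagentforwarding no' \
                'allowstreamlocalforwarding no' 'x11forwarding no' \
                'permitopen git.leetio.dev:443'; do
        if ! printf '%s\n' "$dump" | grep -qix -- "$want"; then
            printf 'missing: %s\n' "$want"
            return 1
        fi
    done
    return 0
}

install_sshproxy() {
    # -r: system account, -U: private group of the same name (the Match key),
    # no login shell. The home only holds authorized_keys.
    id sshproxy >/dev/null 2>&1 || \
        useradd -r -U -d "$HOME_DIR" -s /bin/false sshproxy
    install -d -m 750 -o sshproxy -g sshproxy "$HOME_DIR"
    install -d -m 700 -o sshproxy -g sshproxy "$HOME_DIR/.ssh"
    install -m 600 -o sshproxy -g sshproxy "$PUBKEY" "$HOME_DIR/.ssh/authorized_keys"

    render_sshproxy_conf > "$DROPIN"
    sshd -t                                    # syntax check before reloading
    # Effective config for this user connecting from a (hypothetical) client
    dump=$(sshd -T -C user=sshproxy,host=client.example,addr=192.0.2.10)
    verify_effective_config "$dump"
    systemctl reload ssh                       # assumed unit name (Debian)
}

case "${1:-}" in
    install) install_sshproxy ;;
esac
```

Run it as "sh setup-sshproxy.sh install". The sshd -T step is the part worth keeping around: after any later change to sshd_config it shows what the sshproxy account really gets, independent of what the Match block was meant to do.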


Setup client

Add the proxy to ~/.ssh/config:

Host proxy
    Hostname c2.ank
    IdentityFile ~/.ssh/sshproxy
    Port 2222
    User sshproxy

Start the SOCKS listener with debug output:

$ ssh proxy -v -C -N -D 8080

Start the listener and go to the background once the connection is established:

$ ssh proxy -f -N -D 8080

Add the foxyproxy-standard browser plugin to select the proxy by domain pattern. When configuring the server, run the following permission tests.

Connection closed, /bin/date is not executed:

$ ssh proxy
$ ssh proxy /bin/date

Administratively prohibited (the local listener opens, but the server refuses each forwarded channel, so both curl commands fail; sftp fails as well):

$ ssh proxy -N -D 443
$ curl -I --socks5 localhost:443 example.com
$ ssh proxy -N -L 8080:example.com:443
$ curl -I localhost:8080
$ sftp proxy

Remote forwarding should be possible, because here it is the client that forwards its own side to the server:

$ ssh host -N -R 8080:example.com:443
$ curl -I localhost:8080

This works too; it forwards the client's SSH port to the server (sshd only lets a remote forward bind a port below 1024 when the user is root, so this check depends on the account used on host):

$ ssh host -N -R 443:localhost:2222

Unfortunately, the client can then listen on that port too. Not a big issue:

$ ssh host -N -L 1234:localhost:443

The proxy user should not be able to:

  • execute shell commands - done
  • access files on or upload files to the server - done
  • use the server as an open proxy (e.g. web proxy to arbitrary hosts) - done
  • reach local services that a firewall otherwise keeps off the network - partially: the client cannot reach other ports than 62222, but can listen on and connect to port 62222 on the server
  • kill the server - done (note that these checks only cover the SSH server; another vulnerable service on the same machine could still let an attacker run commands, kill the server, etc.)
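The permission tests above, as one re-runnable script. This is an added example, not part of the original notes. It assumes the "proxy" Host entry from ~/.ssh/config, a local port of 1080 for the forwards (the notes use 443, which needs root on the client), and that example.com is not in the account's PermitOpen list.

```shell
#!/bin/sh
# Added example (not from the original notes): re-check the sshproxy account
# after every sshd change. Assumes the "proxy" Host entry exists and that
# example.com is outside the account's PermitOpen whitelist.
SSH="ssh -o BatchMode=yes -o ConnectTimeout=10"
PORT=${PORT:-1080}          # local forward port (notes use 443)
MARKER=PROXY_CHECK_MARKER

# 0 when the command fails (the restriction holds), 1 when it unexpectedly works.
expect_fail() {
    if "$@" >/dev/null 2>&1; then
        printf 'FAIL (succeeded): %s\n' "$*"; return 1
    fi
    printf 'ok   (refused):   %s\n' "$*"
}

# 0 when the command succeeds, 1 otherwise.
expect_ok() {
    if ! "$@" >/dev/null 2>&1; then
        printf 'FAIL (refused):   %s\n' "$*"; return 1
    fi
    printf 'ok   (allowed):   %s\n' "$*"
}

# ForceCommand runs "echo ..." which exits 0, so the exit status of
# "ssh proxy cmd" proves nothing. Check that our own output never comes back.
remote_exec_blocked() {
    out=$($SSH proxy "echo $MARKER" 2>/dev/null)
    case "$out" in
        *"$MARKER"*) printf 'FAIL: remote command was executed\n'; return 1 ;;
    esac
    printf 'ok   remote command not executed\n'
}

# PermitTTY no: the server must answer the pty request with a failure.
pty_blocked() {
    if $SSH -tt proxy true 2>&1 | grep -q 'PTY allocation request failed'; then
        printf 'ok   pty refused\n'
    else
        printf 'FAIL: pty allocated\n'; return 1
    fi
}

# Start a forward in the background, run the probe through it, tear it down.
# The listener opens locally; the server refuses the channel when the probe
# connects ("administratively prohibited"), so the probe must fail.
with_forward() {             # with_forward "<forward option>" <probe...>
    fwd=$1; shift
    $SSH -N $fwd proxy & pid=$!
    sleep 3
    expect_fail "$@"; rc=$?
    kill "$pid" 2>/dev/null
    return $rc
}

run_proxy_checks() {
    rc=0
    remote_exec_blocked || rc=1
    pty_blocked || rc=1
    expect_fail sftp -o BatchMode=yes proxy:/etc/passwd /tmp/ || rc=1
    with_forward "-D $PORT" curl -sS -I --max-time 10 \
        --socks5-hostname "localhost:$PORT" https://example.com || rc=1
    with_forward "-L $PORT:example.com:443" curl -sS -I --max-time 10 -k \
        "https://localhost:$PORT" || rc=1
    return $rc
}

case "${1:-}" in
    run) run_proxy_checks ;;
esac
```

Run it as "sh check-sshproxy.sh run"; a non-zero exit means one of the restrictions no longer holds. The marker test matters because the forced echo exits 0, which would make a plain exit-status check pass even on a server that had lost its ForceCommand.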

Routing all traffic (vpn)

To route all traffic through the SOCKS proxy, start the tunnel on the client:

ssh -D 5222 bob@mylinuxserver.xxx -N

Redirect all outgoing TCP with iptables. REDIRECT needs -p tcp and --to-ports; as written the rule also catches every new connection to the proxy server itself, including a reconnect of the ssh session, so the server's address has to be excluded in front of it:

iptables -t nat -A OUTPUT -p tcp ! -d 127.0.0.0/8 -j REDIRECT --to-ports 1081

Redirected connections arrive as plain TCP, not as SOCKS requests, so port 1081 must be a transparent-proxy relay (redsocks or similar) that speaks SOCKS5 to the ssh listener on 5222. UDP, and therefore DNS, is not covered by this rule.
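The redirection above with the exclusions it needs, as an added example that is not part of the original notes. It assumes the ssh -D 5222 tunnel is running, a transparent-proxy relay such as redsocks listens on 1081 and forwards to the SOCKS port, and a hypothetical server address of 203.0.113.10 for mylinuxserver.xxx.

```shell
#!/bin/sh
# Added example (not from the original notes): transparently redirect all
# outgoing TCP into the SSH SOCKS tunnel. Loopback, private networks and the
# proxy server itself are excluded first so the tunnel's own connection (and
# the relay's connection to 127.0.0.1:5222) are never redirected into the
# relay. Assumes redsocks or similar on 1081 and a hypothetical server
# address of 203.0.113.10. Run as root.
PROXY_SERVER=${PROXY_SERVER:-203.0.113.10}   # assumed: mylinuxserver.xxx
RELAY_PORT=${RELAY_PORT:-1081}               # transparent-to-SOCKS relay
CHAIN=SSHPROXY

# Emit the rules, one iptables argument list per line, so they can be
# reviewed or diffed against "iptables -t nat -S" before being applied.
render_rules() {
    cat <<EOF
-t nat -N $CHAIN
-t nat -A $CHAIN -d 127.0.0.0/8 -j RETURN
-t nat -A $CHAIN -d 10.0.0.0/8 -j RETURN
-t nat -A $CHAIN -d 172.16.0.0/12 -j RETURN
-t nat -A $CHAIN -d 192.168.0.0/16 -j RETURN
-t nat -A $CHAIN -d $PROXY_SERVER -j RETURN
-t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $RELAY_PORT
-t nat -A OUTPUT -p tcp -j $CHAIN
EOF
}

apply_rules() { render_rules | xargs -L1 iptables; }

remove_rules() {
    iptables -t nat -D OUTPUT -p tcp -j "$CHAIN"
    iptables -t nat -F "$CHAIN"
    iptables -t nat -X "$CHAIN"
}

# Sanity checks on the rendered rules: the proxy server must be excluded
# before the REDIRECT, and only TCP may be sent to the relay (REDIRECT with
# --to-ports is only valid for TCP/UDP, and the relay only speaks TCP).
rules_exclude_server() {
    render_rules | grep -q -- "-d $PROXY_SERVER -j RETURN"
}
rules_redirect_tcp_only() {
    render_rules | grep -- '-j REDIRECT' | grep -vq -- '-p tcp' && return 1
    return 0
}

case "${1:-}" in
    apply)  apply_rules ;;
    remove) remove_rules ;;
    show)   render_rules ;;
esac
```

Use "show" to inspect, "apply" to install and "remove" to undo. The private ranges are excluded so LAN and loopback traffic stays direct; drop those RETURN lines if the LAN is supposed to be reached through the tunnel as well. DNS still goes out over UDP unless the resolver is pointed at something the tunnel carries.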


Notes