SSH Proxy Server
Notes on how to set up an SSH proxy server that works as a VPN using iptables.
Setup server
Check the OpenSSH software and set up the OpenSSH server. OpenSSH manual pages:
ssh(1) ssh_config(5) sshd(8) sshd_config(5)
Users of the proxy should not have permission to run commands, get a shell, or kill any process. Restricting the user in the system-wide configuration (sshd_config) is more reliable than restricting the user in ~/.ssh/authorized_keys.
AllowGroups admin users gitolite sshproxy

Match Group gitolite
    AllowAgentForwarding no
    AllowTcpForwarding no

Match Group sshproxy
    AllowAgentForwarding no
    PermitTTY no
    PermitOpen git.leetio.dev:443
    ForceCommand echo 'This account can only be used for web proxy'
Add the user:
sudo useradd -r -U -d /srv/sshproxy -s /bin/false sshproxy
The ForceCommand option is not necessary if the shell is set to /bin/false.
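A check for the restrictions above, as an added example that is not part of the original notes: a small parser for sshd_config that understands Match Group blocks, resolves the settings sshd would apply to a member of a group, and lists which proxy-only restrictions are missing. SAMPLE_CONFIG is the snippet from the notes with one directive per line; HARDENED_CONFIG and the two extra settings it adds (X11Forwarding no, AllowTcpForwarding local, the latter refusing the -R listeners the notes observed) are assumptions.

```python
"""Lint an sshd_config for a proxy-only group (added example, not from the notes)."""
import re

# The sshd_config snippet from the notes, one directive per line.
SAMPLE_CONFIG = """\
AllowGroups admin users gitolite sshproxy

Match Group gitolite
    AllowAgentForwarding no
    AllowTcpForwarding no

Match Group sshproxy
    AllowAgentForwarding no
    PermitTTY no
    PermitOpen git.leetio.dev:443
    ForceCommand echo 'This account can only be used for web proxy'
"""

# Assumption: SAMPLE_CONFIG ends inside the sshproxy Match block, so these lines extend it.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
    X11Forwarding no
    AllowTcpForwarding local
"""

# keyword -> acceptable values for an account that may only act as a port-forward/SOCKS proxy.
# 'local' still permits -D and -L but refuses -R, which would let the account open
# listening ports on the server.
CHECKS = [
    ("allowagentforwarding", {"no"}),
    ("permittty", {"no"}),
    ("x11forwarding", {"no"}),
    ("allowtcpforwarding", {"local"}),
]


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords lowercased, values kept as written."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}  # every following directive belongs to this block
            match_blocks.append((value.lower(), current))
        else:
            current[keyword] = value
    return global_settings, match_blocks


def block_matches_group(criteria, group):
    """True if every criterion on the Match line is 'Group' and names the group.

    Other criteria (User, Address, ...) are not modelled; such a block is treated as not
    applying, so the checker errs towards reporting a missing restriction.
    """
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        return False
    for crit, pattern in zip(tokens[0::2], tokens[1::2]):
        if crit != "group" or group.lower() not in pattern.split(","):
            return False
    return True


def effective_settings(text, group):
    """Settings sshd applies to a member of `group`: Match blocks override the global
    section, and among several matching blocks the first to set a keyword wins."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in match_blocks:
        if block_matches_group(criteria, group):
            for keyword, value in settings.items():
                effective.setdefault(keyword, value)
    for keyword, value in global_settings.items():
        effective.setdefault(keyword, value)
    return effective


def missing_restrictions(text, group):
    """Return 'keyword: ...' findings; an empty list means the group is locked down."""
    eff = effective_settings(text, group)
    findings = []
    for keyword, ok_values in CHECKS:
        value = eff.get(keyword, "").lower()
        if value not in ok_values:
            findings.append(f"{keyword}: expected {'/'.join(sorted(ok_values))}, "
                            f"got {value or 'unset (sshd default)'}")
    # PermitOpen only matters when forwarding is allowed at all.
    if eff.get("allowtcpforwarding", "yes").lower() != "no" and \
            eff.get("permitopen", "any").lower() in ("any", ""):
        findings.append("permitopen: unrestricted, list only the host:port pairs the proxy may reach")
    allowed = eff.get("allowgroups", "").split()
    if allowed and group not in allowed:
        findings.append(f"allowgroups: {group} is not listed, so its members cannot log in")
    return findings
```

Running `missing_restrictions(SAMPLE_CONFIG, "sshproxy")` reports the two unset keywords, and the hardened variant reports nothing. On a live host, `sshd -T -C user=sshproxy` prints the effective settings and is the authoritative check; this parser is only for reviewing a config file offline.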
Setup client
Add the proxy to ~/.ssh/config:
Host proxy
    Hostname c2.ank
    IdentityFile ~/.ssh/sshproxy
    Port 2222
    User sshproxy
Start listening with debug information:
$ ssh proxy -v -C -N -D 8080
Start listening and go to the background once the connection succeeds:
$ ssh proxy -f -N -D 8080
Add the foxyproxy-standard plugin to configure proxy settings by domain pattern. When configuring the server, run the following permission tests:
Connection closed (/bin/date is not executed):
$ ssh proxy
$ ssh proxy /bin/date
Administratively prohibited (2x):
$ ssh proxy -N -D 443
$ curl -I --socks5 localhost:443 example.com
$ ssh proxy -N -L 8080:example.com:443
$ curl -I localhost:8080
$ sftp proxy
This should be possible, because the client is meant to forward its own SSH server:
$ ssh host -N -R 8080:example.com:443
$ curl -I localhost:8080
This works; it forwards the client's SSH to the server:
$ ssh host -N -R 443:localhost:2222
Unfortunately, the client can listen on that port too. Not a big issue:
$ ssh host -N -L 1234:localhost:443
The proxy user should not be able to:
- execute shell commands - done
- access files or upload files to the server - done
- use the server as proxy (e.g. webproxy) - done
- access local services which were otherwise not publicly accessible due to a firewall - partially; the client cannot access other ports than 62222, but can listen on and connect to port 62222 on the server
- kill the server - done (note that these checks are limited to the SSH server. If you have another vulnerable service on the machine, it could allow an attacker to run commands, kill the server, etc.)
Routing all traffic (vpn)
To route all traffic through the SOCKS proxy, on the client:
ssh -D 5222 bob@mylinuxserver.xxx -N
Redirect all traffic using iptables:
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -j REDIRECT --to 1081
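Two things to keep in mind with that rule, shown by an added example that is not part of the original notes. First, REDIRECT hands the listener on port 1081 a plain TCP connection, while `ssh -D` only accepts the SOCKS handshake, so something that speaks SOCKS to the ssh listener has to sit on 1081 (a transparent-proxy front-end such as redsocks). Second, as written the rule also catches the SSH session to mylinuxserver.xxx itself, which loops the tunnel through itself. The code below models only the iptables matchers it needs (`-d` with `!`, `-p`, `--dport`, `-m owner --uid-owner`) and the REDIRECT/RETURN targets, walks the nat OUTPUT chain for a few destinations, and shows the loop and the exclusion rules that prevent it. The server address 203.0.113.10, the destination 198.51.100.7 and uid 1000 (a dedicated account for the tunnel) are constructed values; the exclusion rules are assumptions, not from the notes.

```python
"""Minimal model of the nat OUTPUT chain (added example, not from the notes)."""
import ipaddress
import shlex

PROXY_SERVER = "203.0.113.10"  # constructed: address of mylinuxserver.xxx
TUNNEL_UID = 1000              # constructed: dedicated uid that runs 'ssh -D 5222'


def parse_rule(rule):
    """Parse an 'iptables -t nat -A OUTPUT ...' command line into a matcher/target dict."""
    toks = shlex.split(rule)
    spec = {"dst": None, "negate_dst": False, "proto": None, "dport": None,
            "uid": None, "target": None, "to": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "iptables":
            i += 1
        elif t in ("-t", "-A", "-m"):      # table, chain, match-module name: no match semantics here
            i += 2
        elif t == "!":                      # only '! -d' is modelled
            if toks[i + 1] != "-d":
                raise ValueError("only '! -d' negation is modelled")
            spec["negate_dst"] = True
            i += 1
        elif t == "-d":
            spec["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "-p":
            spec["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            spec["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--uid-owner":
            spec["uid"] = int(toks[i + 1])
            i += 2
        elif t == "-j":
            spec["target"] = toks[i + 1]
            i += 2
        elif t in ("--to", "--to-ports"):
            spec["to"] = int(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    return spec


def rule_matches(spec, dst_ip, proto="tcp", dport=None, uid=None):
    """Does one rule match a connection described by destination, protocol, port and owner uid?"""
    if spec["dst"] is not None:
        inside = ipaddress.ip_address(dst_ip) in spec["dst"]
        if inside == spec["negate_dst"]:   # '!' inverts the destination test
            return False
    if spec["proto"] is not None and spec["proto"] != proto:
        return False
    if spec["dport"] is not None and spec["dport"] != dport:
        return False
    if spec["uid"] is not None and spec["uid"] != uid:
        return False
    return True


def resolve(chain, dst_ip, **conn):
    """Walk the chain in order; RETURN falls through to the ACCEPT policy, REDIRECT rewrites the port."""
    for spec in chain:
        if rule_matches(spec, dst_ip, **conn):
            if spec["target"] == "RETURN":
                return ("ACCEPT", None)
            if spec["target"] == "REDIRECT":
                return ("REDIRECT", spec["to"])
    return ("ACCEPT", None)


# The rule from the notes, alone.
NOTES_CHAIN = [parse_rule("iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -j REDIRECT --to 1081")]

# Assumption: exclusions inserted before it so the tunnel's own SSH session is never redirected.
SAFE_CHAIN = [
    parse_rule(f"iptables -t nat -A OUTPUT -d {PROXY_SERVER} -p tcp --dport 22 -j RETURN"),
    parse_rule(f"iptables -t nat -A OUTPUT -m owner --uid-owner {TUNNEL_UID} -j RETURN"),
] + NOTES_CHAIN

if __name__ == "__main__":
    for label, chain in (("notes", NOTES_CHAIN), ("safe", SAFE_CHAIN)):
        print(label, "ssh to proxy server ->", resolve(chain, PROXY_SERVER, dport=22))
        print(label, "web traffic        ->", resolve(chain, "198.51.100.7", dport=443))
```

With the notes' chain the SSH session to the proxy server is itself redirected to 1081; with the destination and owner exclusions in front of it, only the remaining traffic is. The owner rule is only a good idea when the uid is a dedicated account for the tunnel, since it exempts everything that uid sends.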