@fr34k8
Forked from marthjod/ssh-proxy.md
Created December 22, 2015 18:01
HTTP-tunneled remote SSH proxy

Setup

Network

  • Bonus: sshd lives on its own LAN (192.168.30.0) behind a second router, which is itself attached to the Internet-NATted LAN (192.168.15.0), so a connection to the public IP reaches sshd along this path:
[public IP]:443
-> 192.168.15.1 = NAT router: forward port 443
-> 192.168.15.50:443 = router 192.168.30.1: forward port 443
-> 192.168.30.5:443 (squid) -> 192.168.30.5:22 (sshd)

Deny access from second to first LAN

  • Hosts in 192.168.30.0/24 should not be able to reach anything in 192.168.15.0/24
  • on every 192.168.30.* host: iptables -A OUTPUT -m iprange --dst-range 192.168.15.0-192.168.15.255 -j DROP
Topology (the right-hand branch marked "192.168.15.*" is the first LAN; the SSH server sits on the second LAN behind the 192.168.15.50 / 192.168.30.1 router):
      xxxxx
     xxx   xxxxx           +--------------+
     x        xxxx         | NAT router   |
     x  Inet     xx<------>| 192.168.15.1 |
     xx         xxx        +--------------+
       xx   xxxxx                    ^                    x
        xxxxx                        |                    |
                                     v                    | "192.168.15.*"
                           +---------------+              |
                           | router        |              |
                           | 192.168.15.50 |       +--------------+
                           | 192.168.30.1  |<----->| SSH server   |
                           +---------------+       | 192.168.30.5 |
                                                   +--------------+

SSHD

  • sshd_config on 192.168.30.5 (/etc/ssh/sshd_config on a standard OpenSSH install):
Port 22
Protocol 2
...
UsePrivilegeSeparation yes
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
...
AllowUsers exampleuser
# Idle timeout = 600 * 3 sec (30 min)
ClientAliveInterval 600
ClientAliveCountMax 3
X11Forwarding no
PrintLastLog yes
...
AllowTcpForwarding yes
Banner /etc/issue.net
# Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
  • /etc/supervisor/supervisord.conf on 192.168.30.5:
...
[program:sshd]
command=/usr/sbin/sshd -4 -D
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s_error.log

Proxy server: Squid

  • Listens on port 443 and relays CONNECT requests to sshd on port 22, so the SSH session is tunneled inside what looks like ordinary HTTPS traffic.
  • /etc/squid/squid.conf:
http_port 443

# Defined here but never referenced by an http_access rule below,
# so these two ACLs have no effect
acl SSL_ports port 22
acl Safe_ports port 22

# Allow squid to establish a connection to destination port 22
acl ssh_port port 22 # ssh

# Matches any request whose destination port is 22, whatever the host or
# method; since this is the last http_access line, everything else is denied
# (Squid's default is the opposite of the last http_access rule)
http_access allow ssh_port

# Do not reveal the Squid version or the real hostname in headers and error pages
httpd_suppress_version_string on
visible_hostname unknown
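As an added example (not part of the original gist), the same squid.conf tightened so the proxy relays only what the setup needs: the original http_access allow ssh_port lets any client open a CONNECT tunnel to port 22 on any host Squid can reach, and the SSL_ports/Safe_ports ACLs it defines are never used. The 192.168.30.5/32 destination is assumed from the topology above; the CONNECT ACL name follows Squid's default config.

```conf
http_port 443

# Request method must be CONNECT (the only request corkscrew sends)
acl CONNECT method CONNECT
# Destination must be the internal sshd on port 22 and nothing else
# (192.168.30.5/32 assumed from the network diagram above)
acl ssh_port port 22
acl ssh_dst dst 192.168.30.5/32

# Allow exactly one kind of request, then deny everything else explicitly
# so the proxy cannot be used as a relay to other SSH servers
http_access allow CONNECT ssh_port ssh_dst
http_access deny all

httpd_suppress_version_string on
visible_hostname unknown
```

Squid's access_log still records the denied requests as TCP_DENIED, so any CONNECT attempt to a destination other than 192.168.30.5:22 shows up there and is worth alerting on.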

Client: corkscrew

  • corkscrew opens a TCP connection to the proxy, sends an HTTP CONNECT request for the sshd host and port, and once the proxy answers 200 it hands the raw tunnel to ssh through ProxyCommand.

Usage

  • ssh -NnD SOCKS_PORT exampleuser@INTERNAL_SSHD -o "ProxyCommand corkscrew PUBLIC_HOSTNAME 443 INTERNAL_SSHD 22" (-N: no remote command, -n: stdin from /dev/null, -D: local SOCKS proxy on SOCKS_PORT; corkscrew connects to Squid on PUBLIC_HOSTNAME:443 and asks it to CONNECT to INTERNAL_SSHD:22)
  • E.g., ssh -NnD 1080 exampleuser@192.168.30.5 -o "ProxyCommand corkscrew my.public.host 443 192.168.30.5 22"

Firefox/Thunderbird

  • Network Settings: SOCKS Host localhost, Port 1080, SOCKS v5, with remote DNS enabled ("Proxy DNS when using SOCKS v5") so name lookups also go through the tunnel instead of leaking locally

Chrome

  • Start Chrome with all traffic through the SOCKS proxy; the host-resolver rule maps every name to 0.0.0.0 except localhost, so Chrome never resolves names locally and instead passes the hostname to the SOCKS5 proxy (no DNS leak). %U is the URL placeholder from a .desktop launcher; drop it when running by hand.
google-chrome-stable \
    --proxy-server="socks5://localhost:1080" \
    --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost" \
    %U