...making Linux just a little more fun!

Question on how to block a ssh host from being used as a Socks proxy

Suramya Tomar [security at suramya.com]


Fri, 19 Oct 2007 04:21:16 +0530

Hey Everyone, I have been using a SOCKS proxy via SSH (using port tunneling [1]) to browse the net from insecure locations and it works great.

However I have noticed that when I connect to certain hosts I am unable to use the connection as a SOCKS proxy and I was wondering how these hosts were configured to do this. It seems like a good feature to have on servers that I configure. Are there any disadvantages to this setup that I am missing?

I have tried looking for a solution online but I guess I am not asking the right questions because I didn't find anything useful. So any ideas/suggestions on what/where to look?

Thanks in advance.

- Suramya

[1] To set up a SOCKS proxy using SSH from a Windows system follow these steps:

Open PuTTY. You should be greeted with a configuration screen. First, you will enter the hostname or IP address of the SSH server. Type in a name for your connection settings in the box below "Saved Sessions", and click the Save button.

Now you need to look at the tree of options to the left; expand the SSH tree, and select "Tunnels". Enter 4567 (or any port number above 1024) in the Source Port area, and click the Dynamic radio button to select it. Leave the Destination field blank, and click "Add".

Now go back to the Session tree (very top of the left section), and save again. You will be prompted to enter a username, which is the username of your shell account. Type that in, hit enter, and then type in your password when it prompts you.

In your browser change the proxy setting to localhost and the port you used earlier and you can browse the net safely.

-- 
Name : Suramya Tomar
Homepage URL: http://www.suramya.com


Kapil Hari Paranjape [kapil at imsc.res.in]


Fri, 19 Oct 2007 09:38:50 +0530

Hello,

On Fri, 19 Oct 2007, Suramya Tomar wrote:

>   However I have noticed that when I connect to certain hosts I am 
> unable to use the connection as a SOCKS proxy and I was wondering how 
> these hosts were configured to do this.

I'm left wondering too!

Perhaps I don't understand your question. The way SOCKS works with SSH tunnels is:

a. Browser performs name lookup for the server you are trying to reach.
b. Browser asks SSH to open connection to PORT:ADDRESS combination.
c. SSH opens the connection to P:A from the remote end of the SSH connection.
d. SSH sends the packets back and forth between browser and the server; between the browser and the remote end these packets are wrapped up in socks.

As far as the server is concerned it sees the connection as coming from the address/hostname of the remote end of the SSH connection. Perhaps the servers are refusing connections from the remote end of your SSH tunnel.

Alternatively, it is possible that the browser is sending the server information inside the HTTP packet (think cookies!) which contains its "real" address/hostname and so the server figures out that this is not the same address/hostname to which it is connected.

One problem with using SOCKS the way you are using it is that name lookups are still performed "locally" (see (a) above). This could be a problem if you prefer to use name servers from the remote end.

A much bigger problem is that you are using Windows :-(

Regards,

Kapil. --
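Steps (a) and (b) in the mail above are the leg between the browser and the SOCKS server (which, as the next mail in the thread corrects, is the ssh client's own listener). The following Python is an added illustration, not code from the thread or from OpenSSH, of the two SOCKS5 messages a browser sends on that leg. It shows the detail behind the name-lookup point: SOCKS5 can carry either an already-resolved IP address (lookup done locally, as in step a) or the bare hostname (address type 0x03), in which case the lookup happens wherever the SOCKS server connects from, i.e. the far end of the tunnel. The host names and addresses in the sample calls are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
METHOD_NOAUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting() -> bytes:
    """First message from the browser: version 5, one offered auth method
    (no authentication), which is what ssh -D's SOCKS listener accepts."""
    return bytes([SOCKS_VERSION, 1, METHOD_NOAUTH])


def build_connect_request(target: str, port: int) -> bytes:
    """Second message: CONNECT to target:port.

    An IP literal means the browser resolved the name itself (step a above);
    the SOCKS server never sees the hostname.  A hostname is sent as-is
    (ATYP 0x03) and is resolved by whoever makes the outbound connection,
    which for ssh -D is the remote end of the SSH session."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 request")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """What the SOCKS server side sees: command, target, port, and whether
    the target arrived already resolved (local lookup) or as a name."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        target = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        target = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        n = data[pos]
        pos += 1
        target = data[pos:pos + n].decode("idna")
        pos += n
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != pos + 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": cmd, "target": target, "port": port,
            "resolved_locally": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed sample targets; no network traffic is generated.
    for tgt, prt in (("example.com", 443), ("93.184.216.34", 80)):
        req = build_connect_request(tgt, prt)
        print(req.hex(), parse_connect_request(req))
```

Whether a browser sends the name or the address is a client-side setting (Firefox exposes it as the "proxy DNS when using SOCKS v5" option); the parser's `resolved_locally` flag is the quickest way to see, on a captured request, which of the two a given browser is doing.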


Kapil Hari Paranjape [kapil at imsc.res.in]


Fri, 19 Oct 2007 09:45:52 +0530

Hello,

On Fri, 19 Oct 2007, Suramya Tomar wrote:

>   However I have noticed that when I connect to certain hosts I am 
> unable to use the connection as a SOCKS proxy and I was wondering how 
> these hosts were configured to do this. It seems like a good feature to 
> have on servers that I configure.

I just realised that I probably misunderstood Suramya's question.

You can configure an SSH server to refuse to forward TCP connections. "man sshd_config" says:

    AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

I also realised that I said something wrong in my previous mail. The packets are wrapped in socks between the browser and the SSH client (not the SSH remote end); it is the SSH client which is the SOCKS server! The SSH client then uses standard SSH port forwarding to forward the packets to the other end.

Regards,

Kapil. --


Karl-Heinz Herrmann [kh1 at khherrmann.de]


Fri, 19 Oct 2007 08:25:18 +0200

Hi,

On Fri, 19 Oct 2007 09:45:52 +0530 Kapil Hari Paranjape <kapil at imsc.res.in> wrote:

> On Fri, 19 Oct 2007, Suramya Tomar wrote:
> >   However I have noticed that when I connect to certain hosts I am 
> > unable to use the connection as a SOCKS proxy and I was wondering
> > how these hosts were configured to do this. It seems like a good
> > feature to have on servers that I configure.
> 
> I just realised that I probably misunderstood Suramya's question.
> 
> You can configure an SSH server to refuse to forward TCP connections.
> "man sshd_config" says:
> 
>      AllowTcpForwarding
>          Specifies whether TCP forwarding is permitted.  The default
>          is "yes". Note that disabling TCP forwarding does not improve
>          security unless users are also denied shell access, as they
>          can always install their own forwarders.
> 
> I also realised that I said something wrong in my previous mail. The
> packets are wrapped in socks between the browser and the SSH client
> (not the SSH remote end); it is the SSH client which is the SOCKS
> server! The SSH client then uses standard SSH port forwarding to
> forward the packets to the other end.

I was wondering about a similar thing for a while. I've ssh access on a remote system and one or two years back it was possible to do a direct port forwarding (ssh -L option) for my local browser to the remote proxy server to access some restricted web pages. This stopped working all of a sudden, error message was something like "administratively forbidden". I never really found out if the sshd configuration on the remote end changed or the proxy (which still exists).

Then I discovered that SOCKS forwarding does still work and now I use that. But the AllowTcpForwarding would surely switch off SOCKS forwarding as well? So do you have an idea how they switched this off selectively? Is it a web-proxy feature instead of an ssh one?

K.-H.
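The AllowTcpForwarding quote from Kapil's mail and the question just above about switching forwarding off selectively both come down to how sshd_config decides which value applies to a given login. The Python below is an added example, not code from the thread or from OpenSSH: it carries a constructed sshd_config and a small evaluator that reproduces sshd's precedence rule (the first value given for a keyword wins; a Match block that applies overrides the global section, and the first applying Match block that sets the keyword is the one used). It goes beyond the thread in two ways, both standard sshd_config features: Match blocks keyed on User, Group and Address, and the per-destination PermitOpen restriction that answers "selectively". The user name proxyuser, the group sshadmins and all addresses are hypothetical.

```python
import fnmatch
import ipaddress
import shlex

# Constructed sample sshd_config; the names and addresses are hypothetical.
SAMPLE_CONFIG = """
# Global section: nobody may forward TCP connections by default.
AllowTcpForwarding no
X11Forwarding no

# Logins from this (constructed) untrusted range never forward, whoever the
# user is.  Match blocks are tried in order; the first one that applies and
# sets a keyword wins, so this block must precede the admin exception.
Match Address 198.51.100.0/24
    AllowTcpForwarding no

# Administrators keep full forwarding.
Match Group sshadmins
    AllowTcpForwarding yes

# A tunnel-only account: local (-L / -D) forwarding, but only to one
# destination, and no shell in which to start a private forwarder
# (the caveat from the man page quoted in the thread).
Match User proxyuser
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:3128
    ForceCommand /bin/false
"""


def parse_sshd_config(text):
    """Split a config into its global section and Match blocks.  Keywords are
    case-insensitive and, as in sshd, the first value given for a keyword
    within a section is the one that counts."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key, args = words[0].lower(), words[1:]
        if key == "match":
            current = {"criteria": args, "opts": {}}
            blocks.append(current)
        else:
            section = global_opts if current is None else current["opts"]
            section.setdefault(key, args)
    return global_opts, blocks


def _address_matches(addr, pattern):
    """A CIDR block if the pattern parses as one, else a wildcard pattern."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(addr, pattern)


def match_applies(criteria, conn):
    """conn: {"user": str, "groups": set, "address": str}.  Every criterion on
    the Match line must hold; each takes a comma-separated pattern list.
    Only User, Group and Address are handled here."""
    for ctype, patterns in zip(criteria[0::2], criteria[1::2]):
        pats = patterns.split(",")
        if ctype.lower() == "user":
            ok = any(fnmatch.fnmatchcase(conn["user"], p) for p in pats)
        elif ctype.lower() == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in conn["groups"] for p in pats)
        elif ctype.lower() == "address":
            ok = any(_address_matches(conn["address"], p) for p in pats)
        else:
            raise ValueError(f"unsupported Match criterion {ctype!r}")
        if not ok:
            return False
    return True


def effective_option(text, conn, keyword):
    """The value sshd would apply for `keyword` to this login: from the first
    applying Match block that sets it, else the global value, else None."""
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for block in blocks:
        if key in block["opts"] and match_applies(block["criteria"], conn):
            return block["opts"][key]
    return global_opts.get(key)


if __name__ == "__main__":
    for who in ({"user": "alice", "groups": {"sshadmins"}, "address": "10.0.0.9"},
                {"user": "alice", "groups": {"sshadmins"}, "address": "198.51.100.4"},
                {"user": "proxyuser", "groups": {"users"}, "address": "203.0.113.7"},
                {"user": "bob", "groups": {"users"}, "address": "203.0.113.7"}):
        print(who["user"], who["address"],
              effective_option(SAMPLE_CONFIG, who, "AllowTcpForwarding"),
              effective_option(SAMPLE_CONFIG, who, "PermitOpen"))
```

The evaluator is an approximation for reading a config offline; on the real host the authoritative check is sshd's own extended test mode, for example `sshd -T -C user=alice,addr=10.0.0.9 | grep -i -e forwarding -e permitopen`, which prints the effective values for that simulated connection. Seen from the client side, a server with forwarding off for your login is exactly the "administratively prohibited" open failure described above, while PermitOpen lets an administrator leave -D enabled but have every destination except the listed ones fail the same way.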


Suramya Tomar [security at suramya.com]


Thu, 25 Oct 2007 13:15:40 +0530

Hey Again,

> You can configure an SSH server to refuse to forward TCP connections.
> "man sshd_config" says:
> 
>      AllowTcpForwarding
>          Specifies whether TCP forwarding is permitted.  The default
>          is "yes". Note that disabling TCP forwarding does not improve
>          security unless users are also denied shell access, as they
>          can always install their own forwarders.

Awesome. That's probably what they are using to stop the forwarding. Is there some way to bypass this?

> I also realised that I said something wrong in my previous mail. The
> packets are wrapped in socks between the browser and the SSH client
> (not the SSH remote end); it is the SSH client which is the SOCKS
> server! The SSH client then uses standard SSH port forwarding to
> forward the packets to the other end.

Oh ok. Thanks for the info.

Thanks, Suramya

-- 
Name : Suramya Tomar
Homepage URL: http://www.suramya.com


Suramya Tomar [security at suramya.com]


Thu, 25 Oct 2007 13:15:54 +0530

Hey,

> As far as the server is concerned it sees the connection as coming
> from the address/hostname of the remote end of the SSH connection.
> Perhaps the servers are refusing connections from the remote end of
> your SSH tunnel.

True. I verified it by visiting whatismyip.com to get the IP address I was browsing with and it gave me the IP of the remote server.

> Alternatively, it is possible that the browser is sending the server
> information inside the HTTP packet (think cookies!) which contains
> its "real" address/hostname and so the server figures out that this is
> not the same address/hostname to which it is connected.

Don't think this is what's happening, because I am unable to get to sites like google.com and yahoo either, which I can access from the shell using lynx.

> A much bigger problem is that you are using Windows :-(

Yeah. I have Linux on my desktop but have to use Windows on the laptop due to work. (I have to debug programs written in VB.NET and ASP.NET for work, so I need to run Windows to use Visual Studio; believe me, it's a pain.)

Thanks, Suramya

-- 
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
