
I am using ssh client as a SOCKS server by running on the remote server this command:

ssh -f2qTnND *:1080 some-server-user@localhost

There is only one problem here: anyone can connect to the server and use its internet connection.

Options:

  • To use iptables to filter access to the remote server, but clients connect to the server from various non-statically allocated IP addresses so filters should be edited very frequently, which is awkward.
  • To install a SOCKS server on the remote server (e.g. Dante). Ultimately this is the last option if there is no other simpler way to do it.
  • Launching the command on clients instead of remote server. The problem here is that some clients don't run on Linux and it is awkward again to set up the tunnel (e.g. Windows + Putty). It is also more difficult for end users to set up their local SOCKS server (e.g. remembering the command, typing mistakes).

Is there a way to add authentication to a SOCKS server made using ssh client?

Bonus question: How to add encryption between the client and the server (made using ssh client)?

Aalex Gabi
  • Wow. SSH to localhost to create an instant socks server? Not sure if this is brilliant or insane. – b0fh Oct 14 '12 at 01:29
  • I got the easy way by installing `dante-server`... and then realized that a lot of clients don't support authentication :( I think I will ultimately go with a VPN solution. – Aalex Gabi Oct 14 '12 at 03:33

2 Answers


SSH is your authentication

If you only want the localhost to access it, bind it there:

ssh -D localhost:port user@host

This ensures that only local programs can access the port, vs. *:port, which binds to both localhost and all your addresses.

If you want to reduce the login attempts on your ssh, just change the default port and rate limit it with iptables.

I would also recommend setting up fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page

Why add an extra level of auth on top? If you're too lazy, just set up an ssh key pair and a shortcut to putty with the required settings.

daxroc
  • The idea is to use the computer as a server. There is no point in binding it to localhost because remote clients could not connect. There is no extra level. The user connects as himself on the same machine just for the `ssh` built-in dynamic port forwarding. Once the port forwarding is set up clients can connect to the server. I do this just because some networks block some ports or limit bandwidth to some websites. This does not answer my question: Is it possible to add authentication to a server created like this? – Aalex Gabi Oct 14 '12 at 02:12
  • How many users are you wanting to use the service? Maybe this is what you're looking for http://www.catonmat.net/blog/linux-socks5-proxy/ You could use a dynamic dns service to overcome the changing ip addresses. This does seem like a lot of work and extra complication. – daxroc Oct 14 '12 at 03:54
  • You could bind external to a local port and have other local clients connect to you using ssh auth and forward through the same port. This is a little convoluted. – daxroc Oct 14 '12 at 04:02
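An added check, not part of the question or either answer, that makes the first answer's distinction concrete: it reads `ss -ltn` style output and reports which listeners are bound to a wildcard address (what `-D *:1080` produces) versus loopback only (what `-D localhost:port` produces). The sample `ss` output below is constructed.

```shell
#!/bin/sh
# Classify listening sockets from `ss -ltn` output on stdin.
# Prints "EXPOSED <port>" for wildcard bindings (reachable from any
# network), "LOCAL <port>" for loopback-only bindings, and
# "BOUND <addr> <port>" for anything else. Header lines are skipped.
classify_listeners() {
    awk '$1 == "State" { next }
    {
        n = split($4, a, ":")                 # Local Address:Port
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            print "EXPOSED " port
        else if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
            print "LOCAL " port
        else
            print "BOUND " addr " " port
    }'
}

# Constructed sample: a SOCKS listener from `ssh -D *:1080`, one from
# `ssh -D localhost:1081`, and sshd itself on every IPv6 address.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:1080 *:*
LISTEN 0 128 127.0.0.1:1081 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Run the classifier over the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners
}

# On a real server: ss -ltn | classify_listeners
classify_sample
```

Any `EXPOSED` line for the SOCKS port means the proxy is reachable without SSH authentication, which is exactly the situation the question describes.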

You're saying that it's awkward to tunnel in Windows. Try Bitvise Tunnelier, it's pretty easy to use.

There is no user authentication available in the OpenSSH client's socks server.

Bonus question: How to add encryption between the client and the server (made using SSH)?

SSH is encrypted already, and it's pointless for you since you're connecting to the localhost. You're better off disabling the encryption for more speed. There is no encryption for socks; if there is one, it's probably not going to work for most clients anyway.

Bill the Lizard
niknah
  • Thank you! For the second question by `client` I meant some random remote application and by `server` the `ssh` `SOCKS` server. You answered my question in the second part of the answer. – Aalex Gabi Oct 14 '12 at 03:28