On Friday 19 June 2015 11:01:25 Reco wrote:
> Hi.
>
> On Fri, Jun 19, 2015 at 09:13:42AM +0200, Frederic Marchal wrote:
> > On Friday 19 June 2015 09:24:34 Reco wrote:
> > > On Thu, 18 Jun 2015 18:20:25 -0500
> > > Richard Owlett <rowlett@cloud85.net> wrote:
> > > > Mike McClain wrote:
> > > > > On Thu, Jun 18, 2015 at 03:22:37PM -0500, Richard Owlett wrote:
> > > > >
> > > > > When CBS 60 Minutes (or was it Sunday Morning?) did an article on
> > > > > security on airlines, trains, etc. They suggested setting up a VPN
> > > > > on your system.
> > > > >
> > > > > Mike
> > > >
> > > > A pointer to an appropriate how-to and .deb in Jessie repository?
> > >
> > > A *very* simplistic howto follows:
> > >
> > > autossh -ND1080 <ur_home_here>
> > >
> > > <set iceweasel's proxy to socks4 proxy localhost:1080>
> >
> > With iceweasel/firefox, don't forget to change
> > network.proxy.socks_remote_dns to true in about:config or the DNS
> > requests will be issued to the local DNS server.
> >
> > See http://kb.mozillazine.org/Network.proxy.socks_remote_dns
>
> Please don't do so. Ssh only provides SOCKS4 proxy, and SOCKS4 can not
> tunnel DNS requests (or any UDP traffic for that matter).
According to ssh(1) manpage (see http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh+1 or your local man 1 ssh), ssh -D supports SOCKS4 and SOCKS5.
I have been using that trick since Debian Squeeze.
Locally run, for instance:
ssh -N -D8880 user@remote.host.example.com
Set the proxy in firefox to "socks=127.0.0.1:8880", enable network.proxy.socks_remote_dns and surf while watching with wireshark or tcpdump the DNS requests sent on the network interface. I had no DNS requests going to the local DNS server. I was completely stealthy except for the amount of data exchanged with only one server :-).
I have been using http://www.proxy-offline-browser.com/ProxySwitch/ to easily switch between a direct connection and a ssh tunnel in iceweasel.
The ssh server must allow TCP forwarding (AllowTcpForwarding in sshd_config, globally or on a per user basis) but, due to -N, you don't even need a login shell on the remote server and your tunnel won't register in /var/log/auth.log on the server.
BTW, if AllowTCPForwarding is enabled on a server where mysql is installed without a root password because it is only listening on 127.0.0.1, then anyone with a valid account (for sftp for instance) can open a ssh tunnel to access mysql running on the server:
ssh -L12000:localhost:3360 user@remote.server.example.com
Then it is easy to open a mysql client to local port 12000 as root and connect to the remote mysql server. Keep that in check when enabling TCP forwarding on a ssh server!
Frederic
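Added illustration (not part of the thread, and not ssh's or Firefox's own code): the SOCKS4 and SOCKS5 CONNECT requests that a browser sends to the ssh -D port, showing why the SOCKS version decides where the DNS lookup happens. SOCKS4 carries only a 4-byte IPv4 address, so the client must resolve the name first (the query leaves on the local network); SOCKS5's domain-name address type (ATYP 0x03) hands the hostname to the ssh server, which is what network.proxy.socks_remote_dns makes Firefox do. The SOCKS5 method-negotiation greeting that precedes the request is assumed to have already happened.

```python
import socket
import struct

def socks4_connect(ipv4, port, userid=b""):
    """Build a SOCKS4 CONNECT request.
    The address field is a fixed 4-byte IPv4 address, so a hostname has to be
    resolved by the client before the request can even be built: that DNS
    query goes out on the local interface, not through the tunnel."""
    try:
        packed_ip = socket.inet_aton(ipv4)
    except OSError:
        raise ValueError("SOCKS4 carries only IPv4 literals; %r must be resolved first" % ipv4)
    # VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL
    return struct.pack("!BBH4s", 0x04, 0x01, port, packed_ip) + userid + b"\x00"

def socks5_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928) for either an IPv4 literal
    or a hostname. With ATYP 0x03 the name travels inside the request and the
    proxy end (here the ssh server) performs the lookup."""
    try:
        addr = b"\x01" + socket.inet_aton(host)            # ATYP 0x01: IPv4 literal
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain-name field")
        addr = b"\x03" + bytes([len(name)]) + name        # ATYP 0x03: domain name
    # VER=5, CMD=1 (CONNECT), RSV=0, then address and port
    return struct.pack("!BBB", 0x05, 0x01, 0x00) + addr + struct.pack("!H", port)

def who_resolves(request):
    """Inspect a CONNECT request and report which side does the DNS lookup:
    'client' (name was resolved locally, or no name at all) or 'proxy'."""
    ver = request[0]
    if ver == 0x04:
        return "client"
    if ver == 0x05:
        atyp = request[3]
        if atyp == 0x03:
            return "proxy"
        if atyp in (0x01, 0x04):
            return "client"   # literal address: any lookup already happened locally
    raise ValueError("not a SOCKS4/SOCKS5 CONNECT request")

if __name__ == "__main__":
    # Constructed sample: the same destination via both protocol versions
    print(who_resolves(socks5_connect("example.org", 443)))   # proxy
    print(who_resolves(socks4_connect("127.0.0.1", 80)))      # client
```

Watching the proxy port with wireshark or tcpdump, a request starting with 0x05 ... 0x03 is the one whose name never hit the local resolver; a 0x04 request was preceded by a local DNS query.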