It is very common, especially in companies, that there are certain sites to which access is restricted for some specific reason (sometimes absurd, sometimes not), such as download sites, webmails and others.
In general, these restrictions are made by blocking the domain of the site in question, also adding restrictions to certain ports. What do we do then if we need to obtain some information immediately?
Usually users of Windows make use of programs like Putty (which is also available on GNU / Linux): YourFreedom, but there is another way a little more secure to be able to access the sites that we have denied, using SSH y Sock5.
For this example, I am counting on that we have open ports 80, 3128 (normally used for navigation) and 9122, and we will see two real cases. It is not my objective with this article, to explain in detail what it is SSH, Sock5 and how they work, we'll leave that for another time. We will see two examples:
- Connecting to another PC by SSH using its IP address.
- Connecting to another PC by SSH using a domain (via DNS).
What do we need?
- A computer with Internet access that we can access by SSH.
- SSH installed of course.
- Corkscrew (in case we are behind a proxy).
We open a terminal and put (in the case of Debian):
$ sudo aptitude install ssh corkscrew
OK .. I already installed. How do I connect?
It's very simple. We open a terminal and put ssh -p 443 user @ internet_computer_ip:
ssh -p 9122 -D 1080 elav@192.168.1.1
Parameter -p as is logical, it is used to establish through which port we are going to connect. That simple Now, we open the browser preferences (in my case Firefox) and the Network Options, we only mark the option to use Socks Server and we put:
127.0.0.1:1080
This is enough to navigate.
What if we are behind a proxy?
It may be the case that we are behind a very restrictive proxy server or that simply our ISP does not allow us to connect through an IP address, so we have to do it by DNS. This is where it comes in to play Corkscrew. To use this application, all we have to do is create a file inside the folder with our favorite editor .ssh in our / Home, LLAMADA config:
$ vim ~/.ssh/config
and inside we put something like this:
host dominio.net
user tu_usuario
hostname dominio.net
port 9122
proxycommand corkscrew IP_Proxy 3128 %h %p
DynamicForward 1080
Compression yes
LocalForward 8888 localhost:8888
Explaining this a bit. In the host parameter we put the URL of the server to which we are going to connect (which has to have SSH available by the 9122, as we saw in this post. In the parameter proxycommand after corkscrew we put the IP of our proxy or the FQDN, For example: proxy.domain.net and the port that is used to navigate.
Now we just have to open a terminal and put:
ssh usuario@dominio.net
Now, one last detail. It may be necessary to modify a parameter in the configuration of Firefox if we had no connection. We open a tab and type about: config. We promise that we will not put our hands in the settings and we look for:
network.dns.disablePrefetch
And if it is in false we put it in true.
Excellent, I would only like to have a server to be able to do it in a functional way and not just practice between 2 computers in my local network:)…
One question: Can't you navigate to desdelinux.net from https?
Nope, right now you can't. We would have to buy an SSL certificate, and it costs about $ 60 a month or a year, money that we do not have 🙁 ... sorry friend.
And why not a self signed certificate?
I don't know much about it, but if we generate a certificate ourselves, then your browser will tell you that the site is untrusted and that ... 🙁
If I remember correctly, it seems to me that I have ever seen certificates limited to about 15 USD per year, of course this depends largely on the hosting provider. But frankly, for a blog (public by nature) I don't see the need for HTTPS browsing except perhaps to ensure that the information we see is really the original and not part of a man-in-the-middle attack (or the desire may also be a sign that we are getting a bit paranoid) 😉
on sock server, you were missing a dot at 127.0.0.1:1080
Thank you. Right now I correct it.
Well I have to say, SSH looks very interesting ...
hehehe yes, you don't know the wonders that can be done only with an SSH connection 😀
It may be possible to remove corkscrew from the equation, at least for Firefox.
In "about: config", set the entry network.proxy.socks_remote_dns to true, which in the case of a socks v5 proxy causes DNS requests to be made by the socks proxy as well.
My link has no major restrictions so I don't know if this will work. Try and report. 😉
Another suggestion I've seen out there is to use -4D instead of -D to create the proxy only on an ipv4 address. This apparently optimizes the connection a bit.
Finally: if you do not want to execute any remote command, you could use the parameter at the end -N (thus we avoid putting the helmets), and to disconnect we would only have to give a Ctrl + C.
Thanks for the suggestion Hugo, would have to try. By the way, with all this combination I also use Screen 😀
I also use it, although through byobu. In fact, there are times when I have had a tremendous mess because I have had access to hosts in which I had had access to other hosts in which I had also had access to others, etc. As almost all of them used byobu, at For a while I finished closing everything because it was difficult for me to know from where I was accessing where, hehehe.
Hugo about the weather, call me from your house on my cell phone to call you back 😉
In addition to -4D (to optimize the connection) and -N (to tell SSH that we are only going to forwarder ports) we can add secure keys to both sides of the connection and an & at the end of the SSH invocation line to initiate a tunnel in an automated way.
Assuming we have the files configured correctly:
~ / .ssh /
authorized_keys2
id_rsa
id_rsa.pub
on the machines involved in the connection, the final instruction would be:
$ssh -p 9122 -4D 1080 -N elav@192.168.1.1 &
You can add it to our /etc/rc.local to ensure that the connection is established automatically every time the system starts.
Furthermore, using pm-suspend and eth-tool we can configure /etc/rc.local so that it wakes up the machine that is going to act as a proxy through the internet and automatically connects to it and then leaves it on standby again by when we close our system ...
Happy nerding 😀
Excellent contribution .. Thank you 😀