PGA - Pretty Good Anonymity
Posted 12-10-2009 at 04:08 AM by Web31337
a note i found on my archive while was making a cleanup on my HDDs.
written about 2 months ago.
i guess it might be useful for someone =) from what i can say i use that PGA for a long time already. it is slow of course, but it is like a gift for paranoid users =)
-----------------------------------------
proxychains + ssh = Pretty Good Anonymity(let's just name it PGA? ;) )
How to make PGA in five steps
by edK
Scheme:
You -> SSH(s) -> Proxy(1) -> Proxy(2) -> SSH(e) -> ProxyAtSSH(e, 127.0.0.1:10080 socks5) -> RemoteServer
You is obvious. There is no place localhost this we all know =)
SSH(s) is a first(start) SSH server, that is used to mask your following connections and data from your local ISP.
Proxy(1), Proxy(2), ... proxies of type HTTP/SOCKS(4/5).
SSH(e) is a last SSH server(end), used to mask traffic between ISPs after SSH(s).
ProxyAtSSH(e) is a proxy on SSH(e), that is redirecting traffic finally to RemoteServer.
In entire chain, only you and ISP of SSH(e) knows about where traffic really goes and what it contains, if it's not encrypted itself(say, yet another SSH or HTTPS connection). It's really very hard process to sniff and locate all the exact chain you used, better way, of course is also to choose SSH and proxy locations in different countries.
For example you need to connect so some server (let it be RemoteServer) using sftp(yeah, that SSH extension).
1. connect to your SSH(s) server.
2. add a tunnel to Proxy(1).
3. run proxychains ssh someuser@SSH(e) with chain through Proxy(1), tunnel to which is now located at You, then through absolute IP of Proxy(2) and others(if you plan to use Proxy(3) after Proxy(2) and more). Absolute IPs of Proxy(2), etc, and settings of chaining are added to proxychains config, of course.
4. add a tunnel from your proxychained SSH(e) connection to ProxyAtSSH(e) (say it's socks5 listening 127.0.0.1:10080 or the one port where proxy locates at SSH(e) server).
5. run proxychains sftp someuser@RemoteServer (requires other proxychains config) through your tunnel created at previous step (yes, through a tunnel to ProxyAtSSH(e)).
6 (optional). Enjoy :D
I really appreciate tools like TOR, Freenet, but it requires yourself to provide same proxying services (if you don't then how will network survive, uh? better not use at all if you aren't planning to give something). Also it is not so secure. You never know... In this case you control your entire chain, you know where the traffic goes and how.
basically to implement this system you may have two servers with SSH access with "AllowTcpForwarding yes" setting, one with a proxy on it. or you may not have proxy on SSH at all, just use external ones you can get either yourself(up to you "how?") or on proxy-related sites. Of course, everyone knows about free proxies stability, don't rely on them, you will waste more time debugging which one failed this time and searching for a replacement, than you will spend online =)
I hope this will be helpful for someone =)
greetz! ;)
written about 2 months ago.
i guess it might be useful for someone =) from what i can say i use that PGA for a long time already. it is slow of course, but it is like a gift for paranoid users =)
-----------------------------------------
proxychains + ssh = Pretty Good Anonymity(let's just name it PGA? ;) )
How to make PGA in five steps
by edK
Scheme:
You -> SSH(s) -> Proxy(1) -> Proxy(2) -> SSH(e) -> ProxyAtSSH(e, 127.0.0.1:10080 socks5) -> RemoteServer
You is obvious. There is no place localhost this we all know =)
SSH(s) is a first(start) SSH server, that is used to mask your following connections and data from your local ISP.
Proxy(1), Proxy(2), ... proxies of type HTTP/SOCKS(4/5).
SSH(e) is a last SSH server(end), used to mask traffic between ISPs after SSH(s).
ProxyAtSSH(e) is a proxy on SSH(e), that is redirecting traffic finally to RemoteServer.
In entire chain, only you and ISP of SSH(e) knows about where traffic really goes and what it contains, if it's not encrypted itself(say, yet another SSH or HTTPS connection). It's really very hard process to sniff and locate all the exact chain you used, better way, of course is also to choose SSH and proxy locations in different countries.
For example you need to connect so some server (let it be RemoteServer) using sftp(yeah, that SSH extension).
1. connect to your SSH(s) server.
2. add a tunnel to Proxy(1).
3. run proxychains ssh someuser@SSH(e) with chain through Proxy(1), tunnel to which is now located at You, then through absolute IP of Proxy(2) and others(if you plan to use Proxy(3) after Proxy(2) and more). Absolute IPs of Proxy(2), etc, and settings of chaining are added to proxychains config, of course.
4. add a tunnel from your proxychained SSH(e) connection to ProxyAtSSH(e) (say it's socks5 listening 127.0.0.1:10080 or the one port where proxy locates at SSH(e) server).
5. run proxychains sftp someuser@RemoteServer (requires other proxychains config) through your tunnel created at previous step (yes, through a tunnel to ProxyAtSSH(e)).
6 (optional). Enjoy :D
I really appreciate tools like TOR, Freenet, but it requires yourself to provide same proxying services (if you don't then how will network survive, uh? better not use at all if you aren't planning to give something). Also it is not so secure. You never know... In this case you control your entire chain, you know where the traffic goes and how.
basically to implement this system you may have two servers with SSH access with "AllowTcpForwarding yes" setting, one with a proxy on it. or you may not have proxy on SSH at all, just use external ones you can get either yourself(up to you "how?") or on proxy-related sites. Of course, everyone knows about free proxies stability, don't rely on them, you will waste more time debugging which one failed this time and searching for a replacement, than you will spend online =)
I hope this will be helpful for someone =)
greetz! ;)
Total Comments 2
Comments
-
The example set of commands with proxychains.
# ~/.proxychains/proxychains.conf - stage 1 config, contains proxy chain between SSH(s) and SSH(e).
# it can as well contain only reference to Proxy(1) if you are not using chains between servers.
# ~/p/chain2/proxychains.conf - stage 2 config, contains a ProxyOnSSH(e) reference.
# Assume PROXY_1 is Proxy(1) IP. Proxy(1) might as well be placed on SSH(s) the way ProxyAtSSH(e) is.
# start your terminal emulator. better the one supports tabs or multiple sessions in 1 window. You can as well use GNU screen util for this purpose.
user@srvr:~/anydir$ ssh tunneluser@ssh_s -L 2222:PROXY_1:8080 -N
# run to another console(or create new window (^a+c) if you work in GNU screen)
# this will use proxychains config in your home directory, containing a chain between SSH(s) and SSH(e).
user@srvr:~/anydir$ proxychains ssh tunneluser@ssh_e -L 22222:127.0.0.1:10080 -N
# now at local port 22222 you have a tunneled link to your last point, ProxyAtSSH(e).
# to use this scheme, start another session, cd to ~/p/chain2/ and run proxychains with anything you like.
user@srvr:~/p/chain2$ proxychains sshnuke 10.2.2.2 -rootpw="Z10N0101"
# you can as well use ~/.proxychains/proxychains.conf as a symlink to ~/.proxychains/stage1 which contains chain between servers and ~/.proxychains/stage2 which contains ProxyAtSSH(e), so that when you create a tunnel to SSH(e) you can remap it to stage2 file and use proxychains in any directory.Posted 01-23-2010 at 08:16 AM by Web31337
Updated 01-23-2010 at 08:22 AM by Web31337 -
You may simplify this by using '-D' param of ssh that acts like a SOCKS5 proxy, allowing you to create tunneled connections to any server.
That decreases anonymity but increases performance and stability. I prefer staying with initial version of this solution. Also it has a side effect that some web browsers require HTTP/HTTP CONNECT-type proxies, and socks are not applicable in this context. If you are looking for a way to surf the net freely, this solution might not comfort you.Posted 02-06-2010 at 01:07 PM by Web31337