Quote:
Originally Posted by no_root_no_cry
My home PC (server) has IP address 100.100.100.100. My laptop (client) has address 200.200.200.200. I want to connect from my laptop to the Internet via my home PC. And I want to do that securely.
I have never used IPSec and I know nothing about Dante. But you can easily accomplish what you want using any relatively recent version of ssh. (Very old versions don't support what I am about to describe. But for security reasons you shouldn't be using anything that old anyway.) You, of course, must have sshd (the SSH daemon) running on your remote host (100.100.100.100). To avoid most of the attempts to crack SSH, I suggest having it listen on a non-standard port, which I will call 12345. (Change it to some other number.) Also for security, I would suggest you not allow password logins or root login. (See the ssh-keygen man page for instructions on generating a key pair. And if you are using Debian or any Debian-derived distro -- such as Ubuntu -- make sure your ssh-keygen program is up to date!!!)
To do the above, make sure /etc/ssh/sshd_config on 100.100.100.100 contains the following lines (this is *not* a complete config file, just the relevant lines for implementing what I have said):
Code:
Port 12345
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
RSAAuthentication yes
PubkeyAuthentication yes
Again, the above is not the complete config file, but make sure those lines are present. (And eliminate any lines that directly contradict them.) Also make sure you have eliminated the Port 22 line. Copy your public key to ~/.ssh/authorized_keys on an appropriate account (I'll call it "user") on 100.100.100.100. Then issue (for example) the following command on 200.200.200.200:
Code:
ssh -D localhost:8889 -f -N -p 12345 user@100.100.100.100
ssh will then be acting as a SOCKS proxy listening on localhost:8889, but will send the requests via secure tunnel to 200.200.200.200 which will actually send the requests to the Internet. So just set your browser to use localhost:8889 as a SOCKS proxy and you're good to go! (To simplify things, you might want to define an alias for the above command or use a key binding ("hotkey") to invoke it. You might also try to automatically invoke it. But that will run into problems unless you can find a way to make sure your network connection is already up.)
------
NOTE ON SECURITY: The real security from what I have described comes from prohibiting password and root logins. Many will correctly point out that changing the listening port is an attempt at "security through obscurity" and therefore is not real security. But in the current environment it will greatly decrease the number of attempts at cracking SSH. So if you are the only one connecting to SSH on this server I think it is a useful thing to do. Also beware that in recent months the "bad guys" have started using distributed attacks to get around tools like fail2ban and denyhosts, so the usefulness of such tools to prevent SSH cracking is decreasing.
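
Added example, not part of the original post: a small Python check of an sshd_config against the hardening lines listed above. It relies on sshd using the first value it reads for each keyword, which is why contradicting lines have to be removed rather than overridden further down; the function names and the sample text are constructed for illustration, and the two protocol-1 RSA options are skipped on the assumption of a current OpenSSH.

```python
# Added example: audit sshd_config text against the settings listed in the post.
# Assumption: current OpenSSH, so the protocol-1 options RSAAuthentication and
# RhostsRSAAuthentication from the post are not checked.
REQUIRED = {  # lowercase keyword -> value the post asks for
    "permitrootlogin": "no", "ignorerhosts": "yes",
    "hostbasedauthentication": "no", "challengeresponseauthentication": "no",
    "passwordauthentication": "no", "usepam": "no",
    "pubkeyauthentication": "yes",
}

def parse(text):
    """Return (global settings, ports, settings found inside Match blocks)."""
    settings, ports, in_match, matched = {}, [], False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            in_match = True              # everything below is conditional
        elif in_match:
            matched.append((key, value))
        elif key == "port":
            ports.append(value)          # Port may be given several times
        else:
            settings.setdefault(key, value)  # first occurrence wins in sshd
    return settings, ports, matched

def audit(text):
    """List every way the config departs from the post's hardening lines."""
    settings, ports, matched = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: effective value {got!r}, want {want!r}")
    for key, value in matched:
        if key in REQUIRED and value.lower() != REQUIRED[key]:
            findings.append(f"{key}: Match block sets {value!r}, want {REQUIRED[key]!r}")
    if not ports or "22" in ports:       # no Port line means the default, 22
        findings.append("port: sshd still listens on 22")
    return findings

# Constructed sample: the later "no" does not undo the earlier "yes".
SAMPLE = "Port 22\nPort 12345\nPasswordAuthentication yes\nPasswordAuthentication no\n"
```

Calling `audit(open("/etc/ssh/sshd_config").read())` on the server returns an empty list when every checked line from the post is in effect.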