LinuxQuestions.org
Old 09-27-2008, 09:23 AM   #1
eoika1782
LQ Newbie
 
Registered: Sep 2008
Posts: 1

Rep: Reputation: 0
connection from university campus


hi all

I am networking from a university campus connection. All is working well, and I can also connect to the computer of a friend, outside the campus, via ssh, but he had to make his ssh server listen on port 80 instead of 22.
I would like to use a piece of software called BBO (it works on VirtualBox), that is used to play bridge online, but it does not work.
My question is: is it possible to connect this software through another computer that I reach via ssh, so that I skip the proxy settings?

Thanks all

Laura

Last edited by eoika1782; 09-27-2008 at 09:31 AM.
 
Old 09-29-2008, 01:08 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
It sounds like your university is controlling which ports you can connect to. (Perhaps you already knew that.) If you can get an ssh connection to a box outside of the university's network, you can use the ssh tunnel to forward ports. (Check out the -L and -R options on the ssh man page.) You can also use the remote sshd as a SOCKS proxy using the -D option. My guess is that one of these will allow you to do what you wish, but I don't have a clear enough idea of exactly what you are trying to do to be more specific.

Please note that it is your responsibility to conform to whatever network usage policies your university has published. I am merely providing some technical details.
 
Old 10-05-2008, 10:49 AM   #3
no_root_no_cry
LQ Newbie
 
Registered: Apr 2008
Posts: 13

Rep: Reputation: 0
My home PC (server) has IP address 100.100.100.100. My laptop (client) has address 200.200.200.200. I want to connect from my laptop to the Internet via my home PC. And I want to do that securely.
I can't use IPsec for my purpose, can I? I must use a protocol from a higher layer, e.g. SOCKS, I think. I'm trying to configure Dante but it isn't working for me. I can't understand the tutorials completely, for example this one: http://www.trekweb.com/~jasonb/artic...e_tunnel.shtml although it looks easy.
Do you know exactly which commands and actions I must do?
Can I use my custom large file as an encryption key? I want to make weak algorithm/strong key encryption. That will be faster.

Last edited by no_root_no_cry; 10-05-2008 at 10:51 AM.
 
Old 10-06-2008, 03:42 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by no_root_no_cry View Post
My home PC (server) has IP address 100.100.100.100. My laptop (client) has address 200.200.200.200. I want to connect from my laptop to the Internet via my home PC. And I want to do that securely.

I have never used IPSec and I know nothing about Dante. But you can easily accomplish what you want using any relatively recent version of ssh. (Very old versions don't support what I am about to describe. But for security reasons you shouldn't be using anything that old anyway.) You, of course, must have sshd (the SSH daemon) running on your remote host (100.100.100.100). To avoid most of the attempts to crack SSH, I suggest having it listen on a non-standard port, which I will call 12345. (Change it to some other number.) Also for security, I would suggest you not allow password logins or root login. (See the ssh-keygen man page for instructions on generating a key pair. And if you are using Debian or any Debian-derived distro -- such as Ubuntu -- make sure your ssh-keygen program is up to date!!!)

To do the above, make sure /etc/ssh/sshd_config on 100.100.100.100 contains the following lines (this is *not* a complete config file, just the relevant lines for implementing what I have said):

Code:
Port 12345
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
RSAAuthentication yes
PubkeyAuthentication yes

Again, the above is not the complete config file, but make sure those lines are present. (And eliminate any lines that directly contradict them.) Also make sure you have eliminated the Port 22 line. Copy your public key to ~/.ssh/authorized_keys on an appropriate account (I'll call it "user") on 100.100.100.100. Then issue (for example) the following command on 200.200.200.200:

Code:
ssh -D localhost:8889 -f -N -p 12345 user@100.100.100.100
ssh will then be acting as a SOCKS proxy listening on localhost:8889, but will send the requests via secure tunnel to 200.200.200.200 which will actually send the requests to the Internet. So just set your browser to use localhost:8889 as a SOCKS proxy and you're good to go! (To simplify things, you might want to define an alias for the above command or use a key binding ("hotkey") to invoke it. You might also try to automatically invoke it. But that will run into problems unless you can find a way to make sure your network connection is already up.)

------

NOTE ON SECURITY: The real security from what I have described comes from prohibiting password and root logins. Many will correctly point out that changing the listening port is an attempt at "security through obscurity" and therefore is not real security. But in the current environment it will greatly decrease the number of attempts at cracking SSH. So if you are the only one connecting to SSH on this server I think it is a useful thing to do. Also beware that in recent months the "bad guys" have started using distributed attacks to get around tools like fail2ban and denyhosts, so the usefulness of such tools to prevent SSH cracking is decreasing.

Last edited by blackhole54; 10-06-2008 at 04:01 AM. Reason: Last set of edits didn't "take"
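
An added example, not part of blackhole54's post: a small Python check of an sshd_config text against the lines listed in post #4, reporting missing lines, contradicting lines and a leftover Port 22. It relies on sshd using the first value it reads for a keyword and on every Port line adding a listening port; the function names, the constructed GOOD/BAD samples and the choice to only flag Match blocks are assumptions of this example.

```python
import re

# Directives and values taken from the post; keywords are case-insensitive.
REQUIRED = {
    "permitrootlogin": "no", "ignorerhosts": "yes",
    "rhostsrsaauthentication": "no", "hostbasedauthentication": "no",
    "challengeresponseauthentication": "no", "passwordauthentication": "no",
    "usepam": "no", "rsaauthentication": "yes", "pubkeyauthentication": "yes",
}

def parse_global(text):
    """Collect {keyword: [values in file order]} up to the first Match block."""
    seen, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            has_match = True
            break
        seen.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen, has_match

def audit(text, expected_port="12345"):
    """Return a list of findings; an empty list means the file matches the post."""
    seen, has_match = parse_global(text)
    findings = []
    for key, want in REQUIRED.items():
        values = [v.lower() for v in seen.get(key, [])]
        if not values:
            findings.append(f"{key}: line missing")
        elif values[0] != want:  # sshd keeps the first value it reads
            findings.append(f"{key}: effective value is {values[0]}, want {want}")
        elif any(v != want for v in values[1:]):
            findings.append(f"{key}: contradicting duplicate line")
    ports = seen.get("port", ["22"])  # with no Port line sshd listens on 22
    findings += [f"port: listening on {p}" for p in ports if p != expected_port]
    if expected_port not in ports:
        findings.append(f"port: {expected_port} not configured")
    if has_match:
        findings.append("match: conditional blocks present, review by hand")
    return findings

# Constructed samples: the post's lines, then the same file with contradicting lines on top.
GOOD = "Port 12345\n" + "".join(f"{k} {v}\n" for k, v in REQUIRED.items())
BAD = "Port 22\nPasswordAuthentication yes\n" + GOOD

if __name__ == "__main__":
    print(audit(GOOD))
    print(audit(BAD))
```

On a live host, `sshd -T` run as root prints the effective configuration and is the authoritative check; this parser only reads the file text.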
 
Old 08-25-2009, 12:54 PM   #5
no_root_no_cry
LQ Newbie
 
Registered: Apr 2008
Posts: 13

Rep: Reputation: 0
It works! Thank you blackhole54!
But if I understand correctly I must configure each application separately to use SOCKS each time I decide to use it. And what about the software that doesn't implement SOCKS? Actually I need a VPN, I think.
Now I'm trying to configure tinc but I have a problem with the tun/tap driver. This driver is used by other VPN software too.
Ptunnel is an interesting program too.

Last edited by no_root_no_cry; 08-26-2009 at 06:31 AM.
 
Old 08-27-2009, 03:41 AM   #6
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I would imagine VPN is the most general solution, but I have no experience with it. To use ssh as a SOCKS proxy, as described, you do need to configure each application to use SOCKS. I believe there are wrappers (programs) you can use to "socksify" programs that can't handle it natively.

Good luck!
 