Setup a proxy SOCKS using ssh tunnel
Open a terminal and run this command to add the group allowed to setup a tunnel
{% highlight sh %} addgroup allow_tunnel {% endhighlight %}
In /etc/ssh/sshd_config, add or replace the following lines at the end of the file
Match Group allow_tunnel
AllowTcpForwarding yes
AllowAgentForwarding yes
X11Forwarding no
PermitTunnel yes
GatewayPorts yes
#PermitOpen localhost:1080
ForceCommand echo 'This account can only be used for SOCKS and has be restricted accordingly.'Create a user for the tunnel and add it to “allow_tunnel” group.
useradd $USER_tun
usermod -a -G allow_tunnel -s /usr/bin/tunnel_shell $USER_tunNote: You cannot allow tunnel usage for a user that may not log into ssh.
Create a new file and make it executable
touch /usr/bin/tunnel_shell
chmod +x /usr/bin/tunnel_shellEdit the file you just created with vim (“vim /usr/bin/tunnel_shell“)
#!/bin/bash
trap '' 2 20 24 # CTRL+Z will escape from the script giving you full access to bash… Try adding << trap '' 20 >>
clear
echo -e "\r\n \e[5m \e[43m \e[31mSSH tunnel started, shell disabled by the syste$m administrator\e[0m \r\n"
while [ true ] ; do
sleep 1000
done
exit 0
# Number SIG Meaning
# 0 0 On exit from shell
# 1 SIGHUP Clean tidyup
# 2 SIGINT Interrupt
# 3 SIGQUIT Quit
# 6 SIGABRT Abort
# 9 SIGKILL Die Now (cannot be trap'ped)
# 14 SIGALRM Alarm Clock
# 15 SIGTERM TerminateAdd the fresh shell to the list in your server
echo "/usr/bin/tunnel_shell" >> /etc/shellsRestart the ssh service
systemctl restart sshd
Papa Sall is a Security Analyst and a Audit team leader @ Societe Generale. As part of his mission within SG, Papa is in charge of helping businesses by protecting their applications from potential hackers and cyber-attacks... Papa prevent attacks and threats to resources owned by the Financial Group. Do you want to know more? Visit my website!