Re: restricting the SOCKS server

---

• From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
• Date: Mon, 5 Mar 2007 21:03:04 +1100

---

On 2007-02-28, dmulter <david@xxxxxxxxxx> wrote:

I have a somewhat unique request regarding using SOCKS. I'm currently
using OpenSSH with SOCKS "-D port" just fine to talk to a Web server
that is also running the SSH server. My goal is to use SSH/SOCKS
tunneling to permit secure access to the website running on this
server.

[...]

the same server. For example, user1 goes to site1.website.com, and
user2 goes to site2.website.com. I can of course partition the
websites using port numbers also. How can I control SOCKS proxy
destinations to a specific site or port?

Starting in OpenSSH 4.4 there's a PermitOpen directive which controls
which hosts port forwards, including dynamic port forwards, are permitted
to talk to. You could implement[1] what you describe above with:

PermitOpen site1.website.com:80 site2.website.com:80

If they're on separate IPs you could even restrict by user too with
the Match directive (but note that this isn't guaranteed to work if
all the sites are virtually hosted on a single IP).

Match User user1
PermitOpen site1.website.com:80
Match User user2
PermitOpen site2.website.com:80

Depending on whether or not the SOCKS client send hostname or IP address
(SOCKS4 only supports IPs, and is what most browsers use) you may need
to list the IP address instead of or in addition to the hostname.

[1] there's a bug in 4.4 and 4.5 that stops the second and subsequent
PermitOpen specifications on a single line from working but there's a
patch available, it's fixed in the snapshots and it will be fixed in
the soon-to-be-released 4.6p1.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
.

---

• Prev by Date: Re: Problem with getting the moment when all reply packages to my command will be received (answer end)
• Next by Date: Re: HostbasedAuthentication on AIX: error ssh_keysign: no installed: No such file or directory
• Previous by thread: Problem with getting the moment when all reply packages to my command will be received (answer end)
• Next by thread: Re: HostbasedAuthentication on AIX: error ssh_keysign: no installed: No such file or directory
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Blocking Ports ... server to do it, and not necessarily on port 1080. ... are a small, but growing, number of open socks proxies ... > WinMX = 209.61.186.0/24 ... (comp.security.firewalls) Re: ssh on 443 to box w/socks, forward ports, bypass proxy. HELP! ... port to whatever port your SOCKS ... server is listening on. ... Then, in IE, you'll need to go to the advanced proxy settings and set ... (comp.security.ssh) Re: IPSEC problem ... Allow My Server to access IP xxx.xxx.xxx.xxx from port 25 to any port. ... Permit. ... Mirroring not checked. ... (microsoft.public.win2000.security) Re: req help with access-list config ... - the ip's I want to permit on port 25 and 100 are out ... not on my own LAN. ... is a rogue who wants to spam using my smtp server. ... The access list would permit 12.34.56.78 to send and receive mail using my ... (comp.dcom.sys.cisco) Re: nis 2003 and ftp server ... > NIS. ... What would be the custom rules to permit download and upload on my ... You will likely need port 21 in/out and possible port 20 in/out. ... If you do not want your server to show to the world, ... (comp.security.firewalls)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)