This post appeared originally in our sysadvent series and has been moved here following the discontinuation of the sysadvent microsite.
It is late at night. You have just arrived at your grandparents' when the SMS beeper goes off. There is a problem with a SAN controller, and the on-call person knows you fixed it the last time. If only you had documented it.
You know you have to fix this yourself, but you have no VPN access. You don’t even have an Internet connection, except your 3G mobile phone, and you really need access to that admin web GUI. There is an emergency SSH port available, but no other port is open. X-forwarding over 3G? Not an option. SSH port-forwarding and fix /etc/hosts. Doable perhaps? VNC over SSH? Awkward. Enter the SSH SOCKS proxy!
Emergency web access
Simply run:
ssh -D 1080 login.example.com
You now have a SOCKS proxy listening on local port 1080 that forwards connections through the login server. Firefox supports using such a proxy.
Settings -> Advanced -> Network -> Configure how Firefox connects to the Internet -> Manual settings, Socks: localhost, Port: 1080
If you need to resolve addresses from the server side, add that to the configuration. In the URL field, type about:config, then search for the key network.proxy.socks_remote_dns
Set it to true. That is all. You are now surfing as if Firefox was running locally on the login server. Remember to reset your settings after you have finished your session, or Firefox will not work properly when you close your SOCKS proxy SSH shell.
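What network.proxy.socks_remote_dns changes on the wire, as an added example that is not part of the original post: with the setting on, the SOCKS5 CONNECT request carries the hostname and the login server resolves it; with it off, the client resolves the name itself and sends an address, so internal-only names fail and the lookup goes to whatever DNS the 3G link provides. The request layout follows RFC 1928; the function names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def build_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name itself, the proxy resolves it.
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # The client already resolved (or was given) an address.
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)

def describe(request):
    """Return (target, port, resolver) for a CONNECT request."""
    if len(request) < 5 or request[0] != VER or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        start, size, resolver = 5, request[4], "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, size, resolver = 4, (4 if atyp == ATYP_IPV4 else 16), "client"
    else:
        raise ValueError("unknown address type")
    if len(request) != start + size + 2:
        raise ValueError("truncated or oversized request")
    raw = request[start:start + size]
    target = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", request[-2:])
    return target, port, resolver

if __name__ == "__main__":
    # Constructed inputs: hostname from the post, address from TEST-NET-1.
    for host in ("server.behind.firewall.example.com", "192.0.2.10"):
        req = build_connect(host, 443)
        print(req.hex(), describe(req))
```

A request whose resolver is "client" means the name never reached the proxy, which is the case to look for when an internal hostname fails to load through the tunnel.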
Not just surfing
But wait, there’s more. With a local SOCKS proxy, you may also use other programs, and they don’t even have to support SOCKS themselves. Install tsocks, and set localhost as the SOCKS proxy host:
sudo yum install tsocks || sudo apt-get install tsocks
echo "server = 127.0.0.1" | sudo tee /etc/tsocks.conf
tsocks is a little gem of a program. It hooks into other programs, and redirects network traffic to the local SOCKS proxy. Now, while the SSH SOCKS proxy is still running (the ssh -D1080 command), just use tsocks to run your favourite program through the proxy:
# Log into a server on a closed network behind the firewall
tsocks ssh server.behind.firewall.example.com
# Run a local psql shell against a remote server through the SOCKS proxy
tsocks psql -U pg_admin_user -W -h database.behind.firewall.example.com template1
Or, to run a whole session of commands through the SOCKS proxy, start with “. tsocks on” (note the leading dot), and stop it with “. tsocks off”:
. tsocks on
command
command
command
. tsocks off
To run Firefox through the SOCKS proxy, but without changing its configuration:
tsocks firefox http://ripe.net # Stop firefox first
To check tsocks status, run
tsocks show
If the LD_PRELOAD variable is empty, tsocks is disabled for this shell.
Note that not all Internet traffic is routed via tsocks. For example, ICMP is not.