Networking Gurus: Help With Chicken And Egg Vps + Vnc + Ssh + Firewall Problem


diggler

Hi All,

Scenario/Background:

I'm on a boat. We use VSAT + two year old Cisco router. Router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP).

When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case.

I borked my VPS server trying to get around the above stated issue. It's left me in a bit of a pickle.

I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR, because the CPANEL is on a non-standard web port (5454).

I can't reinstall the server though. To do that I need to VNC to the VPS. I use 'Chicken of the VNC' which doesn't support proxying, like a web browser.

I've looked at a few options, like NoVNC, etc which are browser based HTML5 implementations of a VNC client but they rely on a companion server which my VPS is not running.

Any ideas? (1A) Help!

*I'm asking a friend to remotely reconfigure my server, and to run SSH on port 443 so I'll have SSH access and web proxying ability, but it has led me to even more questions. I hope that the firewall doesn't filter to the Layer 7 networking stack, otherwise I might need a better solution. What are some ways to accomplish this? (2A) Below is what I've found so far. Please help me add to the list of possibilities.

Is there a software solution (Mac OS X or Ubuntu) that allows a user to specify which application uses the socksified SSH connection (ex ssh -D 8080 username@y.y.y.y) on the local machine? (3A) It would be ideal if an application could force traffic over the SSH connection. Example, tell 'Chicken of the VNC', Adium, etc to route through SSH without having to set a proxy in their individual preferences (most don't even have the option/ability).

Future Solutions

1B.

#Ubuntu wiki says this might be a problem on some VPS's - https://help.ubuntu....y/IptablesHowTo

#execute on remote server

iptables -t nat -I PREROUTING -p tcp -m conntrack --ctstate NEW -s x.x.x.x -d y.y.y.y --dport 443 -j REDIRECT --to-port 22

or

#execute on remote server

iptables -t nat -I PREROUTING --src x.x.x.x --dst y.y.y.y -p tcp --dport 443 -j REDIRECT --to-ports 22

sudo iptables -t nat -L -n -v

#execute on local machine in Terminal

ssh -p 443 -D 8080 username@y.y.y.y

2B.

http://www.thoughtcr...tware/firemole/

3B.

http://dag.wieers.co...http-tunneling/

*anyone know of a more current way to do this? (4A) software doesn't look like it's been updated since 2009

4B.

sudo nano /etc/ssh/sshd_config

change the line "Port 22" to "Port 443"

to save --> hit ctrl+o, then ctrl+x

sudo restart ssh

*how does encrypted web traffic (https 443) still work if SSH is now using port 443 on the VPS? (5A)


You could always just ssh into your VPS, OK I know port 22 is blocked for your outgoing connection but you can run ssh through tor just like you do for some of your other tools.

Edit your ~/.ssh/config file and add the following (remembering to change the relevant host and username details):

Host mydomain
    HostName mydomain.com
    User myaccount
    CheckHostIP no
    Compression yes
    Protocol 2
    ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p

Assuming you have the standard tor tools it should get you back in control of your VPS.


Hi Jason,

Interesting reply. Thanks. I have a couple of questions from your post:

- I have the TOR browser bundle installed

- Am I correct in assuming that TOR (browser bundle) listens on local port 9050 for exactly these types of proxy situations without the need to configure/modify the TOR browser bundle? What we're doing is telling SSH to route its traffic to local port 9050, where TOR is listening, then forward traffic through TOR 80 HTTP or 443 HTTPS

- Is it then possible for me to run other applications, like 'Chicken of the VNC' through TOR as well? Do you know how this would be done?

*I think I can use this piece of software to accomplish my goal: http://code.google.com/p/torsocks/

**I think my best bet is to launch TOR through BT5, use VNC, and proxy chains... http://bent.latency.net/bent/git/goto-san-connect-1.85/src/connect.html


As far as I am aware the tor browser bundle really consists of two parts, tor and a preconfigured browser. Just make sure that you have the browser open while using tor as I suspect it might be configured to automatically turn off tor when you close the browser.

tor is effectively a socks proxy which listens on port 9050 by default. Any program that supports the use of a socks proxy will usually work fine with tor, though you may want to check how it resolves hostnames if you are really wanting to be secure.

What we are doing in the ssh config file is simply telling ssh that for a specific host we want to use the following settings (hostname, user, protocol version and proxy). The key line for us is the proxycommand line, which effectively tells ssh that we need to use a socks proxy (the -S option) that is found on port 9050 on the localhost.

The other bits on the proxycommand line do things like make sure it is using IPv4 (the -4 option) and look up hostnames via tor (the whole tor-resolve %h bracketed bit in the options).
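
The hostname-resolution point in the reply above comes down to one byte of the SOCKS5 request. As an added illustration (not part of the thread; it follows the RFC 1928 framing, and the function names and sample destinations are constructed), this builds and parses CONNECT requests and reports whether the name was left for the proxy to resolve or an address was supplied by the client:

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect(host, port):
    """SOCKS5 CONNECT request (RFC 1928): VER=5, CMD=1, RSV=0, ATYP, ADDR, PORT."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name itself so the proxy (tor) resolves it.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # IP literal: the lookup already happened somewhere before this request.
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_connect(req):
    """Return (resolved_by, destination, port) for a captured CONNECT request."""
    if len(req) < 5 or req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        dest, rest, who = body[1:1 + n].decode("ascii"), body[1 + n:], "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        dest, rest, who = str(ipaddress.ip_address(body[:n])), body[n:], "client"
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return who, dest, struct.unpack("!H", rest)[0]

# Constructed destinations: the thread's placeholder host and a documentation IP.
BY_NAME = build_connect("mydomain.com", 22)
BY_IP = build_connect("192.0.2.10", 22)

if __name__ == "__main__":
    for req in (BY_NAME, BY_IP):
        print(req.hex(), parse_connect(req))
```

A "client" result is not a leak by itself: with the ProxyCommand in the thread, tor-resolve hands connect an address it looked up through tor. The case to look for is an address that came from the local resolver instead.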
