[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Torsocks plus ssh plus command line browser - does this idea make sense?



Hi,

> So am I running torsocks ssh to the VPS and then ssh -D to 8080 at the
same time?

As before you're using Tsocks to route your SSH connection out over Tor.
Alternatively, if you've got TransPort running (in the example on 9050) you
can pass the following to SSH to achieve the same

    -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p"

You'll also want to disable verification of the Host Key via DNS (to help
prevent leakage)

   -o VerifyHostKeyDNS=no -O CheckHostIP no

I have this set up in my ssh config file (~/.ssh/config) for various hosts
that run SSH as a hidden service, e.g.

    Host myOnion
      Hostname domain # This should be your .onion
      User user # Whatever username you connect with
      IdentityFile ~/.ssh/sshhs1.rsa
      ProxyCommand nc -X 5 -x localhost:9050 %h %p
      VerifyHostKeyDNS no
      CheckHostIP no
      IdentitiesOnly yes


As a slightly shameless plug, more here -
https://www.bentasker.co.uk/documentation/linux/307-building-a-tor-hidden-service-from-scratch-part-1
- including a few bits you might want to look at setting on the VPS itself

> Why would the local SOCKS run on 8080? Tor runs, I think, on 9150?

The -D flag tells SSH to enable Dynamic port forwarding. SSH will then
create it's own SOCKS proxy, and then torsocks will divert SSH out over
Tor's connection (personally I prefer the transparent mode I mentioned
above).

If you wanted to forward a specific port to a specific host, you could
instead use -L, for example

    ssh -L 8080:example.com:443 myvps

Then when you visit https://localhost:8080 you'd get example.com (though
obviously the certificate validation would fail). I used 8080 there as 443
is a privileged port so you'd need to run your SSH command as root to bind
to it.

Incidentally, if you do decide to use Firefox, be aware that by default it
*doesn't* honour the Proxy configuration for DNS, so you'd get some
leakage. To resolve that, do the following

    about:config
    Create a new boolean called *network.proxy.socks_remote_dns* and set it
to True

Depending on what you're accessing and why, you'll want to keep your
"forwarded" browser seperate from your day-to-day clearnet browser.

Ben


On Mon, Mar 14, 2016 at 4:33 PM, <blobby@xxxxxxxxxxxxxxx> wrote:

> The reason, simply, is that I have never used the -D of ssh before!
>
> So am I running torsocks ssh to the VPS and then ssh -D to 8080 at the
> same time?
>
> Why would the local SOCKS run on 8080? Tor runs, I think, on 9150?
>
> I'm sure you're right but could you please spell it out for me. Thanks!
>
>
> On 2016-03-14 13:16, Ben Tasker wrote:
>
>> ) download a browser that allows access from the command line e.g. Lynx
>>>
>> (not TBB).
>>
>> There are potentially valid reasons for doing it this way, but is there a
>> reason you're not thinking of doing
>>
>> ssh -D 8080 myvps
>>
>> And then pointing (say) Firefox at the local socks port on 8080. (i.e. all
>> steps the same except C - so still routing to the VPS via Tor).
>>
>> You'd want to make sure you could acquire the VPS anonymously, there's
>> little point in having Tor in between if the connection appears to
>> originate from a VPS registered in your name, with your card as the
>> billing
>> details.
>>
>> On Mon, Mar 14, 2016 at 1:11 PM, <blobby@xxxxxxxxxxxxxxx> wrote:
>>
>> Let's say I want to access a website and appear to be from country X. I
>>> can't use Tor because there are no exit nodes for Country X.
>>>
>>> Can I:
>>>
>>> a) buy a VPS from a hosting company that provides an IP that is from
>>> Country X?
>>>
>>> b) use torsocks to login to my VPS via ssh.
>>>
>>> c) download a browser that allows access from the command line e.g. Lynx
>>> (not TBB).
>>>
>>> d) access the destination website.
>>>
>>> AUIU, my VPS sees the tor exit node IP but the destination site sees the
>>> VPS IP in Country X.
>>>
>>>
>>> Does this sound viable? Is there an easier way than ssh? If this idea is
>>> sensible, then the command line means I have to use a very basic browser
>>> like Lynx. Correct?
>>>
>>> All ideas / opinions / criticisms / suggestions welcomed.
>>> --
>>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe or change other settings go to
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>
>>>
>>
>>
>> --
>> Ben Tasker
>> https://www.bentasker.co.uk
>>
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>



-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk