
When I start an ssh SOCKS5 proxy like this: ssh user@localhost -D 0.0.0.0:1080, it allows anyone to connect to localhost, e.g. curl --socks5 server.com localhost:12345, which can be a security issue for services that consider connections from localhost to be safe and ask for no authentication (there are plenty of examples).

The question is, how do I forbid ssh from connecting to localhost on behalf of SOCKS5 clients?

igor
  • Why are you having your proxy listen on all the IPs? -D 1080 without the 0.0.0.0 should limit it to localhost. The IP address is optional. – yoonix Jun 01 '18 at 17:49
  • @yoonix I want it to be available from everywhere for anybody, but I don't want anybody to connect to my own server, only to the internet through my server – igor Jun 01 '18 at 18:50

1 Answer


The ssh SOCKS implementation doesn't have many features. I'd use a more robust SOCKS proxy.

However, you can use iptables to accomplish this. Something like:

# the owner match only works in the OUTPUT (and POSTROUTING) chains, and chain names are case-sensitive
iptables -A OUTPUT -o lo -m owner --uid-owner userid -j REJECT
Mark Wagner
  • If it's not possible with ssh, that's an answer! Which SOCKS proxy would you recommend if I don't want to spend a lot of time configuring it? – igor Jun 01 '18 at 18:51
  • I'd try the iptables rule. I don't have a SOCKS proxy recommendation. If squid supported SOCKS I'd recommend it, but it doesn't. 3proxy.ru looks like it supports ACLs, but I have never used it. – Mark Wagner Jun 01 '18 at 19:00
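The answer suggests a SOCKS proxy with real access control instead of ssh's -D. The following is an added example written for this page, not code from the thread or from any project named in it: a minimal SOCKS5 CONNECT proxy (Python 3.8+, standard library only) that refuses any destination resolving to loopback, link-local, or the host's own addresses, so a client going through it cannot reach a service that trusts connections from localhost. The wire format follows RFC 1928; the deny list, the function and constant names, and the policy of rejecting a hostname outright when any of its records is forbidden are choices of this example. The sample request bytes used to exercise the parser are constructed, not captured traffic.

```python
"""Minimal SOCKS5 CONNECT proxy with a destination ACL: an added example, not code
from the thread. It refuses targets that resolve to loopback, link-local or this
host's own addresses, so clients cannot reach services that trust localhost."""
import asyncio
import ipaddress
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_OK, REP_RULESET, REP_BAD_CMD = 0, 2, 7   # reply codes, RFC 1928 section 6
# Destinations a client must never reach through the proxy (chosen for this example).
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",        # loopback: the case from the question
    "169.254.0.0/16", "fe80::/10",   # link-local, incl. cloud metadata endpoints
)]

def target_is_forbidden(ip_text, local_addrs=frozenset()):
    """True if a resolved destination IP must not be connected to."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in FORBIDDEN_NETS) or str(ip) in local_addrs

def allowed_address(resolved_ips, local_addrs=frozenset()):
    """First resolved IP, or None if any record is forbidden (a name mixing public and loopback records is refused)."""
    ips = list(resolved_ips)
    return None if not ips or any(target_is_forbidden(ip, local_addrs) for ip in ips) else ips[0]

def parse_request(data):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port); ValueError if malformed."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode("ascii"), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("truncated request")
    return cmd, host, struct.unpack("!H", rest)[0]

def build_reply(rep, bind_ip="0.0.0.0", bind_port=0):
    """Server reply: VER REP RSV ATYP=IPv4 BND.ADDR BND.PORT."""
    return struct.pack("!BBBB4sH", SOCKS_VERSION, rep, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(bind_ip).packed, bind_port)

async def read_request(reader, writer):
    """Negotiate 'no authentication' and read the variable-length request bytes."""
    ver, nmethods = await reader.readexactly(2)
    if ver != SOCKS_VERSION or 0 not in await reader.readexactly(nmethods):
        writer.write(bytes([SOCKS_VERSION, 0xFF]))       # no acceptable method
        raise ConnectionAbortedError("client offers no usable auth method")
    writer.write(bytes([SOCKS_VERSION, 0]))
    head = await reader.readexactly(4)                   # VER CMD RSV ATYP
    if head[3] == ATYP_DOMAIN:
        n = await reader.readexactly(1)
        return head + n + await reader.readexactly(n[0] + 2)
    return head + await reader.readexactly({ATYP_IPV4: 6, ATYP_IPV6: 18}.get(head[3], 0))

async def pipe(src, dst):
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()

async def handle_client(reader, writer, local_addrs=frozenset()):
    try:
        cmd, host, port = parse_request(await read_request(reader, writer))
        if cmd != CMD_CONNECT:
            return writer.write(build_reply(REP_BAD_CMD))
        # Resolve here (curl --socks5 sends an IP, --socks5-hostname sends the name),
        # check every record, then connect to the checked IP, never to the name.
        infos = await asyncio.get_running_loop().getaddrinfo(host, port, type=socket.SOCK_STREAM)
        ip = allowed_address([info[4][0] for info in infos], local_addrs)
        if ip is None:
            return writer.write(build_reply(REP_RULESET))
        remote_reader, remote_writer = await asyncio.open_connection(ip, port)
        writer.write(build_reply(REP_OK))
        await asyncio.gather(pipe(reader, remote_writer), pipe(remote_reader, writer))
    except (asyncio.IncompleteReadError, ValueError, OSError):
        pass                             # malformed request, resolver or peer failure: hang up
    finally:
        writer.close()

async def main(listen="0.0.0.0", port=1080):
    # This host's own addresses join the deny list; if the hostname does not resolve, fail closed.
    local_addrs = frozenset(i[4][0] for i in socket.getaddrinfo(socket.gethostname(), None))
    server = await asyncio.start_server(lambda r, w: handle_client(r, w, local_addrs), listen, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Run it on the server and the request from the question fails with SOCKS5 reply 2 (connection not allowed by ruleset) whether the client sends the name (curl --socks5-hostname) or resolves it first and sends 127.0.0.1 (curl --socks5); the check happens after the proxy's own resolution and the connection goes to the checked IP, so a name cannot be re-resolved to loopback between check and connect. Compared with the iptables route in the answer, note that an OUTPUT rule matching every loopback packet from the user's uid also rejects the ssh user@localhost session itself when the client runs as that same user, and needs an ip6tables counterpart for ::1; the in-proxy ACL needs neither.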