Jerry Jacobs 3e67850957 Depend obfuscate job on outputs of others 2024-07-26 15:01:10 +02:00
.github/workflows Depend obfuscate job on outputs of others 2024-07-26 15:01:10 +02:00
docs Initial release production build with github actions for Darwin AMD64 and Windows AMD64 2024-07-26 08:57:53 +02:00
resources Initial working version 2024-07-24 22:57:32 +02:00
vendor Initial working version 2024-07-24 22:57:32 +02:00
.gitignore Add DLL target for windows loading in Python 2024-07-26 13:56:53 +02:00
.goreleaser.yaml Add DLL target for windows loading in Python 2024-07-26 13:56:53 +02:00
LICENSE Initial working version 2024-07-24 22:57:32 +02:00
Makefile Add DLL target for windows loading in Python 2024-07-26 13:56:53 +02:00
README.md Use windows-latest runner 2024-07-26 14:48:51 +02:00
config.go Initial working version 2024-07-24 22:57:32 +02:00
config_template.go Initial working version 2024-07-24 22:57:32 +02:00
go.mod Initial working version 2024-07-24 22:57:32 +02:00
go.sum Initial working version 2024-07-24 22:57:32 +02:00
main.go Initial working version 2024-07-24 22:57:32 +02:00
main.py Create initial python dll loader 2024-07-26 14:12:03 +02:00
main_debug.go Initial working version 2024-07-24 22:57:32 +02:00
main_dll.go Add DLL target for windows loading in Python 2024-07-26 13:56:53 +02:00
main_release.go Initial working version 2024-07-24 22:57:32 +02:00

README.md

socks5-ssh-proxy

If HTTP(S) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a jump server. Beat the (corporate) censorship, and be free!

Background information

The proxy can use SSHFP DNS record verification for extra protection, so the SSH host public key is also checked through a side channel (DNS).

The release build target is fully silent, as os.stdout and os.stderr are written to /dev/null. It also embeds the configuration for the SSH jump host (see config_template.go, which is copied to config_release.go).

Server installation

When using OpenSSH server, a special tunnel user should be created. It must be configured so that no PTY can be created (interactive mode), so the client is unable to execute commands on the SSH jump host.

/etc/ssh/sshd_config

The following OpenSSH daemon options can be set. By default this doesn't allow anyone to log in except users in the system group ssh. It immediately drops the connection instead of sending a response. The system tunnel user needs PermitTTY no set so no shell is possible, only TCP forwarding.

PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 0
ChallengeResponseAuthentication no

Match Group ssh
	# Only key-based may be tried
	MaxAuthTries 3

Match User tunnel
	# Only key-based may be tried
	MaxAuthTries 1
	GatewayPorts yes
	AllowTcpForwarding yes
	PermitTTY no
	PasswordAuthentication no

SSHFP verification

  • Create SSHFP DNS records using ssh-keygen -r <hostname> on the SSH jump host server
  • Configure (public) DNS server with those records
  • Check if records are active with dig SSHFP <hostname> +short
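
How the SSHFP check works, as an added example (not the project's own code; `Fingerprint` and `MatchSSHFP` are hypothetical names and the host key is a constructed sample): the client hashes the host key blob it was offered with SHA-256 and accepts it only if a `dig SSHFP <hostname> +short` record with the matching algorithm number carries that digest. It uses only the Go standard library and assumes the DNS answer itself is trustworthy (for example DNSSEC-validated).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// SSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
var sshfpAlgo = map[string]string{"ssh-rsa": "1", "ssh-dss": "2", "ecdsa-sha2-nistp256": "3", "ssh-ed25519": "4"}

// Fingerprint (hypothetical helper): "<type> <base64 blob>" -> SSHFP algorithm number, SHA-256 hex digest.
func Fingerprint(hostKey string) (algo, digest string, err error) {
	f := strings.Fields(hostKey)
	if len(f) < 2 || sshfpAlgo[f[0]] == "" {
		return "", "", fmt.Errorf("unsupported or malformed host key line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", "", fmt.Errorf("bad key blob: %w", err)
	}
	sum := sha256.Sum256(blob)
	return sshfpAlgo[f[0]], hex.EncodeToString(sum[:]), nil
}

// MatchSSHFP (hypothetical helper): true if a record "<algo> <fptype> <hex>" pins the key; SHA-1 (fptype 1) is skipped.
func MatchSSHFP(hostKey string, records []string) (bool, error) {
	algo, digest, err := Fingerprint(hostKey)
	if err != nil {
		return false, err
	}
	for _, r := range records {
		f := strings.Fields(r) // dig may split a long digest into space-separated groups
		if len(f) >= 3 && f[0] == algo && f[1] == "2" &&
			strings.EqualFold(strings.Join(f[2:], ""), digest) {
			return true, nil
		}
	}
	return false, nil // no matching record: fail closed, do not connect
}

func main() {
	// Constructed sample: an Ed25519 key blob with an all-zero public key.
	key := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + strings.Repeat("A", 40)
	algo, digest, _ := Fingerprint(key)
	fmt.Println(MatchSSHFP(key, []string{algo + " 2 " + digest}))
}
```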

Browsing with Chrome over the proxy

E.g.:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --proxy-server="socks5://127.0.0.1:1337" --user-data-dir="Y:\ChromeProfile"

Detection

It is highly likely this proxy will be detected by virus or malware scanners. This can be a false positive; see https://go.dev/doc/faq#virus.

The following detections have been tested:

  • Microsoft Defender: Trojan:Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
  • Palo Alto Networks, Inc. - Cortex XDR: detected as Suspicious (no fix yet)

Build time dependencies

macOS

  • go
  • upx
  • goreleaser
  • mingw-w64 (for building the Windows DLL)

Development information