{"id":247,"date":"2017-12-04T14:43:53","date_gmt":"2017-12-04T14:43:53","guid":{"rendered":"http:\/\/wp.spoton.cz\/?p=247"},"modified":"2017-12-04T14:43:53","modified_gmt":"2017-12-04T14:43:53","slug":"reverse-ssh-proxy-with-systemd","status":"publish","type":"post","link":"https:\/\/spoton.cz\/index.php\/2017\/12\/04\/reverse-ssh-proxy-with-systemd\/","title":{"rendered":"Reverse SSH proxy with SystemD"},"content":{"rendered":"<p>You have a really shitty ISP (Internet Service Provider) and have no way to port forward, or are behind 10,000 billion firewalls and NAT things. Do you cry, or do something with it? If you want to have your Home \/ ServerRoom \/ AnyOtherCrapLocation accessible and do not have to administer a shitload of users, then<!--more--><\/p>\n<h3>First, unfortunately, you need a server well outside, out there, in the internet.<\/h3>\n<p>Try out www.digitalocean.com ($5 \/ month) or\u00a0www.aruba.it (1\u20ac \/ month) and set up a server, that you can connect to, from within your alcatraz environment. Or (mis)use a friend, that has one.\u00a0<\/p>\n<p>We&#8217;ll call this host<strong>\u00a0&#8220;freetown&#8221;<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3>Second, you need a constantly running machine inside your impenetrable environment<\/h3>\n<p>Buy a raspberry, honestly. You can use a laptop, or a table PC, but it just consumes a lot of energy. RasPi is quite OK for this kind of application. Consumption is well below 500mA at 5V. Which translates to 2.5W at peak usage (60Wh a day -&gt; 21.915kWh \/ year). The cost? Something around $4 a year.<\/p>\n<p>This will more likely be a 15kWh \/ year, based on usage &#8211; $3?. 
Cool, for comparison, a very decent, new fridge consumes 280 kWh \/ year.\u00a0<\/p>\n<p>Use a Raspbian image to boot it, as this section covers systemd services.<\/p>\n<p>We shall call this host <strong>&#8220;alcatraz&#8221;<\/strong><\/p>\n<h3>Third, you need to set it up, so there is absolute trust and security.<\/h3>\n<p>This is kinda tricky, best left to somebody that keeps up with all the security stuff daily (mind you, I am an IT guy myself, but cannot keep track of that all the time)<\/p>\n<p>alcatraz needs to see freetown. (even a cell window is fine)<\/p>\n<pre>pi@alcatraz:~ $ ping freetown\nPING freetown (42.56.213.311) 56(84) bytes of data.\n64 bytes from 42.56.213.311 (42.56.213.311): icmp_seq=1 ttl=45 time=134 ms\n64 bytes from 42.56.213.311 (42.56.213.311): icmp_seq=2 ttl=45 time=129 ms\n64 bytes from 42.56.213.311 (42.56.213.311): icmp_seq=3 ttl=45 time=133 ms\n64 bytes from 42.56.213.311 (42.56.213.311): icmp_seq=4 ttl=45 time=129 ms\n64 bytes from 42.56.213.311 (42.56.213.311): icmp_seq=5 ttl=45 time=135 ms\n^C\n--- freetown ping statistics ---\n5 packets transmitted, 5 received, 0% packet loss, time 4005ms\nrtt min\/avg\/max\/mdev = 129.408\/132.570\/135.527\/2.613 ms<\/pre>\n<p>The prisoner at alcatraz which was put there by the guards (root)&#8230;<\/p>\n<pre>pi@alcatraz:~\/$ sudo -i\nroot@alcatraz:~\/$ useradd prisoner -m -s \/bin\/bash\nroot@alcatraz:~\/$ id prisoner\n  uid=1002(prisoner) gid=1002(prisoner) groups=1002(prisoner),100(users)<\/pre>\n<p>needs a new identity in freetown&#8230; he must know some people, though, the <strong>sshusers<\/strong><\/p>\n<pre>user@freetown:~\/$ sudo -i\nroot@freetown:~\/$ useradd freeman -m -s \/bin\/bash -G sshusers\nroot@freetown:~\/$ id freeman\nuid=1003(freeman) gid=1004(freeman) groups=1004(freeman),<strong>1001(sshusers)<\/strong><\/pre>\n<p>And of course the prisoner needs keys to freetown, and they need to know him in freetown.<\/p>\n<h3>a, generate keys<\/h3>\n<pre>prisoner@alcatraz:~ $ 
ssh-keygen \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/prisoner\/.ssh\/id_rsa): \nCreated directory '\/home\/prisoner\/.ssh'.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/prisoner\/.ssh\/id_rsa.\nYour public key has been saved in \/home\/prisoner\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:TWUqY15gsY\/Xc6o1Be3gBR1YnfWPxEBYZjs9qRE5G2o prisoner@plutonium-dev\nThe key's randomart image is:\n+---[RSA 2048]----+\n|        +. +@=oo+|\n|   .   o.*  =O.oo|\n| =        +.*+O .|\n|      o OEo.X o. |\n|    S.+   = = .  |\n|     . =         |\n|     +           |\n|   o      .      |\n|  .              |\n+----[SHA256]-----+<\/pre>\n<h3>b, distribute keys<\/h3>\n<p>First, list the public key generated in alcatraz<\/p>\n<pre>prisoner@alcatraz:~ $ cd .ssh\nprisoner@alcatraz:~\/.ssh $ cat id_rsa.pub \nssh-rsa AAAAB3mcoisdjcnXw[spldm0923jdlksmKLJmHRU\/\/xH1VCt+\/Ep5G1gXZqYFLaoWyh2tM6xnu9CJCIJp9aEkojsdfoijOIJjkosndfoijqwMI7Oc\/fbZ9Mps3lctuq2ciAiejuoKfW7HKL33jHxOl77uehSLUrxJu9uY5bW0GFqz5CyCHuW5SNrKU2Avf1et644uKqde4ihlkms9qmwdlkmLKNLIJFwknmsfeBQD prisoner@alcatraz<\/pre>\n<p>and let it be known in freetown (note the space between the key type and the key data; without it sshd will not parse the line)<\/p>\n<pre>freeman@freetown:~$ echo 'ssh-rsa AAAAB3mcoisdjcnXw[spldm0923jdlksmKLJmHRU\/\/xH1VCt+\/Ep5G1gXZqYFLaoWyh2tM6xnu9CJCIJp9aEkojsdfoijOIJjkosndfoijqwMI7Oc\/fbZ9Mps3lctuq2ciAiejuoKfW7HKL33jHxOl77uehSLUrxJu9uY5bW0GFqz5CyCHuW5SNrKU2Avf1et644uKqde4ihlkms9qmwdlkmLKNLIJFwknmsfeBQD prisoner@alcatraz' &gt;&gt; \/home\/freeman\/.ssh\/authorized_keys<\/pre>\n<p>is it there?<\/p>\n<pre>freeman@freetown:~$ cat \/home\/freeman\/.ssh\/authorized_keys\nssh-rsa AAAAB3mcoisdjcnXw[spldm0923jdlksmKLJmHRU\/\/xH1VCt+\/Ep5G1gXZqYFLaoWyh2tM6xnu9CJCIJp9aEkojsdfoijOIJjkosndfoijqwMI7Oc\/fbZ9Mps3lctuq2ciAiejuoKfW7HKL33jHxOl77uehSLUrxJu9uY5bW0GFqz5CyCHuW5SNrKU2Avf1et644uKqde4ihlkms9qmwdlkmLKNLIJFwknmsfeBQD prisoner@alcatraz<\/pre>\n<p>Yep, good to go, the prisoner now 
has free access to freetown<\/p>\n<h3>c, test it out<\/h3>\n<p>The connection:<\/p>\n<pre>prisoner@alcatraz:~ $ ssh freeman@freetown<\/pre>\n<p>The tunnel:<\/p>\n<pre>prisoner@alcatraz:~ $ ssh -R 5013:localhost:22 freeman@freetown\nfreeman@freetown:~ $ ssh prisoner@localhost -p 5013\n\nThe authenticity of host '[localhost]:5013 ([127.0.0.1]:5013)' can't be established.\nECDSA key fingerprint is aa:77:22:4e:11:3e:16:f0:4c:xy:bc:ad:24:9a:94:bb.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added '[localhost]:5013' (ECDSA) to the list of known hosts.\nprisoner@localhost's password:\nLinux plutonium-dev 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Jan 8 13:12:46 2018 from 192.168.5.114<\/pre>\n<p>Tadaaa, now let&#8217;s get the SystemD service running&#8230;<\/p>\n<p>&nbsp;<\/p>\n<h3>Fourth, you&#8217;ll need to set up a systemd service on the insider \/ alcatraz (Raspberry PI), FINALLY<\/h3>\n<p>For this, just switch to root<\/p>\n<pre>pi@alcatraz:~\/$ sudo -i<\/pre>\n<p>and create a file in <strong>\/etc\/systemd\/system\/freedom.service<\/strong>. 
You can name it any name you want (anything.service), just make a note what it is.<\/p>\n<pre>root@alcatraz:~\/$ echo '\n[Unit]\nDescription=Forward local SSH port to remote host\nAfter=network-online.target\nBefore=multi-user.target\nDefaultDependencies=no\n\n[Service]\n# SSH connection uses the private key stored in this\n# users home dir (~\/.ssh\/)\nUser=prisoner\n\n# SSH connection with port forwarding\n# Forwards local port 22 to port 1234 on freetown\n# NOTE: StrictHostKeyChecking=no together with UserKnownHostsFile=\/dev\/null\n# disables host key verification of freetown, so a man-in-the-middle could\n# impersonate it. Safer: drop both options and pin freetown in\n# \/home\/prisoner\/.ssh\/known_hosts once (the manual ssh test above does this).\nExecStart=\/usr\/bin\/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -o ServerAliveInterval=20 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes -N -T -R1234:localhost:22 freeman@freetown\n\n# wait 60 seconds before trying to restart the connection\n# if it disconnects \nRestartSec=60\n\n# keep retrying no matter what\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n' &gt; \/etc\/systemd\/system\/freedom.service<\/pre>\n<p>Service would love to be started right after boot<\/p>\n<pre>root@alcatraz:~<span class=\"hljs-comment\"># systemctl enable freedom<\/span> \nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/freedom.service to \/etc\/systemd\/system\/freedom.service.<\/pre>\n<p>Before you reboot, just for&#8230; just because&#8230;<\/p>\n<pre>root@alcatraz:~\/<span class=\"hljs-comment\"># systemctl start freedom<\/span> <\/pre>\n<p><span class=\"hljs-comment\">check how it went<\/span><\/p>\n<pre>root@alcatraz:~\/<span class=\"hljs-comment\"># journalctl -u freedom<\/span> \n  Jun 25 18:03:00 alcatraz systemd[1]: Starting SSH reverse tunnelling... \n  Jun 25 18:03:00 alcatraz systemd[1]: Started SSH reverse tunnelling. \n  Jun 25 18:03:01 alcatraz ssh[23582]: Warning: Permanently added <span class=\"hljs-string\">'freetown'<\/span> (ECDSA) to the list of known hosts.<\/pre>\n<h3>Fifth, go for it<\/h3>\n<p>As it goes, most of the people want business. 
And smuggling stuff into prisons is a very profitable business &#8211; and this whole exercise was nothing else.\u00a0<\/p>\n<p>So, we want to be able to access alcatraz from our freetown on the internet, via the tunnel that the prisoner user dug out for us. Well, let&#8217;s do it.\u00a0<\/p>\n<p>It starts in freetown (localhost) on the port 1234 and exits in alcatraz on port 22 (default ssh port)<\/p>\n<p>The freetown user can be any kind of user that is able to execute ssh. In alcatraz, you are able to reach any user (prisoner or ward) that is defined on the prison system.<\/p>\n<pre>user@freetown:~$ ssh prisoner567@localhost -p 1234<\/pre>\n<h3>A final note on port forwarding and ssh tunneling<\/h3>\n<p>As privileged ports cannot be opened by users other than root, it is quite a struggle to have a reasonable &#8220;standard&#8221; port forwarded anywhere. If you wish to establish a tunnel between 2 servers, using standard users AND have ports with a number lower than 1000 tunneled, you better prepare a two step approach.\u00a0<\/p>\n<h4>Create a tunnel on a non-privileged port:<\/h4>\n<p><span style=\"font-size: 10pt;\">The 0.0.0.0:4433 is the ip address and port the tunnel listens on in freetown, the latter portion is the host:port in the local network, confused? Binding to 0.0.0.0 instead of loopback only works if freetown&#8217;s sshd has GatewayPorts enabled (sshd_config); otherwise the listener stays on 127.0.0.1 and the redirect below never reaches it.<\/span><\/p>\n<pre>prisoner@alcatraz:~$ ssh -R 0.0.0.0:4433:localhost:443 freeman@freetown<\/pre>\n<h4>On the &#8220;outside&#8221; or &#8220;freetown&#8221; system, enable port forwarding as root (here you need to be root, albeit just once, not ssh root enabled):<\/h4>\n<p><span style=\"font-size: 10pt;\">This takes whatever comes in on port 443 (https) on the freetown host and will redirect it to port 4433 (which is sucked in through the tunnel and ends up in alcatraz)<\/span><\/p>\n<pre>iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4433\n# list out entries...\niptables -t nat -L<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>You have a really shitty ISP (Internet 
Service Provider) and have no way to port forward, or are behind 10,000 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":363,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,9],"tags":[],"_links":{"self":[{"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/posts\/247"}],"collection":[{"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/comments?post=247"}],"version-history":[{"count":0,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/posts\/247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/media\/363"}],"wp:attachment":[{"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/media?parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/categories?post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/spoton.cz\/index.php\/wp-json\/wp\/v2\/tags?post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}