First, let’s check our IP address, so we can verify that our proxy is working later on. If we go to Google and type “what is my ip” the Google will be nice enough to tell us!

Next, you will need access to one or more SSH servers that allow proxying. You can do a search for free ssh proxy and hopefully get a list of servers that you can use for this exercise. It is becoming harder to get free SSH proxy’s, so you might have to make friends with a server admin in order to get an account…

Let’s make our initial connection, by running the following command:

ssh -2 -C -D 55555 -L 55556:127.0.0.1:55556 -L 55557:127.0.0.1:55557 user1@host1.domain-one.tld

(If you are on a Windows machine using PuTTY, you can create a shortcut to the putty.exe file with the same flags)
This will create our initial connection with a SOCKS proxy on port 55555, while allowing two more forwards for additional servers. If you wanted, you could create additional -L PORT:127.0.0.1:PORT combinations to add additional servers.

The first -D 55555 in the initial connection string above creates our first proxy forward to the first destination server (host1.domain-one.tld in the example above). The following -L 55556:127.0.0.1:55556 lets us forward through port 55556. Similarly, the -L 55557:127.0.0.1:55557 lets us create another forwarding hop.

If you now use port 55555 in your proxy configuration with the SOCKS host set as localhost, you will be forwarding your traffic through the SOCKS proxy connection we just created! You can verify this by again going to Google and searching “what is my ip”.

Next, from the SSH connection of our first server, we will open a proxy to our second server like this:

ssh -2 -C -D 55556 -L 55557:127.0.0.1:55557 user2@host2.domain-two.tld

This will create a SOCKS proxy through our second server on port 55556. Now, all we have to do is change our SOCKS port to use 55556, and we will be going through two hosts! Again, you can verify this with Google.

Finally, from this second SSH connection, we will open a third connection, like so:

ssh -2 -C -D 55557 user3@host3.domain-three.tld

Using port 55557, we will now have a proxy going through all three servers! Also, you can simply change the port, and change which server is your exit node.

That was pretty easy! If you are using Firefox, it is really easy to change the proxy setup within the Options – Advanced – Network – Connection Settings menu. Just use the manual proxy configuration, with 127.0.0.1 as the SOCKS host, and one of the ports from above.

Finally, here is what the three connection strings look like. You should be able to figure out how to add extra hops!

ssh -2 -C -D 55557 -L 55556:127.0.0.1:55556 -L 55555:127.0.0.1:55555 user1@host1.domain-one.tld
ssh -2 -C -D 55556 -L 55555:127.0.0.1:55555 user2@host2.domain-two.tld
ssh -2 -C -D 55555 user3@host3.domain-three.tld

One of the first things we need to do is create a user account for our self. Whenever we are logged in, we should be a normal user, not a super-user! This is one of the biggest problems with Windows operating systems; normal users are given administrative privileges by default. When you download something malicious on a Windows PC, the malicious software can easily wreak havoc on your computer, because you have the permissions necessary to do so! Under Linux, we are just a normal user, and only request administrative (root) privileges when necessary. This way, even if I did download a virus on my Linux machine, unless I executed the virus as root, there is very little damage that the virus can do, because my normal user only has a restricted set of privileges.

Create a new user using the useradd command. This will allow us to add a new user, and then we can create a password for this new user using the passwd command. So, go ahead and create a new account for yourself, as I am doing below. Replace [username] with your desired username. Remember that we have to be an administrative (root) user to run the useradd command.

[root@machine ~]# useradd [username]
[root@machine ~]# passwd [username]
Changing password for user username.
New UNIX Password:
Retype new UNIX password:
Passwd: all authentication tokens updated successfully.
[root@machine ~]#

Next, we will need to enable sudo access for our newly created user, so that we will still be able to run commands as root. To do this, run the visudo command, and add the following line to the bottom of the file, replacing [username] with the username you created above.

[username]		ALL=(ALL)	ALL

The visudo command will have you editing the sudoers file with the vi editor. If you’re not familiar with vi, here are some basics. Pressing i will put you into insert mode, where you can make changes much like any other editor. Pressing esc will take you out of the editor mode. You can then type :wq! to write your changes and exit, or just :q! to quit without saving.

Now that we have our own user account set up, and our user has sudo access, we want to disable root SSH logins. Script kiddies will often search for machines configured with weak root passwords, and gain access using a brute-force or dictionary password attack. I’ve seen it before; wallpaper isn’t a very good choice for a root password… But for some extra security, lets disable the ability of root logging on via SSH.

First, open /etc/ssh/sshd_config in your favorite text editor, and find the line containing PermitRootLogin and change the entire line to this:

PermitRootLogin no

Now, to make our changes to the sshd_config file take effect, we must restart the SSHD service. Run a simple service sshd restart as root, and you should see something like this:

[root@machine ~]# service sshd restart
Stopping sshd:								[  OK  ]
Starting sshd:								[  OK  ]
[root@machine ~]#

Now, before going any further, test that you can log in with the account that you created earlier, and that you can use the sudo -i command to enter an interactive sudo session. If everything is working, then lets keep going! BARK!

Next, we can optionally change the port that SSH is listening on. There are some pro’s and con’s of changing the port. We can hopefully avoid some of the script kiddies who are only scanning port 22. This won’t keep any determined hacker from finding the port number with a simple nmap command however. Also, if you change the port, keep the port number below 1024. Only users in the root group can listen on ports below 1024, so a standard user can’t replace our SSH daemon with their own, listening to incoming requests, stealing passwords, etc.

To change the SSH listening port, open /etc/ssh/sshd_config in your favorite text editor, find the Port 22 line, and change it to look like the line below:

Port 1000

This will have our SSHD server listening to port 1000 for SSH connections. Note that we must again restart the sshd service for our changes to take effect.

That should take care of securing our SSHD configuration. Next time we can work on configuring our firewall!