Tunneling SSH over a Proxy Server

Download corkscrew from this site

http://www.agroman.net/corkscrew/

Unpack and compile corkscrew

tar -xzvf corkscrew.tar.gz
cd corkscrew
./configure
make install 

Now create a file in .ssh folder

touch ~/.ssh/config

Now edit that file

vim ~/.ssh/config

and add these lines inside config file

Host *
  ProxyCommand corkscrew http-proxy.example.com 8080 %h %p

Replace http-proxy.example.com with the name or address of your HTTP proxy and, if necessary, replace 8080 with the port on which the proxy listens, which may be 80 or even some other port. The %h and %p will be replaced automatically by SSH with the actual destination host and port.

Now try ssh

ssh user@someserver.org

Replace user and someserver.org with your own. If you get an error like one of these, then your proxy needs authentication

ssh_exchange_identification: Connection closed by remote host
[ OR ]
ssh: connection to host example.net port 22: Connection timed out 

Authenticated proxy connections

Create a file in the .ssh folder

touch ~/.ssh/proxyauth

Edit that file and enter your username and password like this

<username>:<passwd>

Then add the proxyauth file to the ProxyCommand line in your ssh config file

Host *
  ProxyCommand corkscrew http-proxy.example.com 8080 %h %p ~/.ssh/proxyauth
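
The proxyauth file holds the proxy password in plain text, and Host * sends every SSH connection through the proxy. The following added example (not part of the original post) writes the same two files with owner-only permissions and a single Host entry; the function names, the target host argument and reading the credentials from stdin are assumptions.

```sh
#!/bin/sh
# Added example: corkscrew auth file with owner-only permissions.

# setup_corkscrew_auth SSH_DIR TARGET_HOST PROXY PORT
# Reads "<username>:<passwd>" from stdin so it never shows up in argv or ps.
setup_corkscrew_auth() {
    ssh_dir=$1; target=$2; proxy=$3; port=$4
    (
        umask 077                          # new files: owner read/write only
        mkdir -p "$ssh_dir"
        IFS= read -r cred || [ -n "$cred" ]
        printf '%s\n' "$cred" > "$ssh_dir/proxyauth"
        chmod 600 "$ssh_dir/proxyauth"     # also tightens a pre-existing file
        # Scope the proxy to one host instead of "Host *".
        cat >> "$ssh_dir/config" <<EOF
Host $target
  ProxyCommand corkscrew $proxy $port %h %p $ssh_dir/proxyauth
EOF
        chmod 600 "$ssh_dir/config"
    )
}

# auth_file_mode SSH_DIR : permission string of the auth file, e.g. -rw-------
auth_file_mode() {
    ls -l "$1/proxyauth" | cut -c1-10
}
```

Call it as `setup_corkscrew_auth "$HOME/.ssh" someserver.org http-proxy.example.com 8080` and type the credentials line on stdin.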

Happy Hacking 🙂

Squid set download limit and prevent downloads by extension

Open squid.conf file

sudo vim /etc/squid3/squid.conf

Search for reply_body_max_size. You will see a line like this

reply_body_max_size 10 MB

It will limit downloads to 10 MB.

This option specifies the maximum size of a reply body. It can be used to prevent users from downloading very large files, such as MP3s and movies.

To prevent download of a particular file type you can use regular expressions

acl mp3_ext url_regex -i \.mp3$

This ACL matches mp3 downloads. The http_access line that blocks them is

http_access deny mp3_ext

To prevent YouTube streaming

acl flash rep_mime_type video/x-flv

and the http_reply_access line for it is

http_reply_access deny flash

We can also group several file types in one file and have Squid block all of them

acl denied_filetype url_regex "/etc/squid3/denied_filetype"

The types listed in the file denied_filetype will now be blocked by the http_access line below

http_access deny denied_filetype
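
An added example, not from the original post, for checking what a pattern list like denied_filetype really matches before relying on it. It runs grep -E, which like Squid works with POSIX extended regular expressions, over constructed URLs; the patterns, URLs and function names are assumptions. It shows that \.mp3$ misses a URL with a query string and that matching is case-sensitive unless -i is given.

```sh
#!/bin/sh
# Added example: preview what a Squid url_regex pattern file would match.

# Constructed pattern file, one extended regex per line.
make_denied_list() {
    cat > "$1" <<'EOF'
\.mp3$
\.avi$
\.exe(\?.*)?$
EOF
}

# Constructed sample requests.
sample_urls() {
    cat <<'EOF'
http://media.example/song.mp3
http://media.example/SONG.MP3
http://media.example/song.mp3?dl=1
http://dl.example/setup.exe?mirror=2
http://docs.example/mp3-guide.html
EOF
}

# urls_blocked FILE [-i] : print the URLs on stdin matched by any pattern.
# Pass -i to mirror "url_regex -i" (case-insensitive matching).
urls_blocked() {
    grep -E $2 -f "$1" || true   # no match is a valid result, not an error
}

# count_blocked FILE [-i] : number of sample URLs that would be denied.
count_blocked() {
    sample_urls | urls_blocked "$1" "$2" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    list=$(mktemp); make_denied_list "$list"
    echo "case-sensitive:";   sample_urls | urls_blocked "$list"
    echo "case-insensitive:"; sample_urls | urls_blocked "$list" -i
    rm -f "$list"
fi
```

The song.mp3?dl=1 request is matched in neither mode, while the .exe pattern with the optional query-string group still catches setup.exe?mirror=2.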

 

Squid user authentication

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords.

Create the password file. The name of the password file should be /etc/squid3/squid_passwd, and you need to make sure that it is universally readable

touch /etc/squid3/squid_passwd

chmod o+r /etc/squid3/squid_passwd

Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. In this case, you add a user called admin

htpasswd /etc/squid3/squid_passwd admin

New password:

Re-type new password:

Adding password for user admin

Find your ncsa_auth file using the locate command.

locate ncsa_auth

/usr/lib/squid3/ncsa_auth

Edit squid.conf. Specifically, you need to define the authentication program in squid.conf, which in this case is ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

A modified version of my ACL and http_access lines might look like this

acl my_network src 192.168.1.0/24
acl ncsa_users proxy_auth REQUIRED
acl work_hours time SMTWHFA 07:00-21:00

http_access allow  my_network ncsa_users work_hours

Restart squid 🙂

[Screenshot from 2012-12-10 11:51:15]

If denied:

[Screenshot from 2012-12-10 11:51:24]

Squid Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network. ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Adding my network to an ACL.

I can add it in two ways like this

acl my_network src 192.168.1.0/24

or

acl my_network src 192.168.1.0/255.255.255.0

Both mean that my network runs from 192.168.1.0 to 192.168.1.255

Now, in the http_access section, allow this network to access the Internet

http_access allow my_network

Restricting Web Access By Time

You can create access control lists with time parameters; that is, you can allow Internet access only during working hours, and so on. Add an ACL for time

acl work_hours time SMTWHFA 08:00-17:00

SMTWHFA represents Sunday to Saturday.

Please ensure there is no space inside the time range, as it may cause an error.

Now modify http_access to include the time ACL

http_access allow  my_network  work_hours

Now the machines under my_network will get internet connection only during working hours
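
The first-match rule and the time ACL described above, as an added example that is not Squid code or part of the original post: a small shell model that evaluates http_access lines top to bottom, requires every ACL on a line to match, and shows a broad allow shadowing the time limit. Function names, the sample request values and the string-prefix test for 192.168.1.0/24 are simplifying assumptions.

```sh
#!/bin/sh
# Added example: simplified model of http_access evaluation (not Squid code).

# time_acl_matches DAYS RANGE DAY NOW -> exit 0 if DAY is in DAYS and
# NOW (HH:MM) lies inside RANGE (HH:MM-HH:MM). Day codes: S M T W H F A.
time_acl_matches() {
    case "$1" in *"$3"*) ;; *) return 1 ;; esac
    start=$(printf '%s' "${2%-*}" | tr -d :)
    end=$(printf '%s' "${2#*-}" | tr -d :)
    now=$(printf '%s' "$4" | tr -d :)
    [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]
}

# matching_acls SRC_IP DAY NOW -> names of the page's ACLs that are true.
# The /24 test is a string-prefix shortcut that only works for this network.
matching_acls() {
    out=""
    case "$1" in 192.168.1.*) out="my_network" ;; esac
    if time_acl_matches SMTWHFA 08:00-17:00 "$2" "$3"; then out="$out work_hours"; fi
    printf '%s' "$out"
}

# decide RULES SRC_IP DAY NOW -> action of the first http_access line whose
# ACLs all match; later lines are never consulted.
decide() {
    true_acls=" $(matching_acls "$2" "$3" "$4") all "
    printf '%s\n' "$1" | while read -r kw action acls; do
        [ "$kw" = "http_access" ] || continue
        ok=1
        for a in $acls; do
            case "$true_acls" in *" $a "*) ;; *) ok=0 ;; esac
        done
        if [ "$ok" = 1 ]; then printf '%s\n' "$action"; break; fi
    done
}

GOOD='http_access allow my_network work_hours
http_access deny all'
# Same rules with a broader allow placed first: the time limit never applies.
SHADOWED='http_access allow my_network
http_access allow my_network work_hours
http_access deny all'
```

For a request from 192.168.1.20 on Monday at 22:00, `decide "$GOOD" 192.168.1.20 M 22:00` yields deny while the SHADOWED list yields allow.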

Installing and Configuring squid proxy server on ubuntu server

I am using Ubuntu 12.04 Server Edition for this purpose. Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP.

Installation

sudo apt-get install squid3

Configuration

Squid is configured by editing the directives contained within the /etc/squid3/squid.conf configuration file. First make a backup copy of the squid.conf file: copy /etc/squid3/squid.conf and protect the copy from writing with the following commands entered at a terminal prompt

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
sudo chmod a-w /etc/squid3/squid.conf.original

By default Squid listens on TCP port 3128. We can change the port by editing the squid.conf file.

sudo vim /etc/squid3/squid.conf

Search for http_port and change the http_port directive as you wish. I am changing it to 8888.

http_port 8888

After changing the settings, restart Squid. Either of these commands will do it

sudo /etc/init.d/squid3 restart
or
sudo service squid3 restart