About

Tuesday, November 13, 2012

Obfuscate ssh traffic with obfsproxy

While travelling around the globe I wanted to ensure that I could always SSH into my server.. one way or another.. even if I had to use an ISP that was using using deep packet inspection to fingerprint and block SSH (changing the port is not enough). This is why I deployed obfsproxy, should I encounter such nasty and invasive filtering of SSH traffic.


Compile some software

Libevent
  • Download Libevent (I'm using 2.0.20-stable), verify the file with pgp then untar it.
  •  ./configure --prefix=/home/user/tools/libevent2/
  • make && make install
obfsproxy
  • Download obfsproxy, verify and extract it.
  • export libevent_CFLAGS=-I/home/user/tools/libevent2/include
  • export libevent_LIBS="-L/home/user/tools/libevent2/lib -levent"
  • export LD_LIBRARY_PATH=/home/user/tools/libevent2/lib
  • ./autogen.sh && ./configure && make

Setup obfsproxy on the SSH server

  • Set your sshd to listen on 127.0.0.1 port 22. Any server/client combination can be used like this.
  • Allow Incoming tcp 2222 in your firewall.
  • screen obfsproxy --log-min-severity=info obfs2 --shared-secret=password --dest=127.0.0.1:22 server 210.XX.XX.XX:2222

The obfsproxy client

  • The client needs to permit outgoing 2222 tcp if you run a local firewall.
  • screen
  • obfsproxy --log-min-severity=info obfs2 --dest=210.XX.XX.XX:2222 --shared-secret=password client 127.0.0.1:8022
  • make another tab in screen, proceed:
  • ssh-add /media/mount/key
  • ssh user@127.0.0.1 -p 8022