Everyone put on your
data miner hardhat, we're gonna build an SSH tunnel! But first, just in case somebody in the back put on a
dunce cap instead of a hardhat, let's have a lesson.
"A 'ssh' tunnel? So it's supposed to be quiet?"
Nice try. But this node is about helping you with a problem you didn't even know you had! If you use a computer, this applies to you. If you don't use a computer and you're reading this, just use telepathy to read the information from my mind. Otherwise, can the chatter, we're going to learn about HTML, HTTP and TCP/IP for a second.
When you go to a web site the information is transferred to your computer as text. Noders have a small, small taste of what it takes just to format a few paragraphs on a web page. HTML is used to define how the content of a page will be displayed in your web browser. The marked-up page is handed to HTTP for transmission. HTTP encapsulates whatever it is given and sends it down to TCP/IP for network transmission. Notice I didn't say HTTP encrypts anything; if HTTP gets the data in clear text, HTTP sends the data in clear text. This means that anything you read online could be sent unencrypted across the net, readable by anyone on the path just as clearly as you're reading this now. What's more, instant messaging and the classic email protocols (POP and SMTP) are clear text unless somebody went to the trouble of wrapping them in SSL/TLS, and plenty of people haven't; everything you read in email is easy pickings for attackers. Would you send all of your snail mail, including your bank statements, taxes and bills, in clear plastic envelopes? Probably not. Some services offer secure HTTP connections (HTTPS), but "some" isn't "all," is it?
The second half of the double whammy is TCP/IP. TCP/IP is the set of protocols that pushes the data from your computer to a web server and back. The problem (but actually, the beauty) of TCP/IP is the way it pushes the data from source to destination. Before your computer transmits data, it needs the source and destination. It is the source. Thanks to DNS, your computer knows the destination. So it queues up a packet of data, slaps a "To:" and "From:" label on it, pins some lunch money to its chest (not forgetting its mittens) and sends it down the road. The data then hops from router to router based on the routing protocols. However, at any one of these routers, someone with administrator access (or anyone tapping the wire in between) can view or capture the contents of this data packet. We're looking at the equivalent of sending that plastic wrapped tax return through the United States Postal Service. Not very appealing, no?
Coming in Loud and Clear
So far, I have been speaking with a wired internet in mind. The router hopping takes place no matter what type of internet you have, wired or wireless. However, wireless internet is a security disaster on top of that. Many people run no encryption on their home networks, and most public internet is . . . ya know, public. So no encryption there either. This is why we build an SSH tunnel: no matter where we wirelessly connect to the net, we're going to have a secure connection back to a machine we trust.
When you use a wireless network, you're sending out signals in every direction. If anybody out there can "hear" your transmission, it is trivial to capture that packet. If you have no encryption, you've already lost the war. If you have WEP, the attacker may chuckle before reading your private email. Congratulations, not only did you give the attacker your Social Security number, but you got him to laugh. You made his day twice over!
Fuck that. Time to give Chuckles the slip.
Tunnel Vision
The magic of SSH is the strong encryption it provides between its two endpoints, your machine and the SSH server, across the intertron. The quintessential use is logging in to *nix boxes over the net and using a command line interface to interact with the machine for file retrieval, distributed computing or administration. Regardless of what you put into the tunnel, it is encrypted with SSH between those two ends. Now we have a lead wrapper, welded shut, on that tax return. Get through that, bitches!
Thanks to the strength of SSH encryption, even if someone intercepts the data packets, there is a very low chance that they'll ever be able to read them. Why bother wasting enough computer power to play a million games of Counter-Strike when some clowns are sending Important Data in clear text? Hackers have Twinkies to eat, so there's no good reason to waste time cracking SSH traffic with all those unprotected bits sailing back and forth on the network.
Tools of the Trade
To pull this off, we're going to need a few tools for setup. In this writeup, we're only going to cover setting up an SSH tunnel between two *nix boxes because involving even one Windows machine is a pain in the food waste dumping port. Google it up if you must know.
- A remote machine that you have administrator access for. Like the desktop you have sitting at home while you're out cavorting around with your laptop.
- A local machine that you have administrator access for. Like the laptop you are sitting in front of while you're on the run in the big, wide world.
- The OpenSSH installation files.
Hint: They're on the internet.
- Some proxy server installation files. Grab Privoxy from the web.
- An SSH client. On *nix that's the ssh command that comes with OpenSSH, which you almost certainly have already. If the laptop happens to be a Windows box after all, PuTTY is free and requires no installation.
- A web browser on your local machine (the laptop you're traveling with).
Note: I will give instructions for the Firefox browser using the SwitchProxy extension. Get them both.
If this doesn't work straight off the bat, check the notes at the end of the writeup before flipping your shit.
- Install the OpenSSH software on the remote machine.
You probably already have an ssh server. There are too many distros for me to walk you through this, but you can try to /msg for help.
- Install Privoxy on the remote machine. Again, the number of distros prevents me from telling you exactly how to do this. Just check your package manager.
- Start Privoxy. Guess whether or not you think I can tell you exactly how to do this. Check the Privoxy homepage if you need help. On a completely unrelated note, I swear this writeup is helpful at some point.
- You should already have an SSH client. Just get to a command line and run "ssh". If it says anything other than a not found message, you have an ssh client. If you don't, your distro was made by morons.
- Fire up your SSH client and try to log in. Enter the IP address of the remote machine. You can sign up to FreeDNS or something similar so that you get a domain name (for free!) if you don't like remembering the IP address or your ISP changes your IP address frequently.
- Accept the key. The first time you log in to the remote machine, your SSH client will show you the fingerprint of the server's host key and ask whether to accept it and keep it on file. Don't just say yes: compare it with the fingerprint of the remote box's own host key, which you looked up and wrote down while you were still sitting at home. On a hostile wireless network, blindly accepting a key is exactly the moment a man in the middle gets handed your whole tunnel.
- Alright, we're connected! Now unconnect; enter the "exit" command and you should be logged off. That was an SSH connection, but it didn't make a tunnel, so that's the next step.
- From the command line, execute "ssh -L 6789:localhost:8118 XXX.XXX.XXX.XXX".
This is a tricky command; allow me to translate.
- "-L" means set up a local port forward, or tunnel, from...
- "6789" port 6789 on this machine (ssh binds it to 127.0.0.1 only unless you say otherwise, which is what you want on a hostile network), to...
- "localhost:8118" port 8118 on "localhost" as the remote machine sees it, which is where Privoxy is listening, carried inside the SSH session to...
- "XXX.XXX.XXX.XXX" the remote machine you log in to, the same address you used for the plain login a minute ago.
You have to know the remote machine's IP and plug it into the Xs. Or use the domain name from FreeDNS or whatever service you choose. Don't put that public address in the middle slot instead of "localhost": ssh resolves the middle part on the remote end, and Privoxy isn't listening on the public address anyway.
The default Privoxy port is 8118 and its default listen-address is 127.0.0.1:8118, so that's why we use them here. Both can be changed in the Privoxy config file, but my official stance is "eh". Whatever you do, leave it bound to 127.0.0.1; point it at 0.0.0.0 and you've turned your home box into an open proxy for the whole internet.
Now, the stickler is if you want to use different login names for each machine. For instance, your local login is "mike" and your remote login is "mikebert". If so, put "-l mikebert" somewhere before the address on the command line (anything after the address, ssh treats as a command to run on the remote machine), or just write the address as mikebert@XXX.XXX.XXX.XXX. "-p" lets you specify a non-standard SSH port, but I didn't tell you to set that up, did I?
Oh, by the way, it may be worth setting up a non-standard port so your logs aren't full of the automated brute force attempts that hammer port 22 all day. That's noise reduction, not security: the real fixes are turning off password logins in favour of keys and disabling remote root login.
- Now, back to Firefox. You can use an SSH tunnel as a proxy without the Switch Proxy extension, but it makes life much easier. Click the Add button on the Switch Proxy toolbar. Select a Standard proxy and name it in the window that comes up. Enter "127.0.0.1" for the HTTP proxy and "6789" for the port. If the dialog has a separate SSL proxy field, fill it in with the same address and port (or tick the "use the same proxy for all protocols" box), otherwise your https:// sites sneak around the tunnel. Then hit OK.
- Now click the Apply button on the Switch Proxy toolbar and surf somewhere. Check out one of the IP reporting websites - it will say you're coming from the remote machine. Cool beans, eh?
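Here is the laptop side of the login, fingerprint, tunnel and check steps above rolled into one script. It is an added example written for this writeup, not code from anywhere else; the login name mikebert, the host name home.example.net, the control socket path under ~/.ssh and the URL http://example.com/ used for the check are all assumptions, and each can be overridden with an environment variable. It is plain POSIX sh and needs only ssh, ssh-keyscan, ssh-keygen and curl. Note the middle of the -L argument is localhost:8118, Privoxy as the remote box sees it, and the local end is pinned to 127.0.0.1 so nobody else on the wireless net can use your tunnel.

```shell
#!/bin/sh
# Added example: fingerprint check, tunnel up, proxy check, tunnel down.
# Assumed names (override via environment): REMOTE_USER, REMOTE_HOST,
# LOCAL_PORT, PRIVOXY_PORT, CHECK_URL.  Usage: ./tunnel.sh fingerprints|up|check|down

REMOTE_USER="${REMOTE_USER:-mikebert}"            # assumed remote login
REMOTE_HOST="${REMOTE_HOST:-home.example.net}"    # assumed remote box (IP or FreeDNS name)
LOCAL_PORT="${LOCAL_PORT:-6789}"                  # what Firefox's proxy setting points at
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"              # Privoxy's default, on the remote box's 127.0.0.1
CHECK_URL="${CHECK_URL:-http://example.com/}"     # assumed harmless page for the smoke test
CTL="${HOME}/.ssh/tunnel-${REMOTE_HOST}.sock"     # control socket so we can shut the tunnel down

# Show the remote host keys' fingerprints as seen from *here*.  Compare them
# with what you got at home from: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# If they differ, somebody on this network is playing server.  Don't log in.
host_fingerprints() {
  ssh-keyscan -t ed25519,rsa "$REMOTE_HOST" 2>/dev/null | ssh-keygen -lf -
}

# Build the tunnel command.  -L is [bind:]port:host:hostport and host:hostport
# is resolved by the remote sshd, so localhost:8118 is Privoxy on the remote box.
# -N: no shell, -f: go to background after auth, -M/-S: control socket,
# ExitOnForwardFailure: die loudly if 6789 is already taken instead of
# silently giving you a tunnel that forwards nothing.
tunnel_cmd() {
  printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s %s@%s\n' \
    "$CTL" "$LOCAL_PORT" "$PRIVOXY_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

tunnel_up() {
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  eval "$(tunnel_cmd)"
}

# Push one request through the local end and print the HTTP status.
# 200 means Firefox pointed at 127.0.0.1:6789 will work; anything else,
# look at Privoxy on the remote box.
tunnel_check() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    --proxy "http://127.0.0.1:${LOCAL_PORT}" "$CHECK_URL"
}

tunnel_down() {
  ssh -S "$CTL" -O exit "${REMOTE_USER}@${REMOTE_HOST}"
}

case "${1:-}" in
  fingerprints) host_fingerprints ;;
  up)           tunnel_up && echo "tunnel up: 127.0.0.1:${LOCAL_PORT} -> ${REMOTE_HOST}" ;;
  check)        [ "$(tunnel_check)" = 200 ] && echo "proxy OK" ;;
  down)         tunnel_down ;;
  "")           ;;   # no argument: just define the functions
  *)            echo "usage: $0 fingerprints|up|check|down" >&2; exit 2 ;;
esac
```

Run it with "fingerprints" first and compare against the note you made at home, then "up", then "check" before you trust Firefox to it, and "down" when you leave the cafe. The control socket means you don't have to hunt for the backgrounded ssh process to kill it.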
Note 1: If you can't establish the connection with a simple SSH login (the plain login step above) then check to make sure your SSH server is running. If it is, you have a firewall in your way. Either the remote machine itself and/or the router between you is blocking it. You need to break out the owner's manual to figure out how to port forward the necessary ports for each firewall in your way.
Note 2: The great thing about Switch Proxy is that when you need the proxy, you just select the proxy you want, and hit Apply. When you don't need the proxy, select "none" and hit Apply. However, if you hate clutter like me, just go to "View", "Toolbars" and toggle "Switch Proxy" off. If you look in the lower right hand corner of Firefox, you'll see a little box that says "Proxy: " and gives the current proxy. You can right click here and select the proxy you want to use, thus retaining quick functionality without the additional toolbar up top.
Note 3: You'll need to run the tunnel command each time you need the tunnel. There is a way to do this automatically and/or without passwords, but that's a node for another day.
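The brute force and root login advice from the tunnel section, turned into a check you can run on the remote machine. This is an added example, not part of the original writeup. The two config files it writes are constructed samples, and the Match block for a user called backup is a hypothetical exception put there only to show that the audit stops where sshd's global section ends. The one thing worth knowing that the advice alone doesn't tell you: sshd takes the first value it sees for each keyword, so a hardening line pasted at the bottom of the file does nothing if a weaker one sits above it.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings that matter more
# than a non-standard port.  Run as: ./audit.sh /etc/ssh/sshd_config
# With no argument it audits two constructed sample configs instead.
#
# sshd uses the FIRST value it finds for a keyword.  Anything after the first
# "Match" line is conditional, not global, so the lookup stops there.

sshd_setting() {   # sshd_setting <file> <keyword> <default-if-unset>
  val=$(awk -v k="$2" '
      /^[[:space:]]*(#|$)/      { next }                     # comments and blank lines
      tolower($1) == "match"    { exit }                     # global section is over
      tolower($1) == tolower(k) { print tolower($2); exit }  # first match wins, like sshd
  ' "$1")
  printf '%s\n' "${val:-$3}"
}

# Prints one line per weak setting; returns 0 when clean, 1 otherwise.
# The defaults passed in are the weak ones (OpenSSH before 7.0 defaulted
# PermitRootLogin to yes), so an unset keyword is flagged until you set it
# explicitly and stop depending on whatever version you happen to run.
audit_sshd_config() {
  f="$1"; bad=0
  case "$(sshd_setting "$f" PermitRootLogin yes)" in
    yes) echo "PermitRootLogin yes: root can log in remotely"; bad=1 ;;
  esac
  case "$(sshd_setting "$f" PasswordAuthentication yes)" in
    yes) echo "PasswordAuthentication yes: brute force has something to guess"; bad=1 ;;
  esac
  case "$(sshd_setting "$f" PubkeyAuthentication yes)" in
    no)  echo "PubkeyAuthentication no: keys are off, passwords are all you have"; bad=1 ;;
  esac
  return "$bad"
}

demo() {
  weak=$(mktemp); strong=$(mktemp)
  cat >"$weak" <<'EOF'
# constructed sample: what a stock box tends to look like
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later in good faith; sshd ignores it because the yes above came first
PasswordAuthentication no
EOF
  cat >"$strong" <<'EOF'
# constructed sample: the same box after the advice in the writeup
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# hypothetical exception for one account: it lives in a Match block, so it is not global
Match User backup
    PasswordAuthentication yes
EOF
  echo "--- weak ---";   audit_sshd_config "$weak"   || echo "(fix these before trusting the tunnel)"
  echo "--- strong ---"; audit_sshd_config "$strong" && echo "clean"
  rm -f "$weak" "$strong"
}

if [ -n "${1:-}" ]; then audit_sshd_config "$1"; else demo; fi
```

After changing sshd_config, restart sshd from a session you already have open and test a fresh login from a second window before closing the first one, or the lockout you engineered for attackers will be yours.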
The Light at the End of the Tunnel
Congratulations, you're up and running! Now you can surf on an unsecured wired or wireless network without worrying about the people around you. Thanks to the tunnel, nobody can read the traffic between you and the remote SSH server. All the World Wide Web traffic is coming from the remote SSH server, so what's left to worry about is that machine itself (keep it patched and its sshd locked down) and the hop from it to the web site, which is plain old HTTP again unless the site speaks HTTPS. The tunnel protects the hostile part of the path, not the whole path.
This isn't anonymous surfing, either. Forget about ARP; it never carried a host name. What the people on the wireless net can still see is that your laptop is talking to one particular address, your home box, and how much; your hardware (MAC) address in every frame; and anything that doesn't go through the proxy, like other programs or any name lookups your own machine does on the side. Since Firefox hands whole URLs to Privoxy, the sites you visit get resolved at the far end, inside the tunnel. So the worst case is that someone learns you spent the afternoon talking to your home machine, not that you're browsing www.HotHotFurryFucks.com with only one hand on the keyboard.