Monday, April 28, 2008

SSH Tunneling

This is a quick blog post to let my mate Ollie know about a few ways that I use SSH and how it is useful.

Firstly, an SSH client connects to an SSH server, logs in with either a password or certificate and communicates over an encrypted tunnel. The beauty of SSH is that it is also easy to tunnel other types of traffic such as HTTP or VNC over the tunnel. This is useful for the following:

> Secure Administration of a remote server.
> Secure File transfer.
> Securing web traffic over a non-secure wired or wireless network.
> Bypassing of restrictions and filtering imposed on the local network.


Tools

> Privoxy
> SSH
> Screen


Setup

At home I have installed SSH on a server and started the service (/etc/init.d/ssh start) listening on port 22 for SSH traffic. I have set port forwarding up on my firewall to allow traffic to hit the server on this port. Usually I will set up a non-standard port but for the sake of an easy explanation I'll leave it at port 22.

On that server I have also installed Privoxy (apt-get install privoxy) and started it (/etc/init.d/privoxy start). By default, Privoxy binds to 127.0.0.1:8118. I have also installed Screen, a program that allows you to have multiple terminal sessions open at once and leave them running after disconnecting from the SSH server.


Connecting To The Server

From my client I connect to the server by using the following command:

ssh synjunkie@ssh_server_ipaddress


After logging in I can issue commands as if I'm sitting at the server. After connecting I would start Screen by issuing the `screen` command. If I wanted to reconnect to a previous Screen session I would use `screen -r`.

You navigate through Screen by issuing commands through key-bindings. A few of the ones I find most useful are:

Ctrl+a c new window
Ctrl+a n next window
Ctrl+a p previous window
Ctrl+a " select window from list
Ctrl+a A set window title
Ctrl+a ? show key bindings/command names
Ctrl+a d detach screen from terminal

Screen is great because you can leave a scan going in one session, IRC in another and, say, a traffic capture in another.


Tunneling Traffic

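As well as connecting to the server I might want to tunnel some traffic over SSH to my home server and then back out.

For this I would issue the following command on my client and log in. The -N option opens no remote shell, and -L forwards port 8118 on my client to port 8118 on the server, where Privoxy is listening.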

ssh -NL 8118:localhost:8118 synjunkie@ssh_server_ipaddress

After setting up the tunnel I would go into the proxy settings on my browser and point them to localhost port 8118.
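
An added example, not part of the original post: a Python check for the local end of the forward above. It sends the request a proxy-configured browser would send to localhost port 8118 (an absolute URI with the hostname included, so the name is looked up by Privoxy on the server) and reports whether the tunnel, the forward or the proxy answered. The function names and the example.com target are assumptions made for illustration.

```python
import socket

def build_proxy_request(host, path="/"):
    # A browser pointed at an HTTP proxy sends the absolute URI, hostname
    # included; the proxy at the far end of the tunnel performs the lookup.
    return (f"GET http://{host}{path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def check_tunnel(host, local_port=8118, timeout=5.0):
    """Send one proxied request to the local end of `ssh -NL 8118:localhost:8118`.

    Returns (state, detail), where state is one of:
      tunnel-down     nothing is listening on 127.0.0.1:local_port
      forward-failed  ssh accepted the connection but closed it with no reply
      no-reply        connected, but no response within the timeout
      proxy-replied   a status line came back through the tunnel
    """
    try:
        sock = socket.create_connection(("127.0.0.1", local_port), timeout=timeout)
    except OSError as exc:
        return ("tunnel-down", str(exc))
    data = b""
    with sock:
        try:
            sock.sendall(build_proxy_request(host))
            while b"\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return ("no-reply", f"no response within {timeout}s")
        except OSError:
            data = b""  # reset by the far side: treat like an empty reply
    if b"\r\n" not in data:
        return ("forward-failed", "connection closed before a status line arrived")
    return ("proxy-replied", data.split(b"\r\n", 1)[0].decode("latin-1"))

if __name__ == "__main__":
    # example.com is a placeholder target (assumption); use any site you expect to reach.
    print(check_tunnel("example.com"))
```

A `proxy-replied` result means the request crossed the tunnel and the status line came from the proxy on the server, so any error it reports is raised at the server end rather than on the client.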


I hope this illustrates a couple of good uses for SSH.

6 comments:

callis said...

I tried but this is not working dude..
On opening any URL in browser it is showing a message that connect to privoxy on ssh server but can't resolve DNS.
I also tried putting IP address but even then it is not working.

SynJunkie said...

Hi callis

I know this works but to troubleshoot it what I would do is:

1) Make sure that you can browse and resolve DNS from the privoxy server.

2) On the client, test privoxy without the SSH tunnel first by changing your browser settings to it (server IP and port) and seeing if you can get out like that. This will need to be done whilst you are on the LAN where the privoxy server is.

Then test through SSH (remember to change your browser proxy settings back to localhost though). You could see my more recent post on SSH Tunnelling the Pretty way, maybe that will help.

SynJunkie said...

Callis

It occurred to me after my previous reply that DNS probably doesn't go over the SSH tunnel. You can verify this with Wireshark or TCPdump.

Before bringing up your tunnel try pinging a few remote sites and see if you get a response and the name resolved. If not, maybe try pointing your name servers (/etc/resolv.conf) to the OpenDNS servers (208.67.222.222) for resolution.

Anonymous said...

Are there any free/public ssh servers? Or do you just ssh to your own IP?

SynJunkie said...

I use my own. My thoughts are if it's my own I can trust it, I wouldn't want to go to the hassle of SSH'ing to a box that I could trust no more than the network I'm SSH'ing through.

Hope that makes sense. Cheers

Anonymous said...

great!!! thanks ;)