
Use OpenSSH as a secure Web proxy


Making sure your computers are secure is, in some respects, a full-time job. It gets even more complicated when you have to worry about wireless security too.

An important concern for travelers who use wireless networks in their travels -- whether they are using the wireless access point at a coffee shop, in an airport, or at the hotel where they spend their nights on a business trip -- is the fact that they never really know how secure that network is, unless they know it is not secure at all. That's the usual case for coffee shop wireless networks: Because they are open to everyone, you simply cannot trust them. If they weren't open to everyone, they would not be worth anything, after all.

The only sane way to address the matter of security on a laptop when you are on a public wireless access point is to be very selective about what resources you are willing to access through that network -- and how you access them. For the most part, this means you should avoid doing things such as logging into your bank's Web site, making purchases online, and otherwise sending sensitive data over this foreign network. Even when the Web site in question uses encryption for session login, that does not necessarily mean that you are not subject to some kind of man-in-the-middle attack or other trickery that would not be as easy from a network you control.

There are ways to protect yourself, however, so that you can access online resources that require sensitive data to be sent back and forth over the connection. One is to use a secure, transparent proxy. Web proxies of any sort can be very difficult for the average user to set up and configure properly, but they can also be incredibly simple, if you have no need for anything more than an encrypted connection to a transparent proxy and use the right tools. Luckily, "the right tools" in this case are very easy to come by.

The following assumes you are going to use a Linux, BSD UNIX, or commercial UNIX system at home as your proxy server. It also assumes you have a persistent Internet connection at home, usually via a typical broadband Internet account through your local DSL or cable ISP.

Server access

The first step to setting up access to your transparent proxy server is to configure the firewall on your home network to forward an SSH port to the computer you will use as your transparent proxy. You do have a firewall at home to provide secure access, right? If you don't, you should stop reading this right now and fix that fact. Connecting a home computer directly to the Internet without a separate firewall device of some sort is a monumentally bad idea.

The process of configuring your home firewall for port forwarding varies wildly from one firewall setup to the next. Most consumer-grade router/firewall devices of the sort you can get at Best Buy or Circuit City (or even Wal-Mart) provide functionality for port forwarding, and it is usually easy enough to figure out on your own. If you run your own Linux or BSD UNIX-based firewall on some old hardware you had lying around, you probably know how to set this up yourself.

We will assume that you have configured your Internet-facing firewall to accept SSH connections on port 2200 and forward them to port 22 on a UNIX-like system on your internal network. It's best if you do not use your firewall itself as the proxy server -- though it is possible (and, for that matter, easy). Make sure you secure SSH against common brute-force password cracking attacks on your proxy server.

You must also make sure that your server has HTTP access to the Internet through the firewall. This usually consists of nothing more complex than making sure you do not configure your firewall to block that access from computers in your network.

Finally, you must ensure you know the IP address you can use to connect to your home network from some outside network. This might be tricky, depending on your ISP. For those service providers that assign a relatively stable IP address, you just need to find out what the IP address is and make sure you do not lose it. You might save it in a text file on your laptop. To find out the IP address, the most obvious method is to visit any of a large number of Web sites that exist specifically for the purpose of telling you your own IP address. Two examples are ip-address.com and whatismyipaddress.com.

If your ISP changes your IP address regularly, you might need to take more drastic measures. A number of services exist that provide DNS resolution to dynamic IP addresses so that, for instance, you can point a domain name at a Web server you have at home even if your home IP address changes regularly. This is one possible solution to the problem -- and perhaps the easiest.

A client for these services needs to be installed on a computer at home to inform the service's DNS servers when the IP address changes. The ez-ipupdate client is available from both FreeBSD and Debian GNU/Linux software archives for quick and easy installation, and it works with a dozen or so different services that provide DNS resolution to dynamic IP addresses.

Encrypted proxy connection

The rest of the process of using an encrypted connection to a Web proxy at home is done on the client machine -- presumably, your laptop -- and it is not difficult at all with an average install of a UNIX-like operating system such as Debian GNU/Linux or FreeBSD. We will assume you are using such an operating system for now.

If you are using a dynamic DNS resolution service, you would replace the IP address in the following example with the domain name you are using instead. In the example, we will assume that you have the stable home IP address of 25.10.101.250 for the sake of convenience. Creating your encrypted proxy connection involves entering a command such as this:

  $ ssh -D 8080 -p 2200 username@25.10.101.250

The "username" part should be replaced with the name of a normal user account on the proxy server at home. The -D option makes ssh listen on port 8080 of the local machine as a SOCKS proxy: every connection it accepts is carried inside the encrypted SSH session to port 2200 at 25.10.101.250 (which your firewall forwards to port 22 on the proxy server) and leaves for the Internet from there, so the only thing visible on the coffee shop network is one SSH connection to your home address.

The last thing you have to do to make everything work is tell your Web browser application to use port 8080 on the local system for all connections. In Firefox, for instance, you would open up the Preferences dialog box, select the Advanced tab, then select the Network tab, and finally click the Settings button to configure your connection. Make sure the Manual Proxy Configuration: radio button is selected. Enter localhost in the SOCKS Host: field and 8080 in the corresponding Port: field. Leave the HTTP Proxy fields empty: the ssh listener speaks SOCKS, not HTTP, and traffic sent to it as an HTTP proxy will not get through.

If for some reason it doesn't work with "SOCKS v5," try switching to "SOCKS v4."
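The browser and the local ssh listener on port 8080 talk SOCKS to each other, and the difference between "SOCKS v5" and "SOCKS v4" matters for more than compatibility. The following is an added example, not code from the article: it builds and parses the messages a client exchanges with the listener that ssh -D creates, for both protocol versions, and opens a connection through it. It assumes the listener is on localhost:8080 as in the article's command; the destination names are constructed sample values. The security point it makes is that a SOCKS5 (or SOCKS4a) client can hand the destination hostname to the proxy, so the DNS lookup happens at home, whereas a plain SOCKS4 client must resolve the name itself on the untrusted wireless network. Firefox controls this with its network.proxy.socks_remote_dns preference, which is worth checking when you set up the proxy.

```python
"""SOCKS messages exchanged with the local listener created by ``ssh -D 8080``.

Added example; not code from the original article.  Assumptions (not from the
article): proxy at localhost:8080; destination names below are constructed.
"""
import socket
import struct

SOCKS5_VER = 0x05
SOCKS4_VER = 0x04
NO_AUTH = 0x00        # OpenSSH's built-in SOCKS server offers no other method
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03

SOCKS5_REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting():
    # VER, NMETHODS, METHODS: we offer only "no authentication".
    return bytes([SOCKS5_VER, 1, NO_AUTH])


def socks5_connect(dest_host, dest_port):
    # VER CMD RSV ATYP DST.ADDR DST.PORT.  ATYP_DOMAIN sends the raw hostname,
    # so the name is resolved by the home end of the tunnel, not on the
    # untrusted wireless network.
    name = dest_host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", dest_port))


def parse_socks5_reply(data):
    # VER REP RSV ATYP BND.ADDR BND.PORT; only REP decides success.
    if len(data) < 2 or data[0] != SOCKS5_VER:
        return False, "not a SOCKS5 reply"
    code = data[1]
    return code == 0x00, SOCKS5_REPLY_TEXT.get(code, "unknown reply %#x" % code)


def socks4a_connect(dest_host, dest_port, user_id=b""):
    # SOCKS4 carries only a 4-byte IPv4 address, which forces a plain SOCKS4
    # client to resolve the name locally.  SOCKS4a's escape hatch is to send
    # the invalid address 0.0.0.1 and append the hostname after USERID.
    return (struct.pack("!BBH4s", SOCKS4_VER, CMD_CONNECT, dest_port,
                        b"\x00\x00\x00\x01")
            + user_id + b"\x00" + dest_host.encode("idna") + b"\x00")


def parse_socks4_reply(data):
    # VN is always 0; CD 0x5A = request granted, 0x5B..0x5D = rejected.
    return len(data) >= 2 and data[0] == 0x00 and data[1] == 0x5A


def connect_via_socks5(dest_host, dest_port, proxy=("localhost", 8080), timeout=5.0):
    """Open a TCP connection to dest_host:dest_port through the ssh -D
    listener.  Returns the connected socket; raises if the proxy refuses."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(socks5_greeting())
        hdr = s.recv(2)
        if len(hdr) != 2 or hdr[0] != SOCKS5_VER or hdr[1] != NO_AUTH:
            raise ConnectionError("proxy rejected the no-authentication handshake")
        s.sendall(socks5_connect(dest_host, dest_port))
        ok, why = parse_socks5_reply(s.recv(262))   # longest possible reply
        if not ok:
            raise ConnectionError("SOCKS5 CONNECT failed: " + why)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Needs a running "ssh -D 8080 ..." tunnel; fetches a page header through it.
    conn = connect_via_socks5("example.com", 80)
    conn.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(conn.recv(512).decode("latin-1"))
    conn.close()
```

If a SOCKS5 CONNECT comes back as "connection refused" or "host unreachable", the failure is on the home side of the tunnel (the proxy server could not reach the destination), which is the same check the article's "make sure your server has HTTP access through the firewall" step is for.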

That's all there is to it.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

16 comments
darin

Is there a problem with security on Microsoft's RDP? I guess my question is two parts. Is login encrypted? Is the session data?

JCitizen

And I don't even have to put it on a DMZ!

Michael Kassner

Thanks for the interesting article Chad. OpenSSH is somewhat complicated and I have experience with many clients that do not want to go through all of that effort. So I explain about LogMeIn and how it adds a significant amount of security by using a protected/encrypted tunnel to a known computer. They can gain web access through the known computer and if needed access anything from that particular network. Installing the client is simple and firewall porting is not required.

00drk00

Nice post , thanks for this..

gaut.michel

Interesting but I need more details. Where to find it, installation, configuration. Anybody can help...

JoeBeckner

This is good if you are able to make changes on the office firewall, but if you don't have control over your employer's router or firewall there is an alternative. The way I do this is by using my IPSec VPN connection to my office. If I am using public wireless, I first make sure that I have the firewall turned on on my laptop. Then I establish my standard IPSec VPN connection to the office using my Cisco VPN client. I have RAdmin (remote control program like PCAnywhere) installed on my desktop workstation at the office. I make a remote control connection from my laptop to my desktop. I then use my web browser on my desktop machine. All my data is encrypted by the IPSec VPN connection.

apotheon

RDP is a protocol used for remote GUI access. This is a completely different set of functionality than a secure web proxy. See [url=http://techrepublic.com.com/5208-12846-0.html?forumID=102&threadID=255066&messageID=2434103][b]this comment[/b][/url] for more details -- someone else asked a question based on a misconception similar to yours (that the article addresses remote desktop access), and I responded. SSH can be used to forward X Window System graphical user interface data, similarly to how RDP can be used to forward MS Windows Explorer graphical user interface data, as well. RDP cannot, to my knowledge, be used to set up a remote proxy, however. With a secure remote proxy, as described in the article, you run a local instance of your browser -- not a remote instance on a remote machine. That instance of the browser merely relays its HTTP requests through the proxy, providing a better controlled networking environment. Running a remote GUI application such as a browser, meanwhile, involves shuttling a lot more data back and forth between the local system and the remote system. This contributes to sluggish response times for the applications you use and a higher degree of latency on your HTTP requests. There are other shortcomings to using an entire remote desktop system to control your browsing environment as well. As for problems with RDP itself -- well, there are a few. If you're using a version of RDP older than 6.0, in particular, you should either upgrade immediately or just switch to different software. Pre-6.0 RDP is too easily vulnerable to a man in the middle attack.

apotheon

You don't need to specify a given port to run software on a different computer with SSH, if that's what you're saying. You could run Firefox on a remote system by simply running a command like this: [b] ssh -X hostname firefox[/b] You don't even need the -X if you have SSH configured to automatically forward the X Window System protocol -- though that's usually a bad idea for security reasons (needlessly forwarding protocols can serve as a security exposure -- including using something like Remote Desktop or VNC when all you actually need to do is run shell commands). One of the reasons you might want to run a local instance of Firefox that uses an encrypted tunnel to a remote proxy is to reduce the bandwidth demands of the remote connection -- and, thus, reduce problems like latency and bandwidth bottlenecks. Another is to make it easier to interact with the local system, such as when downloading a file. Remember that your HTTP stream has to travel across the Internet which, even with a broadband connection, usually means a much more restrictive bandwidth connection than on a local network. On the other hand, adding the massive bandwidth overhead of forwarding an entire application interface across the Internet to run it on a computer at home from some coffee shop is just begging for tears of frustration. "[i]Installing the client is simple and firewall porting is not required.[/i]" If, by "firewall porting", you mean port forwarding on the local system to connect to the secure proxy, you're obviously talking about not using a secure proxy setup on the local machine. Instead, you would have to spend time setting up a proxy server on the remote system (which is a much more complex process than running that simple SSH command in the article) or, more likely based on what I think you're suggesting for LogMeIn use, running a remote instance of a browser (in which case my above explanation of why a proxy is better comes into play).

mgordon

I think this is one of those stories that presume familiarity with SSH (Secure Shell). In the case of a tunnel, it creates a daisy chain type of thing where you talk to port 8080 on your local machine and it has a "listener". The listener transports packets through an SSH tunnel and it pops out the other end as if it had originated on a port and IP address at the other end. If it is web browsing, a sniffer would show that the other end computer "originated" the web request and when the reply comes back to the remote computer, it feeds the reply to the far end of the tunnel, which then pops it out into your local computer port 8080 then into your browser. So far as your browser knows, it is talking to a web server inside your local computer (laptop or whatever), and so far as the actual web server is concerned, it is talking to your personal server. In a sense it is also an "anonymiser" but not usually used to achieve that purpose.

apotheon

I'm not sure what exactly you want help with.

stux

...is to use a VPN connection (such as Hamachi) and run an HTTP proxy (such as squid) on the target server, which is what I do. I then point my browser's proxy to that machine's VPN address and start browsing. This avoids the RDP overhead and still keeps most of my browsing secure (HTTPS can have certificate issues). By using Hamachi I don't have to open any ports at home either.

Dumphrey

why not just use Remote Desktop? I think this article was designed to create a way to create a secure web browsing/data exchange while connected to a public wireless network. If you NEED encrypted tunnels for data at work, on a private LAN, then chances are SSH is old news... Anyway, I would guess many company firewalls would allow outgoing connections on port 22. And then again, many won't. It all depends on the CSO and company policy.

darin

Yes I am aware that SSH proxying is not RDP. But VNC was also mentioned in the comments in this article and both have their merits. There are times for each and they are related topics, not everyone has time to find narrow scoped articles on each individual topic. I do thank you for your comments on pre-6.0 RDP. VPN was also mentioned and probably is more related. For me the advantage to VPN or RDP type technologies is when I do not wish to mix business browsing and personal browsing.

Michael Kassner

I have to agree about the major overhead of using a remote web browser. But I also stick to my point that setting up LogMeIn remotely with a very nervous user is great deal simpler.

JCitizen

LogMein looks like a good stop gap measure until VNC can be configured on the machine!
