Use PuTTY as a secure proxy on Windows

Last month, I wrote about using OpenSSH as a secure Web proxy on UNIX and Linux systems. This time, I'll show you how to do the same thing on Microsoft Windows using PuTTY -- probably the single most popular SSH client available for Microsoft's operating system platforms (and also available in the software management systems of many free UNIX/Linux systems).

Why?

As I pointed out in the previous article, Web access through public wireless networks is risky because malicious security crackers and would-be identity thieves can listen in on your Web traffic. There are two very simple solutions to the problem:

  1. You can simply avoid engaging in any online activity that involves logins or other transmission of sensitive data -- including e-mail addresses that you wish to protect from spammers and phishers.
  2. You can use an encrypted connection to a secure proxy on a network that you know to be better protected than the public wireless network you're using.

A proxy is another system through which network traffic can be forwarded, so that to the rest of the Internet the proxy server appears to be the actual source of the traffic. A direct encrypted connection from a laptop on an unsecured wireless network to a proxy server on a secured network, which then relays HTTP requests to the Web, gives far better protection for Web browsing than sending HTTP requests straight from the laptop through the wireless network to the Internet at large: someone sniffing the wireless network sees only SSH traffic to one host, not the requests carried inside it.

What tools?

This article assumes you have installed PuTTY and the Mozilla Firefox Web browser on a Microsoft Windows laptop from which you wish to connect to a secure proxy. It also assumes that you have access to a computer at home or on another trusted network, running a BSD UNIX, Linux-based, or other UNIX-like operating system with OpenSSH installed, as described in the previous secure Web proxy article.

It also assumes that you have configured your trusted network to provide SSH access from outside the network. This often involves configuring port forwarding on your router and firewall, the specifics of which vary from one router/firewall to another.

In the following explanations, where you have questions, you may wish to check with the previous secure Web proxy article -- where a lot of this has already been covered -- for details.

How?

First, configure a PuTTY session to connect to the UNIX/Linux system you will use as your proxy server. Fill in the following data:

  1. Host Name (Or IP Address): This may be the domain name for your network, if you have domain name resolution via a dynamic DNS service or other means set up to allow access to your network via a domain name, or it may be the IP address for your router/firewall.
  2. Port: SSH normally uses port 22, but this may be different, depending on how port forwarding may be set up on your trusted network.
  3. Protocol: Select the SSH option.

In order to facilitate creating these encrypted proxy sessions quickly in the future, you may wish to give the session a name under the Saved Sessions heading and save it for future use. Do not click the Open button to connect yet, though.

Here's a screenshot to help:

Second, configure an SSH encrypted tunnel through which your HTTP requests can be forwarded to the system you're using as a proxy server. Open the Connection > SSH > Tunnels interface using the hierarchical Categories pane on the left-hand side of the PuTTY dialog box, and fill in this data:

  1. Source Port: Fill in a port number that will be used locally, on the laptop, for this connection. For instance, you might use port 8080 for forwarded HTTP requests.
  2. Destination: Leave the text field empty. Select the Dynamic and Auto options.

Click the Add button to commit these encrypted tunnel settings. When that happens, you will see a character string (D8080 for the example above) appear in the Forwarded Ports field, as shown in the following screenshot. Leave the "Local ports accept connections from other hosts" option unchecked so that the listening port is bound to the loopback address only; otherwise every other machine on the public wireless network could route its own traffic through your tunnel.

Third, after saving the session settings again so that the encrypted tunnel settings will be retrievable, click the Open button to establish the connection. The first time you connect, PuTTY displays the server's host key fingerprint and asks whether to trust it. Compare it with the fingerprint of the key on the server itself (on the server, a command such as ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub prints it) before accepting, because an attacker on the wireless network who can intercept the connection could otherwise present his own key and read everything you send through the tunnel; PuTTY caches the key afterward and warns loudly if it ever changes. Then log in with a valid username and password (or an SSH key loaded in Pageant) on the remote system.

Fourth, configure Firefox to use your encrypted connection. Open the Options dialog box from the Tools menu, then select Advanced. Make sure the Network tab is selected, and click the Settings button. Fill in the following data:

  1. Configure proxies to access the Internet: Select Manual Proxy Configuration.
  2. SOCKS Host: Enter 127.0.0.1 into the text field. Leave the HTTP, SSL, and FTP proxy fields empty; the tunnel is reached only as a SOCKS proxy.
  3. Port: For the SOCKS Host, fill in the same port number you specified in the PuTTY tunneling dialog -- 8080 in the above example.
  4. SOCKS version: Select SOCKS v5. Only SOCKS v5 can pass a host name, rather than an already resolved IP address, to the proxy, which is what allows DNS lookups to be done at the far end of the tunnel.

One more Firefox setting matters. Even with a SOCKS v5 proxy configured, Firefox by default resolves host names itself, so the name of every site you visit still leaves the laptop as a plaintext DNS query on the wireless network, and a network that blocks or tampers with DNS can still interfere with you. Open about:config, find network.proxy.socks_remote_dns, and set it to true; Firefox then hands the host name to PuTTY and the lookup happens on the proxy server.

Click the OK button to commit the changes, and exit the Options dialog box. When you are ready to click OK, the Connection Settings dialog box should look something like this:

Finally, you're done. Everything your Web browser sends now passes through the encrypted SSH tunnel to your proxy host and from there out to the Web, so nobody on the coffee shop wireless network can read it or see which sites you visit. Two limits are worth keeping in mind. Encryption covers only the leg between the laptop and your proxy server; from there the requests travel as ordinary HTTP, so a site that wants to protect your login still needs HTTPS. And only applications configured to use the SOCKS proxy are covered; anything else on the laptop still talks to the Internet directly over the wireless network.
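What actually crosses the port PuTTY opens for a "Dynamic" forward is the SOCKS5 protocol: the browser greets the proxy, asks it to CONNECT to a destination, and from then on the bytes of the HTTP session ride inside the SSH connection. The following is an added example, not code from the original article or from PuTTY. It builds and parses that handshake, and its StubSocksServer is a constructed stand-in for PuTTY's listening port so the exchange can be run on loopback without a real tunnel. The point it makes concrete is the remote-DNS setting: with remote_dns=True the host name itself goes to the proxy (address type 0x03) and the lookup happens on the SSH server, while remote_dns=False resolves the name locally first, which is the plaintext DNS query a sniffer on the wireless network still gets to see.

```python
"""SOCKS5 client handshake (RFC 1928) with a loopback stub proxy to exercise it.
Added example for this article, not code from the original post or from PuTTY;
StubSocksServer is a constructed test double for PuTTY's "Dynamic" forward port."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def _recv_exact(sock, n):
    # recv() may return short reads; read exactly n bytes or fail loudly.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def build_greeting():
    """VER, NMETHODS, METHODS: offer "no authentication"; the SSH login already did that."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect_request(host, port, remote_dns=True):
    """CONNECT request.  remote_dns=True sends the host name itself (ATYP 0x03) so
    the SSH server resolves it at the far end of the tunnel.  remote_dns=False is
    a browser's default: resolve locally (a plaintext DNS query on the wireless
    network) and send only the resulting IPv4 address (ATYP 0x01)."""
    if remote_dns:
        name = host.encode("idna")   # over 255 bytes makes bytes() below raise ValueError
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks5_connect(proxy_host, proxy_port, target_host, target_port,
                   remote_dns=True, timeout=5.0):
    """Open a TCP connection to the target through a SOCKS5 proxy; return the socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy rejected the no-authentication method")
        sock.sendall(build_connect_request(target_host, target_port, remote_dns))
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        if ver != SOCKS_VERSION or rep != 0x00:
            raise ConnectionError("SOCKS5 CONNECT failed (reply code %d)" % rep)
        # Drain BND.ADDR and BND.PORT, which follow the 4-byte reply header.
        if atyp == ATYP_IPV4:
            _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
        else:
            raise ConnectionError("unexpected address type %d in reply" % atyp)
        return sock
    except Exception:
        sock.close()
        raise


class StubSocksServer:
    """Constructed test double: accepts one client on loopback, completes the
    handshake with a success reply, and records what the client asked for."""

    def __init__(self):
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        self.seen_atyp = self.seen_target = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self._listener.accept()
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)                      # the offered methods
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            if atyp == ATYP_DOMAIN:
                host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
            else:                                            # the stub expects IPv4 otherwise
                host = socket.inet_ntoa(_recv_exact(conn, 4))
            port = struct.unpack("!H", _recv_exact(conn, 2))[0]
            self.seen_atyp, self.seen_target = atyp, (host, port)
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))


def handshake_through(target_host, target_port, remote_dns=True):
    """Run one handshake against a fresh stub; return the (atyp, (host, port)) it saw."""
    stub = StubSocksServer()
    socks5_connect("127.0.0.1", stub.port, target_host, target_port, remote_dns).close()
    stub.thread.join(5.0)
    return stub.seen_atyp, stub.seen_target


if __name__ == "__main__":
    print(handshake_through("example.com", 443))                 # (3, ('example.com', 443))
    print(handshake_through("127.0.0.1", 80, remote_dns=False))  # (1, ('127.0.0.1', 80))
```

Pointed at a real PuTTY session instead of the stub, socks5_connect("127.0.0.1", 8080, "www.example.com", 80, remote_dns=True) returns a socket on which you can write a plain HTTP request and read the reply, which is a direct way to confirm the tunnel works from something other than the browser. The stub's recorded address type is the quick check for the DNS question: a client that sends ATYP 0x01 has already resolved the name on the local network.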

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

68 comments
evangelinetatum92

Can we use some other software with the same feature? It's a lengthy procedure and I need something simple because my colleagues are not so much aware of networking and proxy servers; I have to train them for this.

abaabaa

I have literally been trying to do this for a whole day...driving me absolutely mad. Thank you so much! I owe my evening to you. For anyone that's interested, this is also a useful way to access things which your institution can but you can't; a good example is MathSciNet...using this technique I can use my university computer as a proxy server and access it from home. (Perhaps this has been discussed. I stopped reading when it actually worked!!)

infopost

Does anyone know why when I try to log into putty with a certain IP it always connects me to the root IP of my server? I have 32 different IPs but I always get connected to the main IP despite the fact I will log in with one of the other IPs.

rexleop

Hi, I have a question here. Assume that I am using a proxy. I heard that if I visit a website that uses an HTTPS web page, or a website using Java, then the webmaster can track my real IP. If I use your method above, can the webmaster also track my real IP? Thanks, Rex

guyinblacktshirt

Hey just wanted to share my experience with this: In china it appears that facebook/twitter etc are also blocked on the DNS level. So even though this method will indeed tunnel all web traffic, Firefox by default won't use the tunnel for DNS queries. To have Firefox use the SSH tunnel for DNS lookups as well, go to about:config and double click on the network.proxy.socks_remote_dns to set it to true. Thanks for the nice howto.

jeffrey296

Is it possible to use PuTTY to host an OpenSSH on a Windows computer in the same manner you would with Linux? I basically want to be able to use a laptop to proxy to my home network (hopefully just using tools->options in the web browser). I know someone who does this with a Linux computer at home, but all I have is a Windows computer.

wolfgang123usa

A lot easier to do the same and more is to use BarracudaDrive. All non-techies can use it; you have full access via SSL to all your files at home and are also able to proxy surf via an SSL tunnel and more (not all corporate firewalls allow SSH, so SSL makes it easier). I have used it since BD has existed. See here: http://barracudaserver.com/examples/BarracudaDrive/index.html //Wolfgang

Photogenic Memory

I'm sorry for the n00b question. However, how do you test to see if the tunnel is actually working (other than getting web access)? What commands do you use? Does the persistent connection show up in log files? Can someone please update me with answers?

JCitizen

1) Read this and the previous article. 2) Read a Linux for Dummies book (purchase it). 3) Probably one of those TR how-to manuals (and buy it). 4) Fire up my old Server 2000 and review how to be a server admin again. 2003 was easy but I never owned it. 5) I'm probably toast. Never mind, I'll be alright! :p (edit) The router part will probably be easy compared to the interior software firewall.

writeme_david

If I wanted to do this using SSH on the Linux command line, what would be the SSH command look like?

TJ111

This is a great article on setting this up, as I have XP and use putty/firefox on my laptop frequently for work, and my home PC is running Ubuntu. My only question is if there are any security risks involved with opening up your PC/Router to outside SSH access? Also, does this reduce your bandwidth significantly? Going overseas next week, this'll add a little extra peace of mind.

seanferd

Whatever the proxy is. So if the proxy server is your home computer, the website will have the public IP of the home computer. If, however, you want to use public proxy servers with this method, they would need to accept the secure connection. If you are more interested in avoiding tracking by a government or ISP, for example, they who control the networks can know you are using secure connections, but will not be able to read the data.

Photogenic Memory

What were you thinking? Scratch that. What were you not thinking, LOL? PuTTY is more than adequate.

apotheon

1. Most web-based SSH clients don't provide proxying capability.
2. You still have to connect to the web-based SSH client, which means that you're still connecting to something from the local network without going through an SSH proxy, even if you can use the web-based client as a proxy.
3. How sure are you that you can trust the people providing that web-based client? Do you really want your sensitive data going through yet another website on the way to its final destination -- a website that might be subject to cross-site scripting, that handles your data in unencrypted form before it gets forwarded elsewhere via SSH, and so on? Remember, it takes a warrant to get data off your computer, but only a subpoena to get data off some third-party commercial organization's computers.

Jaqui

PuTTY is a client application, not a server application. You can get and build OpenSSH in a Cygwin environment, which is a limited Linux command line on Windows. That would enable you to use PuTTY to connect to the system with OpenSSH on it.

Derek Schauland

make a difference? If the machine I am pointing at on my home network is a Windows box, will this still work? When I open the SSH connection in PuTTY, I get no prompt for logon or anything.

clangston

You could download a free packet sniffer like Ethereal and monitor all traffic going to the forwarded port 8080 and to your proxy over port 22. You don't have to set up your SSH on port 22. You could set it up on port 80, but some SPI firewalls might block your proxy. This is a free solution, but it's not easy. The easy solution is to set up an SSL VPN using your Cisco router. Your users don't have to reconfigure their web browser proxy or install PuTTY. All they have to do is type https://router_ip_address in their browser, and then they connect back to your home network via SSL VPN and can surf the web through your network. However, why would you want to let your remote users establish a VPN, via SSH/SSL/IPSEC, simply to siphon off your bandwidth for web surfing? You might want that bandwidth for VoIP or video conferencing. I guess it's that delicate balance between security and convenience.

JCitizen

Evaluation tools would tell you if your setup is working. However, in my limited experience if it isn't working the tunnel "collapses" and you don't get any access; so it should be a do-or-die situation there. Perhaps you're more worried about endpoint security?

apotheon

What problem does testing the proxy connection (outside of using it) solve? If I know what you're trying to accomplish, maybe I can help you figure out how to do that -- but I don't really see the value of testing the proxy connection by some means other than using it and seeing if you can access the web. You could try using some other application with the proxy, I suppose. Pidgin (the IM client) provides simple GUI configuration for proxy access, too, for instance. If you can use IMs with Pidgin configured to use the proxy, that too would provide some evidence that it's working. Off the top of my head, a possible means of testing other than just using the proxy for some application and seeing if it works would be to set up the proxy, configure your web browser to use it, open a web page on a server you control, then checking the logs on that server to see where the request originated. If it originated from the proxy system, you know it's proxying correctly. On the other hand, if you configure the browser to use a proxy and it fails to connect to the proxy, you won't be able to reach a web page on any server at all -- so you'll know it isn't working a lot sooner than when you check the web server logs.

apotheon

Y'know . . . FreeBSD and PC-BSD (depending on your taste) might solve some of those problems for you. The FreeBSD Handbook is available online and on your computer if you install FreeBSD (or, presumably, PC-BSD as well). It's better than any Linux For Dummies book -- and you don't have to buy it. The pf firewall may not do the whole "just works" thing the way ZoneAlarm does, but it does the "works well, and the way you want it to" thing much better. I could even help you out with that. FreeBSD (or PC-BSD) can help you solve several of your listed problems.

apotheon

I covered that in the previous article (http://blogs.techrepublic.com.com/security/?p=408) mentioned in this article. Read that for information on how to set this up from a Unix or Linux system. On my FreeBSD laptop, I set an alias in my .login file so to start the proxy service all I have to do is enter the command "proxy". Then I configure Firefox to use the proxy, and I'm done. Again, see the previous article for more details. edit: typo

TJ111

Thanks for the replies. I have an old box sitting at home I've been meaning to set up as a server for a while, I just never got around to it. Most of the servers I work with are firewalled and already set-up, I just do a little maintenance and db/programming work. I think I'll just wait for the other comp to be set up first, then add in a little security. Bookmarked.

apotheon

At a bare minimum, you should take steps to secure SSH against brute-force password cracking (http://blogs.techrepublic.com.com/security/?p=349). In addition to that, you should consider using key-based SSH authentication only, and disallow password-based authentication. With such measures in place, you should be secure enough. Of course, the best option would be to use a system that doesn't contain any sensitive data at all as your proxy, and exists in a DMZ on your secured network, though I know this is not usually practical for home networks. You should be "secure enough" with key-based authentication and a nonstandard port. If you wanted to get really advanced with your security, you could look into additional security options like port knocking.
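The comment above recommends key-based authentication only, no password logins, and a nonstandard port for the sshd that the proxy depends on. As an added example (not the article's, the commenter's, or OpenSSH's own code), here is a small audit that reads an sshd_config and flags the settings that undercut that advice. The directive names are real sshd_config keywords; both sample configurations are constructed for the example, and Match blocks are deliberately skipped because they apply only to matching connections.

```python
"""Audit an sshd_config for the hardening recommended above: key-only logins,
no direct root login, and a port other than 22.
Added example, not the article's or OpenSSH's own code.  The keywords are real
sshd_config directives; both sample configurations below are constructed."""
import re

# (keyword, acceptable values, why it matters).  Keyword matching is
# case-insensitive and the first occurrence wins, as in sshd itself.
CHECKS = [
    ("PasswordAuthentication", {"no"}, "password logins remain open to brute force"),
    ("PubkeyAuthentication", {"yes"}, "key-based authentication is switched off"),
    ("PermitRootLogin", {"no"}, "root can be attacked directly over SSH"),
    ("ChallengeResponseAuthentication", {"no"}, "keyboard-interactive can still take a password"),
]


def parse_sshd_config(text):
    """Return {keyword.lower(): first value}.  Everything after the first Match
    line is conditional on the connection, so a top-level audit stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)              # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, acceptable, why in CHECKS:
        value = settings.get(keyword.lower())
        if value is None:
            findings.append("%s not set explicitly; sshd's default applies, so set it to %s"
                            % (keyword, "/".join(sorted(acceptable))))
        elif value.lower() not in acceptable:
            findings.append("%s %s: %s" % (keyword, value, why))
    if settings.get("port", "22") == "22":           # sshd listens on 22 when Port is absent
        findings.append("Port 22: the default port attracts every automated scanner")
    return findings


WEAK_CONFIG = """\
# constructed sample of a stock-looking sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample after applying the advice above
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes   # conditional; ignored by the top-level audit
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

Run against the weak sample it reports five findings, including the two directives it never mentions at all; run against the hardened sample it reports none, even though the Match block at the bottom re-enables passwords for one account, because that setting only applies to connections matching the rule. A missing keyword is reported rather than assumed safe, since sshd's built-in defaults have changed across releases and the only value you can rely on is the one written in the file.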

Neon Samurai

I don't have the url handy but I think it was hosted on sourceforge. There's a prebuild OpenSSH for Windows though it's an older version. It may cover the windows "gateway" at home though.

jeffrey296

I really do not know much about the command prompt/terminal, linux, and ssh, so could you explain (practically step by step) the process for me to do what you've described on a windows computer. Or is it not possible? I didn't really understand what you said. Thanks much.

jeremyl

Wireshark/Tshark is the latest 'replacement' to Ethereal. The first way I'd test is to run Wireshark on the 'client' machine that's opening the tunnel(s) to the server. If you look at the packets coming through, they should be 'scrambled.' Or at least when you compare browsing the web through the tunnel vs browsing the web without using the tunnel, you'll see that the packets collected from browsing w/o the tunnel are in clear text. Another issue is that of DNS lookups - DNS lookups will still be made unencrypted, so it's possible that anyone could see where you're browsing. Encrypting DNS lookups can be achieved by forwarding the requests through proxy by using tools like "FoxyProxy" in Firefox or forcing SOCKS to do the DNS lookup. You could also sniff packets with Wireshark on the server end to see what the traffic looks like. Currently I connect to my SSL VPN (SSL Explorer) via a dyndns website and launch the agent to establish a secure tunnel for SSH. I then open another Putty SSH tunnel and forward the traffic to my Squid proxy. So 'effectively' a tunnel within another tunnel. I guess it's a little extreme but ehhh... :)

apotheon

"Why would you want to let your remote users establish a VPN, via SSH/SSL/IPSEC simply to siphon off your bandwidth for web surfing?" If your users have mobile systems (like laptops) that must remain secure while on business trips, keeping them from spraying sensitive data all over an open wireless network at a hotel might be a good idea.

Photogenic Memory

I guess if the settings aren't right; then it just plain doesn't work. In a way; this answers my questions. When it does work; then I can be confident that using the proxy through SSH will be protected. Thanks for reading and understanding my confusion. Have a good morning!

Photogenic Memory

Apologies for the vagueness. I'm having a hard time understanding what's going on behind the "protected" connection. If I implement such a config change in the browser and attempt my browsing through a selected proxy of my choice, I really want to know if it's working (protected). I think I'm confusing it with VPN terminology. But I don't think I'm far off the mark? My basic goal is to browse from a public network away from home (internet cafe, hotel, other) and not have my "specific" communications show up in their log files. So, if I understood the article correctly, I can input my home router WAN IP (after setting a rule to accept the connection to a LAN PC via ssh) as the proxy in the browser? I hope I'm correct. After that, my browsing should be secure (maybe a little slower)? It's kind of like a VPN without having a traditional server setup to authenticate it? Does what I write make sense?

JCitizen

you're an officer and a gentleman! And I hope you take that as a true compliment! :)

JCitizen

all the other background radiation out there (port knocking, that is).

Neon Samurai

I didn't see them mentioned in the linked article but I skimmed it pretty quickly. My setup has port 22 open on the router and redirecting to my workstation IP inside the network. The workstation firewall also has port 22 open with xinetd listening for connections to forward on to sshd. When I first opened the router's port 22 I got hammered. My log files were constantly getting entries and my lastb had long lists of brute-force user names (they had really crappy user name and password lists too).

Add in your /etc/hosts.deny:

All : All

Meaning for all services ("All :") deny connections from all sources (": ALL").

Add in your /etc/hosts.allow:

sshd : IP1 IP2 IP3
sshd : name1 name2 name3
sshd : .domain.net

Meaning for the ssh service ("sshd :") allow connections if the source exists in the list (": IP1 ..."). The three lines are respectively:
- allowed IP addresses, good for allowing machines within your network to connect with each other or a specific IP outside your network to connect.
- allow by name, provided your router or DNS resolves the source IP to the machine name. This is good if you have DHCP issue static IPs and names based on MAC or have names and IPs listed in your /etc/hosts.
- allow by full domain or any connection under the given domain. This is good if you regularly connect in from various places but know the ISP providing the service. Rogers' network covers a huge area but since it's a local company I can chase after any schmuck trying to brute-force in through port 22.

Check your /etc/xinetd.d/ folder scripts for the correct daemon name or any other daemons (services) xinetd/inetd works as a greeter for. Apotheon's recommendation is probably more than enough but every bit helps if hosts.* were not mentioned before.

Neon Samurai

I've only used OpenSSH on Windows as a client so you'll need to look at how you set up sshd as a service running as a server on port 22. The default install for my non-Windows systems adds sshd as a service automatically so for me it goes like this:
- install OpenSSH
- confirm settings in the sshd.conf file -> no root login, prefer protocol 2... some other non-defaults you don't need to worry about on a first look.
- open port 22 in my firewall
- on a remote machine: ssh user@domain -> so, ssh me@fish.com where my username is "me" and the machine I want to connect to is "fish.com".
- enter password and carry on through the terminal prompt and X forwarding as if I was physically at the remote machine.
I don't clearly remember the setup for tunneling but a search for "setup ssh tunnel" should give you the outline to modify for Windows, if not a Windows-specific howto. As mentioned, posting under "Questions" will also be more productive as the regulars tend to avoid detailed help threads in the "discussion" forums as a matter of etiquette. Hopefully some of my mutterings helps or one of the more knowledgeable helps you out under the questions.

JCitizen

of this page and you might get more timely help. Sorry I can't help you jeffrey296.

jeffrey296

Ok, act as if I'm a 10 yr old. I downloaded OpenSSH for Windows. I installed it. I tried going through the quick start and readme files, but there were some things I didn't understand, and some that just didn't seem to work. Can you basically go through the quick start file in plain old english? I'm confused on local vs. domain and why I make local/domain groups. Thanks in advance.

Jaqui

Get and install either Cygwin or MinGW, with gcc. Get the sources for OpenSSH and compile them for the Linux emulator you picked. [Or, you can pay through the nose for the commercial (proprietary) Windows Server-based SSH server.] Or, better yet, get rid of Windows and put Linux on your system. Or buy "gotomypc". With Windows, you either spend money or learn to use the free software from source code. The compile commands for OpenSSH:

./configure [insert any of the hundreds of options here]
make
make install

Then you run it: openssh

JCitizen

I couldn't remember the name for; but my brain is toast anyway, sorry I couldn't be more helpful! :p

Photogenic Memory

Thank you. T-Shark will do me justice! I like its output and I can redirect its output to a text file for review if need be. Thank you so much, man!

Photogenic Memory

Thanks for the quick replies! I gotta run to work. Have a good weekend!

apotheon

"I think I'm confusing it with VPN terminology. But I don't think I'm far off the mark?" No, you're not far off the mark. There's a lot of similarity between what goes on with most VPNs and the SSH SOCKS proxy being set up with PuTTY (or OpenSSH, as explained in the previous article). Your explanation of what you believe is happening in the second paragraph of your post is almost correct. I've tried explaining what's going on behind the scenes in a bit more detail at my private weblog, in an entry titled "what's really happening with an SSH SOCKS proxy" (http://sob.apotheon.org/?p=371). Hopefully that will help answer some of your questions.

apotheon

"Believe me your articles and advice are greatly appreciated!" I'm pleased to hear it. Appreciation is often the best motivation.

JCitizen

a newbie has to start somewhere and your suggestions look like as logical a path as any! As I say often, "beggars have no right to be choosy." I'm coming to this security mindset for the same reason as DanLM; after you get hit once, you learn to educate yourself and be very paranoid. What I've learned in school and on contract is good but is only the tip of the iceberg. Believe me your articles and advice are greatly appreciated!

apotheon

Slandering me with terms like "officer" will get you nowhere. Perhaps you meant "scholar". Feel free to take what I say with a grain of salt, particularly when I'm engaging in particularly egregious examples of OS favoritism. While it's true that FreeBSD or PC-BSD may solve some of those problems for you, to some degree, I obviously don't mean to say that using one or the other will magically make life a happy place filled with puppies and rainbows. I offer the sunshiny view to people like you only because I think I know you well enough to be able to tell the difference. . . . and most of the above disclaimer is actually directed toward other readers who may come across this line of discussion.

Neon Samurai

It basically came down to this; it's time to do a BSD install now to learn it for future server needs and because it's a potential host OS for my own system, well, until proven not. FreeBSD means the BSD user manual, a more home-workstation-centric setup, possibly the hardware support I need and that groovy little devil icon. ;) I don't flop between distributions for my primary OS, let alone between OSes, so I wouldn't be moving on a whim. As an OS geek, well, I gotta explore if it's there without licensing issues (booo Vista 400$ tax.. me want to explore, but.. ). If it turns out to be better than what I'm using for servers, it will be used for future servers. If it proves its technical merits over my preferred desktop OS, I benefit as the end user. I'm well aware of your justifiable bias and wouldn't take anything said by anyone without a grain of salt.

apotheon

My experience with OpenBSD and NetBSD is more limited than my experience with FreeBSD, to say nothing of the fact that there are some limitations to OpenBSD and NetBSD with regard to suitability for the average home user that balance out some of their benefits for the discerning Unix admin. Aside from one little bone I have to pick with the OpenBSD project over the way it handles licensing, however, I certainly have nothing against either NetBSD or OpenBSD. While I may point out some benefits of FreeBSD over Linux-based systems from time to time, nothing I say at this point about FreeBSD should be taken as endorsement of FreeBSD over NetBSD or OpenBSD unless I specifically say something about one of them. I just thought I'd clear that up, in case there was any question.

Neon Samurai

Of the BSDs, I chose FreeBSD over OpenBSD primarily due to your frequent mention of it in my short time frequenting the forums. Now if only I could get time away from my other after-hours contract and hobby work to play with the VM more. I can't see any software it wouldn't have that I use already other than ATI/nVidia drivers; I just haven't looked for those to confirm though.

apotheon

I'm a BSD Unix user (FreeBSD, specifically). You might have guessed already that I'm unlikely to argue with that statement.

apotheon

"I also hate to use a non-package install with a package based system unless there's no other way but that's just me keeping things clean." I'm the same way. That's one of the reasons I like FreeBSD so much, in fact:
1. FreeBSD stays very up-to-date with the software in ports.
2. FreeBSD ports tend to be very stable, in part because of the fact they can be installed from source so that all software can be installed by compiling it specifically for my own machine with no more effort than installing binary packages on Debian.
3. It's very easy creating a port of my own, so in the unlikely event I need an extra version of something (such as a different version of Python than what's in ports), I can install it alongside what's already there by creating my own port of it and letting the software management system handle it thereafter.

Neon Samurai

Yeah, going on and on about how to lock down a single protocol like ssh would be a long and fun discussion but, in another forum or time. I actually looked at denyhosts before the hosts files; sometimes I really learn things backwards but at least I learn them. The issue I had was that the denyhosts build I was looking at required the Python (or whichever language it was) one version behind what the rest of my system required and wouldn't work with the newer version. I think it's time I check back in with the project site and confirm if it's been updated. I also hate to use a non-package install with a package-based system unless there's no other way but that's just me keeping things clean.

DanLM

It allows for throttling on connections:

max-src-conn 5, max-src-conn-rate 5/6, overload flush global

http://www.bgnett.no/~peter/pf/en/bruteforce.html

"max-src-conn is the number of simultaneous connections you allow from one host. In this example, I've set it at 100, in your setup you may want a slightly higher or lower value." (for me, 5 connections top) "max-src-conn-rate is the rate of new connections allowed from any single host, here 15 connections per 5 seconds. Again, you are the one to judge what suits your setup." (my setup is 5 attempts in 6 seconds) "finally, flush global says that when a host reaches the limit, that host's connections will be terminated (flushed). The global part says that for good measure, this applies to connections which match other pass rules too." (bu bye num nuts)

Has a VERY nice effect of dealing with brute force attacks. I like it. I have the table of IPs (floodtable) at the top of my rules with block all, and I do not clear it out unless I know the IP. You notice my limits are low? Actually, my home machine is even lower... Who the hell would be trying to connect to my home machine but me? Dan

apotheon

Using hosts files is also good advice. Because the best manner of using them varies between some OSes, I didn't go into any detail in the mostly OS-nonspecific article to which I linked. I chose to keep it largely OS agnostic, instead. Another option is to use a tool called denyhosts, which is available on most free/libre/open source Unix-like operating systems, including FreeBSD, NetBSD, OpenBSD, and the majority of Linux distributions, as well as on some commercial UNIX systems. The denyhosts tool builds a blacklist by recognizing brute force attacks and building a list of the sources of those attacks, so that after the first few attempts that particular source is cut off. We could go on at great length about the possibilities for securing SSH against malicious security crackers. I basically chose to point out a minimum option and a far more secure, preferable option. The rest tends to fall somewhere between the two.