When I visit my daughter I take my laptop with me. I happen to have a BSD machine on an OC line that I can do this through next time I stay at a hotel. Da machine is mine, so nobody is going to get ticked off.... It also should be quicker than my home machine, no matter how happy I am with my ISP.
Thank you very much.
dan
I came into the discussion through the active forums list so I have to go read the article and most likely learn something new. Ignore my noise if I'm simply repeating what's already been said.
I've been using a local X desktop through SSH to a remote system since I first installed OpenSSH. When home, I can run any GUI program I may need on the remote server for administration beyond the CLI. Away from home, I can run any GUI program I may need on my own workstation at home. I've even used Firefox when I needed my bookmarks from home or Thunderbird when I needed to check my email. Since it all starts with an SSH terminal, it's safe and happy.
That's really X forwarding over SSH rather than tunneling I think, but they may well be the same thing.
In testing with ARP poisoning, my ssh wouldn't connect to the remote sshd. If the man in the middle comes on after I'm already connected, sorry sucker. (OK, I gotta do a little more testing to be sure, but certs instead of passwd should help that.)
It's made the network between my keyboard and my remote computer transparent. I hope it works as well for you also.
Another great howto Apotheon. Keep them coming. I look forward to many more.
"That's really X forwarding over SSH rather than tunneling I think, but they may well be the same thing."
X forwarding over SSH tunnels the X protocol through the SSH protocol. What we were discussing is proxying HTTP through a remote host, which also involves some tunneling (HTTP through SSH), plus forwarding requests from the far end of the "tunnel" -- and aside from the fact that an SSH tunnel is being used, is not the same thing as X forwarding at all.
With X forwarding, you're running your desktop applications as X clients on a remote system, connected to the X server on the local system. With a secure proxy, you're running the application as an X client on the local system, connected to the X server on the local system as well, but simply bouncing your HTTP requests through the remote proxy before they are sent off into the big bad Internet.
"Another great howto Apotheon. Keep them coming. I look forward to many more."
Thanks much. I intend to.
I realized that the setup was a local [any OS] reaching out to a remote *nix to proxy through SSH after I posted, but I figured it might be good information to leave in place. The real irony is that I just read a back issue article describing the very same tunnel-to-proxy-for-browser setup; luckily, I also got some sleep last night.
If one is not able to change the local browser's proxy settings, I've also seen setups using httpd/SSL to a webpage written as a browser. Your browser connects to your home webserver, which provides a form field and an include of whatever URL you place in the field.
hi,
I have a question here. Assume that I am using a proxy. I heard that if I visit a website that uses an HTTPS web page, or a website using Java, then the webmaster can track my real IP. If I use your method above, can the webmaster also track my real IP?
Thanks,
Rex
If I am ever in the position to use public wi-fi, I'll remember this. Great article, once again. Some very good comments as well.
Good discussion is one of the more enjoyable rewards of writing an article people liked. It's good to see people discussing the possibilities they find in a technique I've described, and the alternatives to it they can offer.
I'm glad you liked the article.
If not, I'll delete the post if you say it should be on topic.
Question:
I just set up a user authentication certificate for myself in my Webmin... Now, in that Webmin uses its own miniserver... I can't lock it down to just a certificate-authorized login only... But one thing that jumped right out and bit me was:
**** The certificate is imported into your browser... Anyone who has access to your browser now has authentication into a secure web site... This seems like a security hole to me... A big one.
Now, how I dealt with this. Lol, I have 5 browsers I can use on my desktop: Opera, Firefox 3 beta 4, IE6, and IE7. On my thumb drive, I have FF 2 via the U3 technology. I imported this certificate into my thumb drive, which requires password authentication to use... But... No offense... Not everyone would go to that much trouble... Where is the security gain here with client-side certificates? If it's a home machine, multiple people would most likely use that machine.
[edited to add:] now that I think about this. Public/private keys for ssh have the same problem if they are stored physically on the machine.
Dan
Using key-based authentication provides an improvement in network security over password-based authentication, but there's a corresponding reduction in security of secure resources from the physical access side of things. If someone has access to your authentication key (certificate, whatever), that person has you, basically.
The same goes for passwords stored in your browser for easier browsing, and other (similar) conveniences, too. Do you ever tell your browser to save a password you've entered into a website? Do others have access to that browser? If so, you've just done basically the same thing as installing an authentication certificate or authentication key that can be used by anyone on the system.
Good thinking, realizing this about key/certificate based authentication -- and securing yourself against the problems that might introduce. Now, if only everyone thought about the security implications of what they were doing. . . .
I've screwed up and accidentally said yes a few times, but I clear them out... No thanks...
I know that what I have access to is not national security or anything... But I have had my BSD machine brute forced before and all my music wiped out... That is why I have become so preoccupied with security and what I can do to protect myself.
Dan
This is a great article on setting this up, as I have XP and use putty/firefox on my laptop frequently for work, and my home PC is running Ubuntu. My only question is if there are any security risks involved with opening up your PC/Router to outside SSH access? Also, does this reduce your bandwidth significantly? Going overseas next week, this'll add a little extra peace of mind.
At a bare minimum, you should take steps to secure SSH against brute-force password cracking. In addition to that, you should consider using key-based SSH authentication only, and disallow password-based authentication. With such measures in place, you should be secure enough.
Of course, the best option would be to use a system that doesn't contain any sensitive data at all as your proxy, and exists in a DMZ on your secured network, though I know this is not usually practical for home networks. You should be "secure enough" with key-based authentication and a nonstandard port.
If you wanted to get really advanced with your security, you could look into additional security options like port knocking.
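The advice above (password authentication off, key-based login only, a nonstandard port) is easy to state and easy to get subtly wrong, because sshd keeps the first value it sees for a keyword and silently ignores later ones. The following is an added example, not code from the thread or from OpenSSH: a small audit that parses an sshd_config the way sshd reads it and lists the weak settings discussed here. The two config texts are constructed samples; the thresholds for what counts as "weak" are this example's own, and everything after a Match header is skipped as a simplification.

```python
import re

# Constructed samples, not from the thread. The first is what a stock-looking
# sshd_config has for the purposes of this check; the second is the
# "key-based auth only, nonstandard port" shape recommended above.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes   # ignored: sshd keeps the FIRST value of a keyword
"""

# sshd defaults used when a keyword is absent. PermitRootLogin's default
# changed between OpenSSH releases (yes, later prohibit-password), so it is
# treated as "must be set explicitly".
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": None,
}

# keyword, optional '=', value  (sshd accepts "Key value" and "Key=value")
_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} the way sshd reads it: comments stripped,
    keywords case-insensitive, first occurrence wins. Everything after a
    Match header is skipped (those values only apply to matching
    connections), which is a simplification of the real parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value.lower())
    return settings


def audit_sshd_config(text):
    """List the weak settings the thread warns about; an empty list is clean."""
    cfg = parse_sshd_config(text)
    findings = []

    def effective(key):
        return cfg.get(key, DEFAULTS[key])

    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password brute forcing still possible")
    if effective("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': keyboard-interactive still takes passwords")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login will not work")
    root = effective("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set explicitly: default depends on OpenSSH version")
    elif root not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root password login")
    if effective("port") == "22":
        findings.append("Port 22: a nonstandard port cuts scanner noise (not a substitute for the above)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

The last line of the hardened sample is the trap the audit is built around: a later `PasswordAuthentication yes` does not re-enable passwords, and an audit that took the last value would report the wrong thing. Point the script at your real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` and restart sshd only after it comes back empty.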
I didn't see them mentioned in the linked article but I skimmed it pretty quick.
My setup has port 22 open on the router and redirecting to my workstation IP inside the network. The workstation firewall also has port 22 open, with xinetd listening for connections to forward on to sshd.
When I first opened the router's port 22 I got hammered. My log files were constantly getting entries and my lastb had long lists of brute force user names (they had really crappy user name and password lists too).
Add in your /etc/hosts.deny
All : All
Meaning for all services "All :" deny connections from all sources ": ALL".
Add in your /etc/hosts.allow
sshd : IP1 IP2 IP3
sshd : name1 name2 name3
sshd : .domain.net
Meaning for the ssh service "sshd :" allow connections if the source exists in the list ": IP1 ...". The three lines are respectively:
- allowed IP addresses: good for allowing machines within your network to connect with each other, or specific IPs outside your network to connect.
- allow by name, provided your router or DNS resolves the source IP to the machine name. This is good if your DHCP issues static IPs and names based on MAC, or you have names and IPs listed in your /etc/hosts.
- allow by full domain, or any connection under the given domain. This is good if you regularly connect in from various places but know the ISP providing the service. Rogers' network covers a huge area, but since it's a local company I can chase after any schmuck trying to brute force in through port 22.
Check your /etc/xinetd.d/ folder scripts for the correct daemon name, or any other daemons (services) xinetd/inetd works as a greeter for.
Apotheon's recommendation is probably more than enough, but every bit helps if hosts.* were not mentioned before.
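The hosts.allow / hosts.deny rules above are easy to misread, in particular the order in which the two files are consulted and the fact that the name forms only work when reverse DNS resolves the source. The following is an added example, not the poster's configuration and not tcp_wrappers itself: a simplified evaluator for the subset of the syntax used in the post (ALL, literal IPv4 addresses, host names, leading-dot domain suffixes) that applies the real decision order. The two file texts, addresses and host names are constructed.

```python
# Constructed sample files, not the poster's. Addresses are RFC 5737
# documentation ranges; names are hypothetical.
HOSTS_ALLOW = """\
sshd : 192.0.2.10 192.0.2.11
sshd : laptop.lan
sshd : .example.net
"""

HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into ([daemons], [clients]).
    Only the two-field form used in the post is handled; tcp_wrappers also
    accepts an optional shell-command field, EXCEPT operators and further
    wildcards, which this toy parser does not."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, ip, hostname):
    """One client pattern against one connection. The name forms can only
    match when the caller supplies the reverse-resolved host name, which is
    the "provided your router or DNS resolves the source IP" caveat."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):                       # domain suffix, e.g. .example.net
        return hostname is not None and hostname.lower().endswith(p)
    if p == ip:                                 # literal IPv4 address
        return True
    return hostname is not None and hostname.lower() == p   # exact host name


def rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    daemon_ok = any(d.lower() in ("all", daemon.lower()) for d in daemons)
    return daemon_ok and any(client_matches(c, ip, hostname) for c in clients)


def access_decision(daemon, ip, hostname=None,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: the first match in hosts.allow grants access, then
    the first match in hosts.deny refuses it, otherwise access is granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, hostname):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, hostname):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for args in (("sshd", "192.0.2.10"), ("sshd", "198.51.100.7"),
                 ("sshd", "198.51.100.7", "roaming.example.net"),
                 ("ftpd", "192.0.2.10")):
        print(args, "->", access_decision(*args))
```

Two things the evaluator makes visible: without the `ALL : ALL` line in hosts.deny nothing is ever refused, because the fall-through is "allow"; and a source whose reverse lookup fails (hostname `None`) can only get in through an address entry, so the `.domain.net` line is only as reliable as your ISP's reverse DNS. Real tcp_wrappers additionally cross-checks the forward lookup of the resolved name against the connecting address, which this toy omits.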
Using hosts files is also good advice. Because the best manner of using them varies between some OSes, I didn't go into any detail in the mostly OS-nonspecific article to which I linked. I chose to keep it largely OS agnostic, instead.
Another option is to use a tool called denyhosts, which is available on most free/libre/open source Unix-like operating systems, including FreeBSD, NetBSD, OpenBSD, and the majority of Linux distributions, as well as on some commercial UNIX systems. The denyhosts tool builds a blacklist by recognizing brute force attacks and building a list of the sources of those attacks, so that after the first few attempts that particular source is cut off.
We could go on at great length about the possibilities for securing SSH against malicious security crackers. I basically chose to point out a minimum option and a far more secure, preferable option. The rest tends to fall somewhere between the two.
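What denyhosts does is mechanical: read the sshd failures out of the auth log, count them per source address, and once a source crosses a threshold write a `sshd: <address>` line into /etc/hosts.deny so tcp_wrappers cuts it off. The following is an added example, not the denyhosts code: the same detection logic run over a handful of constructed sshd log lines. The thresholds (separate ones for nonexistent accounts, real accounts and root) are this example's own numbers, not denyhosts defaults, and the log sample is made up using RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in syslog format (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 home sshd[5120]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 02:14:03 home sshd[5122]: Failed password for invalid user oracle from 203.0.113.5 port 40131 ssh2
Mar  3 02:14:05 home sshd[5124]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar  3 02:14:06 home sshd[5126]: Invalid user test from 203.0.113.5
Mar  3 02:14:08 home sshd[5126]: Failed password for invalid user test from 203.0.113.5 port 40152 ssh2
Mar  3 02:16:41 home sshd[5133]: Failed password for dan from 192.0.2.10 port 51022 ssh2
Mar  3 02:16:50 home sshd[5135]: Accepted publickey for dan from 192.0.2.10 port 51030 ssh2
Mar  3 02:20:12 home sshd[5140]: Failed password for invalid user guest from 198.51.100.23 port 3321 ssh2
Mar  3 02:20:15 home sshd[5142]: Failed password for invalid user guest from 198.51.100.23 port 3325 ssh2
"""

# Per-source thresholds chosen for this example (not denyhosts defaults).
# Guessing at accounts that do not exist is a stronger signal than a typo
# on a real account, and a root password attempt is never legitimate once
# key-only login is in place.
THRESHOLD_INVALID = 3
THRESHOLD_VALID = 10
THRESHOLD_ROOT = 1

_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_failures(log_text):
    """Yield (ip, user, is_invalid_user) for each failed-password line.
    Bare 'Invalid user X from IP' lines are not counted on their own: sshd
    also logs 'Failed password for invalid user X' for the same attempt."""
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if m:
            yield m.group(3), m.group(2), m.group(1) is not None


def tally(log_text):
    """ip -> Counter of failures by category: 'root', 'invalid', 'valid'."""
    counts = defaultdict(Counter)
    for ip, user, invalid in parse_failures(log_text):
        category = "root" if user == "root" else ("invalid" if invalid else "valid")
        counts[ip][category] += 1
    return counts


def blocklist(log_text):
    """Sources that crossed any threshold; these get written to hosts.deny."""
    blocked = set()
    for ip, c in tally(log_text).items():
        if (c["root"] >= THRESHOLD_ROOT or c["invalid"] >= THRESHOLD_INVALID
                or c["valid"] >= THRESHOLD_VALID):
            blocked.add(ip)
    return blocked


def hosts_deny_lines(blocked):
    """The hosts.deny form denyhosts writes: one 'sshd: ip' line per source."""
    return ["sshd: %s" % ip for ip in sorted(blocked)]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(blocklist(SAMPLE_AUTH_LOG))))
```

On the sample, 203.0.113.5 trips both the invalid-account and the root thresholds and is the only source listed; 198.51.100.23 has two guesses and stays under the line, and the one mistyped password from 192.0.2.10 (followed by a successful key login) is not treated as an attack. In a real deployment the output would be appended to /etc/hosts.deny, which is exactly why it pays to have the `ALL : ALL` default-deny and a trusted-address allow list from the earlier post in place first: the denylist then only ever removes access that the allowlist did not already grant.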
Yeah, going on and on about how to lock down a single protocol like ssh would be a long and fun discussion but, in another forum or time.
I actually looked at denyhosts before the host files; sometimes I really learn things backwards but at least I learn them.
The issue I had was that the denyhosts build I was looking at required the Python (or whichever language it was) one version behind what the rest of my system required and wouldn't work with the newer version. I think it's time I check back in with the project site and confirm if it's been updated.
I also hate to use a non-package install with a package based system unless there's no other way but that's just me keeping things clean.
"I also hate to use a non-package install with a package based system unless there's no other way but that's just me keeping things clean."
I'm the same way. That's one of the reasons I like FreeBSD so much, in fact:
1. FreeBSD stays very up-to-date with the software in ports.
2. FreeBSD ports tend to be very stable, in part because of the fact they can be installed from source so that all software can be installed by compiling it specifically for my own machine with no more effort than installing binary packages on Debian.
3. It's very easy to create a port of my own, so in the unlikely event I need an extra version of something (such as a different version of Python than what's in ports), I can install it alongside what's already there by creating my own port of it and letting the software management system handle it thereafter.
It allows for throttling on connections..
max-src-conn 5, max-src-conn-rate 5/6, overload <floodtable> flush global
http://www.bgnett.no/~peter/pf/en/bruteforce.html
"max-src-conn is the number of simultaneous connections you allow from one host. In this example, I've set it at 100, in your setup you may want a slightly higher or lower value." For me, 5 connections tops.
"max-src-conn-rate is the rate of new connections allowed from any single host, here 15 connections per 5 seconds. Again, you are the one to judge what suits your setup." My setup is 5 attempts in 6 seconds.
"finally, flush global says that when a host reaches the limit, that host's connections will be terminated (flushed). The global part says that for good measure, this applies to connections which match other pass rules too." Bu-bye, numnuts.
Has a VERY nice effect in dealing with brute force attacks. I like it. I have the table of IPs, floodtable, at the top of my rules with block all, and I do not clear it out unless I know the IP. You notice my limits are low? Actually, my home machine is even lower... Who the hell would be trying to connect to my home machine but me?
Dan
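Dan's post gives the state-tracking options and the name of his table but not the rules around them, and the options only make sense in context: the table has to be declared, it has to be blocked before the SSH pass rule, and the overload clause has to name it. The following is an added pf.conf fragment, not Dan's ruleset and not the one from the linked page; the interface name em0 is assumed, the table name floodtable is taken from his post, and the limits are the ones he quotes.

```pf
# Added example pf.conf fragment (assumed interface name; table name and
# limits as described in the post above).
ext_if = "em0"
ssh_port = "22"

# 'persist' keeps the table around even when no rule currently references
# it, so entries survive a ruleset reload.
table <floodtable> persist

# Default deny, then drop known offenders before anything else is evaluated.
block all
block in quick on $ext_if from <floodtable>

# Allow SSH, but limit each source to 5 simultaneous connections and 5 new
# connections per 6 seconds. A source that exceeds either limit is added to
# <floodtable> and every state it holds is flushed, including states created
# by other pass rules (the 'global' part).
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/6, overload <floodtable> flush global)
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then without `-n`. The table is inspected with `pfctl -t floodtable -T show` and a single address is released with `pfctl -t floodtable -T delete <address>`, which is the manual step Dan describes doing only for addresses he recognises. The caveat his low limits imply: a legitimate client behind NAT, or an automated job that opens several sessions at once, counts as one source and can land in the table too, so set the limits against your own worst-case usage rather than at the minimum.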
I'm a BSD Unix user (FreeBSD, specifically). You might have guessed already that I'm unlikely to argue with that statement.
Of the BSDs, I chose FreeBSD over OpenBSD primarily due to your frequent mention of it in my short time frequenting the forums.
Now if only I could get time away from my other after hours contract and hobby work to play with the VM more. I can't see any software it wouldn't have that I use already, other than ATI/nVidia drivers; I just haven't looked for those to confirm though.
My experience with OpenBSD and NetBSD is more limited than my experience with FreeBSD, to say nothing of the fact that there are some limitations to OpenBSD and NetBSD with regard to suitability for the average home user that balance out some of their benefits for the discerning Unix admin. Aside from one little bone I have to pick with the OpenBSD project over the way it handles licensing, however, I certainly have nothing against either NetBSD or OpenBSD.
While I may point out some benefits of FreeBSD over Linux-based systems from time to time, nothing I say at this point about FreeBSD should be taken as endorsement of FreeBSD over NetBSD or OpenBSD unless I specifically say something about one of them.
I just thought I'd clear that up, in case there was any question.
It basically came down to this; it's time to do a BSD install now to learn it for future server needs and because it's a potential host OS for my own system, well, until proven not.
FreeBSD means the BSD user manual, a more home workstation centric setup, possibly the hardware support I need and that groovy little devil icon.
I don't flop between distributions for my primary OS, let alone between OSes, so I wouldn't be moving on a whim. As an OS geek, well, I gotta explore if it's there without licensing issues (booo Vista $400 tax.. me want to explore, but..). If it turns out to be better than what I'm using for servers, it will be used for future servers. If it proves its technical merits over my preferred desktop OS, I benefit as the end user.
I'm well aware of your justifiable bias and wouldn't take anything said by anyone without a grain of salt.
all the other background radiation out there (port knocking, that is).
Thanks for the replies. I have an old box sitting at home I've been meaning to set up as a server for a while, I just never got around to it. Most of the servers I work with are firewalled and already set-up, I just do a little maintenance and db/programming work. I think I'll just wait for the other comp to be set up first, then add in a little security. Bookmarked.
If I wanted to do this using SSH on the Linux command line, what would the SSH command look like?
I covered that in the previous article mentioned in this article. Read that for information on how to set this up from a Unix or Linux system.
On my FreeBSD laptop, I set an alias in my .login file so to start the proxy service all I have to do is enter the command "proxy". Then I configure Firefox to use the proxy, and I'm done. Again, see the previous article for more details.
edit: typo
1) Read this and the previous article
2) Read a Linux for Dummies book.(purchase it)
3) Probably one of those TR how to manuals(and buy it)
4) Fire up my old Server 2000 and review how to be a server admin again. 2003 was easy but I never owned it.
5) I'm probably toast. Never mind I'll be alright!
(edit) The router part will probably be easy compared to the interior software firewall.
Y'know . . . FreeBSD and PC-BSD (depending on your taste) might solve some of those problems for you.
The FreeBSD Handbook is available online and on your computer if you install FreeBSD (or, presumably, PC-BSD as well). It's better than any Linux For Dummies book -- and you don't have to buy it.
The pf firewall may not do the whole "just works" thing the way ZoneAlarm does, but it does the "works well, and the way you want it to" thing much better. I could even help you out with that.
FreeBSD (or PC-BSD) can help you solve several of your listed problems.
you're an officer and a gentleman!
And I hope you take that as a true compliment!
Slandering me with terms like "officer" will get you nowhere. Perhaps you meant "scholar".
Feel free to take what I say with a grain of salt, particularly when I'm engaging in particularly egregious examples of OS favoritism. While it's true that FreeBSD or PC-BSD may solve some of those problems for you, to some degree, I obviously don't mean to say that using one or the other will magically make life a happy place filled with puppies and rainbows. I offer the sunshiny view to people like you only because I think I know you well enough to be able to tell the difference.
. . . and most of the above disclaimer is actually directed toward other readers who may come across this line of discussion.
A newbie has to start somewhere, and your suggestions look like as logical a path as any!
As I say often, "beggars have no right to be choosy."
I'm coming to this security mindset for the same reason as DanLM; after you get hit once, you learn to educate yourself and be very paranoid.
What I've learned in school and on contract is good but is only the tip of the iceberg.
Believe me your articles and advice are greatly appreciated!
"Believe me your articles and advice are greatly appreciated!"
I'm pleased to hear it. Appreciation is often the best motivation.
I'm sorry for the n00b question. However, how do you test to see if the tunnel is actually working (other than getting web access)? What commands do you use? Does the persistent connection show up in log files? Can someone please update me with answers?
What problem does testing the proxy connection (outside of using it) solve? If I know what you're trying to accomplish, maybe I can help you figure out how to do that -- but I don't really see the value of testing the proxy connection by some means other than using it and seeing if you can access the web.
You could try using some other application with the proxy, I suppose. Pidgin (the IM client) provides simple GUI configuration for proxy access, too, for instance. If you can use IMs with Pidgin configured to use the proxy, that too would provide some evidence that it's working.
Off the top of my head, a possible means of testing other than just using the proxy for some application and seeing if it works would be to set up the proxy, configure your web browser to use it, open a web page on a server you control, then check the logs on that server to see where the request originated. If it originated from the proxy system, you know it's proxying correctly. On the other hand, if you configure the browser to use a proxy and it fails to connect to the proxy, you won't be able to reach a web page on any server at all -- so you'll know it isn't working a lot sooner than when you check the web server logs.
Apologies for the vagueness. I'm having a hard time understanding what's going on behind the "protected" connection. If I implement such a config change in the browser and attempt my browsing through a selected proxy of my choice, I really want to know if it's working (protected). I think I'm confusing it with VPN terminology. But I don't think I'm far off the mark?
My basic goal is to browse from a public network away from home (internet cafe, hotel, other) and not have my "specific" communications show up in their log files. So, if I understood the article correctly, I can input my home router WAN IP (after setting a rule to accept the connection to a LAN PC via SSH) as the proxy in the browser? I hope I'm correct. After that, my browsing should be secure (maybe a little slower)? It's kind of like a VPN without having a traditional server setup to authenticate it? Does what I write make sense?
"I think I'm confusing it with VPN terminology. But I don't think I'm far off the mark?"
No, you're not far off the mark. There's a lot of similarity between what goes on with most VPNs and the SSH SOCKS proxy being set up with PuTTY (or OpenSSH, as explained in the previous article).
Your explanation of what you believe is happening in the second paragraph of your post is almost correct. I've tried explaining what's going on behind the scenes in a bit more detail at my private weblog, in an entry titled what's really happening with an SSH SOCKS proxy. Hopefully that will help answer some of your questions.
evaluation tools would tell you if your setup is working. However, in my limited experience, if it isn't working the tunnel "collapses" and you don't get any access, so it should be a do-or-die situation there.
Perhaps you're more worried about endpoint security?
I guess if the settings aren't right, then it just plain doesn't work. In a way, this answers my questions. When it does work, then I can be confident that using the proxy through SSH will be protected. Thanks for reading and understanding my confusion. Have a good morning!
You could download a free packet sniffer like Ethereal and monitor all traffic going to the forward port 8080 and to your proxy over port 22. You don't have to set up your SSH on port 22. You could set it up on port 80, but some SPI firewalls might block your proxy.
This is a free solution, but it's not easy. The easy solution is to set up an SSL VPN using your Cisco router. Your users don't have to reconfigure their web browser proxy or install PuTTY. All they have to do is type https://router_ip_address in their browser; then they connect back to your home network via SSL VPN and can surf the web through your network.
However, why would you want to let your remote users establish a VPN, via SSH/SSL/IPSEC, simply to siphon off your bandwidth for web surfing? You might want that bandwidth for VoIP or video conferencing. I guess it's that delicate balance between security and convenience.
"Why would you want to let your remote users establish a VPN, via SSH/SSL/IPSEC simply to siphon off your bandwidth for web surfing?"
If your users have mobile systems (like laptops) that must remain secure while on business trips, keeping them from spraying sensitive data all over an open wireless network at a hotel might be a good idea.
Wireshark/Tshark is the latest 'replacement' for Ethereal. The first way I'd test is to run Wireshark on the 'client' machine that's opening the tunnel(s) to the server. If you look at the packets coming through, they should be 'scrambled.' Or at least when you compare browsing the web through the tunnel vs. browsing the web without using the tunnel, you'll see that the packets collected from browsing w/o the tunnel are in clear text.
Another issue is that of DNS lookups - DNS lookups will still be made unencrypted, so it's possible that anyone could see where you're browsing. Encrypting DNS lookups can be achieved by forwarding the requests through the proxy by using tools like "FoxyProxy" in Firefox or forcing SOCKS to do the DNS lookup.
You could also sniff packets with Wireshark on the server end to see what the traffic looks like.
Currently I connect to my SSL VPN (SSL Explorer) via a dyndns website and launch the agent to establish a secure tunnel for SSH. I then open another Putty SSH tunnel and forward the traffic to my Squid proxy. So 'effectively' a tunnel within another tunnel. I guess it's a little extreme but ehhh...
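What "forcing SOCKS to do the DNS lookup" means on the wire, as an added example rather than code from this thread: the browser's SOCKS5 CONNECT request to the local listener that `ssh -D` or PuTTY's dynamic forward opens can carry either the hostname (the far end of the tunnel resolves it) or an IPv4 address the client already resolved locally, which is the clear-text DNS leak described above. The wire format follows RFC 1928; the hostnames, addresses and ports are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# SOCKS5 constants from RFC 1928. The ssh -D / PuTTY dynamic-forward listener speaks
# this protocol towards the browser and carries the CONNECT through the SSH session.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
GREETING_NO_AUTH = b"\x05\x01\x00"  # client offers only "no authentication"

def connect_request(dest, port, remote_dns=True):
    """Build the SOCKS5 CONNECT request for dest:port.

    remote_dns=True sends the hostname itself (ATYP 0x03): the SSH server end of
    the tunnel resolves it, so the local network sees only the encrypted session.
    remote_dns=False mimics a client that resolved the name locally and sends the
    IPv4 literal (ATYP 0x01); the DNS query already left the machine in the clear.
    """
    head = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00)
    if remote_dns:
        name = dest.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    else:
        # Caller must already hold the IPv4 literal: that lookup is the leak.
        addr = struct.pack("!B", ATYP_IPV4) + IPv4Address(dest).packed
    return head + addr + struct.pack("!H", port)

def leaks_dns(request):
    """True if the request carries a pre-resolved IPv4 address instead of a name."""
    if len(request) < 4 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    return request[3] == ATYP_IPV4

def parse_reply(reply):
    """Decode the listener's reply as (REP code, bound address, bound port); REP 0 is success."""
    ver, rep, _, atyp = struct.unpack("!BBBB", reply[:4])
    if ver != SOCKS_VERSION or atyp != ATYP_IPV4:
        raise ValueError("unexpected reply format")
    host = str(IPv4Address(reply[4:8]))
    (port,) = struct.unpack("!H", reply[8:10])
    return rep, host, port
```

A client that sends the ATYP 0x03 form is doing what Firefox's SOCKS remote-DNS setting and curl's `--socks5-hostname` option do; a sniffer on the client side then shows no DNS query for the site being visited.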
Thank you. T-Shark will do me justice! I like its output and I can redirect its output to a text file for review if need be. Thank you so much, man!
I couldn't remember the name for it, but my brain is toast anyway; sorry I couldn't be more helpful!
make a difference? If the machine I am pointing at on my home network is a Windows box, will this still work?
When I open the SSH connection in PuTTY, I get no prompt for logon or anything.
A lot easier, to do the same and more, is to use BarracudaDrive. All non-techies can use it; you have full access via SSL to all your files at home and are also able to proxy-surf via an SSL tunnel and more (not all corporate firewalls allow SSH, so SSL makes it easier). I have used it since BD has existed. See here: http://barracudaserver.com/examples/BarracudaDrive/index.html
//Wolfgang
Is it possible to use PuTTY to host an OpenSSH on a Windows computer in the same manner you would with Linux? I basically want to be able to use a laptop to proxy to my home network (hopefully just using tools->options in the web browser). I know someone who does this with a Linux computer at home, but all I have is a Windows computer.
is a client application, not a server application.
You can get and build OpenSSH in a Cygwin environment, which is a limited Linux command line on Windows. That would enable you to use PuTTY to connect to the system with OpenSSH on it.