
OneAndOneIs2


Wed, Apr 25, 2007

Secure web access through firewalls with Portable Apps

• Post categories: Omni, FOSS, Technology, Helpful

If you have to use Windows from various locations/computers, and are frustrated by firewalls or worried about who might be snooping on your browsing, this guide is for you.

This guide was written with Portable Apps in mind, and assumes that the remote machine you will be using is an always-on Linux PC. You can, however, use the non-portable versions of the software and adjust the instructions for other operating system combinations with very little difficulty.

To begin with, on your home computer, you need SSH. If you are connected to the web via a router, you can use SSH with its default configuration. Otherwise, if your PC can be directly accessed from the web, you must edit the configuration file /etc/ssh/sshd_config and change the port number from 22 to 443.

If you have a router, you must set it to forward incoming traffic on its port 443 to your PC's port 22. On my router, this looks like this:

[Image]

(10.0.0.3 is my home PC's address on the LAN.)

The reason we change the default SSH port is that some firewalls only allow web traffic through: they block connections to port 22. To get around this, we set SSH to listen instead on port 443, the port normally used by secure web pages (the https:// addresses with the locked-padlock icon). It simply gives us a better chance of being able to connect no matter where we are.

That should be pretty much all the configuration on your home PC done. The only other thing you need to know is your home machine's IP address. It helps if you have a static IP address here, but it's not vital: Just check the IP every time you reconnect.
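As an added check (example code, not from the original post): before relying on the setup from elsewhere, confirm from outside your LAN that your public IP answers on port 443 with an SSH identification string rather than an HTTPS response or nothing at all. A wrong answer here points at the Port setting or the router's forwarding rule. The host and port are arguments you supply; the default address is a placeholder.

```python
import socket

def parse_ssh_banner(data):
    """Return the SSH identification string from a server's first bytes, or None.

    RFC 4253: the server announces itself with "SSH-protoversion-software",
    CR LF terminated, and may send other lines before it. An HTTP response or
    a TLS alert on port 443 means sshd is not the service answering there.
    """
    for line in data.replace(b"\r\n", b"\n").split(b"\n"):
        if line.startswith(b"SSH-"):
            parts = line.split(b"-", 2)
            if len(parts) == 3 and parts[1] in (b"1.99", b"2.0"):
                return line.decode("ascii", errors="replace")
            return None
    return None

def check_ssh_on_port(host, port=443, timeout=5.0):
    """Connect to host:port and report (ok, detail) on whether sshd answers.

    Run this from outside your LAN against your public IP after changing the
    Port setting or adding the router's 443 -> 22 forwarding rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = parse_ssh_banner(sock.recv(256))
    except OSError as exc:  # refused, filtered, or timed out
        return False, f"no connection to {host}:{port}: {exc}"
    if banner is None:
        return False, f"{host}:{port} is open but is not speaking SSH"
    return True, banner

if __name__ == "__main__":
    import sys
    # Usage: python check_ssh443.py <your-public-ip> [port]; placeholder default.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = check_ssh_on_port(target, port)
    print(("OK: " if ok else "PROBLEM: ") + detail)
```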

Now let's switch to a Windows PC and install our Portable Apps. Go to the Portable Apps web page and download the portable version of Putty, plus Firefox, Thunderbird, Gaim, and/or any other packages you may want. Install them onto your USB stick.

Now run putty.

[Image]

In the "Host name" field, put your home IP address, and change the port from 22 to 443:

[Image]

Now in the Connection - SSH - Tunnels window, enter a port number such as 5678, check "Dynamic" and "Auto", then click "Add".

[Image]

You should get the port number, prefixed with a "D", in the forwarded ports box:

[Image]

That's all. Go back to the Session window, enter a "Saved sessions" name and click "Save".

This, when run, will give you a secure tunnel home if you have a direct web connection. If, however, you are behind a proxy server, you need to let Putty know about that.

Internet Explorer will usually be configured with the correct proxy settings, so find them there: Tools - Internet Options - Connections - LAN Settings, and see what's in the "Proxy server" field. Copy these settings into Putty's Connection - Proxy window as an HTTP proxy. If a username and password are needed, enter those too. Then return to the Session window, enter a different name for the proxy-using settings, and click Save again.

Now double-click the appropriate saved session, and Putty will open an SSH connection to your home PC. It should look just like a normal shell, such as you'd see in any xterm window.

Now start up the portable Firefox. Tools - Options - Advanced - Network - Settings. Check the "Manual proxy configuration" radio button. Leave all fields blank, except for the "Socks host" entry. Set this to "localhost" and set the port to whatever you told Putty to use - in the above examples, 5678.

"Okay" everything, and now in the Firefox address bar, enter "about:config" and press "Return".

In the "Filter" box, type network.proxy.socks, right-click on the "network.proxy.socks_remote_dns" option, and select "Toggle" to make this entry "True".

[Image]

Firefox should now be set up to use the tunnel set up by Putty: if you have web access at this point, you have succeeded. The process for setting up Thunderbird is much the same, only the "about:config" screen is accessed through Tools - Options - Advanced - General - Config editor. Other than that, the same settings apply.
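What the socks_remote_dns toggle changes on the wire, as an added example (not code from the original post): with it on, Firefox hands the hostname itself to Putty's SOCKS5 listener (address type 0x03) and the home machine does the DNS lookup; with it off, the local PC resolves the name first and sends only the IP (address type 0x01), so the local network's resolver still sees every site name even though the page contents are tunnelled. The functions build and parse SOCKS5 messages as specified in RFC 1928; port 5678 is the one from the guide, and the target host in the usage is an example value.

```python
import socket
import struct

# SOCKS5 (RFC 1928) constants; Putty's "D5678" dynamic forward speaks this protocol.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

def socks5_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])

def socks5_connect_request(host, port, remote_dns=True):
    """Build the CONNECT request for host:port.

    remote_dns=True mirrors socks_remote_dns = true: the name goes verbatim
    (ATYP 0x03) and is resolved at the SSH server end. remote_dns=False resolves
    locally first (ATYP 0x01): that DNS query leaves the local PC outside the tunnel.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = socket.gethostbyname(host)  # local lookup: this is the leak
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_socks5_reply(data):
    """Return (success, reply_code) from the server's CONNECT reply; 0x00 = granted."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1] == 0x00, data[1]

def tunnel_connect(host, port, socks_host="localhost", socks_port=5678):
    """Open a TCP stream to host:port through the local dynamic forward, remote DNS."""
    sock = socket.create_connection((socks_host, socks_port), timeout=10)
    sock.sendall(socks5_greeting())
    if sock.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        sock.close()
        raise ConnectionError("SOCKS5 listener refused the no-auth method")
    sock.sendall(socks5_connect_request(host, port, remote_dns=True))
    ok, code = parse_socks5_reply(sock.recv(10))  # VER REP RSV ATYP ADDR(4) PORT(2)
    if not ok:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT to {host}:{port} failed, code {code}")
    return sock
```

With Putty running, `tunnel_connect("example.com", 443)` returns a socket whose traffic, name lookup included, goes out from the home PC; the two request encodings are the whole difference the about:config toggle makes.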

To make "Gaim" work, go into "Preferences". In the "Networking" tab, configure it to use a SOCKS5 proxy, with the usual localhost and port number settings.

[Image]

Gaim should now connect just fine.

Because all your web traffic now runs through the SSH connection, it is safe from local snooping: all the web surfing is actually done by your home PC and relayed through the encrypted connection to the PC in front of you. Even the proxy server you reach the web through cannot see what you are doing, or which port you are using, as long as the Putty connection is maintained.


8 comments

sinn3r
Comment from: sinn3r [Member] Email · http://sinn3r.org/
Very nice :)

Now I go and try it here in my local network. If it works, school is not secure any more :D
25/04/07 @ 18:31
Alison
Comment from: Alison [Visitor] Email · http://www.creativehedgehog.com
mwahahahah..

nice tute, thanks. Now I need an always on Linux box. hmm.
26/04/07 @ 10:50
oneandoneis2
Comment from: oneandoneis2 [Member] · http://geekblog.oneandoneis2.org/
An always-on Mac would work just as well. OpenSSH runs on everything [Smiley]

It's dead handy being able to set up this SOCKS connection. Software like Thunderbird was completely useless to me before, now it's fully functional and ready-to-go whenever I have Putty running.

Firewalls are all very well when they stop the nasty people getting in, but when they stop the nice people getting out...
26/04/07 @ 14:48
sinn3r
Comment from: sinn3r [Member] Email · http://sinn3r.org/
Must say a second thing, hope you can forgive me :)

At school we have a proxy and everybody's traffic gets logged by the server, you know, all the things like URLs, cookies; they even have software like Wireshark to see our chats (yeah, we are allowed to chat in free lessons :) )

But now, do they get a blank page, or what can they see in their logs?
Only the IP I use Putty to connect to?
Or can they see the traffic of the tunnel too?

I hope you can read my terrible school English, I was trying hard to explain myself in a clear way, hope I did it ;)

Basti
26/04/07 @ 19:34
oneandoneis2
Comment from: oneandoneis2 [Member] · http://geekblog.oneandoneis2.org/
OK, I think I understand your question.

If you follow this guide, the only thing your proxy can see is that there is network traffic going between your school PC and your home PC. It cannot tell anything else - URLs, web pages, IM sessions, all of it goes through the encrypted SSH tunnel and is therefore hidden from them.

Now, that doesn't stop them from having monitoring software on your school PC that will allow them to see what you're doing, because they have that kind of access on those PCs. All this does is make it impossible for the proxy server, or anyone else between your PC and your home PC, to see what you're doing with the network. If the machine itself can't be trusted, there's nothing anybody can do to secure you.
26/04/07 @ 22:14
sinn3r
Comment from: sinn3r [Member] Email · http://sinn3r.org/
OK, thanks, that is the answer I was expecting.

BTW: the access log software is disabled for my user account in our school net, I simply delete the link for my account (Win2000, they haven't blocked the cmd.exe, bad mistake) ;)

But thanks again for the nice answer.
26/04/07 @ 22:57
Wrath-BRIG-
Comment from: Wrath-BRIG- [Visitor] Email · http://dfbrigade.org
As a network admin & incident handler for the local college here in my city, it's nice to be able to read about the kind of things the kids try to get away with. Thanks for the thread. LOL!

On the other hand, using this technique (among others) helps me perform my job easier where our very own firewall would normally hinder me.

Again, great post and thanks. Putty rules! (when stuck working on a M$ Windoze box.)

-=w=-

"Do not go gently..."
28/07/07 @ 18:58
Paul
Comment from: Paul [Visitor] Email
One suggestion for an "always on" computer to surf through is to install DD-WRT third party firmware onto your LinkSys WRT router. This firmware includes SSH, so the router (which is a Linux box) will be the computer that you surf through. No separate PC required. (PS got that from the Feb 2008 Computer Power User magazine page 62)
12/02/08 @ 06:24