
Encrypted, secure, & anonymous website development

Here's a little trick that uses Secure Shell (SSH). Most cPanel hosts offer their clients SSH. It's an oldie-but-goodie way to encrypt, hide, and otherwise secure your Internet activities. I see all this talk of proxies on this site but have never seen SSH mentioned.

Well, regardless, I put this topic in this board because often you must work out of a monitored network, whether school, company, or public place like Quizno's. I know that I have to transmit passwords and financial information and I do not appreciate having school administrators or network sniffers watching this. Who can you trust?

So...

Normally:

  • Anybody on your LAN, or school, or company network can watch your activities...
  • This includes the ability to see which domains your browser resolves
  • Also includes any transmission of ANY data from your computer. Not all logins have SSL (namepros doesn't...)
  • Heck, they can read your email as you download it.
  • Or even capture downloaded files and programs!


With this little trick:
  • Nobody will know which sites your browser looks up (with Firefox)
  • All the data you download from supported applications is encrypted. (Email clients, browsers, some IM programs included!)
  • Your activities are hidden from malicious onlookers

This will work for any program that supports use of "SOCKS v5" proxies. This includes programs like:

- Firefox (Recommended)
- Internet Explorer (but sniffers will still know which sites you visit!)
- Thunderbird Email client
- Outlook
- Windows Mail
- Pidgin
- Trillian (actually I'm not 100% sure. Astra does not, however 3.0 Pro might)

What you need:
- Firefox (recommended)
- PuTTY Tray (an adaptation of PuTTY, a great SSH Client)
- Access to SSH on a remote server. I'll talk about this in a moment. It's not as hard as you think.

--------------------------------------------------------------------------

What do you want to accomplish?
Where will you want encrypted connections? Well, probably from your school or Starbucks, right? If you want to use this at work, ask your supervisor first. Ask him/her if it's alright that you encrypt your Internet transmissions for higher security, that you tunnel your connections through an SSH server.

Your normal Internet access from a LAN would look like this (red is bad, blue better, green best):

Your computer -- Intranet router -- Remote website/service you are using


In the setup I'm explaining here, there are computers involved from 3 locations, ideally. If == represents an encrypted connection, and -- is unencrypted, this is accurate:

Your public workstation == Intranet router == your SSH server (far) away from there -- website you are using



:: Choose an SSH server outside of the network you are "hiding" from. If you work at school, set up your home workstation, perhaps.

:: If you're in college, and they're okay with it, don't set up the SSH server in your dorm room! Chances are Internet access is just part of the college Intranet (a very big LAN). They are probably your ISP. The idea is to get data OUT of the network, still encrypted. In this case you'll have to use a very remote server! Mine is in southern Canada. Most hosts will provide SSH access with your account. This will work fine. Or, if you don't have hosting, here's a great list of alternatives.



INSTRUCTIONS

FIRST UP! Set up SSH server.
Have a website? Then you have a hosting account. Most hosts offer free SSH access. If you don't have it, ask them for it. You will be forced to use an off-site computer, or server, if you are on a college campus. However, again, contact your college or university's IT department first!

If you can set one up at your home computer (useful for high school and work - with permission), then try FreeSSHd (Windows 2000-Vista). Set that up on a computer that you will leave on while you're away.


Now, decide which port you will use for SSH!
If your web host supplies your SSH service, the port is probably the default 22. Take note of that.
If you decide to use FreeSSHd, the default port is also 22. Whether you keep default or change it, remember it!

If your computer at home is behind a router (if there's more than 1 computer), and you choose to host the SSH server in your home, you will have to forward that port to the computer that hosts the server. If you have questions about that, reply. I can help you to do that. It's easy.

Also, get the IP address of the SSH server. www.ipchicken.com should give you the number you need. If you use your web host, you'll need to get the IP of the server that you're on. Contact them. CAUTION: Shared and reseller hosting accounts may not favor or allow this... VPS/Dedicated is best.


Now let's set up a tunnel!
Launch PuTTY Tray. Type that IP address in the 'Host Name' field that appears. Then type the port number that you remembered so diligently into the 'Port' field. Check the "SSH" button below that. On the left, expand the "Connection" node. Expand "SSH" node. Click the "Tunnels" node. Type a port number - not the one you memorized - in "Source Port". For example, 7070 or 1492 or 4845 or 902. It could really be any valid port number. Click "Dynamic" below that then click "Add". On the left click on the "Session" node again, and save your configuration. Click "Open" to start the connection.

Type your login credentials! For web hosting accounts, this is your cPanel/Plesk/whatever login info. For FreeSSHd users, it may be an account you created manually, but I usually set it to "NT Authentication", meaning it uses your Windows user account.

Once logged in, minimize to put it in the tray and out of the way.


Go secure! Last step.
For now, open Firefox. At this point, you could use any application that supports a SOCKS v5 proxy. Go to Tools->Options->Advanced tab->Network tab->Settings. Click "Manual proxy configuration". Go to the "SOCKS Host" field and type "127.0.0.1", then for "Port" type the random number you chose in PuTTY in the last step. Check "SOCKS v5" below that, and click OK. Click OK again.

Not done yet! Sniffers can still see your domain lookups! Type "about:config" in Firefox's URL bar. Do a filter for: "network.proxy.socks_remote_dns". Set this boolean value to "true". Now, your remote proxy server will do DNS lookups, not your local machine.



Done.
And there you have it. A way to encrypt your web development sessions in less secure areas.



A NOTE FOR WINDOWS XP SP2/SP3 and VISTA USERS: If using FreeSSHd, or an SSH server on your Windows PC at home, the Windows Firewall is a little trippy. Any firewall could be, really. In Windows Firewall, click on the Exceptions tab. Click "Add Port". Type a name like "SSH incoming" and then the port number that you set FreeSSHd to run its SSH service on (default is 22). For other firewalls, I dunno. Just figure out how to add allowances.

VISTA Only: Disable UAC if you host your own SSH server on it. User Account Control will probably interfere...

Hope you find this useful.

-Matt


PS. To test it, go to ipchicken.com again. It should show the IP of your remote server. Or, if your server is outside of the country, go to google.com. Since mine is in Canada, I see google.ca. I also used a local packet sniffer to check the data. It is indeed encrypted - in and out. Cheers!
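As an added illustration (not part of Matt's post) of why the socks_remote_dns step matters: the only difference between a leaky and a non-leaky setup is which address type the browser puts in the SOCKS5 CONNECT request it sends to PuTTY's 127.0.0.1 listener. The Python below builds both forms and classifies a captured request; namepros.com and 192.0.2.10 are constructed sample values, and the resolve parameter is a hypothetical hook so the local-lookup path can be exercised without a real DNS query.

```python
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01      # RFC 1928
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def build_connect_request(host, port, remote_dns, resolve=socket.gethostbyname):
    """Build the SOCKS5 CONNECT request a client sends to the 127.0.0.1 proxy
    that PuTTY's dynamic forward opens.
    remote_dns=True : the hostname travels inside the tunnel (ATYP 0x03) and the
                      SSH server resolves it (network.proxy.socks_remote_dns=true).
    remote_dns=False: the client resolves locally first (a plaintext DNS query on
                      the LAN) and sends only the IPv4 literal (ATYP 0x01)."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # resolve() is the local lookup a sniffer on the LAN can observe
        # (hypothetical hook; defaults to a real gethostbyname call)
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a captured CONNECT request into (address_kind, host, port).
    'ipv4' means the client did a local DNS lookup that the LAN could see;
    'domain' means the lookup was delegated to the SSH server."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        kind, end = "ipv4", 8                 # 4-byte address ends at offset 8
    elif atyp == ATYP_DOMAIN:
        kind, end = "domain", 5 + data[4]     # length-prefixed name
    else:
        raise ValueError("unsupported address type 0x%02x" % atyp)
    if len(data) != end + 2:                  # exactly a 2-byte port must follow
        raise ValueError("truncated or trailing bytes in CONNECT request")
    host = socket.inet_ntoa(data[4:8]) if kind == "ipv4" else data[5:end].decode("idna")
    return kind, host, struct.unpack("!H", data[end:])[0]


def leaks_dns(data):
    """True when a captured request shows the client resolved the name itself."""
    return parse_connect_request(data)[0] == "ipv4"
```

Sniffing the loopback side of the tunnel and feeding the first bytes of each connection to leaks_dns() is a quick way to confirm the about:config change actually took effect.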
Hm, maybe this should be moved to Webmaster Tutorials... no replies....