SSH Tunneling Explained
How to use a secure SOCKS Proxy with an SSH Tunnel
Secure surfing, e-mail, and more with SSH
Many of Security Engine’s readers know about SSH. Back before I learned about this useful little trick, I would do my surfing using Lynx on one of my shell accounts whenever I was on an insecure network. No longer is that necessary; this article will show you how to set up an SSH SOCKS proxy that will work with any program that allows usage of a SOCKS proxy.
First, you need 2 things:
- An SSH client (Linux/BSD/UNIX users know where to look; Windows users should check out PuTTY)
- A shell account with proper tunneling permissions – this can be a bit difficult to obtain (most free shell account providers don’t allow proxy usage, nor do shell accounts that come with Linux/BSD HTTP servers). I recommend setting up a dedicated box at home for this, or finding someone you trust online who already has a box for this purpose.
In Linux, BSD, and any other UNIX-like environment, this is a fairly simple affair. Just type this command into an open terminal:
ssh -D 4567 username@server.net
where username is the username of your account, and server.net is the domain name (or IP) of the server. You can use any port above 1024 instead of 4567.
Once you enter your password and are greeted with a prompt, you can skip down to the software configuration section of this article.
Open PuTTY (see the list of requirements above for a URL). You should be greeted with a configuration screen. First, you will enter the hostname or IP address of the SSH server. Type in a name for your connection settings in the box below “Saved Sessions”, and click the Save button.
Now you need to look at the tree of options to the left; expand the SSH tree, and select “Tunnels”. Enter 4567 (or any port number above 1024) in the Source Port area, and click the Dynamic radio button to select it. Leave the Destination field blank, and click “Add”.
Now go back to the Session tree (very top of the left section), and save again.
You will be prompted to enter a username, which is the username of your shell account. Type that in, hit enter, and then type in your password when it prompts you.
With any luck, your SSH proxy should now be running, and you can move on to the software configuration section.
In order to use the proxy, you must configure your programs to use it.
In Firefox, go to Tools -> Options -> General, and click the “Connection Settings” button. Check “Manual proxy configuration”. Now enter “localhost” (minus the quotes) in the SOCKS host field, and put the port number we set earlier in the Port field.
In Thunderbird, go to Tools -> Options -> Advanced, expand the “Offline and Connection Settings” tree, and click “Connection Settings”. Select “Manual proxy configuration” and enter localhost and the port number into the SOCKS host field, just like you did for Firefox.
For GAIM, go to Tools -> Preferences, and select the Network entry in the menu on the left. Under the proxy section, select “SOCKS 5”, enter localhost for the host, and enter the port number you specified earlier. Leave username and password blank.
Using SSH to set up a SOCKS proxy is a great way to ensure solid encryption for general networking, but it isn’t perfect. If you open a packet sniffer and look at the traffic, you will notice that DNS resolution requests go out unencrypted, meaning people can still see what websites you are visiting (or at least the domain name). Regardless, this is still a useful way to keep people from capturing sensitive information such as passwords.
If you are on a slower connection, you can add the -C command-line option to enable SSH’s compression (gzip).
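The following script is an added example, not code from the original article. It wraps the ssh -D command above in a small POSIX shell script that checks the port is in the range the article allows, binds the SOCKS listener to the loopback interface only, enables compression with -C, waits until the proxy is actually listening, and then fetches a page through it with curl in the mode that sends the hostname to the proxy (so the SSH server does the DNS lookup, avoiding the leak described above). It assumes ssh and curl are installed and that either ss or netstat is available; the username, server and port are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example, not code from the original article: start the SSH SOCKS
# proxy from a script, confirm it is listening on the loopback interface, and
# run a client through it with DNS resolved on the far end of the tunnel.
# Assumes ssh and curl are installed and ss or netstat is available; the
# user/host/port values are placeholders you supply on the command line.

# The article allows any port above 1024; reject anything outside the
# unprivileged, valid range so the script fails early with a clear message.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line the article describes, plus three flags:
#   -D 127.0.0.1:PORT  dynamic (SOCKS) forward bound to loopback only, so
#                      other hosts on the network cannot use your tunnel
#   -C                 compression (the article's tip for slow links)
#   -N -f              no remote shell; go to the background after login
# Arguments: USERNAME SERVER PORT
build_ssh_command() {
    printf 'ssh -C -N -f -D 127.0.0.1:%s %s@%s' "$3" "$1" "$2"
}

# List listening TCP sockets with whichever tool is present.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi
}

# Poll until something listens on 127.0.0.1:$1, giving up after $2 seconds.
wait_for_listener() {
    port="$1"; tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        if listening_sockets 2>/dev/null | grep -q "127\.0\.0\.1:$port "; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Fetch a URL through the proxy. curl's --socks5-hostname passes the hostname
# to the SOCKS5 server so the SSH server resolves it; plain --socks5 would
# resolve the name locally first, which is exactly the DNS leak the article
# warns about. To see the difference, watch UDP port 53 with a packet sniffer
# (for example: tcpdump -ni any udp port 53) while running each variant.
fetch_via_proxy() {
    port="$1"; url="${2:-https://example.com/}"
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --socks5-hostname "127.0.0.1:$port" "$url"
}

main() {
    user="$1"; host="$2"; port="${3:-4567}"
    if ! validate_port "$port"; then
        echo "port must be between 1025 and 65535, got '$port'" >&2
        return 1
    fi
    cmd=$(build_ssh_command "$user" "$host" "$port")
    echo "starting: $cmd"
    eval "$cmd" || return 1
    if ! wait_for_listener "$port" 10; then
        echo "proxy did not start listening on 127.0.0.1:$port" >&2
        return 1
    fi
    echo "SOCKS proxy up; test fetch returned HTTP $(fetch_via_proxy "$port")"
}

# Usage: sh socks-proxy.sh USERNAME SERVER [PORT]
# Only runs when given arguments, so the file can also be sourced for its
# functions without opening a connection.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as `sh socks-proxy.sh username server.net 4567`; ssh will prompt for your password before backgrounding itself. The explicit `127.0.0.1:` prefix on -D is the setting worth checking on any machine that shares a network: a SOCKS listener bound to all interfaces would let anyone on that network route traffic through your account.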
Second, (supposedly) in newer versions of Firefox you can have the SOCKS5 proxy perform DNS lookups as well: open about:config and set network.proxy.socks_remote_dns to true. This makes your browsing completely transparent. I was unable to get it to work, however, and DNS requests went through like normal.