I’m serious: don’t tell anyone. It could cause havoc in the IT department when they find out that they can no longer sniff your packets, or log your traffic. What am I talking about? SSH tunneling, of course.
SSH is a powerful piece of software, but what’s even better is its ability to tunnel just about anything through it. It’s one thing to remotely and securely log into your server; it’s another to be able to pipe network traffic with 100% encryption between you and the SSH server.
Okay, here’s the thing. I learned about SSH tunneling a little bit ago, but haven’t really played with it. I thought “big deal”, right? I’ve got more important things on my plate. Well, once I gave it a try, and realized that there was really nothing to it, I haven’t looked back. All of my network traffic when at school, work or elsewhere is SSH tunneled. It’s all about local security to me.
So here’s how to take advantage of it. These are the steps that I took, and as is the case with FOSS, I am sure there is more than one way to go about it. But in any event, here’s what you need to do.
First, you need SSH access to a server running squid, privoxy, or other web proxy daemon. Squid was hassle free, so I’ll use that in this tutorial. For Ubuntu servers, it’s as easy as sudo aptitude install squid. The default configuration file uses port 3128 locally, which means you won’t (shouldn’t) need to punch a hole in your firewall.
Second, you need to tell your SSH client how to connect. You need to pick a port locally on your machine that isn’t in use. A port that I pick for the client when web browsing is 8080, the default web proxy port. You should use a different port for an email proxy.
Anyway, to connect, pull up a terminal (PuTTY if on Windows, an SSH-client terminal on Unix/Linux/Mac), and put in the following command:
ssh -L 8080:servername.org:3128 user@servername.org
Of course, you can forward your X session as well with the -X flag, and if you use a different port for connecting to the SSH server (other than 22), you will need to specify it with the -p flag. Check the man page on SSH for more info on the flags provided. In other words, your command could be:
ssh -X -p 41234 -L 8080:servername.org:3128 user@servername.org
That says connect to the SSH server on port 41234, forward my X session, use port 8080 on my SSH client for the network traffic, use port 3128 on the SSH server for the proxy port, and use my username ‘user’ while connected to ‘servername.org’. Fairly straightforward. (Of course, replace ‘user’ and ‘servername.org’ and the ports as needed.)
Now that the connection is made, we need to point the application that we want to proxy to port 8080, as in this case. So, pull up Firefox, Gaim, Liferea, etc., and rather than connect directly to the internet, tell it to connect to a web proxy. The name for the proxy is ‘localhost’ (your computer), and the port would be 8080. You can set exceptions to be ignored, such as ‘localhost’, ‘127.0.0.1’ and others. For example, if you are at school and SSH tunneling your web traffic, you could set your school’s page as an exception, e.g. weber.edu.
Now, you can browse the web securely on the SSH port using a remote proxy server. There are a number of advantages to this. For one, all usernames and passwords are encrypted on the local network, regardless of whether the site you are visiting utilizes SSL or not. This means FTP, email, banking, blogs (like mine), etc. You name it. Second, because your web traffic is now on an SSH port, and not on port 80 (or whatever), your web usage can’t be logged on the local network. This includes sites you visit, your length of time on the web, what you’re downloading, etc. It’s all on a different port, and it’s 100% encrypted on the network. Lastly, this is a handy way to bypass filters and firewalls.
So now I’ve got you thinking about the endless possibilities that you can do with SSH tunneling. Bittorrent, gaming, email, web surfing, IRC, RSS, etc. The options are really endless. But, there is a caveat. Many look at this as a way to surf inappropriate material as defined by their corporation / school and to bypass firewalls / filters. These reasons to use SSH tunneling, although they may be fine in some situations, may put your employment at your job or enrollment in your school in jeopardy. SSH tunneling should be used with discretion.
One last thing to realize about SSH tunneling is that only the connection between you and the SSH server is encrypted. The connection between the SSH server and the Internet may or may not be. Just because you are using SSH to encrypt your packets on the local networks (your network and the network the SSH server is on) does not mean that all of your packets on the Internet are. Keep that in mind.
At any rate, now that you’ve gained this knowledge, make sure you don’t share it with your IT department.