
SSH! It's A Secret!

I'm serious- don't tell anyone. It could cause havoc in the IT department when they find out that they can no longer sniff your packets, or log your traffic. What am I talking about? SSH tunneling, of course.

SSH is a powerful piece of software, but what's even better is its ability to tunnel just about anything through it. It's one thing to remotely and securely log into your server; it's another to be able to pipe ordinary network traffic between you and the SSH server with every byte of that leg encrypted.

Okay, here's the thing. I learned about SSH tunneling a little bit ago, but haven't really played with it. I thought "big deal", right? I've got more important things on my plate. Well, once I gave it a try, and realized that there was really nothing to it, I haven't looked back. All of my network traffic when at school, work or elsewhere is SSH tunneled. It's all about local security to me.

So here's how to take advantage of it. These are the steps that I took, and as is the case with FOSS, I am sure there is more than one way to go about it. In any event, here's what you need to do.

First, you need SSH access to a server running Squid, Privoxy or some other web proxy daemon. Squid was hassle free, so I'll use it in this tutorial. On an Ubuntu server it's as easy as sudo aptitude install squid. The stock configuration listens on port 3128, and its http_access rules deny everything except requests from localhost (check the http_access lines in squid.conf). That is exactly what the tunnel needs: the forwarded connections will reach Squid from the server's own loopback interface, so you don't need (and shouldn't) open 3128 on the firewall. Keep it that way. A Squid that answers to anyone on its public interface is an open proxy, and the first thing to find it will be someone else's spam or scanning traffic. For belt and braces, set http_port 127.0.0.1:3128 in squid.conf so it never binds the public interface at all.

Second, you need to tell your SSH client how to connect. Pick a port on your own machine that isn't in use; I use 8080 for web browsing, the customary web proxy port. If you also want to tunnel mail, that is a separate -L forward on its own local port, aimed at the mail server's port rather than at Squid, since mail clients don't speak to a web proxy.

Anyway, to connect, pull up a terminal (any terminal on Unix/Linux/Mac; on Windows use PuTTY, where the same forward is configured under Connection > SSH > Tunnels, or its command-line cousin plink, which takes the same -L syntax) and put in the following command:

ssh -L 8080:localhost:3128 user@servername.org

The hostname in the middle of the -L argument is resolved on the server, not on your machine, so 'localhost' here means the SSH server's own loopback. That is what you want: Squid can stay bound to 127.0.0.1, its default access list (which allows localhost) matches the forwarded connections, and nothing has to be opened on the firewall. Writing servername.org:3128 there instead would make the server connect to its own public address, which only works if Squid is listening there and allowing it, and that is the open-proxy setup you were trying to avoid.

Of course, you can forward your X session as well with the -X flag, and if your SSH server listens on something other than port 22, you specify it with -p. Two things worth knowing: -N tells ssh not to run a remote command, so you get the tunnel without a shell you'd otherwise have to keep open, and -X has nothing to do with the proxy; it lets programs on the server draw on (and read from) your local X display, so leave it out unless you actually need it. Check the ssh(1) man page for the rest of the flags. Putting it together, your command could be:

ssh -X -p 41234 -L 8080:localhost:3128 user@servername.org

That says: connect to the SSH server on port 41234, forward my X session, listen on port 8080 on my machine, hand whatever arrives there to port 3128 on the server's own loopback (where Squid is listening), and log in as 'user' on 'servername.org'. Fairly straightforward. (Of course, replace 'user', 'servername.org' and the ports as needed.)

Now that the connection is made, we need to point the application we want to proxy at port 8080. So pull up Firefox, Gaim, Liferea, etc., and rather than connecting directly to the internet, tell it to use a web proxy: the host is 'localhost' (your own computer) and the port is 8080. You can list exceptions that bypass the proxy, such as 'localhost' and '127.0.0.1'; for example, if you are at school and tunneling your web traffic, you could add your school's own site, e.g. weber.edu. Just remember that every exception, and every application you didn't configure, goes out over the local network in the clear exactly as before.
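The steps above as one script, added here as an example and not code from the original post. It checks that the local port is actually free before ssh tries to bind it (otherwise ssh reports "bind: Address already in use" and you get no forward), builds the forward with -N so the session carries no shell, and then fetches a page through the proxy with curl before any browser is pointed at it. "http" mode is the post's setup; "socks" mode is the -D alternative from the comments, which needs no proxy daemon on the server. The names and ports (user, servername.org, 8080, 3128, 41234) are the post's placeholders, and key-based auth or an ssh-agent is assumed so the backgrounded ssh needs no password prompt.

```shell
#!/bin/sh
# ssh_proxy_tunnel.sh - added example, not code from the original post.
# Wraps the post's "ssh -L 8080:...:3128 user@servername.org" step with the
# checks a practitioner wants before trusting the tunnel:
#   * the local port is actually free (otherwise ssh fails with
#     "bind: Address already in use" and gives you no forward),
#   * the session carries no remote shell (-N),
#   * a real request goes through the proxy before a browser is pointed at it.
# "http" mode forwards a local port to Squid on the server's loopback (the
# post's setup); "socks" mode uses ssh's own -D proxy, no daemon on the server.
# Assumes key-based auth or a running ssh-agent. user/servername.org/ports are
# placeholders taken from the post.

set -eu

# Return 0 if PORT appears as a local listening TCP port in an `ss -lnt` (or
# `netstat -lnt`) listing passed as $2. Taking the listing as an argument keeps
# the parser testable offline on a constructed listing. In both tools column 4
# is "Local Address:Port"; the port is whatever follows the last colon, which
# also covers "[::]:8080" and "*:8080". Header lines are skipped.
port_listening_in() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check against this machine. If neither ss nor netstat exists the
# listing is empty and the port is reported free, so the bind itself is the
# final arbiter.
port_free() {
    ! port_listening_in "$1" "$(ss -lnt 2>/dev/null || netstat -lnt 2>/dev/null)"
}

# Build the ssh command line. The "localhost" in the -L spec is resolved on
# the server, so Squid can stay bound to 127.0.0.1 there.
tunnel_cmd() {
    mode="$1" localport="$2" user="$3" host="$4" sshport="${5:-22}" squidport="${6:-3128}"
    case "$mode" in
        http)  printf 'ssh -N -p %s -L %s:localhost:%s %s@%s\n' \
                   "$sshport" "$localport" "$squidport" "$user" "$host" ;;
        socks) printf 'ssh -N -p %s -D %s %s@%s\n' \
                   "$sshport" "$localport" "$user" "$host" ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Fetch one page through the local proxy; curl exits non-zero if the proxy is
# unreachable or refuses the request. "socks5h" makes curl resolve the name
# at the proxy end (i.e. on the SSH server). A browser using the -D proxy
# needs the same setting (Firefox: network.proxy.socks_remote_dns), or its
# DNS lookups still go out over the local network.
test_proxy() {
    mode="$1" localport="$2"
    case "$mode" in
        http)  curl -sS --max-time 15 -o /dev/null -x "http://127.0.0.1:$localport"    https://example.com/ ;;
        socks) curl -sS --max-time 15 -o /dev/null -x "socks5h://127.0.0.1:$localport" https://example.com/ ;;
    esac
}

# Usage: sh ssh_proxy_tunnel.sh http|socks LOCALPORT USER HOST [SSHPORT]
case "${1:-}" in
http|socks)
    mode="$1"; lport="${2:?local port}"; user="${3:?user}"; host="${4:?host}"; sshport="${5:-22}"
    if ! port_free "$lport"; then
        echo "local port $lport is already in use; pick another, e.g. 8081" >&2
        exit 1
    fi
    cmd="$(tunnel_cmd "$mode" "$lport" "$user" "$host" "$sshport")"
    echo "starting: $cmd"
    $cmd &                      # word splitting of $cmd is intended here
    tunnel_pid=$!
    sleep 3                     # give ssh time to authenticate and bind the port
    if test_proxy "$mode" "$lport"; then
        echo "proxy on 127.0.0.1:$lport works (ssh pid $tunnel_pid); kill $tunnel_pid to stop"
    else
        echo "proxy test failed; stopping tunnel" >&2
        kill "$tunnel_pid"
        exit 1
    fi
    ;;
esac
```

Run it as sh ssh_proxy_tunnel.sh http 8080 user servername.org 41234 for the post's setup, then point the browser at localhost:8080 as described. In "http" mode the proxy test exercises Squid's CONNECT path (port 443 is in its default Safe_ports/SSL_ports lists), so a failure there usually means Squid's http_access rules, not the tunnel.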

Now you can browse the web through the remote proxy, with everything between your machine and the SSH server inside the encrypted SSH session. That buys you several things, but be precise about what they are. First, the local network (the school or office LAN, the coffee shop wireless) sees only an SSH connection to servername.org. The sites you visit, the pages you request and any usernames and passwords sent over plain HTTP are hidden from it, whether or not the site uses SSL; the same goes for FTP, webmail, banking, blogs (like mine), etc., as long as the client is going through the proxy. Second, nobody on the local network can log your web usage by port or by URL, because there is no port 80 traffic to log; what remains visible to them is that an SSH session exists, how long it lasts and roughly how much data moves through it. It is not true that your browsing goes unlogged altogether: Squid writes every request it handles to its access.log, so you have moved that record from the local network's administrators to the administrator of the SSH server (hopefully you). Lastly, this is a handy way around filters and firewalls that block by destination.

So now I've got you thinking about the endless possibilities of SSH tunneling: BitTorrent, gaming, email, web surfing, IRC, RSS, etc. But there is a caveat. Many look at this as a way to surf material their corporation or school deems inappropriate and to bypass firewalls and filters. Those uses, although they may be fine in some situations, may put your job or your enrollment in jeopardy. SSH tunneling should be used with discretion.

One last thing to realize about SSH tunneling: only the connection between you and the SSH server is encrypted. From the SSH server onward, your traffic is whatever the protocol makes it. A site that doesn't use SSL is plain text on that leg, exactly as it would be if you browsed it directly from the server, and the server's administrator and the proxy can see it. Using SSH to protect your packets on the local networks (yours and the one the SSH server sits on) does not mean that all of your packets on the Internet are protected. Keep that in mind.
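To make the point of the last two paragraphs concrete, here is an added example (not code from the original post) that reads a few constructed lines in Squid's default access.log format and reports what the proxy's operator learns from each: for plain HTTP the full URL, with the request itself (a POSTed login form included) leaving Squid in the clear; for HTTPS only the host and port of the CONNECT, since TLS runs end to end between the browser and the site. The hosts and addresses in the sample lines are made up. Note also that every tunnelled request arrives from 127.0.0.1, so Squid cannot tell one tunnel user from another by address.

```shell
#!/bin/sh
# proxy_visibility.sh - added example, not code from the original post.
# Reads Squid access.log lines and reports what the proxy operator (or anyone
# who can read that file) learns from each request. The three lines below are
# constructed in Squid's default "native" log format:
#   time elapsed client result/status bytes method url ident hierarchy/peer type
# Hosts and addresses are documentation examples, not real traffic.

ACCESS_LOG="$(printf '%s\n' \
'1162210000.123    245 127.0.0.1 TCP_MISS/200 4567 GET http://weber.edu/catalog/index.html - DIRECT/192.0.2.10 text/html' \
'1162210001.456   3200 127.0.0.1 TCP_TUNNEL/200 8912 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -' \
'1162210002.789     12 127.0.0.1 TCP_MISS/302 391 POST http://blog.example.org/wp-login.php - DIRECT/203.0.113.5 text/html')"

# One summary line per request. Plain HTTP leaves the full URL in the log, and
# the request itself (including a POSTed login form) leaves Squid in the clear.
# HTTPS leaves only the host:port of the CONNECT, because TLS is end to end
# between the browser and the site and Squid just relays bytes.
visible_to_proxy() {
    printf '%s\n' "$1" | awk '
        $6 == "CONNECT" { printf "%s https-tunnel host=%s (content hidden)\n", $3, $7; next }
                        { printf "%s %s url=%s (full request visible)\n", $3, $6, $7 }'
}

# Number of requests that exposed a complete URL (everything except CONNECT).
count_exposed_urls() {
    printf '%s\n' "$1" | awk '$6 != "CONNECT" { n++ } END { print n + 0 }'
}

# Sorted, unique list of the sites the log reveals. For CONNECT the target is
# host:port; for URLs the scheme, path and any explicit port are stripped off.
hosts_seen() {
    printf '%s\n' "$1" | awk '
        $6 == "CONNECT" { split($7, h, ":"); print h[1]; next }
        {
            u = $7
            sub(/^[a-z]+:\/\//, "", u)   # drop "http://"
            sub(/\/.*$/, "", u)          # drop the path
            sub(/:.*$/, "", u)           # drop an explicit port
            print u
        }' | sort -u
}

visible_to_proxy "$ACCESS_LOG"
printf 'full URLs exposed: %s\n' "$(count_exposed_urls "$ACCESS_LOG")"
printf 'sites revealed: %s\n' "$(hosts_seen "$ACCESS_LOG" | tr '\n' ' ')"
```

The same three functions run unchanged over a real /var/log/squid/access.log (feed it the file's contents instead of ACCESS_LOG), which is a quick way to audit what your own proxy is retaining about you.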

At any rate, now that you've gained this knowledge, make sure you don't share it with your IT department. :)

4 Comments

  1. Mike using Firefox 1.5.0.7 on Windows 2000 | October 29, 2006 at 8:59 am

    I use tinyproxy for this, just FYI.

  2. Lonnie Olson using Firefox 2.0 on Mac OS | October 30, 2006 at 12:45 pm

    A much easier solution that doesn't require any proxy software on the server:

    ssh -D 8080 user@someserver.com

    The -D switch causes ssh to create a SOCKS compliant proxy server on the port specified. Just set your browser's socks proxy to be localhost:8080 and all traffic is routed over the secure tunnel.

    Since most browsers, mail clients, newsreaders, etc support SOCKS for their proxies, this option can make secure internet usage available to anyone with a shell account. No fancy server setup required.

  3. Kevin using Firefox 2.0 on Windows XP | October 30, 2006 at 1:34 pm

    Would it be possible to just do port 80 instead of 8080? Thereby creating a kinda transparent proxy....

  4. Aaron using Firefox 2.0 on Ubuntu | October 30, 2006 at 2:59 pm

    Lonnie- I always get an error with -D: "bind: Address already in use", regardless of port or server. Good to know though, if I can actually get it to work.

    Kevin- Not if you are already using that port on your computer. I would rather move it somewhere else like 8080, or higher.
