PCgeekdom.com - PC Tricks and Projects

Monday, March 06, 2006

SSH Tunnels :: How to Beat a Firewall

     

SSH is a very powerful and secure tool to remotely access a computer. Setting up a secure tunnel, also known as port forwarding, can be very handy. One popular use of a "shunnel" is to get through a secure or over-zealous firewall. Please note that if you are going to use this technology in your workplace, those firewalls and security settings are set in place for a reason, so don't go surfing and downloading things you really shouldn’t. I have been playing with this as means for learning, ok and so I can download my Firefox extensions. Anyways, so in order to “beat” the firewall, you will setup a SSH session from your computer behind the firewall; computer W, to a computer at home; computer H. Computer H will need to have a PuTTY Tunnel SettingsSSH server on and running, if you are running Linux at home, most distros will already have a SSH server. If computer H is running Windows, you will need to install a SSH Server. On computer W, you will need a SSH client, a great Windows client is PuTTY. Once all the necessary software is installed, you will need to know your home IP address. (If you have multiple computers at home, you will need to setup your router to forward port 22 to the computer with the SSH server.) Now on computer W, you will open up PuTTY, for Host name you will put in your home computers IP address, and then go to the Tunnels section. For source port type 8080 and select Dynamic and click add. (As shown in the image to the left.) Socks Proxy SettingsNow when you click open, you will connect to your home PC and will have to login. Once you are logged in, open up your browser, you will need to change the connection settings to use a Socks proxy (as shown in the image to the right.) Now when you go to access a webpage, your request is forwarded (in the Secure Shell, so the firewall can't see what your are doing) to you home PC, and back. To check to see if it is setup right check your IP address again, it should now say the IP of your home PC. This method is not limited to just web traffic, for example, I also use SSH tunnels to VNC to my home PCs, this way I do not have to punch more holes in my home router, the only port I have to have open is for the SSH connection.

6 Comments:

  • If you're on a computer that doesn't have an SSH client, and you can't install one (no admin access, for example), try out PortaPutty. It's a fully portable version of Putty-- no installation. Just download and run, or keep a copy on a USB flash drive.

    By Anonymous Anonymous, at 1:57 PM  

  • Keep in mind, this may "work", but it doeesn't mean you are fooling anybody, it just means you're exploiting a weakness of the firewall policy.

    And when you do get caught, your sneakiness might mean you get canned instead of just chewed out.

    By Blogger Nonesuch, at 9:15 PM  

  • And when we see port 22 traffic (or trafic on another port if you reset off the standard) orriginating from our computer to the outside world, guess who's boss is getting a call?

    By Anonymous Anonymous, at 6:07 PM  

  • As the article says, don't abuse this technology in a way that will anger management, think whether whatever content you want to look at could and is worth getting yourself fired. That said, if you set your SSH server up to use port 443, the traffic looks like a connection to a Secure Web Server.

    By Blogger dustin, at 12:09 AM  

  • I second Dustin's suggestion.
    I have set up my ASUS wl-500gx router with a custum linus firmware (Aleg) then configured SSH to listen on 443.
    A tip about firefox proxy settings, before that the http settings are blank when using the socks proxy setting. If there is anything in http setting it takes priority and assumes you are actually connecting to a proxy server, and does not work, I learned from my mistakes. Also like nonesuch said you are not fooling anyone, so sure to delete your temp internet files. Network admin my wonder why you have so much network traffic to a single IP.
    Don't forget to set up your SSH to only allow certificates.

    By Anonymous tokyoturnip, at 6:39 AM  

  • I use "Defeat My Firewall". It is a program you download from their website. Works perfect. There is nothing to install. Just put it on a thumb drive. It is super fast.

    By Anonymous Anonymous, at 5:07 PM  

Post a Comment

<< Home