Setting Up Remote Secure Browsing

In preparation for going to DEFCON I wanted to set up remote secure browsing on my laptop so all my web browsing traffic and logins wouldn't be watched by everyone at the conference and so I wouldn't end up on the <a href="http://blogs.zdnet.com/Ou/?p=660">Wall of Sheep</a>. I know most of you probably don't care about secure browsing but it's also applicable to another problem a lot of my friends have: web filters. Using this setup you can bypass your work filters and look at whatever you want by using your home internet connection for browsing.

In brief, what we're going to do is create a tunnel from a client on our remote/office machines that will connect to a server on our home machine, so that we can browse securely and also bypass any local filters or restrictions. You can also use this tunnel for secure IMs and other apps, though I won't be covering that here.

Step 1: Set Up an SSH (Secure Shell) Server

If you have a dedicated webserver, a shell account or even a regular old Linux machine at home, you're pretty much done with this step. If it's not already installed (and it most likely is), install openssh, edit the config file and run sshd.

(This guide for running a Cygwin sshd is deprecated; use the guide here instead: http://pigtail.net/LRP/printsrv/cygwin-sshd.html)

For people running Windows, you need to download and install <a href="http://cygwin.com/">Cygwin</a> (by the way, all the programs and services listed in this post are free) on your home PC. Setup is quite simple, just use the defaults; when you get to "Select Packages", expand the "Net" category, find openssh and click the "skip" icon to select it, then finish the installation.

Open a Cygwin window, type <i>ssh-host-config</i> and hit enter. Answer yes to the first three questions and <i>ntsec tty</i> to the last. Then type <i>net start sshd</i> and your SSH server is running! This server will use your Windows accounts to log in, so if you don't have a password go to Control Panel, User Accounts, select your account and choose the option to create a password.
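Before the router forwards a port to this machine, it is worth checking what "edit the config file" actually left behind. The script below is an added example, not part of the original post: it reads an sshd_config (commonly /etc/ssh/sshd_config, but the path is yours to supply) and reports the settings that matter for a home server reachable from the internet, including the one the tunnel in Step 3 depends on. The sample config at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the sshd settings that
# matter once the router forwards a port from the internet to this machine.
# The file path is whatever your system uses (commonly /etc/ssh/sshd_config);
# the sample config at the bottom is constructed for the demo.

# Print the effective value of KEYWORD in FILE. sshd keeps the FIRST occurrence
# of a keyword, so we stop at the first match. Match blocks are not handled.
# Usage: sshd_get FILE KEYWORD
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report settings a forwarded home server should not be running with.
# Prints one line per finding; returns the number of findings (0 = clean).
# Usage: sshd_audit FILE
sshd_audit() {
    file="$1"; findings=0

    # Step 3's dynamic (SOCKS) tunnel needs TCP forwarding; "no" or "remote" break it.
    v=$(sshd_get "$file" AllowTcpForwarding)
    if [ -n "$v" ] && [ "$v" != "yes" ] && [ "$v" != "local" ]; then
        echo "AllowTcpForwarding $v: the dynamic tunnel will not work"
        findings=$((findings + 1))
    fi

    # Root should never be reachable directly from the internet.
    v=$(sshd_get "$file" PermitRootLogin)
    if [ -z "$v" ] || [ "$v" = "yes" ]; then
        echo "PermitRootLogin ${v:-unset}: set it to no explicitly"
        findings=$((findings + 1))
    fi

    # A forwarded port attracts password guessing; use keys, then turn
    # passwords off (the default is yes when the keyword is absent).
    v=$(sshd_get "$file" PasswordAuthentication)
    if [ -z "$v" ] || [ "$v" = "yes" ]; then
        echo "PasswordAuthentication ${v:-unset (default yes)}: prefer keys, then set it to no"
        findings=$((findings + 1))
    fi

    # Accounts without a password (see the Windows note above) must not be accepted.
    v=$(sshd_get "$file" PermitEmptyPasswords)
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords yes: set it to no"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Demo on a constructed config that has most of the problems above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
AllowTcpForwarding no
#PasswordAuthentication no
EOF
sshd_audit "$demo" || echo "$? finding(s) in $demo"
rm -f "$demo"
```

Run it as `sshd_audit /etc/ssh/sshd_config` on the home machine (or on the Cygwin equivalent) after editing; the exit status is the number of findings, so it drops straight into a script. The checks only look at the global section, so a server that relies on Match blocks needs a manual read.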

Step 2: Set Up a Hostname and Port Forwarding

If you are using a dedicated server, a shell account, or if your ISP account has a static IP, then you can skip this step (lucky); otherwise read on. The easiest way I've found to locate your computer <i>from</i> the internet is to use the services of <a href="http://www.dyndns.com/services/dns/dyndns/">DynDNS.com</a>. You can create a free account with them and they will forward a hostname to your IP address, even if it changes. After you've created an account, go to "services", "Dynamic DNS", "get started", type in any hostname you want and use the dropdown box to select any domain name you want, leave service type as "host with ip address" and select "use autodetected IP...". Now you need to set up a way to tell DynDNS what your current IP is. If you have a Linksys router this is most likely built in; just go to your router settings page and put in your account info. Some other routers have this function built in as well. If not, you can use one of the clients on <a href="https://www.dyndns.com/support/clients/">this page</a>.

If your computer is connected directly to your modem you don't need to worry about port forwarding, but your computer is also in an exposed position; consider buying a router, even if you only use the one computer. If you have a router, you need to set it up to forward a port to the computer you are running your SSH server on. So open up your router config page, go to the port forwarding section, enter your computer's IP address, enter port 22 (that's the port SSH uses), click the box to enable it (on Linksys) and save your settings.


Step 3: Set Up a Secure Tunnel Using PuTTY on the Remote (or Work) Computer

Download <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a> and run it. In the hostname box put in the hostname you set up with DynDNS and put 22 in the port box. In the saved session box put in something like "secure tunnel" and hit save. Expand the Connection tab, then expand the SSH tab and click on Tunnels. In source port type in 9999 (this is just a random port not being used) and click dynamic, then hit the add button. Go back to the terminal tab and hit save. Now hit open and it should open up a terminal window and ask you for the logon to your SSH server. This will be your Windows username and password. Now you have a secure tunnel to your home machine!


Step 4: Set Up Your Browser

In Firefox, open Tools-Options-Advanced-Network-Settings and click on manual proxy configuration. In the SOCKS host box, type in 127.0.0.1 and put 9999 in the port box. Hit OK and close the options tab. Now you are surfing securely through your home internet connection and bypassing any work web filters!
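Steps 3 and 4 as a script, added here as an example and not part of the original post: start_tunnel is the OpenSSH command-line form of the PuTTY dynamic tunnel (for a remote machine that has Cygwin or Linux instead of PuTTY), write_socks_userjs writes the Step 4 proxy settings into a Firefox profile's user.js, and check_socks_dns looks for network.proxy.socks_remote_dns, the "Proxy DNS when using SOCKS v5" option that the steps above do not set. Without it the page contents travel through the tunnel, but the local network's DNS server still sees the name of every site you look up, which defeats the point of the exercise. The profile directory path and the USER@HOST you pass are assumptions you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: the OpenSSH command-line
# equivalent of the PuTTY tunnel from Step 3, plus a user.js that applies the
# Step 4 proxy settings to Firefox and a check for the one setting the GUI
# steps leave out. The profile directory is an assumption you supply.

# Start the dynamic tunnel from a Cygwin/Linux shell on the remote machine:
# listen on loopback only, open no shell (-N), and exit instead of connecting
# silently if the local port cannot be bound. Usage: start_tunnel USER@HOST [PORT]
start_tunnel() {
    ssh -N -D "127.0.0.1:${2:-9999}" -o ExitOnForwardFailure=yes "$1"
}

# Append the SOCKS settings to user.js in a Firefox profile directory. Firefox
# applies user.js at every start, and the last assignment of a pref wins.
# Usage: write_socks_userjs PROFILE_DIR [HOST] [PORT]
write_socks_userjs() {
    host="${2:-127.0.0.1}"; port="${3:-9999}"
    cat >> "$1/user.js" <<EOF
// SOCKS5 proxy on the SSH dynamic tunnel (added by write_socks_userjs)
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$host");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
// Without this, page contents go through the tunnel but every hostname you
// visit is still resolved by the local network's DNS server.
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Check a prefs.js or user.js for that DNS leak.
# Returns 0 = SOCKS proxy with remote DNS, 1 = SOCKS proxy leaking DNS,
# 2 = no SOCKS proxy configured. Usage: check_socks_dns FILE
check_socks_dns() {
    grep -q 'user_pref("network.proxy.type", *1)' "$1" || return 2
    grep -q 'user_pref("network.proxy.socks", *"[^"]*")' "$1" || return 2
    grep -q 'user_pref("network.proxy.socks_remote_dns", *true)' "$1" || return 1
    return 0
}

# Demo on a throwaway directory (constructed, not a real profile).
profile=$(mktemp -d)
write_socks_userjs "$profile"
if check_socks_dns "$profile/user.js"; then
    echo "user.js: SOCKS proxy set and DNS stays inside the tunnel"
fi
rm -rf "$profile"
```

Point check_socks_dns at the prefs.js of the profile you configured through the Options dialog: a return of 1 means the proxy is set but name lookups still leave the machine in the clear. Keep the tunnel bound to 127.0.0.1 as start_tunnel does (PuTTY's default is the same); a listener on all interfaces would let anyone else on the conference or office network browse through your home connection as you.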


Note: For simplicity I used port 22, which is the default SSH port. Because I'm paranoid I changed the port my SSH server runs on and used that port in the port forwarding and PuTTY instructions above. If you set this up and need more info on how to do this, or have any questions about this tutorial, let me know.

Comments

lumpyone
Jul. 16th, 2008 12:18 am (UTC)
This is great info, thanks!

One question for you as the company I work for just installed a barracuda box to track web traffic. Will this secure connection via Putty show up? If so, any idea how it appears to the network?

I'm definitely going to be setting up my home machine this weekend for this :)
democritus
Jul. 16th, 2008 03:07 am (UTC)
It will show up as a connection over whatever port you set up your SSH server on and it may show the name of the application(PuTTY in this case) but it won't reveal the traffic over the connection, as it is encrypted. Remember your browser will still have history files if you're worried about anyone seeing that. There are plenty of programs that will clear your history and cookies out on each logout or when you specify though, if you're concerned about that. Let me know if you need help setting things up on a different port or have any other questions.
lumpyone
Jul. 16th, 2008 07:37 pm (UTC)
Another question just came to mind... the port you select could be blocked by a firewall, right? If work has it set up, they could be blocking certain ports? Any suggestions on common ports that might be a good bet to work best? I've not tried it yet from work, but I'm trying to think ahead here. :)
democritus
Jul. 16th, 2008 07:55 pm (UTC)
I would try an uncommon port first, as the firewall rules are more likely to block certain ports(like the ones commonly used for IM progs, ptp progs and such) than a blanket port range. It also makes your home SSH server more secure(good old security through obscurity, but still...) since portscanners are going to be mainly looking for services on common ports.

Here's a list of common ports used and their associated services, again, I'd try to pick something not on that list first and try it and if a few tries at that fails, then you can try common ports you think might be open.

Also, make sure you test out your server locally to make sure you can log in before trying it from work, just to make sure everything is set up right before trying it from a remote location.
jamespolk
Jul. 16th, 2008 03:07 am (UTC)
I might try installing PuTTY just to see if I can but 90% of software can't be installed on my work computer because of permission restrictions and another 9% will be detected eventually and removed (by way of telling my manager to tell me to remove it).

So I don't think I'll be getting around the work proxies anytime soon.
democritus
Jul. 16th, 2008 03:12 am (UTC)
The great thing about PuTTY is that it is a standalone .exe file, requiring no installation. If you want to try it out on my server before going through the rest of the hassle, let me know and I'll set up an account so you can see if you can connect from work.
jamespolk
Jul. 16th, 2008 04:35 am (UTC)
Good to know but I'd only be able to use it until the .exe is detected and I'm asked to explain it or remove it.

I know I could get around that without much effort but circumventing the network restrictions isn't a high priority (and if I vitally need to do something I have other methods).

Thanks for the offer though and there are some other applications where I might use the information you've shared.
hitsnarfle
Jul. 16th, 2008 10:10 am (UTC)
If it's just an .exe, could it be kept on a disc or USB key and run straight from the removable media so as not to keep the file resident on the computer?
lumpyone
Jul. 16th, 2008 01:22 pm (UTC)
Yes, it could be kept on a USB flash drive and run from that drive, just like the hard drive of your computer. I don't like to put programs on a work computer because you never know who might come along and see it on the system. I run my browser, a text editor (Text Pad), PuTTY, and a few other programs off it with no problems.
jamespolk
Jul. 16th, 2008 02:37 pm (UTC)
I'm sure that would work. I could also just rename the file extension and then change it back whenever I wanted to use it.

And since it is a standalone .exe there are probably another half dozen ways the security checks at work could be avoided.