SSH tunnels: securely through the server

    Good day. Let's try to supplement and expand the article "SSH tunnels - forward the port". With the examples considered here we solve two tasks at once:
    1. Reaching a host through an intermediate server when there is no route between the networks.
    2. Creating a secure connection across an untrusted network.
    Suppose we have a Unix-like machine on the network with sshd running.
    The first way to create a crypto tunnel is a connection that can conventionally be called point-to-point: when we connect to the server, a local port is opened on the client side, and connections to it are carried over the established crypto tunnel to the remote machine. To make this clear, consider an example:

    Our machine: IP 10.0.0.2
    Server: IP 10.0.0.1 (the external network is where we are) and 192.168.0.1 (the internal network where the target host is located)
    Target host: 192.168.0.10

    In order to pass safely through the external network 10.0.0.0, which we do not control, we establish a connection to the server according to the following pattern:

    ssh -L local_port:remote_host:remote_port server
    That is (the server is reached at its address on our side of the network, 10.0.0.1):
    ssh -L 12345:192.168.0.10:80 10.0.0.1

    If the connection succeeds, local port 12345 is opened on our machine, and connecting to it takes us to the web server (port 80) on 192.168.0.10. You can try entering in the browser
    http://localhost:12345
    In effect, we have protected ourselves from information leakage through an insecure communication channel and gained access to the internal network resource from outside.

    Consider the second option. While on an untrusted network (for example, in an Internet cafe or in networks controlled by other people) we want to use a service that has no encryption at all. Be it http (not only correspondence is confidential, but also the account), icq, pop3 or anything similar. To do this, we first establish a connection to our own server, thereby opening the crypto tunnel, and then work through it. In this case the local port we open works like a socks5 proxy. Consider setting up the connection:

    ssh -D local_port server

    Obviously, everything is quite simple. After that it is easy to configure our clients to work through the open socks proxy on localhost.
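    The two tunnel types described above (the point-to-point -L forward and the -D socks5 proxy), as an added example that is not part of the original post: a few POSIX shell helpers that validate the port numbers, build the ssh command lines with the options a practitioner usually wants (an explicit loopback bind address, -N so that no remote shell is started, and ExitOnForwardFailure so that a port that is already taken produces an error instead of a silent shell without a tunnel), and a check that the resulting listener is bound to 127.0.0.1 only. The addresses 10.0.0.1 and 192.168.0.10 are the ones from the text; the function names and the 1080 port for the socks proxy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds hardened ssh tunnel
# commands for the -L and -D patterns discussed in the text.
# Addresses 10.0.0.1 / 192.168.0.10 come from the text; port 1080 and the
# function names are assumptions of this example.

# Return 0 if $1 is a numeric TCP port in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build an "ssh -L" command for a point-to-point tunnel.
# Arguments: local_port remote_host remote_port server
# Options added on top of the plain "-L" form from the text:
#   127.0.0.1:...   bind the listener explicitly to loopback (ssh's default
#                   unless GatewayPorts is set in the client config), so other
#                   hosts on the untrusted LAN cannot use our tunnel
#   -N              do not start a remote shell, only keep the forward
#   -o ExitOnForwardFailure=yes   exit with an error if the local port cannot
#                   be bound instead of silently continuing without a tunnel
local_forward_cmd() {
    lport=$1; rhost=$2; rport=$3; server=$4
    valid_port "$lport" && valid_port "$rport" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$rhost" "$rport" "$server"
}

# Build an "ssh -D" command for a socks5 proxy bound to loopback.
# Arguments: local_port server
socks_cmd() {
    lport=$1; server=$2
    valid_port "$lport" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' \
        "$lport" "$server"
}

# After the tunnel is up, verify that the listener on port $1 is bound to
# 127.0.0.1 and not to a wildcard or LAN address. Uses ss(8); returns 1 if
# the port is not listening or is bound elsewhere.
listener_is_loopback() {
    port=$1
    ss -ltn 2>/dev/null \
        | awk -v p=":$port" '$4 ~ p"$" { print $4 }' \
        | grep -q '^127\.0\.0\.1:'
}

# Usage (the commands are printed here; run them with eval or by hand):
#   local_forward_cmd 12345 192.168.0.10 80 10.0.0.1
#   socks_cmd 1080 10.0.0.1
#   listener_is_loopback 12345 && echo "tunnel listener is loopback-only"
```

    When pointing clients at the socks proxy, make sure name resolution also goes through the tunnel; otherwise the DNS queries still leave in clear text on the untrusted network. With curl this is `curl --socks5-hostname 127.0.0.1:1080 http://example.org/` (the hostname variant resolves on the server side), and in Firefox the equivalent setting is "Proxy DNS when using SOCKS v5".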
    In GNOME this can be done via System -> Preferences -> Proxy settings. Separately, the browser, icq client and much more can easily be configured in their own connection settings. Naturally, the same can be used in Windows: similar connections can be made with the PuTTY ssh client, and Widecap can make most applications work through the socks proxy.

    And a few tips:
    1. In some cases, rather than relying on third-party software, you can use the X forwarding option of the same sshd to raise the level of security. But that is a separate topic; I will only mention that Xming can act as an X server on Windows.
    2. Do not forget about the private browsing mode of Firefox and Chrome.

    Good luck.
