SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing December 8, 2006
Posted by Carthik in applications, commands, guides, servers, ubuntu.
When you are at the coffee shop, or at a conference, and you are not sure that you want to send all your data over the wi-fi network in plaintext, you want a secure tunnel to browse. This happened to me recently and I stumbled across a neat feature of openssh (the ssh client on everyone’s computer). The wonders of ssh never cease to amaze me!
You can use the “-D” flag of openssh to create a SOCKS proxy.
The command first:
$ ssh -D 9999 username@ip-address-of-ssh-server
This of course connects you to the server specified by “ip-address-of-ssh-server”. Needless to say, you (username) must have an ssh account on the server. In addition, this will create a SOCKS proxy on port 9999 of your computer, listening on localhost only. This is a tunnel to the server. Now all you have to do is set the preference in Firefox to use a SOCKS proxy. The proxy is, of course, “localhost”, with the port 9999.
Now when you browse, all the connections you make to websites will seem to originate from the server to which you SSH-ed. In addition, all outgoing and incoming data for the browsing session will be encrypted since it passes through the SSH connection.
Other applications (like email clients) may also support SOCKS proxies. For any that don’t, you can look into using proxychains (there’s an Ubuntu package).
You can misuse this technology to circumvent paranoid browsing firewalls, even to pretend you are wherever your ssh server is located - so you can work around country-based blocks etc. I use it for the very unromantic reason that I don’t want some aspiring cracker to sneak up on me when I am in public.
Updates:
- Kees Cook tells us how to tunnel DNS lookups, so snoopy folks can’t even figure out what you are browsing, and the evil ones can’t DNS-phish you
- Don McArthur points out his excellent article that addresses the same issue
- verevi says the FoxyProxy extension will make things easier for you on the Firefox side of things
Thanks a lot for the tips and pointers, folks.
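As an added illustration (not code from the original post or from OpenSSH), here is the SOCKS5 CONNECT request that Firefox hands to the local port 9999 listener. It shows concretely what the DNS update above is about: the request either carries the hostname, so the far end of the tunnel resolves it, or an IP the browser has already looked up over the untrusted network. The function names are my own.

```python
import ipaddress
import struct

# Constructed example of the SOCKS5 CONNECT framing (RFC 1928 section 4) a
# browser sends to the local "ssh -D 9999" listener. Added here to show why
# remote DNS matters: with ATYP 0x03 the hostname travels through the tunnel
# and the SSH server resolves it; with ATYP 0x01/0x04 the browser has already
# done the lookup on the local (untrusted) network and only the IP goes through.

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT for host:port.

    A literal IP is sent as ATYP 0x01/0x04 (resolved client-side); any other
    host is sent as ATYP 0x03 so the proxy end resolves it.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a SOCKS5 CONNECT and flag whether DNS was resolved client-side."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError("unknown SOCKS5 address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", rest)
    return {"host": host, "port": port, "dns_leaked_locally": atyp != ATYP_DOMAIN}
```

Watching the requests that arrive at the local port is a simple way to confirm whether a client is leaking lookups: a stream of ATYP 0x01 requests means the browser is still resolving names itself.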
[...] This tip is courtesy of the Ubuntu Blog, but I just discovered it also works perfectly well in OS X and with some hot Putty action you could probably even pull it off with Windows. I’m writing this using it now. [...]
The idea would be really useful for tunneling into an otherwise secure network (say your corporate intranet). But for general browsing, since the Internet beyond the SSH server is also untrusted, won’t it be better to rely on protocols that provide end-to-end encryption (like SSL/TLS) when security is necessary and browse in plaintext when it is not.
That’s fucking brilliant
Thanks
I wrote an article detailing how to do this here:
http://www.linux.com/article.pl?sid=06/09/05/190250
I’ve been doing exactly this every time I’m in a coffee shop. I use the FoxyProxy firefox extension to quickly enable/disable this forwarding. If you do this regularly, I highly recommend this extension.
Also, for a less featured Firefox extension just to turn this on and off, I use MM3-ProxySwitch. It adds a button in your FF buttons bar that lights up when proxied. You click it, and the proxy turns off.
I have been using an ssh server at my house to get around a restrictive transparent proxy at my workplace. I set up my home ssh server to listen on port 443 so all of the ssh traffic looks like SSL web browsing.
A good Gnome based tool to use for setting up these proxies automatically is Gnome SSH Tunnel Manager or gSTM which you can find at http://gstm.sourceforge.net/.
Also, if you have programs that don’t have the ability to use a socks proxy you can use a program called tsocks. There is a good article on how to use it here http://tips.linux.com/article.pl?sid=06/06/06/200234&tid=100.
[...] Luckily, with SOCKS5 Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy more like a regular proxy, where DNS is handled by the remote end of the tunnel. From: http://ubuntu.wordpress.com/2006/12/08/ssh-tunnel-socks-proxy-forwarding-secure-browsing/ http://outflux.net/blog/archives/2006/12/07/paranoid-browsing-with-squid/ [...]
[...] SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing (tags: SSH linux security tunnel ubuntu network howto proxy) [...]
Neat trick! Thanks, I can now surf everywhere with an unclouded mind.
[...] More information Ubuntu Blog - SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing Linux.com - Secure your Wi-Fi traffic using FOSS utilities [...]
[...] first saw this tip a while back on the Ubuntu Blog and it’s a useful way of using SSH to set-up private web surfing. Not to mention I’ve [...]
Geek to Live: Encrypt your web browsing session (with an SSH SOCKS proxy)
by Gina TrapaniYou’re at an open wireless hotspot, but you don’t want to send your web browsing data over it in plain text. Or you want to visit a non-work-approved web page from the office computer without the IT team…
[...] If there are only certain (NSFW) web sites you’d like to use your proxy for, the Foxy Proxy Firefox extension lets you switch between your proxy and direction connection on a per-site basis. [via Ubuntu blog] [...]
How can I make this listen for all computers on my network though? Like if I am doing an ’ssh -D1234 my.shellcompany.com’, another computer on my network isn’t able to connect to port 1234 and also use it as a proxy (It’s only listening locally, for the computer that actually runs the ssh -D command.) In PuTTY there is a little tick-box on the Tunnel page that allows you to “Allow incoming connections from outside”, thus meaning ALL of my computers on my network can enjoy the use of this tunnel. How do I do this with manual SSH syntax?
I’m using this solution, but now I have to connect 10 clients at the same time. To do that, I have 10 IP addresses on my server. The problem is: I connect the 10 clients, but all these clients get the same IP address. If I surf on the web w/ these 10 clients, all of them will use only one IP address from the server. Is there a way to change the route or gateway? I mean for each ssh connection and local socks5 opened, I’ll have one IP address for surfing? Thanks
Joe: I guess you’re searching for the ‘-g’ option to ssh:
man ssh:
…
-g Allows remote hosts to connect to local forwarded ports.
….
[...] Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for [...]
[...] 1 Use it as a PROXY while surfing with WLAN in public places When on a train or surfing with your laptop and accessing public WLANs be aware that people may be sniffing your traffic in search for any sensitive information. Your best way to avoid this is by making a SSH PROXY in which you may tunnel your internet traffic. Set up the tunnel with the following command $ ssh -D “desired port to forward traffic through” you@urOpenSSHserver. Then set up firefox to use localhost and “desired port” as a SOCKS PROXY. I found a great article on this topic on the one and only Ubuntu blog [...]
how can i force ssh users to stay in their home directories?
i mean like proftpd’s “DefaultRoot ~” setting?
Something I banged my head against for a while was this: in Firefox, don’t set your HTTP proxy to localhost:9999 and use that for everything else. You have to leave all the proxy slots blank EXCEPT the SOCKS host field - that’s where you enter your information. This isn’t an HTTP proxy, so the settings won’t work in that field.
[...] after searching a bit, I found an article that could help me set up an SSH tunnel in order to protect my data at access points [...]
[...] on local host (127.0.0.1) and you will be surfing via an encrypted connection to the SOCKS proxy. This article gives some detail of the setup. Likewise, if you have a home Mac attached to the internet with a [...]
When proxychains is running, it shows the proxy being used, and the IP its connecting to. Is it possible for it to show the hostnames instead, or is that going to be slower?
sweet this helped me out greatly. I needed to log into my router to forward some ports. I banged my head against the wall for many hours till I found this tutorial.
thanks
i need a free shell account or some free servers for creating it, supporting “SSH Tunnel + SOCKS Proxy Forwarding”
where can i find it?
plz help me
very tnx in advance
any tool for me to download sock ssh in windows ?
Plz send it via email okalodi@gmail.com, thanks,
*exactly* what I needed. Very slick, thanks!
HI,
I posted an add on ebay and they cancelled it twice. I do not know why. My question is, can i use socks to hide my IP? If so, how do i do it exactly, please?
Thanx
er …. and where does your DNS request go? To the local server of the entity that you do NOT want knowing what you’re browsing? Should DNS not be tunneled as well? Or am i missing something here?
Just a minor addition you might like .. FoxyProxy (a firefox extension) has a handy tick-box for “Use SOCKS proxy for DNS Lookups” in the option menu. FoxyProxy makes dealing with proxies much less painful in general as an added bonus.
im at school looking to get on myspace
please and thank you (:
[...] relay all of my network traffic was as simple as running the command ssh -D 9999 marteydodoo.com [via] and configuring proxies in System Preferences (see screenshot). Since JetBlue requires you to [...]
i am need all guys plz.. send me all commands and all remote option in command and telnets commands and all java scripts plz…send c programing all commands. and best insitute in chandigarh plz.. tell me i am joined insiutute…
what is proxy and all detail proxy.
Wouldn’t this be a better option since you really don’t need an interactive shell:
$ ssh -N -D 9999 username@ip-address-of-ssh-server
this place is gay!
it really sucks and i have noting to do and i dont know how i foudnt this but i did and i personally think its gay and i thnk you are to
and anyone who actually writes to this thing and reads all this shit your gay to!
so how about all you guys just go and jump off a bridge! and save us all some time!
thank you
for takig the time toi read this and if you did yur gay
so see ya later…..NOT
Is there a command I can type that verifies traffic is going through the proxy?? Just want to double check!
Thanks to mounty for pointing out the proxy host field. I was banging my head on the desk trying to sort that out.
I’ve configured firefox to send DNS requests through the socks proxy, but it’s still sending requests through the server defined in resolv.conf.
[quote]You can misuse this technology to circumvent paranoid browsing firewalls…[/quote]
This will work provided port 22 remains open to contact the ssh server. If the paranoid network admins are also blocking any traffic on port 22 this is hopeless. Unless we find an open port and instruct our ssh server to also listen on that port…
Let’s say port 22 is blocked but port 443 (HTTPS) is open, then to make the tunnel to your ssh server you’d have to do the following:
$ ssh -p 443 -D 9999 username@ip-address-of-ssh-server
[...] Sources/Further Reading The people over at Lifehacker and Linux.com did much better jobs of explaining all of this and you can peep their versions below: Geek to Live: Encrypt your web browsing session (with an SSH SOCKS proxy) Linux.com :: Secure your Wi-Fi traffic using FOSS utilities SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing « Ubuntu Blog [...]
does anybody know any proxy sights that wouldnt be block on a school computer?
anybody?
[...] limited resource Linksys devices.During a conversation with Matt in #habari, I provided the link to using SSH as a SOCKS proxy. Duh! There was the answer I was looking for! So last night, I installed the full-blown OpenSSH [...]
jeongkyu’s thoughts…
openoffice.org access-blocking problem… completely solved using an ssh server, socks proxy, and proxy auto-config!…
I was just wondering, my friend has firefox running at school, goes to connection, and in the SOCKS he just types in an ip address and a port and bypasses all the firewalls. I know he is tunneling, so what would be the best way for me to do the same?
[...] Wireless encryption stinks. It always has. Generally, the way I secure my wireless is first to engage MAC filtering (not at all secure, but at least filters out the newbies), then I engage an SSH tunnel to a trusted box @ home with the dynamic application-level port forwarding which allows the SSH server to act as a SOCKS proxy (ssh -D 1655 validusername@ssh-server.com, where “1655″ is any port #), allowing all traffic on the configured applications (Firefox, Pidgin, Mail Clients, etc) to be proxied through the tunneled SSH session, offering a secure and encrypted tunnel over a wireless signal. Here’s a cute summary on how to do this for those that need it. [...]