Secure Internet Access via SSH Proxy

Posted by admin on June 22, 2007 under Tech Tips

An OpenSSH server can be used as a SOCKS-compliant proxy, allowing one to tunnel virtually any type of TCP traffic via the SSH protocol. This is very useful when surfing the web on untrusted networks such as hotel internet services and wireless hotspots. You just never know who’s snooping in on your data.

All you need is external access to a trusted OpenSSH server, perhaps the one you have at home, work, etc. If you’re using your laptop to surf the internet at your local coffee shop, you’ll simply need to establish a connection to that external SSH server using the appropriate client variables, and configure your web browser’s proxy settings to connect to a locally defined TCP port.

From a Linux terminal session on your local computer, run the following command:

$ ssh -ND 8080 [email protected]

You will be prompted for a password as you would normally expect when connecting to your server. After you make a successful connection, the “-N” option keeps the session from executing your default shell, and the command will remain silent until you close the console or terminate the process.

The “-D 8080” option opens TCP port 8080 on your local client, which you will use as the SOCKS proxy port to tunnel your connections through. This can be verified via netstat:

$ netstat -an | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN

Next, change the proxy settings of your browser (or any other application) to use a SOCKS proxy at localhost (127.0.0.1), port 8080. For example, here is a screenshot of the appropriate Firefox settings.

You should also make sure that your web browser is using the proxy for DNS queries. This is important because even if people cannot “see” the content of your browser traffic, they would still be able to get a feel for what you are doing from your DNS lookups. There is also a risk of a malicious user feeding you dangerous DNS answers, which could send you in the wrong direction and leave you open to man-in-the-middle attacks.

In Firefox, open “about:config” in your location bar, and change the value of “network.proxy.socks_remote_dns” to “true”.
