Setting up, creating and testing an SSH Encrypted Tunnel
A simple way to freely create and test an SSH encrypted tunnel on your Linux Mint computer uses the free OpenSSH server and client software.
* Optional software: to visually show the Mint user that all of your data is encrypted and being sent from your local Mint machine into the SSH tunnel to the application (browser, email, XChat), I'll be using the
Firestarter iptables GUI front-end for illustration purposes. This could be seen as optional, however it must be pointed out that ANY time a user runs a tunnelling connection (SSL, VPN, SSH) you should keep an eye on port connections via a firewall graphical interface such as Firestarter to make certain there are no unauthorised connections. Yes, Linux Mint iptables rules are adequate with proper settings, however I urge Mint users to also have a graphical interface to occasionally watch in real time.
* Optional software: Gstm is an optional GUI SSH tunnel manager which allows the Mint user to quickly and easily set up their SSH accounts and ports, then simply activate the tunnel, minimise the window while in use, and choose 'Stop' and 'Quit' to close the SSH tunnel when it's no longer wanted or being used.
* Optional software: EtherApe is an optional GUI visual port/packet interface which shows the user the SSH, HTTPS and plain WWW transfers at a colourful glance, as well as which IPs those protocols are being addressed to.
Let's start with installing the SSH software
Via Linux Mint Terminal Mode:
sudo apt-get install openssh-server openssh-client
* OPTIONAL SOFTWARE BUT RECOMMENDED:
sudo apt-get install firestarter
sudo apt-get install gstm
sudo apt-get install etherape
OK, once ssh is installed, you will need to modify the configuration file (/etc/ssh/sshd_config). First, using the Mint user terminal (Ctrl-Alt-T), enter this command to make a back-up copy of your sshd_config file in case you need the original unedited copy:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
then:
sudo gedit /etc/ssh/sshd_config
You will need to check/change/add the following lines:
# What ports, IPs and protocols we listen for
Port 22
# Port 443 <- Use Port 443 if you need to bypass user blocks on Port 22 and use the standard SSL Port 443
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of the ephemeral protocol version 1 server key
# (these two directives only affect protocol 1; with "Protocol 2" above they have no effect, but do no harm)
KeyRegenerationInterval 3600
#ServerKeyBits 768 <----Lame Weak Default!
#ServerKeyBits 2048 <--Recommended 2 years ago.
#ServerKeyBits 4096
ServerKeyBits 8192
# Authentication:
LoginGraceTime 30
StrictModes yes
MaxAuthTries 3
PermitRootLogin no
# PermitTunnel controls tun(4) device forwarding (ssh -w); the -D and -L port forwards used below work without it
PermitTunnel yes
#AllowUsers tom jerry bill
#AllowGroups groupsshaccess <--Uncomment and use if you want to add another layer of protection via groups. (The directive is AllowGroups; sshd refuses to start on the misspelling "AllowGroup".)
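A quick audit of the edited file before you restart, as an added example that is not part of the original post (the audit function and its check list are my own assumptions, not an OpenSSH tool); follow it with `sudo sshd -t`, OpenSSH's own syntax check, which catches errors such as AllowGroup:

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings recommended above before restarting sshd.
#   audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.

# Value of the first uncommented occurrence of a directive (sshd uses the first one).
sshd_get() {  # sshd_get <config-file> <Directive>
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {  # audit_sshd_config <config-file>
  local cfg="$1" rc=0 v key want why
  # Directive:expected value:why it matters (the values set in the post above).
  local checks="Protocol:2:SSH-1 is broken, only SSH-2 should be offered
PermitRootLogin:no:root must not log in directly over SSH
MaxAuthTries:3:limits password guesses per connection
StrictModes:yes:refuses to use world-writable key files
LoginGraceTime:30:drops unauthenticated sessions quickly"

  while IFS=: read -r key want why; do
    v=$(sshd_get "$cfg" "$key")
    if [ "${v:-}" != "$want" ]; then
      echo "FAIL $key is '${v:-unset}', expected '$want' ($why)"; rc=1
    else
      echo "ok   $key $v"
    fi
  done <<EOF
$checks
EOF

  # "AllowGroup" is not a directive; sshd refuses to start if it is uncommented.
  if grep -Eq '^[[:space:]]*AllowGroup[[:space:]]' "$cfg"; then
    echo "FAIL AllowGroup is not a directive; use AllowGroups"; rc=1
  fi
  # ServerKeyBits/KeyRegenerationInterval only affect protocol 1; dead settings under Protocol 2.
  if grep -Eq '^[[:space:]]*(ServerKeyBits|KeyRegenerationInterval)[[:space:]]' "$cfg"; then
    echo "note ServerKeyBits/KeyRegenerationInterval are protocol-1-only and do nothing here"
  fi
  return $rc
}
```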
Now restart your SSH server with the following command, run with root privileges in the Mint user's terminal:
sudo /etc/init.d/ssh restart
OR
sudo service ssh stop
Followed by:
sudo service ssh start
Now that you've restarted the SSH server with the new settings, you should be able to log in to your SSH server on port 22 following the example below, using either the Mint terminal CLI or the gSTM GUI.
Remember that you log in with the exact Mint login name you use on the machine and will be prompted for that account's password. When the host key prompt comes up, answer the word yes; the server's host key fingerprint is then saved in your client's known_hosts file so that later connections can check it has not changed. Afterwards you'll simply be asked for your password, following the directions and CLI terminal commands below or through the gSTM GUI interface.
Again, since this is the first time you're connecting to this server, the client will display an alert and prompt you to confirm the host's fingerprint. (This should happen only once; thereafter, your SSH client checks that the server's host key fingerprint hasn't changed. If it does change, that could indicate that your connection has been tampered with, so find out why before trusting the new key.) You'll see text similar to the following:
The authenticity of host 'Your IP in this example or the SSH Server Address' can't be established. RSA key fingerprint is 11:22:33:44:55.
Are you sure you want to continue connecting (yes/no)? yes
Once you confirm the fingerprint, you'll be prompted to enter your password, because you provided the username on the command line already.
Login via your Client side SSH Encrypted Tunnel
Via the Mint CLI Terminal:
Run the following command to create an SSH tunnel. In this testing example the SSH server is listening on port 22 and you are dynamically forwarding (a local SOCKS proxy) through port 9001. You can change the dynamically forwarded tunnel port to any port from 1025 through 65000 that is not in use by another running service.
ssh -D 9001 -C YourMintLoginName@YourIP -p 22
example: ssh -D 9001 -C asmith@124.216.250.178 -p 22
If you don't know what your IP exactly is: http://www.whatismyip.com/
Then minimise this terminal window while using your SSH encrypted tunnel, and remember to close it when you wish to close your SSH encrypted tunnel and finish your SSH session.
* Security step: when you are not using the OpenSSH server on your local machine, stop it with
sudo /etc/init.d/ssh stop OR sudo service ssh stop
The optional '-C' switch just adds compression to the SSH encrypted tunnel connection. Once you've successfully connected using the above command you're ready to set your browser's proxy configuration. You can repeat this with local port forwarding (see further SSH switch examples later) for non-browser network applications (such as POP3, IMAP, IRCD) if they allow you to manually set a proxy connection. Above all, these examples are given as a learning and testing tutorial to help YOU learn how to set up, use and deploy an SSH encrypted tunnel.
* Optional software: gSTM GUI SSH client tunnel manager. To first set up and then log in using the gSTM GUI SSH tunnel management interface, and use the gSTM front-end to create your client-side SSH encrypted tunnel to the SSH server:
Run the gSTM GUI Utility via the Mint Menu Internet > gSTM
Add your Mint login name
Choose Properties:
Tunnel properties > Tunnel configuration
Name: Mint Login Name
Login:Mint Login Name
Host:YOUR IP Address example 191.144.147.198
Port:22 example 443 if you are bypassing user blocks
Port redirection:
Type      Port   To host
dynamic   9001   n/a
Choose OK
To activate via gSTM highlight your name,select Start,supply your password at the prompt, then minimise the gSTM window as long as you want the SSH Tunnel active.
Next, Configuring your browser applications to use the SSH encrypted Tunnel Proxy
Configuring the Firefox and Opera web browsers to use the proxy
In Firefox, go to Edit>Preferences>Advanced>Network>Settings
Select "Manual Proxy Configuration"
For "SOCKS Host:" enter "localhost" and for "Port:" enter "9001"
Choose "SOCKS v5"
Click "OK"
In Opera, go to Settings>Preferences>Advanced>Network>Settings
Select 'Proxy Servers'
Check 'SOCKS': enter "127.0.0.1" and for "Port:" enter "9001"
Click "OK"
*** Point your web browser to whatismyip.com to find out whether your IP address is reported as the IP address of the computer running your SSH server. If it is, everything works. In the above creation and test of a local SSH server and client you'll simply be shown your own IP; connecting to a remote SSH server should instead show the IP address of the remote SSH server.
That's about all you have to do to surf through a private SSH tunnel with Firefox, Opera or any browser that lets you manually add a SOCKS5 proxy, using your own Linux OpenSSH server.
View of Success with the Client Use of a SSH Encryption Tunnel
* Optional software: if you are running the optional Firestarter GUI firewall interface you'll see in your active connections that the proxied browser now has:
Source      Destination       Port   Service   Program
YourIP      YourIP            22     SSH       ssh
127.0.0.1   127.0.0.1         9001   Unknown
YourIP      BrowsertargetIP   80     HTTP      sshd:login name
YourIP      BrowsertargetIP   443    HTTPS     sshd:login name
Each of your proxied Internet applications connected through the SSH encrypted tunnel is listed in active connections as sshd:login name (the OpenSSH daemon and your login name). This shows you those applications are being piggy-backed through the SSH encrypted tunnel.
NOTE: Today I was able to use the system wide Network Proxy Application (gnome-network-properties) on a box running Mint 11 Standard set to 'Manual Proxy Configuration' Socks Host: 127.0.0.1 Port 9001 which then automatically shifted email browser and XChat under the SSH encrypted Tunnel protocol as well. In the above Firestarter example using the Gnome Network Proxy for a system wide connection, under Firestarter's category Program is now the number 1 on all of the Internet applications. I doubt that however means Tun1 (Tunnel 1).
The Firestarter information illustrated above shows you are connected to the OpenSSH server via port 22. Your dynamic forwarding port 9001 is bound to 127.0.0.1 on your own machine. The browser in this example tunnels both regular HTTP port 80 traffic and SSL-encrypted HTTPS port 443 traffic through the encrypted SSH tunnel.
Normal browser remote connection via your local SSH client and a remote SSH server, using the Mint user's terminal CLI command (you could optionally add the -C compression switch):
$ ssh -ND 9001 username@server.websitewelcome.com
The username in this example (again using dynamic port 9001 forwarding) would be either your Mint login username OR whatever that server's administrator has assigned as your username, and the host part is the server's registered domain name. The 'N' option tells the SSH client that you do not want an interactive session (a command prompt), because you just want to set up a tunnel.
Another way to test your local machine's SSH server from the Mint terminal: if it is working properly you'll be prompted for your local machine password (the host key fingerprint prompt will already have been answered during the setup above, unless this is the first time you are accessing your local machine's SSH server):
$ ssh username@localhost
With your SSH server and client up and running, and your browser or other network application properly proxied through dynamic or local port forwarding:
* Optional software: run the optional EtherApe application to visually see the SSH, HTTPS and HTTP-ALT packets distributed to their respective servers.
Additional SSH switches and examples to use for tunnelling POP3 services and other applications of SSH tunneling:
All right, lets get into switches. No no, not the switches your 'pa made you pull off the tree branch when you broke ma's favorite vase, SSH switches.
A typical SSH tunnel (without tunneling X) looks like this:
ssh -N -p 22 bob@mylinuxserver.xxx -L 2110:localhost:110
Where:
-N = Do not execute a remote command
-p 22 = External SSH port 22. I tend to use other external SSH ports to keep intruders from hitting my home SSH server
bob@mylinuxserver.xxx = username@hostname (or IP address)
-L 2110:localhost:110 = Bind information. Broken down as such: client-port:hostname:hostport - In this example you're binding POP3 on the server to your localhost port 2110
So how about some examples?
Forward pop3 and smtp through SSH:
ssh -N -p 2022 bob@mylinuxserver.xxx -L 2110:localhost:110 -L 2025:localhost:25
Forward Google Talk through SSH:
(-g allows remote hosts to connect to local forwarding ports)
ssh -g -p 2022 -N bob@mylinuxserver.xxx -L 5223:talk.google.com:5223
Basically anything that is sent in plain text can be secured via SSH tunnelling. Once you have established the tunnel, on the client side you configure the application's hostname as localhost and its port as your 'client-port', be it 2110, 2020, 5223, or any other port that you have selected to forward through.
Encrypt your HTTP Traffic
This is another one that goes without saying. If you work for a company that has an 'IT Acceptable Use Policy' check before you do this. This is one that I use whenever I'm out of town or in a place that I don't trust the wifi. On an android I'll use my SSHTunnel app, but if I'm on my laptop I use the following SSH command
ssh -D 5222 bob@mylinuxserver.xxx -N
After you make a connection, then set your browser of choice (or any application that allows proxy) to localhost:5222. This will create a dynamic port forward and tunnel all the application traffic through your SSH server, both encrypting your data and bypassing content filters.
Tunneling X and VNC Sessions
Remember when you added 'X11Forwarding yes' to your sshd_config? This is where tunneling X comes in.
ssh -X -p 2022 bob@mylinuxserver.xxx
You guessed it, -X tunnels X. Remember though, this will tunnel X apps from your remote machine to your client machine running Linux. If you somehow find you're on a Microsoft Windows machine and want to tunnel, just install Cygwin/X (http://x.cygwin.com/) on your guest OS. I haven't personally tried this but from what I understand it gives you an X windowing system that should allow you to run your remote X apps in Windows.
When it comes to tunneling VNC sessions, you have to be careful. If the client you're tunneling from has a vnc server running on say 5900, make sure you don't decide to put your local forwarding port at 5900 or you will just connect right back to yourself. Connecting via VNC is as straight forward as any of the other services:
ssh -p 2022 bob@mylinuxserver.xxx -L 5900:localhost:5900
In this example you're connecting to SSH external port 2022 as user bob on mylinuxserver.xxx. Your local forwarding port is 5900, and the port you want to forward is mylinuxserver.xxx's 5900 (VNC). Once the forward is set up you can open your VNC client of choice and type localhost:0, at which point you should be connected via VNC to your remote desktop. If you used 5901, it would be localhost:1, and so on and so forth.[1]
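The rules scattered through this post as one runnable check, added here as an example that is not part of the original post (the function names and the listener-table format are my own assumptions): it pulls a -L spec apart as described above, rejects local ports outside 1025-65000 or already in use (the VNC 5900 trap), and confirms that a tunnel's listener is bound to 127.0.0.1 rather than every interface, which is what -g would give you.

```shell
#!/bin/sh
# Added example (not from the original post). Listener tables are one "addr:port"
# per line, e.g. the output of:  ss -ltnH | awk '{print $4}'

# Validate a -L client-port:hostname:hostport spec before handing it to ssh.
check_forward_spec() {  # check_forward_spec <spec> <listen-table>
  local spec="$1" table="$2" cport host hport
  IFS=: read -r cport host hport <<EOF
$spec
EOF
  if [ -z "$cport" ] || [ -z "$host" ] || [ -z "$hport" ]; then
    echo "bad spec '$spec' (want client-port:hostname:hostport)"; return 1
  fi
  case "$cport$hport" in
    *[!0-9]*) echo "ports must be numeric in '$spec'"; return 1 ;;
  esac
  # The post's range: above the privileged ports, below 65000.
  if [ "$cport" -lt 1025 ] || [ "$cport" -gt 65000 ]; then
    echo "local port $cport is outside 1025-65000"; return 1
  fi
  # A local port that is already listening (e.g. your own VNC server on 5900) either
  # cannot be bound or sends you straight back to your own machine.
  if printf '%s\n' "$table" | grep -Eq "[:.]$cport\$"; then
    echo "local port $cport is already in use on this machine"; return 1
  fi
  echo "ok: -L $spec"
}

# Once the tunnel is up, make sure its listener is loopback-only; -g (or -D 0.0.0.0:port)
# would hand the proxy to every host on the LAN.
listener_loopback_only() {  # listener_loopback_only <port> <listen-table>
  local port="$1" table="$2" bound
  bound=$(printf '%s\n' "$table" | grep -E "[:.]$port\$" | sed "s/:$port\$//")
  if [ -z "$bound" ]; then
    echo "nothing listening on $port; is the ssh tunnel up?"; return 1
  fi
  case "$bound" in
    *0.0.0.0*|*'*'*|*'[::]'*) echo "port $port is exposed on all interfaces: $bound"; return 1 ;;
  esac
  echo "ok: port $port is bound to loopback only ($bound)"
}
```

For a dynamic forward such as -D 9001 there is no spec to parse, so only listener_loopback_only applies.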
Here is the variant I use, which adds compression and does not log in to your server (i.e. only forwards ports). The command also prints out information about what is connecting; I love to see the output that shows all this working, which the -vv option provides: [2]
ssh -vv -CND 1080 username@hostname.com
Further References:
[1] SSH Tunneling - Poor Techie's VPN
http://www.linuxjournal.com/content/ssh ... echies-vpn
[2] SSH Tunnel Proxy
http://www.netdip.com/ssh-tunnel-proxy- ... or-mac-i4/
[3] Bypass almost any firewall with an SSH tunnel on port 443
http://www.netdip.com/bypass-almost-any ... rt-443-i6/
[4] Guide to Setting Up a Secure SSH Tunnel
http://www.netdip.com/ssh-tunnel-proxy- ... or-mac-i4/
[5] Configure SSH tunneling with Ubuntu and surf Privately
http://www.netdip.com/configure-ssh-tun ... vately-i0/