[ubuntu] ssh tunneling



therog726
August 1st, 2011, 08:05 AM
Hi,

I'm trying to set up ssh tunneling to encrypt my web browsing (for wireless hotspots etc) and I'm just testing it at home at the moment and I'm having some problems. I have a little experience now with linux, I'm mainly just new to the server stuff.

I've followed various guides in setting up an ssh server to tunnel through (like this one (http://www.searchmarked.com/ubuntu/how-to-surf-anonymously-using-an-ssh-tunnel-and-ubuntu.php), this one (http://omninoggin.com/blogging/how-to-encrypt-your-internet-traffic/), or this one (http://lifehacker.com/237227/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy)) and that all seems to be ok.

So now for my questions:


If I tunnel from my laptop connected to my home network to the desktop (also on my home network) does that encrypt my traffic or not? Does the server need to be running on a different network (eg. at a friend's place)?



If I'm out, assuming the desktop running the ssh server is all running fine, how do I connect to it? I know I have to run something similar to:
ssh -ND 9999 username@<ip address>
The ip address is: 192.1681.x but isn't that just the "internal" network address? How do I find out the "external" ip address? I.e. to access from the outside world?


That's all I can think of at the moment. Hope it all makes sense!

EDIT: Thought of some more questions:

I read that Ubuntu basically has ssh access whenever it's turned on - Is having port 22 (or whatever) open all the time dangerous? If so, how can I make it more secure?


What is actually encrypted when I use an ssh tunnel? Is it all the packets I send via the network or my ip address or what?


My university allows ssh access - could I create a tunnel via that for the same effect? Would the fact that they have some web filtering cause problems?


Thanks!

Lars Noodén
August 1st, 2011, 08:22 AM
The ip address is: 192.1681.x but isn't that just the "internal" network address? How do I find out the "external" ip address? I.e. to access from the outside world?


Yes. It is an internal address. You'll have to set your router to forward the right port from the external address to the machine with the server.

therog726
August 1st, 2011, 08:30 AM
Yes. It is an internal address. You'll have to set your router to forward the right port from the external address to the machine with the server.

Ok. And after I've done that, I connect to the ip address of the router (i.e. my network's external address?) which forwards it to the server right? And I log in using an account on the server not the router?

Lars Noodén
August 1st, 2011, 08:30 AM
Ok. And after I've done that, I connect to the ip address of the router (i.e. my network's external address?) which forwards it to the server right? And I log in using an account on the server not the router?

Yes.

bodhi.zazen
August 1st, 2011, 04:35 PM
EDIT: Thought of some more questions:

I read that Ubuntu basically has ssh access whenever it's turned on - Is having port 22 (or whatever) open all the time dangerous? If so, how can I make it more secure?


yes, opening a port for ssh is a security risk.

IMO you should use a virtual machine and secure your ssh server. This means use keys and disable passwords.

If you do not know how to secure an ssh server, you need to learn security before you go any further.


What is actually encrypted when I use an ssh tunnel? Is it all the packets I send via the network or my ip address or what?


All traffic is encrypted.


My university allows ssh access - could I create a tunnel via that for the same effect? Would the fact that they have some web filtering cause problems?


Thanks!

See : https://calomel.org/firefox_ssh_proxy.html

Also, if you want filtering, use a proxy server such as privoxy or squid.

Lars Noodén
August 1st, 2011, 04:49 PM
yes, opening a port for ssh is a security risk.



Not a big one though, if you disable password authentication and use keys instead.

Regarding virtualization, at best, that adds complexity:



"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of ****. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
-- http://kerneltrap.org/OpenBSD/Virtualization_Security

bodhi.zazen
August 1st, 2011, 05:34 PM
Not a big one though, if you disable password authentication and use keys instead.

Which is what I advised.


Regarding virtualization, at best, that adds complexity:

Running a server (ssh, squid) is no more or less complex in a virtual machine than on a physical machine, and the advantage is that the services are then isolated from the host, and can be isolated from the rest of the network.

IMO the security advantages outweigh the difficulty of setting up a VM.
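An added example, not code from the thread, of checking the "keys only, no passwords" advice given by bodhi.zazen and Lars Noodén above: a small POSIX sh audit of an sshd_config, run here against two constructed sample files. It assumes plain "Keyword value" lines without Match blocks, and the OpenSSH defaults of the time (PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin all defaulting to yes) when a keyword is absent.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the thread recommends (keys only, no passwords). Assumes plain
# "Keyword value" lines, no Match blocks, 2011-era OpenSSH defaults.

# sshd_setting FILE KEYWORD DEFAULT: print the effective value.
# sshd honours the FIRST occurrence of a keyword, so the first match wins;
# commented lines ("#Keyword ...") do not match and fall back to DEFAULT.
sshd_setting() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}
# audit_sshd_config FILE: one "WEAK:" line per risky setting; returns 1 if any.
audit_sshd_config() {
    rc=0
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] ||
        { echo "WEAK: PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_setting "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "WEAK: PubkeyAuthentication should be yes"; rc=1; }
    # With UsePAM yes, challenge-response still lets PAM prompt for a password.
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "WEAK: ChallengeResponseAuthentication should be no"; rc=1; }
    case "$(sshd_setting "$1" PermitRootLogin yes)" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin should be no"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a stock install where the key line is still commented out.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF
# Constructed sample: the hardened version of the same file.
cat >"$HARD_CFG" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
UsePAM yes
EOF
audit_sshd_config "$WEAK_CFG" || echo "fix the above before forwarding port 22"
audit_sshd_config "$HARD_CFG" && echo "hardened config passes"
```

Because sshd applies the first occurrence of a keyword, a hardened line appended to the bottom of a file that already sets that keyword earlier changes nothing; the audit reports the value sshd will actually use.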

therog726
August 2nd, 2011, 01:09 AM
yes, opening a port for ssh is a security risk.

If you do not know how to secure an ssh server, you need to learn security before you go any further.


So how would I go about learning security? I've had a look at this: http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Is there anything else I should know?



Also, if you want filtering, use a proxy server such as privoxy or squid.

Would privoxy do the same (from the end user point of view) as an ssh tunnel? (I.e. encrypt my traffic?) I'm basically after a way that I could safely do anything I want (online banking, checking emails, etc) from a wireless hotspot.


Thanks for your help so far guys!

bodhi.zazen
August 2nd, 2011, 01:23 AM
Encryption is managed by ssh and the ssh tunnel.

squid would speed things up a tad as it is a caching proxy. privoxy would add some privacy and some adblock.