SSH Tunneling

[MrLinus]

In an attempt to help a colleague avoid having a "nosy admin" snoop on her MSN conversations, I suggested she might use SSH Tunneling. For those interested I did find this interesting tutorial on it and it might help if you have other applications other than ICQ or MSN.

If you don't know what SSH tunneling is: basically, it when you "tunnel" a service through an SSH server. You usually need to have a server somewhere running SSH. Some ISPs provide this as a service as part of their webhosting. You can also run a server (free) if you have a linux/unix install (generally this can be a default install -- ensure that it is a recent version and is patched accordingly).

Oh.. and don't forget to RTFM.

Source

SSH tunneling

My new employer (more on that later) has blocked most everything going out of their network except a couple of protocols, one of which is ssh. With some clues from one of the guys there I've managed to configure my machine so that it connect to IM services such as MSN and ICQ. The really cool thing is that I can do it will stuff that I already had, and I don't have to do much extra, just learn a couple new features of stuff that I already had.

So, what's the trick? Using SSH. I've already got SSH installed on a server at home, and I've got SSH installed via cygwin on my laptop, so with two simple steps I can connect my IM client to the actual services.

1. Reconfigure the IM client so that instead of pointing at their respective servers, they instead point at "localhost". I leave the ports the same, and just change the server names.

2. By running the following command from within cygwin, I can create a tunnel which redirects all connections made to my local machine to the end servers, via my personal server. (I've removed my user name and server name just to be extra safe).

ssh -L 1863:messenger.hotmail.com:1863 -L 5190:login.icq.com:5190 -L 5223:jabber.org:5223 -l myusername -N myservername

So, what does all that mean?

Well, the -L means map a local port to another port, via the ssl connection. So, when I connect to port 1863 on my laptop, it will connect me to messenger.hotmail.com via ssl and myserver. As you can see, you can have multiple -L options.

The next option, -l just says login using this username.

The -N says just create the connection, and don't bother executing any commands on myserver.

Finally, the last bit at the end is just the server to connect to that I have a user account on.

There is just one last bit...when I do all this, I have to login to the server, however, if I wanted to make this even more automatic, I could put an authentication key on the server and on my laptop that would let me just execute the command and not have to type in a password. There is more information on how to do that in the ssh documentation.

[slarty]

Nice

What a lot of people ask, is can they tunnel stuff through HTTP. Normally I say no, but if you have a proxy which does https, it *should* be possible.

Can you get a ssh client to use a HTTPS proxy? If so, presumably you can tunnel through that too.

Slarty

PS: Nice title, Mittens

[Faqt]

thanks Mittens. I've run into needing to tunnel through http before (past ISA), it was a major dilema.

[MrLinus]

I've never used it for HTTPS proxy but I don't see why you couldn't use it. I generally use it with an X-Windows forwarding and mozilla forwarding (and have used HTTPS successfully for it). As a quick reminder, remember that this merely encrypts between the client and the SSH server. Stuff after the SSH server will be in clear text. The idea is to ensure secure usage in an unsecure/unsafe LAN.

[deftones12]

i know im gonna get flamed up the ass for this but im willin to take it, whenever i post something or someone else posts something about tryin to avoid a admin or use another service that is blocked, we get hammered, now others post it, especially a moderator? im prolly wrong but im hopin you'll correct me. ive read alot of your posts ms mittens and i really like ya and all you really seem knowledgable and all that stuff, im just confused after you post somethin to dodge an admin and somethin to get through firewalls blocking certain protocols for a reason.

[MrLinus]

It is a valid point. However, the reason that I posted this wasn't necessarily to dodge the admin but to ensure privacy (there is nothing that prevents my friend from using MSN at her company -- rather to ensure privacy of her conversations because he is sniffing the network without authority). While this can be used to by-pass some issues, it is still up to each individual using this to decide how they will use it. I'm not suggesting it necessarily be used to by-pass existing policy but rather used to protect one's privacy in environments that may not be secure (e.g., wireless hotspots)

[TheSpecialist]

Actually if you play around with a sniffer you will notice that most IM applications already provide various forms of 128 Bit encryption methods. Chances are if an admin is to stupid to even notice/prevent certian major changes going on around the network then he or she sure as hell wont be able to read many conversations anyways. If they don't have time check out all those SSL and SSH encrypted traffic then chances are they sure as heck won't be interested in what some kids have to say on some instant messageing for reasons that I've already mentioned and some I have not... such as the very boredom of watching what peaple have to say.

HTTP and IRC however is a whole different story and will be a much larger target because its mainly plain text. Many FTP services are just as bad... I've seen many transfer in something similiar to an LZ77 algorithm for compression which is ok, but then I've seen others actually base64 beleave it or not, or even just provide a plain old hex dump of the file... which is ermmm... stupid.

[Highlander]

You know if I was an admin of that company and someone was trying to
bypass a advance firewall.... There is a reason, usually corp. spying....
and other reasons like spy-ware, viruses, and some contracts with
either other companies and government agencies,
And lets not forget personal info on a corp system.
and that employee would get fire for running an un-authroised program(s).
Remember the admins and corp management usually are on a first name
basis.

[mmkhan]

Hi, i want to ask that this same technique is useable for accessing web pages, becuase i have noticed that my (ISA server-i m using cablenet at my home) admins has a habit of logging our online activities( which pages we have accessed). If this technique is applicable here than how it is possible.


Thanks

[devpon]

mmkhan and Highlander, you are both missing the point. As MsMittens stated, this is not to bypass or dodge the admin.

It is a valid point. However, the reason that I posted this wasn't necessarily to dodge the admin but to ensure privacy (there is nothing that prevents my friend from using MSN at her company -- rather to ensure privacy of her conversations because he is sniffing the network without authority).