Threat Level: green Handler on Duty: Scott Fendley

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tip of the Day: Secure Surfing at the Coffee Shop (or Hacker Conferences)

Published: 2006-08-16
Last Updated: 2006-08-16 15:59:06 UTC
by Kyle Haugsness (Version: 2)
0 comment(s)
Update 1:  Many of you pointed out that you can use the built-in SOCKS proxy in SSHD to make this tip easier.  Indeed, this is true.  However, you can do some cool anonymity hacks within Squid that make your surfing a little more anonymous if you are so inclined.  For those that like simplicity and aren't worried about anonymity, don't worry about setting up the Squid proxy software, SSHD will do everything for you.  Use the command "ssh -D 3128 <user@IP>" and in your web browser, configure the SOCKS proxy option to be 127.0.0.1 and port 3128.

Update 2:  Something I failed to realize is that most recent browsers will also send your outbound DNS request through the SSH tunnel, which means #6 below is only true when using the SOCKS option.  So that is another reason to use Squid if you are concerned about privacy or being re-directed by malicious DNS servers on the wireless LAN.  DNS privacy worked when using Squid from clients on Linux (Firefox) and Windows (Firefox and IE).  If you know of a browser that doesn't do this, let us know.

This tip is how to use SSH port forwarding to browse the web at your favorite coffee shop (or hacker conference).

1) Setup a machine on your home network.  If you don't have a static IP address, then use dynamic DNS.

2) On this machine setup squid (http://www.squid-cache.org/) and bind it only to localhost.  Do this with the "http_port 127.0.0.1:3128" line in squid.conf.  This will prevent others on the Internet from abusing your open proxy.

3) Setup SSHD on this machine.  And do yourself a favor, require SSH key authentication and run SSHD on a port that is NOT 22.  This will keep all those brute force SSH grinders from filling your log files.

4) At the coffee shop, do ssh -p <sshd_port> -L3128:127.0.0.1:3128 <user@IP>.  This will setup your SSH tunnel.

5) The most critical piece is to configure your web browser to use a proxy.  Host: 127.0.0.1; port 3128

6) Surf away.  All your web surfing will be encrypted to your home box before travelling to the Internet.  Be advised that your outbound DNS requests are still sent to the local network unencrypted.  But you have at least prevented snooping and/or modification on the HTTP(S) traffic.

You can forward almost any standard TCP application though an SSH tunnel and OpenSSH has recently introduced lightweight VPN features.  But that's a topic for another day.

Keywords: ToD
0 comment(s)
Diary Archives