Using SSH For Secure Web Browsing
With fraud on the rise, everyone has a need for a secure Internet connection, whether this is to do some online banking or to check a social networking site such as Facebook or MySpace. You can have peace of mind while browsing via a public computer or wireless Internet connection by using an SSH tunnel to encrypt your data.
When I was a student at college I quite often used an SSH tunnel to bypass the strict filtering policy imposed by the local network administrators; this enabled me to access blocked sites such as MySpace and Facebook and also to log into my Internet banking with peace of mind that my credentials are fairly secure. To take advantage of an SSH tunnel you are going to require a few tools, which I shall list.
- SSH Account
- PuTTY (SSH client)
- Portable Firefox
- 3proxy
First off, we are going to need to get an SSH account on a server somewhere. You may know a friend who owns a server and is willing to let you have a shell account, or you may have to purchase one from a shell provider. Luckily for me I happen to own a number of virtual servers, one of which I shall be using for this tutorial. Obtaining an SSH account is beyond the scope of this tutorial, but using a tool such as Google should assist you in finding a provider.
OK, so assuming you now have your SSH account, we need to log in using the PuTTY SSH client. Go ahead and enter your user name and password, then hit return.
You should now be logged in and see a black screen with some white writing that looks similar to the following.
login as: greg
greg@10.10.10.10's password:
Last login: Sun Jun 8 01:43:21 2008 from 10.10.10.20
[greg@vm103 ~]$
Now you are logged in you need to run a command to download 3proxy.
[greg@vm103 ~]$ wget http://3proxy.ru/0.5.3k/3proxy-0.5.3k.tgz
OK, so now that we have downloaded the archive we need to extract it so that we can start work on compiling the binary. You will now need to run another command:
[greg@vm103 ~]$ tar xvfz 3proxy-0.5.3k.tgz
The archive has now been extracted to its original structure before it was archived and compressed. We now need to start compiling the sources to build the executable binary file. Once again go ahead and run the following command.
[greg@vm103 ~]$ make --makefile=Makefile.unix
Now it's time to go and get a drink or a bite to eat while the program compiles. This is not a massive application, so it should not take too long to compile, depending on the hardware specs of your SSH server.
Once the compilation is complete your shell should be displaying something similar to:
make[1]: Leaving directory `/home/greg/src'
[greg@vm103 ~]$
Congratulations, you have just compiled 3proxy and it is ready to be run. Just a few more commands to run and the proxy will be listening for connections:
[greg@vm103 ~]$ cd src
[greg@vm103 src]$ ./proxy -d -i127.0.0.1 -e78.129.159.162 -p6500 -a
Obviously, for this to work with your configuration you are going to need to change some values. The “-d” flag means that the application will be daemonized (run in the background), which enables you to still use the shell and safely close it without killing the proxy server process. The local interface to listen on is defined by -i, and in this case we should leave this as 127.0.0.1, as it stops anyone from using your proxy unless they already have access to the server itself, which we do. You also need to let the proxy server know what IP to connect out on with -e, as usually a web server will have more than 1 IP address, so set this to the IP address you want to appear to be connecting from. And finally you need to specify a port number to listen on with -p. We have chosen 6500, but you may choose another port as long as it is not lower than 1024, since ports below 1024 can only be bound by root.
OK, so you think your proxy is running? We can check that it is running by using a simple Linux command.
[greg@vm103 src]$ ps x
PID TTY STAT TIME COMMAND
15141 ? S 0:00 sshd: greg@pts/0
15142 pts/0 Ss 0:00 -bash
15245 ? Ss 0:00 ./proxy -d -i127.0.0.1 -e78.129.159.162 -p6500 -a
15251 pts/0 R+ 0:00 ps x
[greg@vm103 src]$
You can easily see that the command we ran to execute the proxy server is running and has been assigned the PID of 15245. So far we have downloaded and compiled 3proxy and set it running and listening for an incoming connection. You can test that the proxy is accepting connections easily by using the telnet command.
[greg@vm103 src]$ telnet localhost 6500
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Success! You have locally connected to the running proxy server. To exit, hold Ctrl and press the ] key, then type quit and hit return.
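The ps and telnet checks show that the proxy is running and answers locally, but not that it is unreachable from other hosts, which is the whole point of -i127.0.0.1. The following is an added example, not part of the original tutorial: a shell function that reads `ss -ltn` output (iproute2's `ss` is assumed to be installed) and reports whether a port is bound to loopback only. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# listener_exposure PORT  <  output of `ss -ltn`
# Prints: loopback-only | exposed | not-listening
listener_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Field 4 is Local Address:Port, e.g. 127.0.0.1:6500,
            # [::1]:6500, 0.0.0.0:6500 or *:6500.
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            # Anything other than 127.x.x.x or [::1] is reachable
            # from other machines.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: proxy started with -i127.0.0.1 -p6500 as above.
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1024   127.0.0.1:6500     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Constructed sample: the same port bound to every interface (-i0.0.0.0),
# which would make the server an open proxy.
SAMPLE_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1024   0.0.0.0:6500       0.0.0.0:*'

printf '%s\n' "$SAMPLE_SAFE" | listener_exposure 6500
printf '%s\n' "$SAMPLE_OPEN" | listener_exposure 6500

# On the real server:  ss -ltn | listener_exposure 6500
```

Anything other than loopback-only for the proxy port means the proxy can be reached without going through SSH and should be restarted with -i127.0.0.1.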
Now we need to create a tunnel to the proxy server using the PuTTY SSH client. To make this easier I have provided screenshots of the process.
Before you can create the tunnel you need to create a saved session in PuTTY that will store your server details and also the important flag that tells PuTTY to create the tunnel.
Once you have entered your connection details into PuTTY you will need to click on save, and magically your session has been saved. Now, just for safe measure, click on the session name you selected and click load, just so we know it is the correct session that we currently have loaded.
The second-to-last step is to set up the port forwarding (tunnel) in PuTTY so that the port the proxy server is listening on is tunneled via an encrypted SSH session back to your PC. With the values used in this tutorial, that means forwarding local port 8080 to 127.0.0.1:6500 on the server.
Now you have completed all the steps required for the port forwarding to work you can set your web browser proxy settings to “localhost” on port 8080. Now visit a site such as http://whatismyip.com/ and the site should tell you that the IP you are visiting from is the server IP address you specified earlier.
Enjoy your secure filter-bypassing tunnel.

You could do away with the whole 3proxy thing by using the “Dynamic” port forwarding feature of SSH.
Look for it in the second PuTTY screenshot.
“Dynamic” port forwarding is a fancy name for a SOCKS proxy (port 1080).
Use it in PuTTY, point Firefox to localhost:1080 and select proxy type SOCKS (v5).
Cheers!