One of the most important things by working in \"dangerous\" Networking Enviroments is protection.<\/p>\n
And by that I don't mean the usual (and important!) Anti Virus, Anti Malware and Firewall Software, but Traffic Tunneling, meaning VPN or SSH.<\/p>\n
SSH is the secure equivalent to the good old (and Plaintext transmitted) Telnet. And its also more powerful: Its use is not limited to remote Control, but can also provide an secured Datatunnel through which all your Traffic to your Remote Location (i.e. an Mysql Database, Web- or Mailserver or the Web itself) is tunneld - and encrypted. Giving therefore little to no chance to \"Wiresharkes\" and other Cable Tappers or Span Users.<\/p>\n
So lets go:<\/p>\n
1. Setting up the SSH Server
\nSetting up an ssh Server is as simple as:
\napt-get install openssh-server
\nif you're running Debian or Ubuntu.<\/p>\n
Optional you can configure that the \"root\" Account
\nwon't be able to access via ssh and you can configure that
\nPlaintext Passwords aren't allowed. We will go for an Keybased Setup here,
\nbut I would recommend not shutting down this Plaintext Password Authentification
\nif you can't access the machine physically easily (as the Certifactes are only valid
\nfor one year...).<\/p>\n
2. Configuring the SSH Server
\nvi \/etc\/ssh\/sshd_config<\/p>\n
- change Port to 18000
\nPort 18000
\n\/\/ Thats an must!<\/p>\n
- deactivate root access
\nPermitRootLogin yes
\n\/\/ Thats optional, it does NOT allow your root Account to login via SSH.
\n\/\/ Only set that if you know what you're doing!<\/p>\n
- deactivate password login
\nPasswordAuthentication no
\n\/\/ Thats optional as well, you can set that after this whole thing,
\n\/\/ as you have working SSH Key Authentification - but beware,
\n\/\/ you won't be able to login via an Password then!
\n\/\/ ( And that will hurt if your Keys are expired and don't work anymore... )<\/p>\n
3. Configure Router (NAT and Firewall) to Allow Access to your SSH Server.
\nUse Dynamic DNS (i.E. DynDNS.org) to get an Dynamic DNS Adress.
\n( Means that an adress like myserver.dyndns.org will always point to
\nyour dynamically changing IP Adress of your Router. Most Routers have an
\nDynDNS Client built in, so they update the DynDNS Account on every IP Change -
\nlook it up in the Handbook \/ Config Menu)<\/p>\n
4. Setting up an SSH User with Restricted Shell Access
\nsudo apt-get install rssh
\n\/\/ Installs the restricted shell
\nsudo useradd tunnel -m -s \/usr\/bin\/rssh
\n\/\/ Creates an User named tunnel with the Restricted Shell
\nsudo passwd tunnel
\n\/\/ Enter the Password you want for the User<\/p>\n
5. Setting up Squid HTTP Proxy
\nsudo apt-get install squid<\/p>\n
6. Creating the Connection using Putty and Setting up the Clients
\nDownload the Putty installer from
\nhttp:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/download.html
\nand install. Then open Putty:<\/p>\n
Session -> Hostname and Port: Enter your DynDNS Adress and the Port you chose for SSH
\nConnection -> Enable TCP Keepalives
\nConnection -> SSH -> Don't start a shell or command at all
\nConnection -> SSH -> Enable compression
\nConnection -> SSH -> Tunnels: Source Port you can choose i.E. 20000
\n\/\/ Source Port is the Port the Tunnel will end on your \"Client PC\"
\nConnection -> SSH -> Tunnels: Destination Port localhost:3128
\n\/\/ Destination Port is in that Case the Server (localhost) and Port 3128
\n\/\/ which is the Squid Proxy. But it could also be something like
\n\/\/ IPofyourRouter:21 to forward the Telnet of your Router to Port 20000 on
\n\/\/ the Remote PC, or IporNameofyourHomePc:3389 to forward the Windows
\n\/\/ Remote Desktop - or anything else. You would then connect with the
\n\/\/ Remote Desktop Tool to \"localhost:20000\" to Access your PC at Home.
\nSession -> Press Save and Save the Session
\nSession -> Press Open and Enter your Login, i.E. tunnel and password<\/p>\n
You won't see anything as it stays open and \"nothing happens\".<\/p>\n
Go to your Internet Explorer \\ Firefox and enter as Proxy localhost, Port 20000<\/p>\n
Internet Explorer:
\nExtras, Internetoptions, Lan Settings, Choose Proxy Server for Lan
\nEnter localhost, Port 20000<\/p>\n
Firefox:
\nExtras, Settings, Advanced, Network, Settings
\nManual Proxy Configuration, HTTP Proxy: localhost, Port 20000
\nFor all Protocols<\/p>\n
And now you'll be able to surf the Web Securely from everywhere through your
\nsecured Tunnel!<\/p>\n
WARNING: ONLY the Traffic is secured. Your DNS Lookups STILL go to your local
\nDNS Server. So i.e. the Local DNS Admin can see that you were surfing on
\ni.e. Google, Facebook or so - but can't see what you did transmit there.
\nTo change that and to do DNS also tunneled via SSH do this:.<\/p>\n
Internet Explorer:
\ndon't know, isn't working<\/p>\n
Firefox:
\n\/\/ Enter in the URL Bar:
\nabout:config
\n\/\/ Look for this string and set it to \"true\"
\nnetwork.proxy.socks_remote_dns<\/p>\n
Only one thing to do left:
\nSet Keybased Authentification.
\nKeybased Authentification has two main Advantages:
\na) You can use it allow scripts to identify themselfes via the key and use ssh
\nb) Its more secure as the Key does check its Serverpart and tells you if you're
\nconnection has been redirected or intercepted. Its the way to go.<\/p>\n
Creating keys:
\nsu
\n\/\/ Enter password for root Access
\nssh-keygen -t rsa -b 2048
\nJust \"enter\" through everything<\/p>\n
Installing keys:
\ncd \/home\/tunnel\/
\nmkdir .ssh
\nchmod 700 .ssh\/
\ncd .ssh\/
\ntouch authorized_keys
\ncat ~\/.ssh\/id_rsa.pub > authorized_keys
\nchmod 600 authorized_keys
\ncd ..
\nchmod 700 .ssh\/
\nchown tunnel -R .ssh\/
\nexit<\/p>\n
Download the key id_rsa in \/root\/.ssh\/ via WinSCP to your PC
\nStartup puttygen which you did gain with the Putty installer.
\nLoad the id_rsa in Putty and press on \"Save Private Key\"<\/p>\n
Using key based Authentification with Putty:
\nOpen Putty and load your Preset
\nConnection -> SSH -> Auth
\nAnd use the \"Private Key File for Authentification\" to point to your previously
\nset Private Key (wheter encrypted or not isn't important at this Point).
\nGo again to Session and Save again. Press Open.
\nYou'll be asked to enter your Username and Passphrase (if you got one).
\nIf you want to really automate that, you can even specify your Username in
\nPutty under SSH -> Connection -> Data \"Auto Login Name\"<\/p>\n