SSH Tunneling Explained for Linux and Windows

Table of Contents

Chapter 1 – Introduction
    Freedom of Privacy
    What is SSH Tunneling?
    When is a SSH Tunnel Appropriate?
    Essential Tools
        1. PuTTY
        2. The Tube
        3. Freecap
    Alternative Tools
        1. Tor
        2. Privoxy
    Customer Connectivity Notes
    Creating a SSH Tunnel
        1. Using “PuTTY”
        2. Using “The Tube”
        3. Using the Linux/Unix Console
    SSH Key Authentication
    Creating a SSH Tunnel Chain
    What is the level of my privacy?
Chapter 2 – Browsing the web
    Why do I need to browse securely?
    Browser configuration guidelines
        1. Internet Explorer
        2. Mozilla
        3. Firefox
        4. Opera
Chapter 3 – Sending E-Mail
    Why do I need to secure my e-mail traffic?
    Setting up an email purpose SSH tunnel
    SSH Secure Shell for workstations configuration
    Client configuration guidelines
        1. Mozilla Mail
        2. Outlook
        3. Outlook Express
        4. Thunderbird
Chapter 4 – Instant Messaging and VoIP
    Why do I need to secure my IM traffic?
    Configuration guidelines
        1. mIRC
        2. Xchat
        3. Yahoo Messenger
        4. MSN Messenger
        5. ICQ
        6. Skype
        7. VoIPBuster
        8. Trillian
        9. Gaim
Chapter 5 – Security Ethics
    Why do we need security ethics?
    Top 10 ways to protect your privacy online

Chapter 1 – Introduction

Freedom of Privacy

In our society, technology often forces us to choose between privacy and freedom. The pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms. Corporations and the police are both using this new trove of surveillance data. We as a society need to understand the technological trends and discuss their implications. If we ignore the problem and leave it to the "market," we'll all find that we have almost no privacy left. Most people think of surveillance in terms of police procedure: follow that car, watch that person, listen in on his phone conversations. This kind of surveillance still occurs.
But today's surveillance is more like the NSA's model, recently turned against Americans: Eavesdrop on every phone call, listening for certain keywords. It's still surveillance, but it's wholesale surveillance. Wholesale surveillance is a whole new world. It's not "follow that car," it's "follow every car." The National Security Agency can eavesdrop on every phone call, looking for patterns of communication or keywords that might indicate a conversation between terrorists. Many airports collect the license plates of every car in their parking lots, and can use that database to locate suspicious or abandoned cars. Several cities have stationary or car-mounted license-plate scanners that keep records of every car that passes, and save that data for later analysis. More and more, we leave a trail of electronic footprints as we go through our daily lives. We used to walk into a bookstore, browse, and buy a book with cash. Now we visit Amazon, and all of our browsing and purchases are recorded. We used to throw a quarter in a toll booth; now EZ Pass records the date and time our car passed through the booth. Data about us are collected when we make a phone call, send an e-mail message, make a purchase with our credit card, or visit a website. Much has been written about RFID chips and how they can be used to track people. People can also be tracked by their cell phones, their Bluetooth devices, and their WiFi-enabled computers. In some cities, video cameras capture our image hundreds of times a day. The common thread here is computers. Computers are involved more and more in our transactions, and data are byproducts of these transactions. As computer memory becomes cheaper, more and more of these electronic footprints are being saved. As processing becomes cheaper more and more of it is being cross-indexed and correlated, used for secondary purposes. Information about us has value. It has value to the police, but it also has value to corporations. 
The Justice Department wants details of Google searches, so they can look for patterns that might help find child pornographers. Google uses that same data so it can deliver context-sensitive advertising messages. The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations. A national lawn-care company uses the same data to better market its services. The phone company keeps detailed call records for billing purposes; the police use them to catch bad guys. In the dot-com bust, the customer database was often the only salable asset a company had. Companies like Experian and Acxiom are in the business of buying and reselling this sort of data, and their customers are both corporate and government. Computers are getting smaller and cheaper every year, and these trends will continue. Here's just one example of the digital footprints we leave: It would take about 100 megabytes of storage to record everything the fastest typist input to his computer in a year. That's a single flash memory chip today, and one could imagine computer manufacturers offering this as a reliability feature. Recording everything the average user does on the Internet requires more memory: 4 to 8 gigabytes a year. That's a lot, but "record everything" is GMail's model, and it's probably only a few years before ISPs offer this service. The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded. 
When that happens, will not wearing a life recorder be used as evidence that someone is up to no good, just as prosecutors today use the fact that someone left his cell phone at home as evidence that he didn't want to be tracked? In a sense, we're living in a unique time in history. Identification checks are common, but they still require us to whip out our ID. Soon it'll happen automatically, either through an RFID chip in our wallet or face-recognition from cameras. And those cameras, now visible, will shrink to the point where we won't even see them. We're never going to stop the march of technology, but we can enact legislation to protect our privacy: comprehensive laws regulating what can be done with personal information about us, and more privacy protection from the police. Today, personal information about you is not yours; it's owned by the collector. There are laws protecting specific pieces of personal data -- videotape rental records, health care information -- but nothing like the broad privacy protection laws you find in European countries. That's really the only solution; leaving the market to sort this out will result in even more invasive wholesale surveillance. Most of us are happy to give out personal information in exchange for specific services. What we object to is the surreptitious collection of personal information, and the secondary use of information once it's collected: the buying and selling of our information behind our back. In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it is to pass laws regulating its generation, use and eventual disposal. Basic Internet security measures including ISP online filters, firewall, and virus, Trojan, worm, spyware and spam protection are only the beginning. For families, software to protect kids is needed. 
If you keep sensitive personal information and/or documents on your computer, they should be password protected or encrypted. If you dislike the idea of companies tracking your surfing habits, you need software to erase your browser tracks and manage cookies. In this guide you will learn how you can securely browse the web, send email, chat and carry VoIP traffic without fear of identity theft or privacy loss, by routing that traffic through the encrypted communication channel that an SSH tunnel provides.

What is SSH Tunneling?

SSH Tunneling, or port forwarding, is a way to carry otherwise insecure TCP traffic inside an SSH connection, for example one made with SSH Secure Shell for Workstations. You can protect, for example, POP3 and SMTP (email traffic) and HTTP connections (web traffic) that would otherwise travel in the clear. These are just a few basic examples; later in the guide you will see how SSH tunneling can be used for many other purposes. The tunneling capability of SSH Secure Shell for Workstations allows, for example, company employees to access their email, company intranet pages and shared files securely even when working from home or on the road. Tunneling makes it possible to access email from any type of Internet service (modem, DSL, cable or a hotel Internet service). As long as the user has an IP connection to the Internet she can get her mail and access other resources from anywhere in the world securely. This often is not the case with more traditional IPsec-based VPN technologies, because of problems traversing networks that implement Network Address Translation (NAT), which is especially common in hotels. NAT breaks an IPsec connection unless a special protocol such as NAT-Traversal (NAT-T) is implemented on both the client and the gateway. The client-server applications using the tunnel carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel; the tunnel protects those credentials in transit but does not replace them.
The protocol/application might only be able to connect to a fixed port number (e.g. IMAP on 143). Otherwise any available local port can be chosen for port forwarding.

When is a SSH Tunnel Appropriate?

Tunnels are a lot easier to understand if you think about when a tunnel is appropriate:

Tunneling to ensure privacy - many people use Outlook Express to connect to their SMTP and IMAP (or POP) mail server. They should know that when they connect to the mail server they supply a user ID and password in the clear that others might snoop from the net. This is a smaller risk when the data path between the client and the server is a switched local area network, although a switched LAN only makes sniffing harder, not impossible. It is a serious problem when the network path cannot be trusted, e.g. when traveling or when using an insecure network (wireless networks are notoriously insecure). In cases like this SSH tunnels can be used to obtain a reliable and private data connection. Note that you can also surf anonymously through the available servers with their pre-installed proxies, so your real IP address is not exposed to the sites you visit. All the proxies on the servers are set to High Anonymity, which means they do not add headers (such as X-Forwarded-For or Via) that would reveal your address or announce that the request came through a proxy; to the remote site the traffic looks like ordinary traffic from the server's own IP. This lets you have both security and natural Internet traffic flow without triggering the filtering that ordinary proxy configurations often do.

Tunneling to get past a firewall - many organizations erect campus firewalls to block certain protocols. If you have a "home network" you probably have a "router" (actually a NAT device) to protect your systems from outside attacks. SSH tunnels can be used to carry data that might otherwise be blocked. X11 tunneling is the classic example; on Windows the usual combination is X-Win32 together with SSH.

Tunneling to maintain locality - often the services we provide are constrained depending on where you are. A campus service may only expose local newsgroups to the world at large. If you’re off campus you can only see the <extension>.* newsgroups. With an SSH tunnel you can connect as a local user even though you’re off campus: tunnel the NNTP protocol and you can read all newsgroups.

Essential Tools

In this section we explain the basic usage of the most popular tools used first to create an SSH connection and then to extend it into SSH tunnel connections. Following the descriptions and screenshots provided will get you started in the shortest time possible with a minimum of effort; no prior networking knowledge is required. Beyond the options and methods shown here there are many other features that you may want to learn about by reading each program's manual.

1. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham. It can be downloaded for free from the official website: http://www.chiark.greenend.org.uk/~sgtatham/putty/ Visit the “Download” page and get PuTTY for the operating system and computer architecture that you are using. Like most Internet users you will probably need PuTTY for Windows 95, 98, ME, NT, 2000 and XP on Intel x86. If this is not the case, the PuTTY project provides binaries for other architectures on the same page. It is important to always use the latest software version, since older releases may contain security bugs that have since been fixed.
At the time of writing the latest PuTTY release is beta 0.58. Right after downloading PuTTY and opening it you will be presented with the default GUI (Graphical User Interface), as shown in Image1.

Image1 - Default PuTTY GUI

The server “server.example.com” should be replaced by the server you receive with your account details.

Important: Throughout the guide we use 4111 as the default surfing (proxy) port; replace it with the surfing port given in your account details. The other ports (Privoxy, Tor and so on) are the same on all servers.

As an initial reference, here are the most important options you have to set in order to establish an SSH connection using PuTTY:

Host Name (or IP address): type your server address (e.g. server.example.com)
Protocol: choose “SSH”
Saved Sessions: if you want to save your settings for later use, type a name for this connection (e.g. Example-Server) and click “Save”; you will later be able to “Load” the host/protocol settings by selecting the name from the list

Clicking the “Open” button starts an SSH connection to the server and shows the login prompt (user/password pair). At this point you can log in successfully, but a plain login is not the point of our service: the SSH tunnel has to be configured first in order to get the benefits described here. See the later section “Creating a SSH Tunnel” for reference. If you have followed these simple steps you will now see the PuTTY GUI as in Image2, below.

Image2 – PuTTY configured to store the session configuration for the given host “server.example.com”

2. The Tube

The Tube is a free tool designed for all SSH tunneling needs, developed with ease of use in mind.
Extra benefits:
- Works on Windows 2000 / XP / Vista
- Can automatically configure the following applications for the tunnel you assign to them:
    * Firefox
    * Mozilla
    * Thunderbird
    * Opera
    * Internet Explorer
    * Outlook Express
    * Microsoft Outlook
- POP3/SMTP/IMAP tunnels
- No annoying popups or scumware

You will receive a free copy of The Tube when you sign up for our service. The latest version is 1.0; the software's development and maintenance is funded by donations. After downloading and running The Tube you will be presented with the default GUI, as in Image3.

Image3 – The Tube default GUI

3. Freecap

Be aware that some applications cannot send their traffic through a proxy using their own settings. This is where FreeCap comes in: it lets us secure the traffic even of such otherwise incompatible applications. FreeCap is a widely used program for transparently redirecting connections from different applications through a given SOCKS server. Some programs have no native SOCKS support (the FreeCap page names Internet Explorer and Opera as examples); in that case FreeCap helps by transparently redirecting all their connection requests through a preconfigured SOCKS server. As noted on the official FreeCap web page (http://www.freecap.ru), the main program features are:

- Functionality of the SOCKSCap program
- Functionality of the SOCKS Chain program
- Support for SOCKS protocol versions 4 and 5
- Support for SOCKS v5 authentication
- Support for chains of SOCKS servers
- Support for tunneling through an HTTP proxy (via the CONNECT method)
- Runs at system startup
- Works on Windows 95/98/ME/NT/2000/XP
- Supports many popular programs, such as Microsoft Internet Explorer, Netscape, Mozilla, Trillian, Opera and Microsoft Outlook Express

To download FreeCap visit the official website: http://www.freecap.ru The Download page offers direct links to FreeCap v3.18 (latest version); after installing it you will see the main FreeCap GUI as in Image4, below.

Image4 – Freecap default GUI

Alternative Tools

The tools above are what most users need to secure their traffic, but there are other methods that provide highly anonymous traffic. In this guide we are going to learn about Tor and Privoxy and how they can be used in various circumstances to better secure our working environment.

1. Tor

Tor is a widely known anonymous Internet communication system. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH and other application traffic. The more users Tor has, the better its anonymity, because the system is a set of clients and relays running all around the world and each user's traffic hides among everyone else's. Tor can be obtained for free from: http://tor.eff.org/ At the same address you can find much more information and guidelines for using Tor, as well as tutorials written to help ordinary users "torify" their favourite applications. Note that Tor also makes it possible for users to hide their location while offering various kinds of services, such as web publishing or an instant messaging server.
At the time of writing Tor lists the latest stable release as 0.1.1.24 and the latest development release as 0.1.2.2-alpha. Please keep in mind that using Tor directly requires your tools/apps to be SOCKS enabled. For further documentation about Tor see http://tor.eff.org

As you will see further in this guide, we are going to secure the traffic generated by various common applications. Note that all these methods and applications can also be secured with the help of Tor on our servers: either through port 8119, where Privoxy relays to Tor (for applications that understand an HTTP proxy), or by connecting directly to Tor's SOCKS listener on localhost port 10003 (for SOCKS-aware applications). Both ports are reached through the SSH tunnel, as described in the Customer Connectivity Notes.

2. Privoxy

As we learn from the official Privoxy web page (http://www.privoxy.org), this tool is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy is free and can be downloaded from its official website: http://www.privoxy.org/ The latest version of Privoxy is 3.0.5 (BETA); it is based on Internet Junkbuster™.

We have placed both Tor and Privoxy in this section because Tor can't solve all anonymity problems. Tor focuses only on protecting the transport of data. You need protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use a web proxy such as Privoxy while browsing to block cookies and withhold information about your browser type. Note that besides being downloadable, Tor and Privoxy are already installed on our servers and ready for you to use, as noted in the following guidelines.
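Using Tor directly (or the Dante proxy described in the Customer Connectivity Notes) requires a SOCKS-capable application. The following is an added example, not code from this guide, Tor, Dante or FreeCap: it implements the client side of the SOCKS5 CONNECT handshake (RFC 1928) in Python, the exchange that a SOCKS-enabled program, or FreeCap on its behalf, performs before any application data flows, and runs it against a constructed in-process stand-in for the proxy so it works offline. In real use the socket would be connected to the tunnel's local end (assumed here to be 127.0.0.1 and a local port of your choosing). The request sends the destination as a domain name so that the proxy, not your machine, resolves it; that is the detail that matters for Tor, where a local DNS lookup would reveal which site you are visiting.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), client side, with a constructed
fake proxy so the exchange can be run offline.

Added example for this guide; not code from the guide, Tor, Dante or FreeCap.
In real use `client` is a socket connected to the tunnel's local end, e.g.
127.0.0.1:<local port> forwarded to Tor's SOCKS port or to Dante on 1080.
"""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


class SocksError(ConnectionError):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def _recv_exact(sock, n):
    """Read exactly n bytes; a truncated SOCKS message is never valid."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError(-1, "proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def build_greeting():
    """VER, NMETHODS, METHODS: we offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host, port):
    """CONNECT with ATYP=DOMAINNAME: the proxy resolves the name, so no DNS
    query for the destination leaves this machine (SOCKS4 cannot do this)."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def read_reply(sock):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT and return the REP code."""
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise SocksError(-1, "not a SOCKS5 reply (is this really the SOCKS port?)")
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise SocksError(-1, "unknown address type in reply")
    _recv_exact(sock, 2)  # BND.PORT, not needed for CONNECT
    return rep


def socks5_connect(sock, host, port):
    """Turn a socket connected to a SOCKS5 proxy into a byte pipe to host:port."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
        raise SocksError(-1, "proxy rejected our authentication methods")
    sock.sendall(build_connect(host, port))
    rep = read_reply(sock)
    if rep != 0x00:
        raise SocksError(rep, REPLY_TEXT.get(rep, "unknown reply"))
    return sock


def _fake_socks_server(conn, allowed):
    """Constructed stand-in for Dante/Tor: no auth, CONNECT allowed only to `allowed`."""
    _ver, nmethods = _recv_exact(conn, 2)
    _recv_exact(conn, nmethods)
    conn.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
    _ver, _cmd, _rsv, _atyp = _recv_exact(conn, 4)
    host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
    port = struct.unpack("!H", _recv_exact(conn, 2))[0]
    rep = 0x00 if (host, port) == allowed else 0x02
    conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + b"\x00\x00")
    conn.close()


def demo(host="example.com", port=80):
    """Run the client handshake against the fake proxy; return the REP code."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_fake_socks_server, args=(server, ("example.com", 80)))
    worker.start()
    try:
        socks5_connect(client, host, port)
        return 0x00
    except SocksError as exc:
        return exc.code
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print("example.com:80 ->", REPLY_TEXT[demo()])
    print("example.org:80 ->", REPLY_TEXT[demo("example.org", 80)])
```

The fake proxy permits only example.com:80 and answers everything else with reply code 2, the code RFC 1928 assigns to a proxy whose rules block the destination, so the client's error path is exercised as well as the success path. A real client would go on to speak HTTP, IMAP or IRC over the returned socket exactly as if it were connected to the destination.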
Customer Connectivity Notes

Once you have understood how to handle PuTTY and connect to our service you can read the message displayed in the console, the “message of the day” familiar to Linux/Unix users. The details you are given when logging in can be seen in the console if you are using PuTTY; if your choice is The Tube (recommended) you should be aware of the following ports for anonymous traffic:

- Surfing the web anonymously: through the proxy on port 4111
- Surfing anonymously and protected by Privoxy: through Privoxy on port 8118
- Surfing with the strongest anonymity, protected by Privoxy and relayed through Tor: through Privoxy on port 8119
- Tor directly: through its SOCKS listener on port 10003 (more documentation at http://tor.eff.org). Important! Using Tor directly requires tools with SOCKS version 4 or version 5 support.
- Applications that need a plain SOCKS 4/5 proxy: Dante on port 1080

In this last case we kindly ask our customers not to abuse our bandwidth for P2P activity.

Vital note: all of the above ports are reached through an SSH tunnel, not directly from the Internet. To understand how SSH tunnels are created and managed see the following section, “Creating a SSH Tunnel”.

Quick example: to surf anonymously through Privoxy (which on the server relays to the squid proxy) from a Linux/Unix console, run:

ssh -c blowfish -C -l your-username server.example.com -L 33333:localhost:8118 sleep 999999

This forwards local port 33333 to port 8118 on the server, so the browser is pointed at the HTTP proxy 127.0.0.1:33333. Two notes for current systems: the -c blowfish option selects a cipher that recent OpenSSH releases have dropped, so omit it (the command fails otherwise) and let the client negotiate its default; and the trailing "sleep 999999" only keeps the session open without a shell, which the -N option does without running any remote command at all.

Creating a SSH Tunnel

To use an SSH tunnel you must first establish the tunnel with an SSH client, and then connect your application to the local end of it to reach the remote machine. The next section shows you how to set up the tunnel.
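The quick example above opens the forward by hand. The following added example, not the guide's own code, does the same from Python so that each step is explicit: it builds an OpenSSH command line for a local forward, starts it, and waits until the local port actually accepts connections instead of assuming it does. It assumes an OpenSSH client named ssh on PATH; your-username and server.example.com are placeholders for your account details. It goes beyond the quick example in three ways: -N replaces the sleep trick, ExitOnForwardFailure makes ssh exit (rather than run uselessly) when the local port is already taken, and the listener is bound to 127.0.0.1 explicitly so it stays private even if a GatewayPorts setting in your ssh_config would otherwise expose it to other machines on your LAN.

```python
"""Open an SSH local port forward (the console equivalent of PuTTY's
'Tunnels' page) and verify that the local listener is really up.

Added example, not the guide's own code. Assumes an OpenSSH client named
`ssh` on PATH; 'your-username' and 'server.example.com' are placeholders.
"""
import socket
import subprocess
import time


def forward_argv(user, host, local_port, remote_port, remote_host="localhost", ssh_port=22):
    """argv for: 127.0.0.1:local_port -> (via the SSH server) remote_host:remote_port.

    remote_host is resolved by the SSH server, so "localhost" means the server
    itself, which is what the proxy ports 4111/8118/8119/10003/1080 require.
    """
    for name, value in (("local_port", local_port), ("remote_port", remote_port), ("ssh_port", ssh_port)):
        if not 1 <= int(value) <= 65535:
            raise ValueError(f"{name} out of range: {value}")
    return [
        "ssh", "-N",                       # no remote shell; replaces 'sleep 999999'
        "-C",                              # compression, as in the guide's quick example
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",  # exit if the local port is taken instead of running uselessly
        "-o", "ServerAliveInterval=60",    # keep NAT devices from dropping an idle tunnel
        # explicit loopback bind: nobody else on the LAN can use your tunnel
        "-L", f"127.0.0.1:{local_port}:{remote_host}:{remote_port}",
        f"{user}@{host}",
    ]


def listener_up(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_listener(port, proc=None, deadline_s=15.0):
    """Poll until the forward accepts connections; give up if ssh exits or time runs out."""
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        if proc is not None and proc.poll() is not None:
            return False  # ssh already exited: bad credentials, port in use, host key refused...
        if listener_up(port):
            return True
        time.sleep(0.2)
    return False


def open_tunnel(user, host, local_port, remote_port):
    """Start ssh in the background and return the process once the tunnel is usable."""
    proc = subprocess.Popen(forward_argv(user, host, local_port, remote_port))
    if not wait_for_listener(local_port, proc):
        proc.terminate()
        raise RuntimeError(f"tunnel on 127.0.0.1:{local_port} did not come up")
    return proc


def check_listener_detection():
    """Offline self-check: a real listener is detected and a closed port is not."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))  # kernel-assigned ephemeral port
    probe.listen(1)
    port = probe.getsockname()[1]
    seen_open = listener_up(port)
    probe.close()
    seen_closed = listener_up(port)
    return seen_open, seen_closed


if __name__ == "__main__":
    # Privoxy on the server (8118) becomes 127.0.0.1:33333 locally, as in the quick example above.
    tunnel = open_tunnel("your-username", "server.example.com", 33333, 8118)
    print("tunnel up: set your browser's HTTP proxy to 127.0.0.1:33333 (Ctrl-C to stop)")
    try:
        tunnel.wait()
    except KeyboardInterrupt:
        tunnel.terminate()
```

The -N, -L and -C options have the same meaning in PuTTY's command-line client plink, so the same forward can be started from a Windows command prompt, although the -o options are specific to OpenSSH. Once the script reports that the tunnel is up, configure the application as described in the chapters that follow, pointing it at 127.0.0.1 and the local port.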
Each of the following sections explains how to connect and establish an SSH tunnel with a specific SSH client or tunneling application, in order to reach the services that are only reachable from the server itself. If you have read this far you should already have downloaded and set up the essential tools required for SSH tunneling. We also cover creating an SSH tunnel from the Linux/Unix console for those who are not using Windows™.

The host “localhost” is used instead of “127.0.0.1” as the tunnel destination. In a local forward the destination name is resolved by the SSH server, not by your machine, so “localhost” means the server itself; it is preferred over the numeric address because services on some servers listen on a loopback address other than 127.0.0.1.

Important: Throughout the guide we use 4111 as the default surfing port; replace it with the port given in your account details. The other surfing ports (Privoxy, Tor and so on) are the same on all servers.

1. Using “PuTTY”

To use PuTTY for SSH tunneling:

Open PuTTY. In the Category pane of the application window, select “Tunnels”, found under Connection -> SSH. In the main pane, in the “Port forwarding” section:

- In “Source port” enter the local port you would like to use for the tunnel (we chose 10001 as a first example, but any port not already in use will do). Note that every tunnel needs a different local port.
- In “Destination” type “localhost” followed by the default surfing port 4111 (or the surfing port you received with your account), so that it reads “localhost:4111”. With SSH tunneling you can reach any service running on any port of the server; the surfing port is only our example and should be replaced with the one provided with your account.
- Click “Add” to list the new forward.

To check that you have followed all the steps correctly so far, compare your settings with Image5.
Image5 – PuTTY SSH Tunnel Configuration

In the Category panel, click on Session and:
- Enter the hostname of the machine with a public IP address through which you want to establish your tunnel (we use server.example.com).
- Select SSH as the protocol. This sets the port number to 22.

You should now see the PuTTY GUI as in Image6:

Image6 – PuTTY Session Management

Click Open. The first time you connect, PuTTY warns that the server's host key is not cached and shows its fingerprint. Compare that fingerprint with one obtained through a trusted channel (for example from your provider) before clicking Yes; accepting an unknown key blindly would let anyone sitting between you and the server impersonate it and read everything that passes through the tunnel. Enter your username and password when prompted.

Do not underestimate the fact that SSH tunneling allows you to connect to any service that has an open port on the server. Please refer to the surfing ports that you receive with your account details.

2. Using “The Tube”

The SSH tunneling tool The Tube creates encrypted tunnels that carry data between a client application (for example your web browser or mail client) and a remote server (for example a proxy server) over the SSH protocol. The Tube lets you set up SSH connections and create tunnels between local user applications and the remote server. In the main window of The Tube, on the SSH tab, the following information is shown:
- SSH connection status indicator (On/Off)
- SSH hostname
- SSH port number
- Remote user name
- Cipher algorithm

If the SSH connection is established the status indicator is green, otherwise it is grey.
Creating a new SSH connection that will later be assigned to a tunnel is done as follows. In the main The Tube window click “Tunnel wizard”; you will see the window shown in Image7.

Image7 – Tunnel wizard – Create or choose SSH connection

With the “Create new SSH connection” option selected, enter:
- SSH host: server.example.com
- User login: your username
- SSH port: 22 (default port)
- User password: your account password
- Encryption cipher: Blowfish (the tool's default)

If everything is entered correctly The Tube's “Create or choose SSH connection” window should look as in Image8.

Image8 – The Tube Wizard - Creating a new SSH connection

After the SSH connection parameters are entered click Next to go to the “Create or choose tunnel” window. Note that if any SSH connection field is left empty the Next and Finish buttons are unavailable. With the “Create new tunnel” option selected (as in Image9) you can create a new tunnel.

Image9 – The Tube – Create or choose tunnel

To create a new tunnel enter:
- the local port number in the Local port field
- the remote server IP address or hostname in the Remote host field (use “localhost” for services running on the SSH server itself)
- the remote server port number in the Remote port field

Image10 – The Tube – Create or choose tunnel

After the parameters are entered click Next to configure the client applications that will work through the tunnel. You can configure the following browsers using The Tube: Internet Explorer, Firefox, Opera and Mozilla. See Image11 for the list of web browsers available for tunneling with The Tube.