Hack 46. Proxy Web Traffic over SSH

Protect your web traffic using the basic VPN functionality built into SSH itself.

In the search for the perfect way to secure their wireless networks, many people overlook one of the most useful features of SSH: the -D switch. This simple little switch is buried within the SSH manpage, toward the bottom, and is described like this:

Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS 4 protocol is supported, and SSH will act as a SOCKS 4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

This turns out to be an insanely useful feature if you have software that is capable of using a SOCKS 4 proxy, such as all modern web browsers. It effectively gives you an instant encrypted proxy server to any machine that you can SSH to, and it does this without the need for further software, either on your laptop or on the remote server.

Just as with SSH port forwarding [Hack #45], the -D switch binds to the specified local port and encrypts any traffic to that port, sends it down the tunnel, and decrypts it on the other side. For example, to set up a SOCKS 4 proxy from local port 8080 to remote from your wireless laptop, type the following:

$ ssh -D 8080 remote_ip

That's all there is to it. Now you simply specify localhost:8080 as the SOCKS 4 proxy in your application, and all connections made by that application will be sent down the encrypted tunnel. For example, to set your SOCKS proxy in Firefox, go to Preferences → General → Connection Settings, as shown in Figure 3-9.

Select "Manual proxy configuration," and type in localhost as the SOCKS host. Enter the port number (8080) that you passed to the -D switch, and be sure to check the SOCKS 4 button.

Figure 3-9. Proxy settings in Firefox

Click OK, and you're finished. All of the traffic that Firefox generates is now encrypted and appears to originate from the remote machine that you logged into with SSH. Anyone listening to your wireless traffic now sees a large volume of encrypted SSH traffic, but your actual data is well protected.

SOCKS 5 support is planned for an upcoming version of SSH, which will also make tunneled DNS resolution possible. This is particularly exciting for Mac OS X users, as there is support in the OS for SOCKS 5 proxies. Once SSH supports SOCKS 5, every native Mac OS X application will automatically be able to take advantage of encrypting SSH SOCKS proxies.
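The application protocol that runs inside the -D tunnel is the part the text glosses over: the browser sends the SSH client a SOCKS 4 CONNECT request, and the SSH client opens the real connection from the remote side. The following is an added example (not code from the book or from OpenSSH) that encodes and decodes that request and the proxy's reply; the IP address, port and user id are constructed sample values. It also makes the DNS point above concrete: a SOCKS 4 request has room only for a resolved IPv4 address, so the name lookup happens on the laptop, outside the tunnel.

```python
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # request granted
REPLY_REJECTED = 0x5B  # request rejected or failed


def build_connect_request(dst_ip: str, dst_port: int, user_id: str = "") -> bytes:
    """Encode the SOCKS 4 CONNECT request a browser sends to localhost:8080.

    Wire format: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(var) NUL(1).
    Only a 4-byte IPv4 address fits in DSTIP, so the client has already
    resolved the hostname locally before this request is sent.
    """
    header = struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                         socket.inet_aton(dst_ip))
    return header + user_id.encode("ascii") + b"\x00"


def parse_connect_request(data: bytes) -> dict:
    """Decode a request the way the SSH client (acting as SOCKS 4 server) must.

    Rejects truncated input, wrong versions and unsupported commands so a
    malformed request is never turned into an outbound connection.
    """
    if len(data) < 9:
        raise ValueError("truncated SOCKS 4 request")
    version, command, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if version != SOCKS4_VERSION:
        raise ValueError(f"unsupported SOCKS version {version}")
    if command != CMD_CONNECT:
        raise ValueError(f"unsupported SOCKS command {command}")
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("user id is not NUL-terminated")
    return {"ip": socket.inet_ntoa(raw_ip), "port": port,
            "user_id": data[8:nul].decode("ascii")}


def parse_reply(data: bytes) -> bool:
    """Return True if the 8-byte SOCKS 4 reply says the connection was granted."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS 4 reply")
    return data[1] == REPLY_GRANTED


if __name__ == "__main__":
    # Constructed sample: a browser asking the proxy for 203.0.113.10:80.
    req = build_connect_request("203.0.113.10", 80, "alice")
    print(req.hex(), parse_connect_request(req))
```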
