In my last post I covered an SSH tunnel, and hopefully it made sense. In this post I'm going to expand on that method by adding an SSL tunnel. We'll use the SSL tunnel to get through web proxies, like WebSense.
What you'll need:
- Linux server running something like OpenSSH Server.
- Stunnel installed on the server and the client.
- A client machine.
A quick note about stunnel. I know that it's broken in Ubuntu 12.04 LTS, as of today. So you'll either have to compile it yourself or download a good version.
We'll start with the server configuration. Make sure you have openssl installed; 'which openssl' should show you if you have it.
Create a certificate for your stunnel server:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Create a config file for stunnel, here is what mine looks like:
cert=stunnel.pem
sslVersion = SSLv3
pid=/tmp/stunnel.pid
[stunnel443]
accept = 10.1.1.5:443
connect = 10.1.1.5:22
The IP address in connect and accept is the IP of eth0 on the server, which is inside a NAT'd network. Next we'll run stunnel using this new config (which was named server443). This needs to be run with root privileges:
stunnel server443
If there are no errors it will just return you to a new line, and won't display any info. You can test the connection with openssl:
openssl s_client -connect 10.1.1.5:443
It should spit out a bunch of stuff, and then the SSH banner at the end. Just hit enter and it'll say protocol mismatch, and spit you back out to the CLI.
Next we'll configure the client.
Create another config file:
sslVersion = SSLv3
pid=/tmp/stunnelclient.pid
#foreground=yes
client=yes
[21222]
accept=21222
connect=<remote ip>:443
Edit <remote ip> to be your IP or hostname. You can change the accept port if you want; you just have to remember what it is. Save the file as client443.
Next run this command with root privileges:
stunnel client443
Now try to ssh:
ssh -p 21222 localhost
If all goes well, you should now be connecting to your remote server. Please review my previous post on configuring a proxy with SSH, and how to set up Firefox to use it.
Thursday, February 14, 2013
Wednesday, February 13, 2013
Bypassing Firewalls Part 1: SSH
This problem has been bothering me for a while, and I just recently put in the effort to solve it. This is the first installment of ways to bypass a firewall. In this method we're going to use SSH to create a tunnel to a system that is outside of the firewall. We will need two systems for this, one is your client machine, and the other is a Linux server.
NOTE: Sometimes a company will use a proxy (like WebSense) alongside a firewall. If that is the case, this method will most likely fail. I will cover how to solve that problem in my next post.
Step one.
You need an external system to connect to for this to work. You can build your own Linux server from old systems, or run a VM on existing hardware. You can even purchase a Raspberry Pi for around $30. You can also run a cloud server using Amazon EC2 (which is free right now), or one from Rackspace. In the end you'll need a simple Linux server running sshd.
Step two.
If you're running your server from a home network, you will probably need to enable port forwarding from your home router. Depending on the firewall rules that you are trying to bypass, you'll probably want to set the incoming port to 443 (https), and have it forward to port 22 (ssh) on your server. The reason why I say 443 is because that is usually not blocked by most firewalls because it's used for https. You can also use port 80 (http).
Step three.
Try out your setup. Using either PuTTY for Windows, or a terminal in Linux/Unix/OSX, ssh to your server on your external IP using the port you set up in your router for forwarding (443 in our example). A quick and easy way to find your external IP is to search Google for "whats my ip", and it should give it to you. If you can connect, good, you're ready to try ssh'ing from behind the firewall. If it doesn't work you'll have to do some troubleshooting. I would first try to ssh to your server on your internal network instead of the external IP. If you can connect, then you probably did something wrong with port forwarding. If you can't, then you probably set up your server wrong.
Step four.
Try to SSH from your firewalled network. If all goes well, and you can connect, then you'll need to use the ssh application to set up a SOCKS 5 proxy.
Windows PuTTY proxy config.
This is taken from http://www.techrepublic.com/blog/security/use-putty-as-a-secure-proxy-on-windows/421
First, configure a PuTTY session to connect to the UNIX/Linux system you will use as your proxy server. Fill in the following data:
- Host Name (Or IP Address): This may be the domain name for your network, if you have domain name resolution via a dynamic DNS service or other means set up to allow access to your network via a domain name, or it may be the IP address for your router/firewall.
- Port: SSH normally uses port 22, but this may be different, depending on how port forwarding may be set up on your trusted network.
- Protocol: Select the SSH option.
In order to facilitate creating these encrypted proxy sessions quickly in the future, you may wish to give the session a name under the Saved Sessions heading and save it for future use. Do not click the Open button to connect yet, though.
Second, configure an SSH encrypted tunnel through which your HTTP requests can be forwarded to the system you’re using as a proxy server. Open the Connection > SSH > Tunnels interface using the hierarchical Categories pane on the left-hand side of the PuTTY dialog box, and fill in this data:
- Source Port: Fill in a port number that will be used locally, on the laptop, for this connection. For instance, you might use port 8080 for forwarded HTTP requests.
- Destination: Leave the text field empty. Select the Dynamic and Auto options.
Click the Add button to commit these encrypted tunnel settings. When that happens, you will see a character string appear in the Forwarded Ports field.
Linux/Unix/OSX Config.
To connect in a *nix system, you simply run 'ssh -D 8080 <server ip> -p 443'
Now, you'll need to configure your browser to use a proxy. I usually use Firefox, just because I'm more familiar with it. You'll need to configure Firefox to use the proxy for DNS requests. This is done by typing about:config into the address bar, and accepting the warning. Next, search for proxy and find network.proxy.socks_remote_dns and set it to true.
You can also configure the proxy settings directly here, or you can go to Preferences->Advanced->Connection settings.
I could have missed something. Feel free to comment if you're having issues, and I can try to help.
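From the monitoring side, both setups on this page are recognizable from the first bytes of a port-443 flow: the plain SSH forward from this post, and the SSH banner inside SSL that the openssl s_client test in the stunnel post displays. The sketch below is an added example, not the author's code; the function names and the sample bytes are constructed for illustration.

```python
import re
import struct

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [comments]"
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)")
HTTP_START = re.compile(rb"^(GET|POST|HEAD|PUT|CONNECT|OPTIONS) |^HTTP/\d")

def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes of a port-443 flow (no decryption needed)."""
    if SSH_BANNER.match(data):
        return "ssh-cleartext"      # sshd reached through a 443 -> 22 forward
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03:
        msg_type = data[5]          # handshake type: 1 ClientHello, 2 ServerHello
        (hello_version,) = struct.unpack("!H", data[9:11])
        if msg_type in (1, 2) and hello_version == 0x0300:
            return "tls-sslv3"      # hello version 3.0, as a peer pinned to SSLv3 sends
        return "tls"
    return "other"

def classify_tls_payload(plaintext: bytes) -> str:
    """Classify the first application data inside a TLS session, as seen by
    a TLS-inspecting proxy or an active probe of the endpoint."""
    m = SSH_BANNER.match(plaintext)
    if m:
        return "ssh-in-tls:" + m.group(2).decode("ascii")
    if HTTP_START.match(plaintext):
        return "http"
    return "unknown"

def make_hello(record_version: int, hello_version: int, msg_type: int = 1) -> bytes:
    """Build a minimal, constructed TLS handshake record for the samples."""
    body = struct.pack("!H", hello_version) + bytes(32)   # version + random
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

# Constructed sample inputs (not captured traffic).
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"
SAMPLE_SSLV3 = make_hello(0x0300, 0x0300)
SAMPLE_TLS12 = make_hello(0x0301, 0x0303)

if __name__ == "__main__":
    for name, data in [("banner", SAMPLE_BANNER), ("sslv3", SAMPLE_SSLV3),
                       ("tls12", SAMPLE_TLS12)]:
        print(name, classify_first_bytes(data))
    print(classify_tls_payload(SAMPLE_BANNER))
    print(classify_tls_payload(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

sshd sends its identification string as soon as the connection opens, which is why the banner shows up in the s_client output without any request being sent.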




