
SSH tunnels: secure through server

Good day. Let's try to supplement and expand the article "SSH tunnels: forwarding a port". The examples considered here solve two tasks at once:
1. Internetwork communication through an intermediate server, when there is no path between networks.
2. Creating a secure connection through a non-trusted network.
Suppose we have a Unix-like machine on the network running sshd.
The first way to create an encrypted tunnel is a connection that can be called point-to-point. When connecting to the server, the client opens a local port, and connections to that port are passed to the remote machine through the established tunnel. To make this clear, consider an example:

Our machine: IP 10.0.0.2
Server: IP 10.0.0.1 (external network is where we are) and 192.168.0.1 (internal network where the target host is located)
Target host: 192.168.0.10

To pass safely through the external, uncontrolled network 10.0.0.0, we establish a connection to the server using the following pattern:
ssh -L <local port>:<target host>:<target port> <server>
That is, connecting to the server's external address:
ssh -L 12345:192.168.0.10:80 10.0.0.1

If the connection is established successfully, local port 12345 is opened on our machine, and connections to it reach the web server (port 80) on 192.168.0.10. You can try typing http://localhost:12345 in the browser.
By doing this, we have protected ourselves from information leaking over an insecure communication channel and gained access to an internal network resource from outside.

Consider the second option. While on an untrusted network (for example, in an Internet cafe or on networks controlled by someone else), we want to use a service that has no encryption of its own, be it HTTP (where not only the correspondence but also the account is confidential), ICQ, POP3 or anything similar. To do this, we first connect to our server, thereby opening the encrypted tunnel, and then work through it. In this case, the local port opened on our machine works like a SOCKS5 proxy. Consider setting up the connection:

ssh -D <local port> <server>

As you can see, everything is quite simple. After that, it is easy to configure our clients to work through the SOCKS proxy opened on localhost.
In GNOME, this can be done under System -> Parameters -> Proxy Settings.

The browser, ICQ and other programs can also be configured separately in their own connection settings.
Naturally, you can use this on Windows too. Similar connections can be made with the PuTTY SSH client.

WideCap can make most applications work through SOCKS.


And some tips:
1. To raise the security level further, in some cases you can avoid third-party software (that is, software on someone else's computer) and instead use the X forwarding feature of the same sshd. But that is a separate topic. I will only say that on Windows, Xming can act as the X server.

2. Do not forget about the private browsing mode in Firefox and Chrome.

Good luck.

Source: https://habr.com/ru/post/88728/

