SSH connection to a trusted location near (or even on) a remote server, insecure protocols can be protected from eavesdropping and attack. While this technique may be a bit advanced for many users, network architects can use SSH to encrypt traffic across untrusted links, such as wireless point-to-point links. Since the tools are freely available and run over standard TCP, any educated user can implement SSH connections for themselves, providing their own end-to-end encryption without administrator intervention.

OpenSSH (http://openssh.org/) is probably the most popular implementation on Unix-like platforms. Free implementations such as Putty (http://www.putty.nl/) and WinSCP (http://winscp.net/) are available for Windows. OpenSSH will also run on Windows under the Cygwin package (http://www.cygwin.com/). These examples will assume that you are using a recent version of OpenSSH.

[Figure 6.6: The SSH tunnel protects web traffic up to the SSH server itself. Diagram labels: Web browser uses localhost port 3128 for its proxy; SSH listens for a TCP connection on localhost port 3128; all web traffic is encrypted by SSH; all traffic sent from the SSH server onward to the Internet is unencrypted.]

To establish an encrypted tunnel from a port on the local machine to a port on the remote side, use the -L switch. For example, suppose you want to forward web proxy traffic over an encrypted link to the squid server at squid.example.net. Forward port 3128 (the default proxy port) using this command:

    ssh -fN -g -L3128:squid.example.net:3128 squid.example.net

Chapter 6: Security & Monitoring 171

The -fN switches instruct ssh to fork into the background after connecting. The -g switch allows other users on your local segment to connect to the local machine and use it for encryption over the untrusted link. OpenSSH will use a public key for authentication if you have set one up, or it will prompt you for your password on the remote side.

You can then configure your web browser to connect to localhost port 3128 as its web proxy service. All web traffic will then be encrypted before transmission to the remote side.

SSH can also act as a dynamic SOCKS4 or SOCKS5 proxy. This allows you to create an encrypting web proxy, without the need to set up squid. Note that this is not a caching proxy; it simply encrypts all traffic.

    ssh -fN -D 8080 remote.example.net

Configure your web browser to use SOCKS4 or SOCKS5 on local port 8080, and away you go.

SSH can encrypt data on any TCP port, including ports used for email. It can even compress the data along the way, which can decrease latency on low capacity links.

    ssh -fNCg -L110:localhost:110 -L25:localhost:25 mailhost.example.net

The -C switch turns on compression. You can add as many port forwarding rules as you like by specifying the -L switch multiple times. Note that in order to bind to a local port less than 1024, you must have root privileges on the local machine.
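The -g switch in the commands above is the one that changes who can reach the tunnel: without it a -L or -D listener is bound to loopback, with it the listener is bound to every interface on the local machine. As an added example (not from the book), the shell function below reads the output of `ss -ltnp` (Linux) and reports, for each ssh listener, whether it is loopback-only or exposed to the local segment; the socket listing embedded here is constructed for offline use.

```shell
#!/bin/sh
# Added audit helper, not part of the book's text. Constructed sample of
# `ss -ltnp` output: three forwards from the chapter plus sshd itself.
# On a real host run:  ss -ltnp | tunnel_audit
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3128    0.0.0.0:*   users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*   users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    127.0.0.1:110     0.0.0.0:*   users:(("ssh",pid=4244,fd=5))
LISTEN 0      128    [::]:25           [::]:*      users:(("ssh",pid=4244,fd=6))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=900,fd=3))'

# tunnel_audit: read ss output on stdin and print one line per listener owned
# by the ssh client:
#   "<port> local"    bound to 127.0.0.1 or [::1] (default for -L / -D)
#   "<port> exposed"  bound to a wildcard address (what -g produces)
tunnel_audit() {
  awk '
    $1 == "LISTEN" && $6 ~ /"ssh"/ {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)   # strip ":port"
      if (addr == "127.0.0.1" || addr == "[::1]") print port, "local"
      else print port, "exposed"
    }'
}

# exposed_count: number of ssh listeners reachable from other hosts.
exposed_count() { tunnel_audit | grep -c exposed; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS" | tunnel_audit
```

Ports 8080 and 25 are reported as exposed in the sample; on a real host an unexpected "exposed" line means a forward was started with -g (or -D/-L given a wildcard bind address) and is usable by anyone on the segment.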