In light of all the “omg, people can hack into my Facebook/Twitter account now” rubbish that’s been headlining around the world in the last week, I faced a similar situation: I was constantly being prompted to allow access through a firewall, which seemed to think my access to brain dump material was actually an attempt to access pornographic material.
Now, obviously, I don’t want some security guy tapping on my shoulder and asking what the heck I’m doing looking up pornography, to find that, hey, I’m not. But how can I avoid this altogether? And in addition, how can I browse the internet securely without worrying about people on the same network as me, or anywhere in between?
The solution I’ve settled with is simple.
Squid proxy server is widely used for basic proxy server functions. It may not be overly secure, but it does what I need. I started with one of my hosted VPS servers in an Australian data centre, installing the Squid package using ‘yum’ and starting the service. I didn’t do any other configuration at all, except some firewall rules to ensure only “I” can access it.
Accessing my newly installed proxy server requires me to be able to reach port 3128 (or the custom port I configured). This port isn’t going to be open in a lot of cases, so I need a way around this small issue. Additionally, I want my browsing to be anonymous, at least up to the point where my packets hit my proxy server.
Using port 80 as the proxy port, I would be sending all proxy packets through an existing proxy, which could possibly log these requests. In addition, these proxy packets would be unencrypted, so anyone on the local network with a NIC in promiscuous mode could potentially run the Firesheep exploit.
This is where things get tricky, and where you will either have to stop completely, or put up with not being so anonymous.
SSH is now used to create a secure, encrypted connection to the proxy server. For Windows users, PuTTY comes to mind, and is what I am using. Using PuTTY, you can create an SSH “tunnel” on top of your SSH session, binding a local port to the PuTTY process, which routes it through the SSH session to the server. In my case, the local port 8080 is redirected to my server, using an address similar to ‘myserver:3128’.
Once the SSH tunnel is created, just set your proxy server in Internet Explorer (or whichever browser you use) to localhost on port 8080 (or whichever local port you selected). Then test!
So now, what I have is something similar to this:
- Internet Explorer proxy server – localhost, port 8080
- PuTTY SSH connection to myserver
- SSH Tunnel – local port 8080 to myserver:3128 (Squid port)
- Myserver running sshd and Squid proxy server, listening on port 3128
To explain the process of accessing a web page:
- Internet Explorer connects to the “proxy server” at localhost:8080 – the packet has not “left” your PC yet
- PuTTY picks up the “proxy server” connection from Internet Explorer
- The packet is encrypted by PuTTY, using symmetrical public and private keys, which are used for your SSH session (the default encryption algorithm on SSH, I believe, is AES 128-bit CBC)
- The packet is routed through your SSH connection, encrypted, and (hopefully) unable to be discovered
- Squid picks up your proxy request, fetches the page, and sends it back over the encrypted SSH tunnel to Internet Explorer.
- You get the page displayed on your computer!
Edit: The Squid proxy log shows that requests are coming from the server’s local IP, i.e. the public IP address of my server. This is because of my SSH connection. If I were to point directly at the proxy server without going through the SSH tunnel, it would use whatever public IP address it sees you as coming from (i.e. your router’s public IP address). This is important to note if you wish to drop packets with iptables!! Depending on your firewall rules, you will either need to explicitly allow traffic from the server’s public IP to port 3128, and/or explicitly deny all other traffic to port 3128. If you’re considering this, you should have a firm understanding of what you are doing anyway…
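The same setup with OpenSSH and a shell instead of PuTTY, as an added example that is not part of the original post: the tunnel, a Squid config that only serves loopback, the iptables rules from the edit above, and a check that the local tunnel port is not reachable from the LAN. Host myserver and ports 8080/3128 come from the post; the user name, the squid.conf path and forwarding to 127.0.0.1:3128 (rather than myserver:3128) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the PuTTY/Squid setup above
# expressed with OpenSSH and shell. Host "myserver" and ports 8080/3128
# are the post's; the user name and the squid.conf path are assumptions.

# Client: the PuTTY "tunnel" is `ssh -L`. Binding the local end to
# 127.0.0.1 stops other hosts on your LAN from using your tunnel. The
# remote end is 127.0.0.1:3128 rather than the post's myserver:3128, so
# Squid logs the request as coming from loopback, not the public IP.
start_tunnel() {
    ssh -N -L 127.0.0.1:8080:127.0.0.1:3128 user@myserver
}

# Server: Squid listens on loopback only and serves loopback only, so
# the SSH tunnel is the sole way in even if a firewall rule is missed.
# $1 is the config path to write (assumed /etc/squid/squid.conf).
write_squid_conf() {
    cat > "$1" <<'EOF'
http_port 127.0.0.1:3128
acl tunnel src 127.0.0.1/32
http_access allow tunnel
http_access deny all
EOF
}

# Server: the iptables rules the edit above calls for, with loopback
# as the only allowed source for port 3128.
firewall_squid() {
    iptables -A INPUT -i lo -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3128 -j DROP
}

# Check (either end): read `ss -ltn` output on stdin and return 1 if
# port $1 is listening on anything other than 127.0.0.1 or [::1].
#   ss -ltn | loopback_only 8080 || echo "tunnel port exposed to the LAN"
loopback_only() {
    while read -r _state _recvq _sendq laddr _rest; do
        case "$laddr" in
            *:"$1")
                case "$laddr" in
                    127.0.0.1:*|"[::1]:"*) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return 0
}
```

PuTTY's equivalent of the 127.0.0.1 local bind is leaving "Local ports accept connections from other hosts" unticked; the check function catches it either way.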