Saturday, May 8, 2010

Browse securely from a public WiFi connection with SSH

If you are on the road and jump on your hotel's free WiFi be afraid.  Be very afraid.  Why?  All of your network traffic is being broadcasted in all directions with no security protection whatsoever, and it is insanely easy for anyone to read that traffic using freely available tools.  Using ARP spoofing it is possible for a snooper to associate his MAC address with the network's gateway, thereby routing all internet-bound traffic through his or her machine.  Even SSL is not entirely safe as an attacker can use SSL's renegotiation capability to trick a server into giving the attacker access to your session.

What's a Linux geek to do?  Simple: SSH!

Using SSH you can create a secure tunnel from your laptop to your home computer, and pass all of your web traffic coming from your laptop through that connection to your home computer, then out to the internet.  It's simple; here's how it's done:
  1. Before you leave your home, make sure your SSH server is set up properly (see my instructions on how to harden it).  We'll say for simplicity that you have configured your SSH server and all of your clients to run on port 1234.  That means that your SSH server is listening for incoming connections on port 1234.
  2. Log into your router's configuration interface and configure it to forward all incoming traffic that arrives at port 1234 to your SSH server's IP address.
  3. Go to www.whatismyip.com and write down your public IP address.  For our example, we'll say that it is 200.200.200.200.
  4. When you arrive at your hotel, coffee shop, library, etc., pick a port above 1024 to use on your laptop.  The SSH client will listen on that port and forward all traffic to your home machine; for our example it will be port 4321. 
  5. Open a terminal and run the following command: ssh -D portNumber -N publicIPAddress (in our example, it would be ssh -D 4321 -N 200.200.200.200).  If your SSH client is not already configured to use your custom port, add "-p 1234".  After you hit Enter, your cursor will move to the beginning of the next line and sit there blinking.  This means that the tunnel has been established and it is ready to start forwarding traffic.  Leave the terminal open.
  6. Go into Firefox and go to Edit, then Preferences.  When the Preferences menu pops up, click the Advanced icon at the top, flip to the Network tab and hit Settings at the top of the screen.  That will pop up yet another window.  Put the bullet in "Manual Proxy Configuration" and in the box next to "SOCKS Host" enter "localhost", and enter the port you selected in step 4 (in our example, 4321) into the Port box.  Below is a screenshot of what it should look like.
  7. Hit OK, then Close, and restart Firefox.
  8. Browse to www.whatismyip.com and verify that it detects your home IP address as the one you are browsing from.  If whatismyip.com display's your home IP address, you have successfully configured Firefox to tunnel through SSH!
 Now you can browse in peace, and when you are finished simply flip back over to your terminal window and do a Ctrl + C to stop the SSH client.  Good luck!