3 posts tagged 'tunneling'

  1. 2013.10.29 SSH tunneling through a Firefox proxy (2)
  2. 2011.04.24 Firewall bypass with ssh tunneling (port forwarding)
  3. 2008.10.16 Building MySQL replication over SSH tunneling
2013.10.29 05:38

SSH tunneling through a Firefox proxy

a fast, privately secured tunnel to transfer web pages and dns queries


Have you ever wanted to visit sites during the day from a location that denied access to those sites? Perhaps the company has denied access due to bandwidth considerations or you might have decided that the site you want to go to might not always be work safe depending on the story or pictures? What you need is the ability to create a secure and encrypted ssh connection to tunnel your browser traffic through.

Using a ssh tunnel to retrieve the data from websites is significantly faster than trying to use X forwarding to open a remote copy of Firefox on the remote machine. If a remote browser is used the connection will be saturated by the graphical front end of the remote browser window. Use the tunnel for the web site's data and leave the rendering of the browser to the local machine. This is the most efficient solution.

If you have access to a remote machine by way of ssh you can set up Firefox, or any other SOCKS v5 enabled application, to tunnel its connection through ssh. This way, if you were at work and wanted to browse your favorite sites like MySpace, Facebook or Maxim that are blocked at the company firewall you could.


Getting Started

First you must have ssh access to the remote machine you want to proxy through. It could be a home machine or a free shell account you signed up for online. You must also make sure you can ssh from where your browser is to where you want to tunnel to. There is no point setting this up if port 22 is not open from your location to your destination.

ATTENTION: We are proud to announce our Firefox add-on called, "Calomel SSL Validation". It will grade the security of your SSL connection. The link has screen shots too!

IMPORTANT NOTE: The Firefox tunnel using SOCKS5 (option 1) is the easiest and quickest proxy to setup. If you just want to get the proxy working then follow the SOCKS5 options.


Configure Firefox for the proxy

You need to configure Firefox to use the proxy. Find the section to add a proxy to the browser. On *nix versions of Firefox you will find the settings under File, Preferences, Advanced, Network, Settings. The default setting is "Direct Connection to the Internet". We need to set up the "Manual proxy configuration".

You have two options to pick from. You can proxy directly to the remote machine and then connect directly to web sites. This is the SOCKS5 method and is the easiest to set up. Or, you could use a Squid web proxy (if available) on the remote machine to accept the traffic from the ssh tunnel; Squid would then request the traffic from web sites. Pick one of the options below.

NOTE: For our example, ssh is going to listen on localhost (127.0.0.1) and port 8080 of the local machine.

Option 1: ssh and direct connect (SOCKS5) : If you are going to use the ssh tunnel with the option "-D 8080" then you need to set up the browser to use a SOCKS5 proxy. Set up the proxy config page with the following entries and leave the rest of the entries blank.

Manual proxy configuration:
  SOCKS Proxy  127.0.0.1  Port 8080
  check the box for "SOCKS v5"

Option 2: ssh tunnel to squid proxy (HTTP/SSL Proxy) : If you are going to use the ssh tunnel with the option "-L 8080:localhost:2020" to connect to the remote machine's Squid proxy then configure the browser to use an HTTP/SSL proxy. Set up the proxy config page with the following entries and leave the rest of the entries blank.

Manual proxy configuration:
  HTTP Proxy:  127.0.0.1  Port 8080
  SSL Proxy :  127.0.0.1  Port 8080 


Optional Step: DNS proxying through SOCKS5 is highly recommended

This step is optional, but since we are going to be proxying the data over the ssh tunnel we should proxy the DNS requests as well. The purpose of this exercise is to reach a site we might not otherwise be able to retrieve, or simply to anonymize our browsing from our location. If we tunneled our data through ssh and then asked the local DNS server for the IPs, it would defeat the purpose. So, add a boolean option on the "about:config" page in Firefox. Name the entry "network.proxy.socks_remote_dns" and set it to true.

This setting only takes effect if you use the SOCKS5 proxy method. If you are proxying using the Squid method (HTTP/SSL Proxy) you could always check whether you can query another, independent DNS server such as OpenDNS.

Preference Name                 Status     Type      Value
network.proxy.socks_remote_dns  user set   boolean   true


Making the ssh tunnel

Lastly, we need to start the ssh tunnel. You have two choices depending if you want the packets to be forwarded to squid on the remote machine or not.

Option 1: ssh and direct connect (SOCKS5) : The following line will start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) will listen for requests and send them to the remote machine. The remote machine will then send the packets out as if they originated from itself. The ssh options are in the man page of ssh, but to summarize them in order: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.

ssh -C2qTnN -D 8080 username@remote_machine.com

Option 2: ssh to squid proxy (HTTP/SSL Proxy) : The following line will also start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) on the current machine will listen for requests and ssh tunnel them to the remote machine. On the remote machine ssh will forward the packets to localhost port 2020. If squid is listening on localhost port 2020 on the remote machine then all requests sent through the ssh tunnel will be forwarded to squid. You can use squid to block ads and speed up web access. If you need assistance with squid, check out the Calomel.org Squid "how to" page.

ssh -C2qTnN -L 8080:localhost:2020 username@remote_machine.com
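What the "-D 8080" listener actually receives from Firefox, and what network.proxy.socks_remote_dns changes on the wire, as an added example that is not part of the original article: it encodes and decodes the SOCKS5 CONNECT request and flags requests whose hostname was resolved locally; the target names and addresses are constructed.

```python
"""Encode and decode the SOCKS5 CONNECT request that Firefox sends to the
`ssh -D 8080` listener. Added example, not from the original article; the
target names and addresses in the comments are constructed."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def socks5_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication
    (the only method the OpenSSH -D listener accepts)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def socks5_connect_request(target, port):
    """Build the CONNECT request for target:port.

    A hostname is encoded as ATYP 0x03 (domain) so the remote ssh end does the
    lookup: that is what network.proxy.socks_remote_dns=true makes Firefox do.
    With the pref false, Firefox resolves the name locally first (the DNS query
    leaves on the local network) and hands the proxy an IP literal, encoded
    here as ATYP 0x01 (IPv4) or 0x04 (IPv6)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:                       # not an IP literal: send the name
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_request(data):
    """Decode a CONNECT request as the proxy sees it -> (atyp, host, port)."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return atyp, host, struct.unpack("!H", rest)[0]


def dns_leaked(request):
    """True when the client resolved the name itself: the request carries an
    IP literal, so the DNS lookup happened outside the tunnel."""
    return parse_socks5_request(request)[0] != ATYP_DOMAIN
```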


Testing the ssh tunnel

Once you execute the ssh line the encrypted and compressed ssh tunnel will be active in the xterm. We used the "quiet" options in ssh so there will not be any logging or output to the terminal.

Make sure Firefox is working by checking the proxy is active and then try to go to a web page. You can also try a site like WhatIsMyIp.com to verify the ip you have with the proxy is different than without.

If everything is working then you can be assured that all of your browsing traffic is being encrypted through the tunnel and no one at your current location will be able to see your traffic over the network.

Once you are done with the proxy just exit the ssh xterm or kill this instance of ssh with Ctrl-c. Remember to set Firefox back to "Direct Connection" if you want to directly browse from your location otherwise you will not be going anywhere.

Interested in setting up Squid or Samba? Check out our guides covering the Squid Proxy and Samba file share servers. We offer clear explanations and fully working example configurations.


Questions?

How can I set up two or more ssh tunnels through two or more machines?

At some point you may need to tunnel through multiple ssh tunnels through multiple machines. This is quite easy to do as long as you have ssh access to every machine you want to tunnel through. In this example we will be tunneling from a desktop machine through a machine called host1 and then to a machine called host2 which will then access the internet. Something like so:

Firefox desktop -> host1 -> host2 -> internet

First, make sure you went through the beginning of this page and know how to get Firefox to proxy through a SOCKS5 proxy on localhost port 8080. Then run the following ssh command on the desktop running Firefox. This will set up an encrypted ssh tunnel from the "Firefox desktop" to host1.

desktop$ ssh -C2qTnN username@host1 -L 8080:localhost:8080

Now, you need to ssh to host1 directly. Once you are on host1 run the following. This will collect any data from the first tunnel originating from the "Firefox desktop" to host1 and tunnel that data to host2.

host1$ ssh -C2qTnN -D 8080 username@host2

So, how does this setup work? Firefox on the desktop initiates a SOCKS5 connection to localhost port 8080 on the desktop machine. Since an ssh tunnel is listening on localhost:8080, it tunnels the traffic to host1, which forwards this traffic to host1's localhost:8080. On host1 the second ssh command tunnels all traffic it receives on localhost:8080 from the desktop machine to host2. On host2 the traffic can then go out to the internet at large. If you have DNS SOCKS5 resolution on as well then all web traffic _and_ DNS queries will go to host2 through both tunnels. From the view of the internet, all queries originating from the "Firefox desktop" will look like they come from host2. Nice and anonymous.

What if I need to tunnel through more than two machines? Then just keep repeating the "ssh -C2qTnN username@host1 -L 8080:localhost:8080" command for each additional host. Once you decide on the very last host, the one the data will reach the internet from, use the "ssh -C2qTnN -D 8080 username@host2" command there.

To make sure your tunnel is working correctly, use a site like ipchicken.com to see what IP address you are coming from. In the case of our example above, ipchicken should report the IP address of host2.

Do you have any recommended modifications for Firefox in "about:config" ?

First, make sure to check out our Firefox Add-on "Calomel SSL Validation".

More open proxy connections: When you use a proxy, Firefox limits the number of concurrent open connections to 8. This is too small for most users, as many people open multiple tabs to many sites. When more than 8 connections are made the browser seems to be "stuck", because Firefox waits until an open connection is closed before making a new one. To avoid this problem it is highly suggested to increase the persistent connections value from 8 to 25.

network.http.max-persistent-connections-per-proxy 25

Turn off pop-up tips: If you are annoyed by pop up text when your mouse hovers over a web element you can turn that function off.

browser.chrome.toolbar_tips  false

No animations: Stop all animated gifs and pictures like ads and annoying dancing cartoons characters.

image.animation_mode  none

No blinking text: Blinking text is annoying. Webmasters should not use it. In case they do, we will disallow the function in the browser.

browser.blink_allowed  false

Parallel connections: An easy way to speed up Firefox is to increase the number of parallel connections the browser makes to the server. Open up Firefox and type "about:config" in the URL bar. Then search for the string "conn". You should see the following entries listed. Modify them as follows:

network.http.max-connections                        25
network.http.max-connections-per-server             25
network.http.max-persistent-connections-per-proxy   25
network.http.max-persistent-connections-per-server  25

It is _not_ recommended to use more than 25 parallel connections, due to abuse of the remote server and concurrency bottlenecks on the local system. Understand that if you have a slow system then more parallel connections can actually slow the browser down considerably. Also, if you try to open too many connections to a server then that server may consider you hostile and block or blacklist you.

Pipelining Enabled: The fastest and most efficient way to implement a browser is to use pipelining. This is where a single persistent connection is used, but instead of waiting for each response before sending the next request, several requests are sent out at a time. This reduces the amount of time the client and server are waiting for requests or responses to cross the network. Pipelined requests with a single connection are faster than multiple HTTP/1.0 requests in parallel, and considerably reduce the number of packets transmitted across the network. Apache supports both HTTP/1.0 keep-alive and HTTP/1.1 persistent connections. Pipelining is implemented entirely at the browser end, using persistent connections, if supported by the remote web server.

To enable pipelining in the Firefox browser go to the URL about:config. Then search for "pipe" and set the following:

network.http.pipelining              true
network.http.pipelining.maxrequests  8
network.http.pipelining.ssl          true
network.http.proxy.pipelining        true

TLSv1 with AES256, AES128 and 3DES 168 Only: When connecting to SSL based servers (https) you only want to use the strongest ciphers available. Most web server admins can setup their servers to prefer weak ciphers over strong ciphers for any reason; sometimes they want a less CPU intensive encryption or perhaps they just configured the server wrong. Even Google's encrypted pages prefer RC4 instead of AES and this is not our idea of good security. We want to make sure that our version of Firefox only uses AES 256 bit, AES 128 bit or 3DES 168 bit ciphers.

Open up a window and type "about:config". Then in the "Filter" bar at the top search for the following. Double clicking on each line will change the value.

  • tls and set the lines to true.
  • ssl2 and set every line entry to false.
  • ssl3 and set every line to false _except_ lines containing the strings "aes_256" and "aes_128".
  • security.ssl3.rsa_des_ede3_sha and set it to true. This is the weakest cipher and may be needed for some older SSL sites.

Now your browser will _only_ accept the TLSv1 protocol with AES 256 bit cipher encryption, no matter what weaker ciphers a web server prefers. This configuration also makes your browser FIPS 140-2 compliant (year 2030 specs).

Is there any way I can switch proxies faster?

There are add-ons, also called extensions, for Firefox called FoxyProxy or SwitchProxyTool you can use. They offer the ability to setup multiple proxy settings and choose the one you want, or turn them off, using a drop down menu.

I noticed you use compression in the ssh tunnel proxy. Why?

The majority of the data you are retrieving using the browser is text or HTML data. This type of data compresses very well at up to 80%. Using compression in the tunnel will speed up the delivery of the data considerably.



Source: calomel.org



Trackback 5 Comment 2
  1. 날으는물고기 (https://blog.pages.kr) 2013.10.29 05:47

    You do not need to use SOCKS proxy to connect to a HTTP proxy through SSH. You can use the following command:

    ssh -f -N -L $portlocal:$machineproxy:$portproxy $machinegateway

    $portlocal - the ssh client on your machine will listen on this port, you can choose for example 55555. In the web browser you will then set the HTTP proxy as localhost on port 55555.
    $portproxy - the port the Squid proxy is listening on.
    $machineproxy - address of the Squid proxy machine (as seen from the gateway).
    $machinegateway - address of the gateway machine as seen from your PC

    The SSH server on the gateway must allow port forwarding. If it is not allowed you will have to ask the administrator of the server to do so.

  2. 2013.10.29 05:50

    This is a private comment.

2011.04.24 23:24

Firewall bypass with ssh tunneling (port forwarding)

1. When a firewall blocks every port except ssh: how to reach another port on that server by going around the firewall with ssh tunneling (port forwarding)

 -  From the local machine, connect to the firewalled server with the following command.

ssh -L 8080:remoteServer:8181 user@remoteServer

    This command forwards local port 8080 to port 8181 of the server you connected to.
    Afterwards, connecting to localhost:8080 reaches port 8181 on that server.

    If you use PuTTY, add a tunnel in the session settings as follows: Source port 8080, Destination remoteServer:8181.

* If port forwarding does not work and the terminal shows the following error message, check whether the AllowTcpForwarding setting in /etc/ssh/sshd_config is no (if it is set to no, change it to yes).

[channel 3: open failed: administratively prohibited: open failed ]




2. When a firewalled server allows access only from some of our IP addresses: how to reach it by going through a host that is allowed

  - On the allowed machine, run the following command to redirect connections to the chosen port to the port on the firewalled server

ssh -gR 8080:remoteServer:8181 user@localhost (or, from the local machine, ssh -gR 8080:remoteServer:8181 user@[allowed server] ...)

   This command redirects connections to local port 8080 to port 8181 on remoteServer (without the -g option, connections from outside are not accepted and only local connections are allowed)

* If you used the -g option and connections from outside still cannot reach port 8181 on the firewalled server through port 8080 on that host, check whether the GatewayPorts option in /etc/ssh/sshd_config is no (the default is no) .. change it to yes
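Both symptoms in this post come down to two sshd_config keywords. The following is an added example, not part of the original post: it audits a constructed sshd_config for the effective AllowTcpForwarding and GatewayPorts values, applying sshd's first-value-wins rule and stopping at the first Match block, and reports which of the two ssh forms will fail.

```python
"""Audit the two sshd_config keywords that decide whether ssh -L and -gR work.
Added example, not from the original post; the config text fed to it is
constructed by the caller."""

# From sshd_config(5): keywords are case-insensitive, the FIRST value obtained
# for a keyword wins, and lines below a Match block apply only to matching
# connections, so the global audit stops at the first Match.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}
VALID = {"allowtcpforwarding": {"yes", "no", "all", "local", "remote"},
         "gatewayports": {"yes", "no", "clientspecified"}}

L_FAIL = "-L forwards are refused ('administratively prohibited'): AllowTcpForwarding=%s"
R_FAIL = "-R forwards are refused: AllowTcpForwarding=%s"
G_NOTE = "-gR binds to loopback only: GatewayPorts=no, so -g has no effect"


def parse_global_section(config_text):
    """Return {keyword: first value} for the global (pre-Match) section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:          # first obtained value wins
            seen[key] = parts[1].strip().lower()
    return seen


def effective_forwarding(config_text):
    """Effective global values of AllowTcpForwarding and GatewayPorts."""
    seen = parse_global_section(config_text)
    result = {}
    for key, default in DEFAULTS.items():
        value = seen.get(key, default)
        if value not in VALID[key]:
            raise ValueError("invalid value %r for %s" % (value, key))
        result[key] = value
    return result


def forwarding_diagnosis(config_text):
    """Map the effective settings to the two symptoms described in the post.
    Returns a list of problems; an empty list means both forms should work."""
    eff = effective_forwarding(config_text)
    tcp, gw = eff["allowtcpforwarding"], eff["gatewayports"]
    notes = []
    if tcp in ("no", "remote"):     # local forwards (-L) need yes/all/local
        notes.append(L_FAIL % tcp)
    if tcp in ("no", "local"):      # remote forwards (-R) need yes/all/remote
        notes.append(R_FAIL % tcp)
    if gw == "no":                  # -g only takes effect with yes/clientspecified
        notes.append(G_NOTE)
    return notes
```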


Source: schatzt.springnote.com

Trackback 1 Comment 0
2008.10.16 14:59

Building MySQL replication over SSH tunneling

While setting up replication to mirror a MySQL server's data...
it suddenly occurred to me, so I gave it a try.
Everything else is either firewalled off or already goes through an SSH tunnel, and for replication..
I did not like having to open the mysql port and grant remote login in the mysql privileges... ^^

To build replication you need at least two mysql servers.
master server: where inserts, updates, deletes and so on happen..
slave server: mostly handles selects...
I will explain assuming both servers run Linux.
If one or both run Windows you need separate tools...
Most people who use replication probably run Linux on both anyway...

Installation environment
master : fedora4 mysql.4.1.16
slave : centos5 mysql.5.0.41

SSH tunneling
First we need to create the ssh tunnel.
The ssh tunnel is set up on the slave server side.

# ssh -CNf -L3307:127.0.0.1:3306 ssh계정@master서버IP
Enter the password.
Now there is a tunnel between the slave server and the master server.

# netstat -an | grep LISTEN
shows that port 3307 is listening.

To explain the ssh tunnel briefly: on the slave server, a connection to the local (-L) port 3307 goes through the slave's ssh client..
to the master's ssh server, which then connects to port 3306 on 127.0.0.1.

Note: 127.0.0.1 here is the address as seen after the slave's ssh client has logged in to the master's ssh server,
so 127.0.0.1 means the master server itself.
Since I had set the host part of every mysql account's privileges to localhost..
connecting did not work when I used the master server's domain name instead of 127.0.0.1.
I wasted some time on this.

-f means run in the background..
-C means compress.
-N means start without running a command...

Now.. let's actually connect.

/usr/local/mysql/bin/mysql -u root -p -P 3307 -h 127.0.0.1
Checking the db list and contents will confirm you are connected to the master.

Tip
The ssh tunnel above is lost on reboot, so let's make it come up automatically at boot.
Create a file called /root/sshlogin and
===========================================================================================
#!/usr/bin/expect
spawn bash -c "ssh -CNf -L3307:127.0.0.1:3306 ssh계정@master서버IP"
expect -re "Password:"
sleep 0.2
send "master서버의ssh계정패스워드\r"
interact
===========================================================================================
enter the above.
If expect is not installed, install it with yum install expect or..
find it at http://rpmseek.com or http://rpmfind.net and install it....

Now give the file chmod 700 permissions... ==> chmod 700 /root/sshlogin
In /etc/rc.local
/root/sshlogin <== add this line..
Then the Linux system runs that file at boot and the ssh tunnel opens.

Replication
Now only replication remains.
There is only one thing that differs from an ordinary replication setup.
On the Slave Server...

Master Server
my.cnf
===========================================================================================
[mysqld]
log-bin = mysql-bin
server-id   = 1
binlog-do-db = db_name1
#binlog-do-db = db_name2
===========================================================================================

Slave Server
my.cnf
===========================================================================================
[mysqld]
server-id       = 2
master-host     = 127.0.0.1
master-user     = 리플리케이션아이디
master-password = 패스워드
master-port     = 3307
# per DB
replicate-do-db = db_name1
#replicate-do-db = db_name2
# per table
# replicate-do-table=db_name.tbl_name
===========================================================================================
Now start each mysql server and replication runs over the ssh tunnel.
This document is for building a replication environment right after installing mysql..
There is plenty of material online about setting up replication on a mysql server that is already in service...

Source => http://www.phpschool.com/gnuboard4/bbs/board.php?bo_table=tipntech&wr_id=55304

 

Using FTP over an ssh tunnel, without sftp

FTP performs both authentication and file transfer unencrypted. This means that if the traffic is sniffed in transit, the ID/PW and the transferred files can end up in a hacker's(?) hands as-is. This article introduces a safer way to transfer files with FTP through an ssh tunnel, and the vsftpd settings it needs.

Creating the ssh tunnel

- An ssh server must be running on the FTP server. (assume the server is named free and the ID is truefeel)
- The client side needs an ssh client.

The connection path looks like this.
Local FTP client -> ssh client -> network (encrypted transport) -> ssh server -> FTP server

Let's create the tunnel!

# ssh -P10000 -CNf -L10021:free:21 truefeel@free
-C : compress the transfer.
-N : start without running a command.
-f : run in the background.
-L : forward a port on the remote server to a local port. (that is, this creates the tunnel)
     Forwards free's FTP (port 21) to local port 10021.
     So you can reach free's FTP server through local port 10021, and the leg between the two hosts is encrypted.

If the remote ssh server uses a different port, append the -p [port] option as well.
ps aux will show ssh running in the background.

Connecting to local port 10021 with the ftp command connects you to the remote FTP server on free.

$ ftp -p localhost 10021
Connected to localhost (127.0.0.1)
220 Secure FTP 서버
Name (localhost:truefeel): truefeel
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (xxx,xxx,xxx,xxx,80,250)
Security: Bad IP connecting.
ftp>

The connection itself succeeded, but entering a command produced the error 'Security: Bad IP connecting.'. Adding the following line to /etc/vsftpd.conf resolves it easily.

pasv_promiscuous=YES
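Why the error appears, and what pasv_promiscuous=YES does and does not change, as an added example that is not part of the original post: it parses the 227 reply and works out where the client's data connection actually goes; the reply text and the address 192.0.2.7 are constructed.

```python
"""Parse FTP passive-mode (227) replies and show why the data channel does not
follow the ssh control-channel tunnel. Added example, not from the original
post; the reply lines are constructed and 192.0.2.7 stands in for the
server's real address."""
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Local listener created by `ssh -L10021:free:21`; the control channel goes here.
TUNNEL_LISTENER = ("127.0.0.1", 10021)


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, p1*256 + p2)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a parseable 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection_plan(reply, local_forwards=frozenset([TUNNEL_LISTENER])):
    """Where the client's data connection goes and how vsftpd will judge it.

    Over the tunnel, vsftpd sees the control connection arrive from 127.0.0.1
    (sshd on the same host). The 227 reply advertises the server's public
    address and an ephemeral port for which no -L forward exists, so the
    client connects directly, from its own IP and in the clear. vsftpd then
    compares the data source with the control source and rejects the
    mismatch with 'Security: Bad IP connecting.'. pasv_promiscuous=YES only
    disables that comparison; it does not put the data channel in the tunnel.
    """
    ip, port = parse_pasv(reply)
    via_tunnel = (ip, port) in local_forwards   # only a forwarded port is tunneled
    return {
        "data_target": (ip, port),
        "via_tunnel": via_tunnel,
        "encrypted": via_tunnel,
        "vsftpd_source_check": "pass" if via_tunnel
        else "fail: Security: Bad IP connecting. (unless pasv_promiscuous=YES)",
    }
```

To carry the data channel through the tunnel as well, you would pin vsftpd's passive range with pasv_min_port/pasv_max_port (and pasv_address) and add matching -L forwards; the post does not go that far.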


Trackback 0 Comment 0