Have you ever been in a situation where you feel like someone is watching you whilst you are working on your computer? Be it at the airport, restaurant, hotel, coffee shop, at a client or on the move!? By watching you I mean, closely monitoring your network traffic, that is, your web browsing, your POP3 emails , your FTP file transfers, open VNC sessions and last but not least your remote desktop (RDP) sessions. Well, the good news is, you can make it difficult for someone to easily spy on you or intercept your traffic. The process of preventing people from snooping or eavesdropping your traffic requires one to force or redirect all the traffic to go via or through an artificial and encrypted electronic passage irrespective of whether you are connected to the internet via a public or private network. SSH Port tunneling using PuTTY is the process that enables this to happen!
What exactly do I mean by SSH Port tunneling? Before I go into more detail on what it means, requires and how to go about setting it up, I will take a step back! Normal day to day internet browsing sees your traffic going ‘to and from’ across, let us say, the current network you are connected to’s firewall, their Internet Service Provider’s firewall and the particular organisation hosting the website you are currently viewing’s firewall. The process can involve your traffic being filtered or throttled along the way. Basically your traffic can be snooped in transit, that is, as an example, your ISP or WiFi (hot spot) administrator can check out what you are currently viewing, internet services that you are running or websites you have visited. Depending on their policies, they can act accordingly, that is, by blocking particular sites and services or redirecting you to another page as an example. Public WiFi Hot spots are always unsecured connections, you might be on the same network with people with malicious intentions. This makes it easy for say, Hackers to tap into your traffic (using man-in-the-middle attack techniques) and sniff out any personal information from your laptop.
Using the following diagram on your left as an example (click on image to enlarge). When user Kell Larten visits his favourite coffee shop and decides to connect to their free Open Wireless network so he can check out the latest news on the internet (from his laptop, that is, Laptop # 1), his web traffic goes in and out of the coffee shop’s network to the internet via their firewall (as shown by the Red arrows). Who ever manages the firewall and depending on the type of configuration can check out the website links Kell is viewing or viewed and the internet traffic moving to and from his laptop. They can block or filter what he has access to on the outside world and in some instances can sniff his traffic. Such an environment poses risks when say, the Administrator sniffs or captures the traffic from Kell’s laptop whilst Kell is connected or tries to remotely access his FTP server at home behind this firewall as the FTP user authentication process is unencrypted and in clear plain text. To add onto this, the ISP that the traffic passes through to hit the remote web server hosting the news web pages (plus the remote web server administrators) can filter the traffic.
All this can be overcome by tunneling. By tunneling your traffic, you basically bypass the local firewall, router and ISP’s network and connect directly to the internet. As shown in the diagram on your left (click on image to enlarge), Kell created a SSH tunnel (highlighted by the Green arrows) between his laptop and his remote Linux Home Server using PuTTY. The SSH tunnel is an encrypted tunnel created via the SSH protocol. It enabled him to route all his unencrypted traffic via it (highlighted by the Red arrows). By using this technique, Kell can safely transfer FTP files across his laptop and Home based FTP Server, we know the FTP protocol is not encrypted by default.
Once a tunnel has been established, the only traffic coming from Kell’s laptop that can be seen in the firewall log (assuming the Administrator checks again) is the remote SSH connection. As shown below (it’s just that entry from his laptop in the log being displayed. Here as an example, his Laptop’s (Source) I.P address is 192.168.1.50 and the Destination – Public (or External I.P Address) that he uses to access his Home Network, in this case Linux Server is xxx.xxx.xxx.xxx (I.P Address has been hashed or x’ed out for security reasons). SSH on his server is listening on it’s default Port, that is, Port 22. See firewall log entry below:
Without the tunnel, we can clearly see that the firewall log (see below) shows us that Kell is accessing internet services running on I.P Addresses 220.127.116.11. and 18.104.22.168 and both are listening on Port 80 (HTTP), which turned out to be Google and Facebook websites. Lastly he is connected to his home network via his Public I.P address (xxx.xxx.xxx.xxx). The services currently being accessed are FTP and RDP, that is, Port 21 and 3389 respectively.
As mentioned earlier, this post assumes you are working on a Windows Machine (as you will be tunneling from the machine) and have remote and external access to a Linux Machine that has SSH running. Those who have remotely managed Linux Boxes should be familiar with PuTTY. SSH stands for Secure Shell, which basically is a network protocol that allows encrypted communication between two hosts. PuTTY is a SSH client and we will use PuTTY for accessing and creating the tunnel. Besides having PuTTY, in order for one to be able to tunnel via SSH, they need to also meet the following requirements:
- Have remote access to a Linux Server running SSH. In the event one doesn’t have access, you can rent out a Virtual Private Server (VPS) running Linux. In some cases when you host a website or websites, depending on the package, if the site uses Apache chances are one can have access to the Linux back-end behind your site.
- Outgoing SSH traffic is allowed through the firewall you are connecting from or through.
Proceed to download PuTTY. Once done, run PuTTY and type in the details of the remote Linux machine. Make sure the external I.P Address or Hostname (Fully Qualified Domain Name – FQDN), you can use a memorable host name, as an example, DynDns provides such a service. You are required to register though for the service. In this demonstration, Kell’s External I.P Address is xxx.xxx.xxx.xxx and memorable hostname (fake one in this example) is kelllarten.dnsdyn.net. Remember to replace xxx.xxx.xxx.xxx with your I.P Address or Hostname.
Before (tunneling came into play) Kell was accessing the Internet, RDP and FTP via the Coffee Shop as follows:
Web browsing (HTTP) – Kell accessed Google and Facebook via his favorite browser Firefox which is configured to go via the Coffee Shop’s Firewall. Note, Kell’s FireFox Proxy settings are set to No Proxy but that does not mean he is not going via a Proxy Server. The Coffee Shops’s Firewall (which also acts as an Proxy Server) is set up as a Transparent Proxy, which basically means any traffic destined for the internet is intercepted as it goes via the Firewall without requiring any special client configuration. Clients don’t need to be aware of the Proxy’s existence. See image on your left.
Remote Desktop (RDP) – Kell remotely accessed his Home Windows Server, Server labelled Windows Server # 1 via the RDP application which is also configured to go via the Coffee Shop’s Firewall. Accessing of Server via RDP involved typing in the Public I.P Address of his Home Network, which is xxx.xxx.xxx.xxx. See image on your left.
File Transfer (FTP) – Kell remotely accessed his Home File Server, Server labelled Windows Server # 2 via the Filezilla application which is also configured to go via the Coffee Shop’s Firewall. Accessing of Server via FTP involved typing in the Public I.P Address of his Home Network, which is xxx.xxx.xxx.xxx. See image on your right
In Kell’s case, he needs to be able to tunnel his Web browsing (HTTP) traffic, Remote Desktop (RDP) traffic and lastly File Transfer (FTP) traffic. SSH Port Tunneling using PuTTY is what Kell will be setting up below. It involves Port forwarding which is basically a process that involves (in Kell’s case) the redirecting of traffic from his laptop, remotely over the internet to another particular computer or service within a Private Local Area Network. After running PuTTY and inputting the details shown in the image shown earlier.
Step 1 – Click on the Connection > SSH > Tunnels option shown under the different ‘Category’ listed on the left. Then do the following:
Under Add new forwarded port: Enter the following information; find the radio boxes under the Destination field and make sure Dynamic and Auto are selected.
Source port: [Port on local machine (8080), in our case, Laptop # 2 ]
We will come back to this step, that is, Step 1, which is an entry that deals with the Port forwarding configuration that we will use for the setting up of a Socks Proxy to bypass any website access restrictions via or using the FireFox web browser.
Under Add new forwarded port: Enter the following information: find the radio boxes under the Destination field and make sure Local and Auto are selected.
Source port: [Port on local machine (3456), in our case, Laptop # 2 ]
Destination: [hostname or I.P Address of Kell’s Home Windows Server # 1, whose I.P Address is – 10.0.16.120]:[port on Kell’s Home Windows Server # 1, whose Port Number is 3389 (Default RDP Port]
We will come back to this step, that is, Step 2, which is an entry that deals with the Port forwarding configuration that we will use for the setting up and accessing of Kell’s Windows Server # 1 using the RDP.
Under Add new forwarded port: Enter the following information: find the radio boxes under the Destination field and make sure Local and Auto are selected.
Source port: [Port on local machine (3457), in our case, Laptop # 2 ]
Destination: [hostname or I.P Address of Kell’s Home Windows Server # 2, whose I.P Address is – 10.0.16.125]:[port on Kell’s Home Windows Server # 2, whose Port Number is 21 (Default FTP Port]
We will come back to this step, that is, Step 3, which is an entry that deals with the Port forwarding configuration that we will use for the setting up and accessing of Kell’s Windows Server # 2 (FTP Server) using FileZilla.
After setting up the port tunnel, select Session from the category list on the left side. Save the session for future connections as shown earlier. In our case we gave it the name Kell’s Home Linux Server. You will notice that for Steps 1 – 3, we used Local and Dynamic Port Forwarding. Local Port forwarding enables us to securely transmit data from another client application running on the same computer as SSH. Dynamic Port forwarding enables us to securely use the SSH server as an intermediary server that transmits data to and from other destination server(s). The 127.0.0.1 address usually replaced by localhost is known as the loop back address, quoting from Wikipedia, “it is a virtual network interface through which network application clients and servers can communicate when running on the same machine”. So the Tunnel which sees HTTP, RDP and FTP all running via SSH which happens to be running on the same machine will see us making use of it, that is, the 127.0.0.1 address.
Let the games begin!!! Now this is the part were it get’s interesting. Proceed to click Open at the bottom of the PuTTY windows and a new window will pop up asking for your Login name; type it in and press Enter. Proceed to also type in your password and press Enter.
Once kell successfully logs in, it now basically means he has an Open SSH Tunnel. We will now be configuring FireFox, RDP and FTP accordingly to go via the Tunnel. Please Note: One will only be able to use the tunneled applications (or Applications via the Tunnel) for as long as they are connected (also logged in successfully) to the remote SSH Linux Server via PuTTY. Unlike the normal ‘untunneled route’, everything will go down (disconnect) once you exit PuTTY. Now proceed to configure and access the Internet, Server # 1 via RDP and Server # 2 via FileZilla without having to go via any Firewall restrictions. See screen shots below with the corresponding Steps configurations and settings as discussed earlier.
With reference to Step 1 proceed to make the necessary FireFox Manual Proxy settings as shown on your left in order to access the internet. In this case the Port we choose is 8080 and Port forwarding via SSH enables us to securely use the SSH server as an intermediary server that transmits data to and from other destination servers. By entering Google and Facebook in the URL in the Firefox address bar, you’ll be browsing from the remote end of the SSH connection, that is, Kell’s Home network. His home network acts as the break out point and any web traffic to the internet from his Home network is unencrypted but between the Coffee shop and his Home Network is encrypted since it goes out via the Tunnel!
With reference to Step 2 proceed to type in the details that will enable you to access Server # 1 via RDP. In this case the Source Port is 3456, Destination I.P is 10.0.16.120 and Destination Port we chose is 3389. Port forwarding setup in PuTTY via SSH enables us to securely transmit data between RDP and SSH as they run on same computer as SSH via the Tunnel. Remember by putting the Tunnel into play the SSH Server whose private I.P Address is 10.0.16.122 is on the same network as the Windows Server # 1 whose I.P address is 10.0.16.210. By Tunneling we more or less create a VPN that allows any application whose Port forwarding is configured to go via it to be part of the Tunneling Servers Private I.P Address range. It’s this type of setup, that I advised people to opt for (in my previous post) and disable external RDP access for security reasons and only access the internal Home network’s Windows machines via RDP via the tunnel. Tunneling your RDP traffic creates an extra layer of encryption. In the event Kell also wants to access the Windows Server # 2 running FTP via RDP, all he needs to do is add another PuTTY Port forwarding entry, example:
Source port: [Port on local machine (3458), in our case, Laptop # 2 ]
Destination: [hostname or I.P Address of Kell’s Home Windows Server # 2, whose I.P Address is – 10.0.16.125]:[port on Kell’s Home Windows Server # 2, whose Port Number is 3389 (Default RDP Port]
Click Add. In the end, to connect to the Windows Server # 2 Server via RDP you will use 127.0.0.1:3458 instead. Port XXXX can interchangebly be substitued or added to or for the Local Port whose linked application needs to be tunneled.
With reference to Step 3 proceed to type in the details that will enable you to access the Windows (FTP) Server # 2 via FileZilla. In this case the Source Port is 3457, Destination I.P is 10.0.16.125 and Destination Port we chose is 21. This way Kell can safely transfer FTP files across his laptop and Home based FTP Server as it is going via the encrypted tunnel.
SSH Port Tunneling using PuTTY can be used for many purposes, applications and services. As an example, suppose the organisation blocks access to www.google.com, (as demonstrated earlier) creating a tunnel will help circumvent these restrictions as the encrypted tunnel helps bypass and at the same time hide one’s traffic from being monitored, blocked or restricted. Citizens in Countries that Censor the Internet, that is, block certain websites or services at national level usually remotely connect to other servers in different parts of the world and tunnel their web browsing and internet services based traffic across so as to access those blocked sites or services. That being said, the purpose of this post is not to show, demonstrate or teach people how to illegal bypass firewall restrictions. I will not be held liable for any network activities that breach the organisation’s Misuse Policy! The objective of this tutorial is to raise awareness especially to mobile users who hop or roam around from and connect to different Hot spots (or Free WiFi) points. Treat all open networks as a security risk, you should not trust these unsecured networks. There are ways to protect your activities while you are out and about with your laptop. Those behind private networks, tunneling adds that layer of encryption, it also protects one from packet sniffing that may occur on the local Area Network (LAN).
In a nutshell, when going anywhere away from your home network and connecting to someone else’s network, you definitely need some form of added security especially if it involves you needing remote access to ‘sensitive’ resources over the internet. As a regular ‘Tunneler’ and talking from experience, from a legal perspective, SSH Port Tunneling using PuTTY is definitely a good starting point!