
For anyone who has SSH access to a server (but not VPN) and is wondering what to do when you need some security in a pinch, here is a quick fix...

Open an ssh connection to a server you have access to using something like the following:

ssh -ND 8887 -p 22 rufus@

where 8887 is the port on your laptop that you will tunnel through, -p 22 is the port the ssh server is on (22 is the default but I use a different port so I am used to specifying this) and the rest is your username and the address of the server.

Set your network to point to the proxy. On a Mac that would be…

... Open Network Preferences…

... Click Advanced…

... Click Proxies…

... Check the SOCKS Proxy box then in the SOCKS Proxy Server field enter localhost and the port you used (8887)

... OK and Apply and you are done!

Now you can surf safely.
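An added example, not part of the original post: it builds the same `ssh -N -D` SOCKS command in a hardened form (listener bound to loopback only, unknown or changed host keys refused rather than prompted for, and ssh exiting if the local port is already taken instead of silently running without a proxy), checks whether the server's key is already pinned in a known_hosts file, and verifies that whatever is listening on the local port actually speaks SOCKS5. The user, host names, ports and key material are constructed placeholders.

```python
"""Added example (not from the HN thread). Builds a hardened `ssh -D` SOCKS command
and performs the local checks a practitioner wants: is the host key already pinned in
known_hosts (so a MITM on the local network cannot impersonate the server), and is the
local listener really speaking SOCKS5. All host names, ports and keys below are
constructed placeholders."""
import socket


def build_socks_command(user, host, ssh_port=22, local_port=8887, verbose=False):
    """Return the argv for an ssh SOCKS tunnel.
    - StrictHostKeyChecking=yes: refuse unknown or changed host keys instead of prompting.
    - ExitOnForwardFailure=yes: fail if local_port is taken, rather than silently
      running with no proxy behind it.
    - bind -D to 127.0.0.1 so other machines on the cafe wifi cannot use the tunnel."""
    argv = ["ssh"]
    if verbose:
        argv.append("-v")
    argv += ["-N", "-D", f"127.0.0.1:{local_port}", "-p", str(ssh_port),
             "-o", "StrictHostKeyChecking=yes",
             "-o", "ExitOnForwardFailure=yes",
             "-o", "ServerAliveInterval=30",
             f"{user}@{host}"]
    return argv


def known_host_present(known_hosts_text, host, ssh_port=22):
    """True if a plaintext known_hosts entry covers host (and port, when not 22).
    Hashed entries (|1|...) cannot be matched by this parser; use
    `ssh-keygen -F host` for those."""
    want = host if ssh_port == 22 else f"[{host}]:{ssh_port}"
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if want in fields[0].split(","):
            return True
    return False


def socks5_listener_ok(port, host="127.0.0.1", timeout=2.0):
    """Send a SOCKS5 greeting offering 'no authentication' and expect 05 00 back.
    This distinguishes a live `ssh -D` listener from an unrelated open port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")  # version 5, 1 method offered, method 0 = no auth
            reply = s.recv(2)
    except OSError:
        return False
    return reply == b"\x05\x00"


# Constructed sample file; the keys are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = """# constructed sample, not a real key
example.org,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
[example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY
|1|hashedhost|hashedvalue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
"""

if __name__ == "__main__":
    print(" ".join(build_socks_command("rufus", "example.org")))
    print("pinned:", known_host_present(SAMPLE_KNOWN_HOSTS, "example.org"))
    print("socks5 on 8887:", socks5_listener_ok(8887))
```

Run `socks5_listener_ok` after starting the tunnel: if it returns False the browser's SOCKS setting is pointing at nothing, and with ExitOnForwardFailure the ssh process will already have exited rather than left you surfing unproxied.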

Also, remember that some programs don't respect the system's proxy settings and instead use their own. Firefox is one of those, you can find its proxy settings in "Advanced -> Network -> Settings"

Also Firefox doesn't put DNS through a socks proxy by default, which has some security implications and doesn't allow you to reach internal-only names. In about:config set: network.proxy.socks_remote_dns to True.

After Firefox 3.6.4, the default proxy selection policy is to use the system default, instead of no proxy.


That link has screenshots to help you configure Firefox to use the ssh proxy.

Unfortunately Opera doesn't support SOCKS proxies. http://www.opera.com/support/kb/view/194/

Also unfortunately I think Flash and Silverlight media streaming don't respect proxies, leaving me unable to stream Hulu and Netflix when I'm in the UK.

They _should_, and do for me typically using Chrome.

alanstorm of stackoverflow answers that deal with Magento fame (well, fame being a relative term but famous to me, anyway)?

Yeah, I'm that Alan Storm. NOT the WCW scrub wrestler.

  ssh -ND 8887 -p 22 rufus@
just hangs and doesn't look like it's doing anything ... if you want to see stuff happening, so you know it's working, use verbose mode:

  ssh -vND 8887 -p 22 rufus@
and you'll see delightful ssl debug information scroll by every time you hit a page in your browser.

I wouldn't say it "hangs" as everything is actually working fine and "hang" means that the process is stuck. It's just there is no output to provide feedback that it is working as expected.

You can remove the N option and you'll get a shell.

You, sir, made my day! I just set this up with my home Linksys router which is reachable from the internet and it works like a charm.

I am using the Tomato firmware (http://www.polarcloud.com/tomato) which has an SSH daemon.

Wow, great idea! I was thinking of using my root server, but worry about wasting traffic. That would not be an issue with my DSL router at home.

Awesome! Happy to help.

And, make sure you already have the key in your known_hosts, otherwise you could be subject to a MITM attack :)

You proxy through the NSA? How brave!

You win a cookie! I was wondering how long it would take for someone to comment on that. :)

I thought the whole point of this mechanism was to avoid giving away cookies?

Insecurely transmitted cookies. I think it safe to assume these two will negotiate a means of exchanging keys to their respective cookie jars.

On a similar note, I have this aliased in my shell (.profile) so I don't have to think before getting a proxy up:

alias socks="ssh -ND 8887 -p 22 rufus@"

That way I can just open a shell and type "socks" and be good to go (well and then do the system preferences deal, but I have an AppleScript that does that automatically).

Also, if you host your ssh server on 443 rather than 22, you can also tunnel through most corporate firewalls.

And if the firewall does protocol blocking, solutions like http://dag.wieers.com/howto/ssh-http-tunneling/ might be able to get through.

Client -> SSH_Server == Encrypted

SSH_Server -> FaceBook == Unencrypted

SSH proxies are not end to end encryption. They only protect part of the path. Not sure why this is being down voted. It's true. The tunnel is only between the client and the SSH server. The HTTP websites that you visit beyond the SSH server see your clear text packets.

This is true but not relevant to the discussion because the attack in question depends on sniffing clear-text wireless traffic at the local access point.

Tunneling over SSH protects your traffic for that portion of the network (and out past your ISP as far as the remote end of the SSH tunnel).

An attacker would need different tools and resources to intercept your traffic between remote hosts.

So? The problem is insecure WiFi and local networks.

The network from the SSH_Server to Facebook is much larger and more secure.


Silence Is Defeat provides SSH accounts for a small donation.

(I am not affiliated with them)

I provide ssh accounts on 2 VPSs (and growing), free of charge. http://nipl.net/ http://ai.ki/

In case this isn't clear: if you ssh to someone else's machine and use it as a proxy or VPN, the owner of said machine can of course still steal your HTTP cookies. (not trying to say anything about the trustworthiness of the above 2 posters, just a general statement)

This is a stupid question, but what about a guy like me who has no access to a server?

I'm going traveling for all of next month, the only sites I'll be checking where I'll be logged in is my hotmail account, and I might check my bank account (Chase) - both use https, so I suppose I'm in the clear then? (also when I click "log out" on these sites, it logs me out, but if my session has been hijacked, will it log the hijacker out of the session he's hijacked of mine as well?)

A cheap linux VPS is a couple bucks a month. Mine is three. If you aren't looking for a deal, there are many many options at the 5 dollar price point. If five bucks is worth peace of mind for the next month, then that's your answer. This will also have the benefit of getting around filters that are operating on WiFi network you are on.

Wow, three? I thought prgmr.com's $5 system was the best deal I'd be able to find.

It was a special deal featured on http://www.lowendbox.com/. If you can pay by the year, there are even cheaper deals.

BuyVM.net has some good-for-my-purpose VPSes for cheap, so long as you can get them "in stock" (whatever that means...). Lowest one is 15 bucks a year(!)

An Amazon EC2 micro instance is free for a year.

So I could go get a free VPS for a year through Amazon with this?

Generally websites will delete the login token on their side, leaving hijackers with an invalid token and a 'log in again' page.

Generally, watch out for older sites or sites made by people that haven't learnt much in this area which may store some kind of account id in place of a key generated on each login. In that case just because the website invalidated/deleted your cookie the hijacked cookie would still be good.
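An added example, not from either of the two replies above, contrasting the two designs they describe: a server-side session store keyed by a random token issued on each login (so logout deletes the token and a copied cookie becomes the 'log in again' page), versus the older pattern of putting an account id in the cookie, where there is nothing on the server to invalidate. `hijack_survives_logout` runs the thread's scenario (cookie copied off the wire, victim logs out) against both stores; the class names and the user ids are constructed for the example.

```python
"""Added example (not from the HN thread): why a per-login random session token can be
invalidated on logout while an account-id cookie cannot. Class names and ids are
constructed for illustration."""
import secrets


class TokenSessions:
    """Server-side store keyed by a random token minted on every login."""

    def __init__(self):
        self._sessions = {}  # token -> user_id

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token  # this is what goes into the cookie

    def user_for(self, cookie):
        return self._sessions.get(cookie)

    def logout(self, cookie):
        # Deleting the server-side entry is what makes a copied cookie worthless.
        self._sessions.pop(cookie, None)

    def logout_everywhere(self, user_id):
        """Kill every session for a user, e.g. after a suspected hijack."""
        for token in [t for t, u in self._sessions.items() if u == user_id]:
            del self._sessions[token]


class AccountIdSessions:
    """The anti-pattern the second reply warns about: the cookie *is* the account id."""

    def login(self, user_id):
        return str(user_id)

    def user_for(self, cookie):
        return int(cookie) if cookie.isdigit() else None

    def logout(self, cookie):
        # Nothing to invalidate: any copy of the cookie keeps working.
        pass


def hijack_survives_logout(store_cls, user_id=42):
    """Simulate: victim logs in, cookie is copied off the open wifi, victim logs out.
    Returns True if the copied cookie still authenticates afterwards."""
    store = store_cls()
    victim_cookie = store.login(user_id)
    stolen_cookie = victim_cookie  # attacker's copy, as in the thread's scenario
    store.logout(victim_cookie)
    return store.user_for(stolen_cookie) == user_id


if __name__ == "__main__":
    print("random token survives logout:", hijack_survives_logout(TokenSessions))
    print("account-id cookie survives logout:", hijack_survives_logout(AccountIdSessions))
```

The per-login token only helps if logout actually deletes the server-side entry and the token is unguessable; `logout_everywhere` is the control you want when a user reports a hijacked session, since the victim cannot know which copy of the cookie the attacker holds.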

I would consider paying for VPN access. I travel a bit and use Witopia for this. It's not very expensive and is quite convenient.

Would the free Amazon EC2 deal for a year be good for this?

I'd like to buy such a server at low purchase and maintenance cost.

The Pandaboard[1] looks like a good fit, but the instructions to install a Linux distro are a bit scary [2]. I guess I could do it, from my Mac, but I'm a bit afraid to mess things up with the low-level disk utilities.

Does someone sell SD cards with a distro pre-installed? Or an equivalent device with an easier setup?

If not, there's probably a market for that...

[1] http://pandaboard.org/

[2] http://omappedia.org/wiki/OMAP_Pandroid_Main#Getting_Started

Instead of a dedicated server, use a router that can run DD-WRT or Tomato. I use a cheap ($35) refurbished wireless router from Linksys[1] and I am sure there are other models. These will be more energy efficient and easier to maintain than running a dedicated server. Additionally, of course, you can use these as routers for your home network.

[1] http://www.amazon.com/Cisco-Linksys-WRT160N-RM-Refurbished-W...

There are lots of dirt-cheap Atom-based Mini-ITX systems out there. A basic motherboard with CPU will cost you about €60, a bit more for a dual-core. You can probably scavenge some DDR2 RAM from an upgraded laptop and install the OS on a USB stick. Mini-ITX cases/PSUs tend to be cheap too. If this is going to sit in your office or home, you might want to watch out for noise/heat with both motherboard and PSU and pay a bit more for a fanless motherboard & PSU and get a case with a large, slow-rotating fan. All in all you can probably come in under €200 plus a multiple of that for your time for research, assembly and installation. Or just rent a VPS.

Exactly my question. Are there any cheap and reliable (very important in this case) VPS services I can use to do this? Using ssh through the internet as a proxy seems to be the best approach. Unfortunately I cannot set up my own ssh server to do this as both power and internet connectivity are not reliable where I live.

You might want to look at http://prgmr.com/xen/ It's run by a Hacker News member, lsc.

He has plans starting at $5/mo but you'll want to take notice of the monthly transfer limit. The $5/mo plan is 10GB transfer a month (which will come to 5GB in/5GB out if you're using it as a proxy) so you won't want to tunnel video or downloads through it. If you go for the $8/mo plan though you can get 40GB data transfer.

I've never had an account with him so I'm not sure if there's a way to check how much of your data allowance you've used for the month. Someone else might be able to chime in about a program you could run on the server to notify you when you've reached a transfer threshold.

You can also just put DD-WRT or Tomato on your router and use that.

Are there public SSH servers that are safe?

Not that I know of, but decent VPSes are relatively cheap - for instance: $5/mo - http://prgmr.com/

If you can't afford that, you can always run a SSH server from your residence and use that.

Surely you jest, sir!
