Secure Browsing at the Coffee Shop - How To

Last post, I talked about my paranoia with getting on-line away from home and how I needed to take some steps to secure my browsing. I found some sites that did a really nice job of explaining all of this, but I found that I was jumping around a lot to get the configuration I thought was best. So, I put together these steps with security and ease of installation in mind.

My goal is to create an encrypted line of communication from my laptop to the internet via proxy. Under normal circumstances, a direct connection to the internet using a public hotspot is crazy. A packet sniffer could take a peek at your browsing and do all kinds of nasty. Think of this data as being transported through the coffee shop on the wings of a pink flamingo. Everyone sees it, easily! A SOCKS proxy is much nicer. We create a secure, encrypted tunnel to our own proxy server that is sitting safely in our home just the way we configured it. Once our request reaches the proxy, it then goes out to the internet on our behalf and sends the data back through the tunnel. At this point the travels of your data are more like that of a gopher with a bulletproof vest and full camo fatigues. (Note: If someone could go ahead and mock up a bulletproof gopher logo at this point, I’d be very pleased.)

Now, with those miserable analogies out of the way, let’s get down to business. I’ve broken up this tutorial into parts instead of traversing several posts as originally intended. Here’s what we’ll hit:

  • Create server from old PC.
  • Configure DynDNS and your router so you can easily find and get to your proxy server.
  • Install and bulletproof your SSH configuration.
  • Set up Firefox to use the SOCKS proxy and tunnel.

Step 1: Create Server
The old PC that I used for this project happened to be a Dell Dimension 4100 that I bought in 1999 for $4000. You can find a PC with comparable specs today for less than $200. I chose to use the most popular Linux distribution at the time of this writing, Ubuntu, for my server. Getting and installing Ubuntu is as easy as these three steps:

  1. Download Ubuntu.
  2. Create an ISO for installation. (jump to the Mac OS X instructions)
  3. Insert the CD and double-click.

Seriously, it’s that easy.

Step 2: Configure DynDNS and Your Router
When you’re ready to connect to your SSH server, you’d probably rather type in a name (ssh user@awesome.com) that you set up as opposed to the random IP (ssh user@68.43.78.66) that your ISP handed you that week. This is where dynamic DNS comes in to help us negotiate one of the caveats of DHCP. There are some considerations to make when choosing a dynamic DNS provider. Linux.com has a great post on this with a lot more detail, but the big questions are:

  • Is it free?
  • Is there an updater for your OS?
  • Does the service support port redirects?
  • Can you use your own domain name?

DynDNS can handle all of these, but the last one requires an account upgrade which costs about $25/year. No worries, because all we care about for our purposes is that it is FREE — and has been for the last 10 years I found out. So, run over to DynDNS and set up an account. Once you have an account, go to “My Services” > “Host Services” > “Add New Hostname”. You should have a screen like this:

[Screenshot: DynDNS - Add New Hostname]

Start by entering whatever hostname you like and then check the wildcard box. The wildcard option allows you to use any subdomain you come up with, like justin.dbd.dynalias.org. This example illustrates how you could hand out custom domains if you wanted to let a friend use your SSH service. Use the default service type “Host with IP address” and click the “Use auto detected IP address xxx.xxx.xxx.xxx” to use the IP from your ISP. Don’t check mail routing and click “Create Host”. Once you’ve completed this portion, you can pretty much log out of DynDNS for eternity. They do have some nice DNS tools for troubleshooting if you do happen to have problems though.

I know all of my DBD readers are behind some type of router, so installing an updater on their server is not something we need to detail here. Most routers include a section for dynamic DNS, including my 8 year old Netgear router. See…

[Screenshot: Netgear Dynamic DNS]

Fill in the appropriate info and move on to the next step.

Step 3: Install and Bulletproof SSH
Installing the SSH server on Ubuntu is simply a matter of two commands from the shell: one to update your computer’s list of software available in the repositories and one to get/install the SSH service. More on how Linux software installation works is available from my Eee peeeps.

sudo apt-get update
sudo apt-get install ssh

Installation complete!

Now, if you want to put yourself in even more danger than just exposing your browsing at the coffee house, continue by opening port 22 on the router and walk away. Soccer mom’s script kiddies will thank you. The fact is that most port scanners default to scanning through port 1024. With that said, let’s move on to configuration.

I like to lock things down, and restricting SSH connections to public key/private key exchanges pretty much keeps things sewn up. When this approach is paired with eliminating username and password logins altogether, you’re really starting to make things bulletproof. Configuration is simply a matter of changing a lot of the obvious in the SSH server config file /etc/ssh/sshd_config. Things we’ll be doing (among other security changes in the file):

  • CHANGING THE DEFAULT PORT
  • disabling root login
  • enabling authorized keys
  • disabling passwords
  • setting an authorization attempts threshold

We’ll start with creating our keys setup. I used to think there was some magic going on with public/private keys, but it’s just a matter of the server checking its list of keys (a file) to make sure that your laptop’s key (some random string) is in it. To begin, create the key on your laptop (do not supply a password when prompted):

ssh-keygen -t dsa

Now that we have our key, we just need to add it to the list of authorized keys on the server. The easiest way to do this is to simply use SSH to login and concatenate your key to the end of the file with this command:

cat ~/.ssh/id_dsa.pub | ssh user@sshserver_ipaddress "cat >> .ssh/authorized_keys"

At this point, you’ll want to change the permissions on the server’s authorized keys file so that it is only readable by the user:

chmod 600 .ssh/authorized_keys

Now, we’ll want to make those changes we spoke about earlier to the server’s SSH configuration file. First cd to the directory and make a backup of the original file:

cd /etc/ssh
sudo cp sshd_config sshd_config.old

Now, as root, we’ll open the file for editing:

gksu gedit sshd_config

Below is how you’ll want to set up your file exactly. Of course, you’ll want to change your port to something above 1024.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port #####
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
# LogLevel INFO

# Authentication:
LoginGraceTime 120
MaxAuthTries 6
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

AllowTcpForwarding yes

GatewayPorts yes

Compression yes

Restart the server so that our changes take effect:

sudo /etc/init.d/ssh restart
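
The goals listed at the start of this step can be checked mechanically against the edited file. The script below is an added example, not part of the original post; the function names are made up here, and it deliberately counts a keyword that is not set explicitly as a failure.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against
# the hardening goals listed in Step 3 of this page.

# Print the global value of KEYWORD in FILE, lowercased. Comment lines are
# skipped, keywords are case-insensitive, the first occurrence is taken, and
# parsing stops at the first Match block (settings after it are conditional).
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed only if KEYWORD is explicitly set to WANTED.
require_setting() {  # usage: require_setting FILE KEYWORD WANTED
    got=$(sshd_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-unset}', want '$3'"
    return 1
}

# Print one line per failed check; the exit status is the failure count.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    fails=0
    require_setting "$1" PermitRootLogin no                 || fails=$((fails + 1))
    require_setting "$1" PubkeyAuthentication yes           || fails=$((fails + 1))
    require_setting "$1" PasswordAuthentication no          || fails=$((fails + 1))
    require_setting "$1" ChallengeResponseAuthentication no || fails=$((fails + 1))
    port=$(sshd_value "$1" Port)        # an unset Port means the default, 22
    case ${port:-22} in
        *[!0-9]*) echo "FAIL: Port '$port' is not a number"; fails=$((fails + 1)) ;;
        *) [ "${port:-22}" -gt 1024 ] ||
               { echo "FAIL: Port ${port:-22} is not above 1024"; fails=$((fails + 1)); } ;;
    esac
    tries=$(sshd_value "$1" MaxAuthTries)
    case $tries in
        ''|*[!0-9]*) echo "FAIL: MaxAuthTries is not set to a number"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample input: a config that misses most of the goals.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication no' \
    'MaxAuthTries 6' > "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run against the listing above as printed, it reports the Port line until the ##### placeholder is replaced with a real number. `sudo /usr/sbin/sshd -t` covers the other half by checking the file for syntax errors.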

We can’t exactly test yet because we haven’t set up port forwarding on the router. That’s usually just a matter of popping your gateway’s IP into your browser and making the necessary adjustments. Just make sure that the port you’re using matches what you assigned in the sshd_config file.

Okay, give the SSH server a test with the following:

ssh user@awesome.dyndns.com -p#####

Because we set up the private/public keys earlier you should walk right in to the server. You can test to make sure by entering a non-existent user name to see what happens. You should receive a “Permission denied (publickey)” response (look later for a nice little config change to provide a custom error message).

Step 4: Set Up Firefox to Use the SOCKS Proxy and Tunnel
Setting up Firefox to use your proxy is quick and easy. Before we make our configurations, let’s go ahead and create the secure connection to the SSH server.

ssh -ND 2000 user@awesome.dyndns.com -p#####

The -N and -D 2000 options tell SSH to hold open a non-interactive connection (no remote command is run) and to listen on local port 2000 as a SOCKS proxy. The terminal should just hang after that, which is actually good in this particular situation. Now we’ll configure Firefox to use this encrypted channel of communication. You’ll want to go to “Edit” > “Preferences” > “Advanced” > “Network” > “Settings…”. You’ll simply enter “localhost” followed by the port, “2000”, in the respective “SOCKS Host” fields. Click “OK” to finish up.

[Screenshot: Firefox connection settings]

Test your connection and make sure you can browse pages. If you stop the connection to the SSH server (ctrl+z), you should not be able to continue browsing and receive a connection error message when loading a page.

Oh, and one more thing. You’ll also want to make sure that your DNS traffic is being taken care of too. Codeblog lets us know how…

To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy more like a regular proxy, where DNS is handled by the remote end of the tunnel.

That’s it! B.I.P. - Browse in peace. Oh, and give that soccer mom the bird.

Eventually, I’m going to create a script that connects to the SSH server and then launches a “proxied” Firefox profile to make the connection process on the road much quicker. This will also keep you from having to change your connection settings every time you turn around if you aren’t using something like FoxyProxy.
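
One way such a script could look, as an added example that is not the author's script: it pins the Step 4 proxy settings (including the remote-DNS preference) in a dedicated Firefox profile, opens the tunnel, and closes it when the browser exits. The function names, the profile directory and the 22222 port are assumptions made for the example; it also assumes firefox and ssh are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post.
HOST=${HOST:-user@awesome.dyndns.com}   # the hostname used on this page
SSH_PORT=${SSH_PORT:-22222}             # placeholder: the Port from your sshd_config
SOCKS_PORT=${SOCKS_PORT:-2000}

# Write the proxy settings into PROFILE_DIR/user.js. Firefox re-applies
# user.js at every start, so this profile cannot drift back to a direct
# connection or to local DNS lookups.
write_proxy_prefs() {  # usage: write_proxy_prefs PROFILE_DIR SOCKS_PORT
    case $2 in ''|*[!0-9]*) return 1 ;; esac   # refuse a non-numeric port
    mkdir -p "$1" || return 1
    cat > "$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", $2);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Open the tunnel, run Firefox on the proxied profile, then close the tunnel.
browse_through_tunnel() {  # usage: browse_through_tunnel PROFILE_DIR
    write_proxy_prefs "$1" "$SOCKS_PORT" || return 1
    sock="$1/tunnel.sock"                  # control socket used to stop ssh later
    # -f backgrounds ssh once authenticated; ExitOnForwardFailure makes it exit
    # rather than stay connected without the SOCKS listener if the port is taken.
    ssh -f -N -M -S "$sock" -D "$SOCKS_PORT" -p "$SSH_PORT" \
        -o ExitOnForwardFailure=yes "$HOST" || return 1
    firefox -no-remote -profile "$1"       # blocks until the browser is closed
    ssh -S "$sock" -O exit "$HOST"         # tear the tunnel down afterwards
}

# Connect only when asked to, e.g.:  sh proxied-firefox.sh run
if [ "${1:-}" = "run" ]; then
    browse_through_tunnel "${PROFILE_DIR:-$HOME/.firefox-coffee-shop}"
fi
```

Because the proxy is fixed in the profile, pages in that profile fail to load when the tunnel is down instead of going out over the hotspot directly.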

Sources/Further Reading
The people over at Lifehacker and Linux.com did much better jobs of explaining all of this and you can peep their versions below:
Geek to Live: Encrypt your web browsing session (with an SSH SOCKS proxy)

Linux.com :: Secure your Wi-Fi traffic using FOSS utilities
SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing « Ubuntu Blog

Dynamic DNS Links:
Linux.com :: Getting started with dynamic DNS

Geek to Live: How to assign a domain name to your home web server

DynDNS — Dynamic DNS — How To

SSH:
Linux.com :: Advanced SSH security tips and tricks
- more ways to lock down and tweak the sshd_config file including using a custom error message for unauthorized attempts
Ubuntu:Gutsy SSH - more on setting up SSH under Ubuntu
Geek to Live: Set up a personal, home SSH server
- setting up an SSH server on Windows and Mac OS X

Firefox:
FoxyProxy - a free, open-source advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities

Misc:
Sweet “insert the CD” image from Iomega.com.

One Response to “Secure Browsing at the Coffee Shop - How To”

  1. fishwreck Says:

    Sweet! Can’t wait to try this out when I have time. (Work is crushing me right now. Hahaha!) BTW, your writing style crushes — clear, concise, funny — all my faves.
