Web browsing over an SSH tunnel


This is how I set up my SSH server so that I can connect securely over an encrypted connection whenever I want to browse in private. A powerful tool when combined with a U3 memory stick or the portable apps suite.

The first step is to set up ssh/openssh on your server. Your server needs to be permanently switched on and connected to the internet. You should also aim to have a firewall between your computer and the internet, and leave as few open ports as possible. I have successfully set up openssh on Windows XP but I feel safer running an ssh server on a Linux server. I’ve run (and am still running) ssh servers on both Ubuntu server and on my ‘unslung’ Linksys NSLU2. If you are looking for a low-power web server and ssh server you can’t go far wrong with the NSLU2. I’ll say no more about this clever little device apart from saying that it has its own website dealing with how to unlock the extra functionality and set up the various servers – http://www.nslu2-linux.org/

You will need to forward a port from the router to your server – in the past I’ve given my server a static IP address on the internal network. This means the router will always be able to connect to it on the same IP address. Under Ubuntu you can give your server a static IP address by editing /etc/network/interfaces (type sudo nano /etc/network/interfaces ).
It should look like:
auto eth0
iface eth0 inet dhcp

and you need to change it to something like this (assuming your router is 192.168.1.1)

auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Then you can restart the networking components by typing sudo /etc/init.d/networking restart

Setting port forwarding for your router is outside the scope of this guide – searching Google should help you if your manual doesn’t give you any help.

If you are running Ubuntu server you get the option to install an ssh server as part of the installation process. You can always install it later if required using the (sudo) apt-get install ssh command.
Once you have a working ssh server you will need to edit the config file and set up a key to log on. Using a simple password is not very secure and not recommended. Also changing the default port from 22 to a higher number prevents many intrusion attempts – port 443 is often open from work networks (recommended if you are wanting to use this technique to surf undetected from work).
You need to edit /etc/ssh/sshd_config (sudo nano /etc/ssh/sshd_config) and check these lines:
Port – change from 22 to something like 443
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Once you have a working setup that you can use with a public key you will have to change PasswordAuthentication to no to prevent anyone logging in by guessing a password.
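One thing the edit above can get wrong: sshd uses the first value it reads for each keyword, so adding PasswordAuthentication no underneath an existing PasswordAuthentication yes changes nothing. The script below is an added example, not part of the original post; it audits a config file for the settings listed above. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes whitespace-separated
# "Keyword value" lines; Match blocks and Include files are not evaluated,
# and only the first Port line is inspected.

# Constructed sample: password logins were "disabled" by appending a line,
# but an earlier PasswordAuthentication line is still in the file.
sample_config() {
cat <<'EOF'
Port 443
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
passwordauthentication yes
PasswordAuthentication no
EOF
}

# effective_value FILE KEYWORD DEFAULT
# Prints the lower-cased value sshd would use. Keywords are case-insensitive
# and the FIRST occurrence wins, so later duplicates are ignored.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }      # stop at conditional blocks
        tolower($1) == want { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE: prints findings, returns the number of failures.
audit_sshd_config() {
    fails=0
    pubkey=$(effective_value "$1" PubkeyAuthentication yes)
    passwd=$(effective_value "$1" PasswordAuthentication yes)
    port=$(effective_value "$1" Port 22)
    [ "$pubkey" = yes ] || { echo "FAIL: PubkeyAuthentication is $pubkey"; fails=$((fails + 1)); }
    [ "$passwd" = no ] || { echo "FAIL: PasswordAuthentication is $passwd"; fails=$((fails + 1)); }
    [ "$port" != 22 ] || echo "NOTE: still listening on the default port 22"
    return "$fails"
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

On a live server, running sshd -T as root prints the effective configuration as sshd itself computes it.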

The next stage is to make a key – use puttygen for this (it’s easiest to do this on the remote pc) http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Generate a random key and save the private key onto your computer. You will need to copy and paste the public key so don’t quit yet. Connect to your server using Putty – it should ask for a user name and password at this stage.

Where to save the public key file depends on the user name you wish to log in with.
Change to that directory – cd /home/user
See if you have a .ssh folder by trying to cd .ssh (if you haven’t you can mkdir .ssh)
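Inside the .ssh folder you create a key file by typing echo "ssh-rsa PASTE-PUBLIC-KEY-HERE rsa-key-20080210" > authorized_keys on a single line, where PASTE-PUBLIC-KEY-HERE stands for the long public key string you copied from puttygen.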
(Right clicking on the putty window pastes the clipboard into the screen).
Set file permissions by typing chmod 644 authorized_keys
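A paste that gets wrapped or cut off in the terminal leaves an entry that will never match your private key, and the login falls back to the password prompt. The script below is an added example, not part of the original post; it checks that each authorized_keys entry is a single "type blob comment" line whose blob agrees with its type, and that the file is not writable by group or others. The function names are hypothetical and the sample entries are constructed stubs; it does not validate the full key, which ssh-keygen -l -f authorized_keys does.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes authorized_keys
# entries of the form "type base64-blob [comment]" with no options field.

# key_line_status LINE: prints "ok" or the reason the entry is unusable.
key_line_status() {
    set -f; set -- $1; set +f   # split into fields without globbing
    [ $# -ge 2 ] || { echo "expected 'type blob [comment]' on one line"; return 1; }
    case $1 in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unknown key type: $1"; return 1 ;;
    esac
    # The decoded blob starts with a 4-byte length, then the type name again.
    inner=$(printf '%s' "$2" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#1}")
    [ "$inner" = "$1" ] || { echo "blob is damaged or does not match $1"; return 1; }
    echo ok
}

# writable_by_others PATH: true if group or world can write to PATH.
# With StrictModes (the default) sshd refuses keys from such a file.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_authorized_keys FILE: report every entry, return the number of problems.
check_authorized_keys() {
    problems=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        msg=$(key_line_status "$line") || problems=$((problems + 1))
        echo "line $n: $msg"
    done < "$1"
    if writable_by_others "$1"; then
        echo "permissions: group/world writable"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a header-only stub blob (not a usable key) and the same
# entry broken across two lines, as happens when a paste gets wrapped.
demo=$(mktemp)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2E= rsa-key-constructed' \
              'ssh-rsa AAAAB3Nz' 'aC1yc2E= rsa-key-constructed' > "$demo"
chmod 644 "$demo"
check_authorized_keys "$demo" || echo "$? problem(s) found"
rm -f "$demo"
```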

Log out of putty and try again using a key. To do this go in the ssh section of the putty config and look for the auth section – this is where you enter the location of the private key you saved earlier.

You also need to set up the tunnel – look in putty under SSH/tunnels and type 8181 into the source port box, click the dynamic button and then add. You should see D8181 appear in the window.
In firefox or internet explorer you need to find the proxy settings and set them for 127.0.0.1 port 8181 (socks 5 proxy). I’d recommend using Firefox since you can also send your DNS requests over your ssh tunnel and no one in the office can tell what you are browsing. Type about:config in the firefox address bar, look for network.proxy.socks_remote_dns and set it to true.
If you use firefox in different environments I’d recommend looking for a proxy switching app (eg foxyproxy).

I realise these instructions are pretty brief and require a little technical knowledge – if you require more detailed help, fill in the contact me form on my website and I may be able to help you. Alternatively you could try searching google using some of the terms from this guide. Happy surfing.

More SEN science worksheets uploaded

I’ve uploaded the rest of my KS3 collection of worksheets and all of my KS4 entry level collection.
I was surprised to see how few worksheets I had that were of a quality that I would want to publish on here (or how many were not complete with diagrams scanned in etc).
I plan on adding my AQA GCSE resources next.

Edit: Sept 08 – Follow this link to see where my files are currently hosted

River Trent flooding under Harrington Bridge, Sawley

We’ve had lots of rain in the UK over the last few days. River levels have been getting higher and we’ve been a little concerned about the risk of flooding. Having not been able to see the extent of the flooding during daylight (I’m always at work!), I managed to see today how far the flood water extends. These are some of the photos I took with my phone. Full sized photos are in this gallery:

Trent flooding under Harrington Bridge

Router


I should really mention the Linux firmware running on my router – which is dd-wrt. It gives many features not available in the stock Buffalo firmware which came installed on my router. I use the detailed port forwarding, support for DynDNS (who host my domain), loopback and numerous other features. Unfortunately it only supports routers with certain chipsets – have a look at www.dd-wrt.com (and be sure to read their wiki if you use torrents!).

Added wiki address since I’m getting lots of hits – http://www.dd-wrt.com/wiki/index.php/Torrent

New hardware


I finally took the plunge. After dithering about what to buy I finally purchased a Dell SC440 server (which was on special offer!). I swapped out the 2×80Gb drives that came supplied with 2×500Gb drives of the same type (Western Digital). I tried several different Linux distros (after toying with the idea of Windows XP Pro/Windows home server) and settled on my favourite Ubuntu Server (64 bit). This server is now hosting this blog, serving files to my networked pcs, running torrentflux for those TV downloads and may perhaps soon be doing more. Any suggestions for extra uses welcomed.