Wireless security: Making OpenSSH a secure Web server

In some ways, securing your computer is a full-time job. The problem is even more complicated when you think about wireless security. For those traveling outside the wireless network, whether they use a wireless access point in a café, an airport, or a hotel where they spend the night, one important concern is that they never know the security of the network they use unless they know it is not. For example, for a network of coffee shops, this is true: because they are open to everyone, you can't trust them. If they are not open to anyone, they are worthless. When you use a laptop on a public wireless access point, the only sound way to solve the security problem is when you access resources through its network, pay attention to the choice of content and how to access those resources. To a large extent, this means you have to avoid logging on to your bank's web site, not to shop online, or to send sensitive data over the network. Even if the suspected Web site uses the encryption of a login session, it does not mean that you will not be attacked by some kind of middleman or by some other deception that you cannot control. However, there are ways to protect you, so you can access resources that require sensitive data to be transmitted over the network multiple times. One way is to use a secure, transparent proxy service. Any kind of Web Proxy service is difficult to install and configure for a typical user, but if you need only one encrypted connection to a transparent proxy without any additional measures, and you use the right tools, the Web Proxy service is relatively simple to implement. Fortunately, this "right tool" is easy to get. In the following example, we assume that you are using a Linux, BSD UNIX, or commercial UNIX system as a proxy server in your home. We also assume that you have a continuous Internet connection at home, such as an Internet connection that is implemented through a typical DSL connection. Server access settings The first step in accessing your transparent proxy is to configure the firewall on your home network so that it can transfer an SSH port to a computer that you want to use as a transparent proxy. You have a firewall on your home computer to provide secure access, right? If you have not yet, then I suggest you do not read this article, first to correct the problem. Connecting directly to the Internet without a firewall is definitely a bad unsafe practice. The process of configuring a firewall to implement port forwarding on a fire wall can be said to be very different. You can buy most consumer-level router/firewall devices that provide port forwarding functionality that users can easily handle. If you're running your own linux-based or BSD-UNIX firewall on some old hardware, you might want to know how to do it. We assume you've configured the Internet-facing fireWall to receive SSH connections on port 2200 and transfer these connections to port 22nd on a UNIX-like system on your internal network. You'd better not use a firewall as a proxy server, although this is possible and even easy to implement. You have to be sure that you secure SSH on your proxy server, and you can safely deal with common brute force password attacks. You must also ensure that your server accesses the Internet via the firewall in HTTP. Finally, to connect to your home network from an external network, you must know which IP address you can use. This may need to be treated with caution. For a service provider that assigns a relatively stable IP address, you must find out what this IP address is and make sure you don't lose it. You can save it to a text file in your notebook computer. If your ISP often changes your IP address, you may need to take more stringent measures. Now there are many services that can resolve DNS domain names to dynamic IP addresses, for example, you can point to a domain name on a Web server in a home, even if your IP address changes frequently. This is a possible solution to this problem, and possibly the simplest one. When an IP address changes, a client of these services needs to be installed on a computer in the home to notify the service's DNS server. Encrypted proxy connection The rest of the steps to a Web proxy encryption connection at home are done on the client computer, possibly on your laptop, where a generic Unix-like operating system such as a Debian GNU or FreeBSD) is not difficult. We will assume that you are currently using one of these operating systems. If you are using a dynamic DNS resolution service, you may need to replace the IP address in the following example with the domain name that you are using. In this example, for convenience, we assume that you are using static IP address 25.10.101.250. Creating your encrypted proxy connection requires you to enter a command similar to the following: $ ssh-d 8080-p 2200 username@25.10.101.250 the "username" section should be replaced with a regular user account name on the proxy server. This command creates a local transparent proxy on port 8080 that forwards all incoming traffic to the 25.10.101.250 2200 port. The last thing you need to do to make things work is to tell your Web browser application to use 8080 ports on the local system for all connections. For example, in Firefox, you can open the Options dialog box, click the Advanced tab, click the Network tab under it, and click the Settings button to the right of the Connection tab box, as shown in figure: 498) This.width=498 ' OnMouseWheel = ' javascript:return big (This) ' style= ' border-right:black 1px solid; Border-top:black 1px solid; Border-left:black 1px solid; Border-bottom:black 1px solid "src="/files/uploadimg/20080222/1158110.jpg ">498" this.width=498; ' OnMouseWheel = ' Javascript:return big (This) ' style= ' border-right:black 1px solid; Border-top:black 1px solid; Border-left:black 1px solid; Border-bottom:black 1px solid "src=/files/uploadimg/20080222/1158111.jpg" > then make sure that the "Configure agent Manually" radio button is selected, on the "Socks host" Enter the local host in the text box on the right, and enter 8080 in the corresponding port field. If for some reason, use "SOCKS V5" can't work, can try to change to "SOCKS V4". In this way, you can use OpenSSH as a secure Web server. Have a good time! "Responsible Editor: Yutie TEL: (010) 68476606" Original: Wireless security: Make OpenSSH a secure Web server return to network security home