Ssh dynamic port forwarding and tcpdump shows cleartext

dumpport-forwardingssh

I'm trying to encrypt my web traffic using SSH dynamic port forwarding in case I happen to be in moot places such as internet cafes, hotels and so on.

On my laptop I installed an SSH server and executed:

ssh -C -D 1080 myuser@localost

I then configure my browser to use a socks proxy on localhost:1080

I tried to browse a few sites to see what was sent but I guess I'm doing clearly something wrong because upon a tcpdump:

sudo tcpdump -A -i eth0 dst www.example.com

I see everything in clear text, even some fake password I tried on forms.

I thought I was setting up and encrypted tunnel, impossible to snoop.

What am I doing wrong?

Thanks for your time.

Best Answer

You are creating SOCKS proxy with tunnel from your local computer to your localhost. But from the localhost to the target server (example.com), the data re not encrypted anymore. Diagram:

[browser] ==SOCKS== [localhost:1080] ==SSH== [localhost] ==HTTP== [example.com]

(where only the SSH part, meaning SSH tunnel, is encrypted)

You can encrypt this SOCKS proxy only point-to-point (from your client to your ssh server) and not further. The HTTP server expects normal HTTP requests and not SOCKS messages.

If you would like to be safe from the snooping in the hotel or somewhere else, you need to have an SSH server in some location other than on your computer (e.g. VPS, home). But it won't protect you from snooping "around" the other computer.

Related Solutions

SSH tunnelling with multiple dynamic port forwardings

Am I right in thinking you've got your computer (computer A), and say two servers (A and B) which you can't connect to directly on a certain port and so want to tunnel to them over SSH?

If so, you create two tunnels from your machine (one to each target server) on different local ports using -L not -D, and then in your monitoring tool you connect to your local machine (no proxy settings) as if it was the remote server you want to check.

ssh -L 9000:localhost:<local port jstatd listens on> user@server1
ssh -L 9001:localhost:<local port jstatd listens on> user@server2

Then using your local monitor you connect to localhost:9000 and localhost:9001 and those tunnels connect you to your target jstatd's.

If there's an intermediate server, then a two hop tunnel,

ssh -L 9000:server1:<local port jstatd listens on> user@bastion-host
ssh -L 9001:server2:<local port jstatd listens on> user@bastion-host

Hmm, if bastion-host can talk to all the JVM's, then

ssh -D 9000 user@bastion-host

Is enough to create a socks proxy you can then just use over port 9000.

SSH Over Socks Proxy – How to Connect Without Username or Password

It sounds to me like you need a socks client, or a ssh client that understand socks. -D is for ssh to be a socks server/proxy.

You could use ssh under tsocks, or another SOCKS wrapper. Or use ssh's ProxyCommand in conjunction with socat or nc -X:

ssh -o ProxyCommand='socat - socks:B:%h:21,socksport=1080' C

To have a HTTP proxy that uses the SOCKS server to send HTTP requests, you can run a small proxy (like tinyproxy) under tsocks.

Note that not all applications play nicely with tsocks or any similar wrapper that relies on LD_PRELOAD, but tinyproxy does.

Also note that you may have issues with domain name resolution (depending on whether you want the names to be resolved on either side of the tunnel). tsocks doesn't work well for resolving names remotely. The only way it can work is when your nameserver (in /etc/resolv.conf) is reachable from the other end and you're using TCP for domain resolution (which tsocks can attempt to enforce but generally fails in my experience). socksify from dante's SOCKS client/server works better in that instance as it also wraps resolving functions and can also use a nice little trick to fake name resolution so that SOCKS by-name connections can be used.

Best Answer

Related Solutions

SSH tunnelling with multiple dynamic port forwardings

SSH Over Socks Proxy – How to Connect Without Username or Password

Related Question