Saturday, October 11, 2008

What Color Are Hiv Spots



In most educational institutions, businesses, libraries, etc., there is a firewall (usually an ISA Server) that restricts Internet access to certain ports. This is done to prevent users inside the firewall from accessing applications and protocols that the administrator has marked as unsafe or bandwidth-consuming, such as MSN Messenger, Internet radio or online games (like Lineage II).
For all of us who are trapped inside the firewall, that is frustrating, but it's over. No more worrying about that: there is a way to get past any firewall that does not raise any suspicion* because it uses ports 80 (HTTP) and 443 (HTTPS) to establish the connections, so everything looks like an innocent connection to a web page.

* As long as the firewall we are trying to get past does not have a packet sniffer. Nor will anyone be surprised by the continuous flow of data over HTTP (it could be, for example, a video on YouTube).
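The footnote's condition matters in practice: an SSH endpoint announces itself in cleartext as soon as the TCP connection opens, whatever port it uses. The following is an added example (not part of the original post) of how a packet inspector can classify the first bytes seen on ports 80/443; the function names and the sample byte strings are constructed for illustration.

```python
"""Classify the first payload bytes of a TCP stream seen on port 80 or 443."""
import re

# RFC 4253, section 4.2: both peers open with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+( [^\r\n]*)?\r?\n")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for the start of a stream."""
    if SSH_ID.match(payload):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def flag_mismatches(flows):
    """flows: iterable of (dst_port, first_payload). Return the flows whose
    protocol is not the one the port is supposed to carry."""
    expected = {80: "http", 443: "tls"}
    hits = []
    for dst_port, payload in flows:
        seen = classify_first_bytes(payload)
        if dst_port in expected and seen != expected[dst_port]:
            hits.append((dst_port, seen))
    return hits


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_3.8.1p1\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    (443, b"SSH-2.0-OpenSSH_3.8.1p1\r\n"),
]

if __name__ == "__main__":
    for port, proto in flag_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: expected web traffic, saw {proto}")
```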

Well, for all the impatient ones reading this, here is how to do it:


What you need:



A computer outside the firewall with OpenSSH installed and for which we have credentials. (I use my home PC.)

An SSH client on the computer that is inside the firewall, from which we will connect to the restricted protocol/service.

No big deal, right?


Preparing the relay machine


The relay machine is the computer we have outside the firewall. On it we install the OpenSSH Server and configure it to serve on port 80, because the firewall only allows connections to that port. http://sshwindows.sourceforge.net/
Once installed, the OpenSSH Server must be configured:

Configuring the OpenSSH Server (Windows)


First you need to configure the port the server will serve on (forgive the redundancy). As stated, OpenSSH should use port 80, and since the default is 22 you have to change this default setting. To do it:
  1. Open the file C:\Program Files\OpenSSH\etc\sshd_config with WordPad.
  2. Locate the line #Port 22
  3. and below it add the line Port 80
  4. The file must look something like this:


# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Port 80
#Protocol 2,1
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
[...]

Ready, the server is now configured to serve on port 80. Now all that remains is to prepare the Key Based Authentication, which is what will allow us to authenticate to our SSH server (if we do not, access is always denied). To do it:
  1. Open a console and go to C:\Program Files\OpenSSH\bin\
  2. Type these commands:

mkgroup -l >> ..\etc\group

then:

mkpasswd -l -u username >> ..\etc\passwd

These commands set up the key-based authentication: the first command saves the local group information in the file ..\etc\group and the second creates a password for the user username in the file ..\etc\passwd.

[NOTE:] username must be a user name on the local machine, the name we use to log into Windows®. After that, OpenSSH will allow username, and only username, to start a remote console on the machine. If you want another user, simply execute the same command with the other user name, and that's it.

OK, that's it. Now you just have to start the service by running:


sc start "OpenSSHd"

After that the SSH server is running on the computer, serving on port 80.


Configuring the OpenSSH server (on Linux)
Configuring the OpenSSH server on Linux is as easy as on Windows. What we do is: locate the sshd_config file, found in /etc/ssh, and edit it with superuser permissions. In the file we will see something like this:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
[...]

There, edit the Port line: instead of 22 write 80 or 443, according to the port our ISP lets us use. I normally use 443 because for me 80 is blocked.

Once we've edited the file, stop and restart the SSH Server service. To do so:

$ sudo /etc/init.d/ssh stop

$ sudo /etc/init.d/ssh start

And ready. On Linux it is not necessary to prepare the key-based authentication, because the SSH server uses the operating system's authentication system, so you do not have to do anything else.


Doing the Port Forwarding

Well, now comes the fun part: connecting to a "banned" port. From this point on we are on the machine that is inside the firewall. Recall that an SSH client should be installed on this machine. If you do not have permission to install an SSH client, you can find one that does not require installation. I do not know if PuTTY can do it, but it would be worth trying (post your comments if you try).


To make this easier to understand, let's take a simple example: say we want to listen to Anime Academy Radio within the University. Normally we cannot, because the port is closed, but since we have our relay machine outside the firewall, we can.

When we go to the station's page we download an .m3u file, which essentially points us to the URL of the server's publishing point. The address the m3u points to is: rs1.animeacademyradio.net:8500

We have to make the machine that is outside relay port 8500 of the rs1.animeacademyradio.net server for us. To do so, run this command:

ssh ip_maquina -p 80 -l username -L 8500:rs1.animeacademyradio.net:8500

We type our password and we're done. That opens a remote console and does the Port Forwarding. I'll explain how it works, but first one more step is needed. Go to the Anime Academy Radio page and click the link as usual. The connection will fail because the University's proxy does not allow connections to port 8500. Then, in WinAmp, right-click the entry in the playlist and select Edit Entry, and where it says rs1.animeacademyradio.net write localhost and press play again. It should work.
[NOTE:] You can add the option -N to the command so that it does not open a remote console and only does the Port Forwarding. On Windows®, as the console window is blocked anyway, it makes no difference.


Explanation



Well, now the explanation of what we did. The command we wrote consists of the following:

ssh
is the command name (no explanation is needed)

ip_maquina
is the IP (or the name, if it has one) of the relay machine

-p 80
tells SSH to connect to port 80 instead of port 22 (which is the default port)

-l username
tells OpenSSH to log in to the remote machine with the user name username. If you do not specify this option, SSH will log in with the current user.

-L 8500:rs1.animeacademyradio.net:8500
is the part of the command that tells OpenSSH: send all packets arriving on the local machine at port 8500 to the remote machine (ip_maquina), and when they get there tell the SSH Server to send them to rs1.animeacademyradio.net on port 8500. Do you understand?
You can do other things too. Say, for example, we have a MySQL server running on our PC at home but, of course, the pig of a university proxy does not allow us to connect to port 3306. Then:

ssh ip_maquina -p 80 -l username -L 3306:localhost:3306

And ready. This command is sometimes a little confusing, so I will explain it in detail: we are telling the local machine to send everything that arrives at port 3306 to the remote machine (ip_maquina) and to tell the SSH Server, when it gets there, to send it to localhost port 3306. Is "localhost" the machine where you run ssh, or the one where the SSH Server is? It is the one where the SSH Server is: the name we put in the ssh -L command is resolved by the SSH server, and for the SSH server localhost is the PC it is running on.
In the same way we can redirect any port. It is very useful if used well. The SSH manual offers more information on using these features, and there are other interesting options, such as the -R option, which I recommend you look at. For now I will explain how -L works.

Option -L has three arguments; call them local port, destination and remote port. These arguments are written separated by colons:

puerto_local:destination:puerto_remoto

Then:

puerto_local is the port that ssh listens on at the local machine. When you run the ssh command it opens a port on the local machine and listens there; we can verify this with netstat -n -a.

destination is the FINAL machine we want to reach (the one whose service we cannot access because of the proxy). Remember that the name or address is resolved by the SSH server, so in the MySQL example localhost is still the machine where the SSH Server is running, not the one where you run ssh.

Finally, puerto_remoto is the port we want to connect to on the FINAL machine.
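For whoever administers the network, the same -L syntax is what to look for in process-creation logs on the machines inside the firewall. This added example (not part of the original post) parses ssh command lines, extracts the -p port and each -L spec in the three-part form described above, and flags sessions to port 80 or 443 that carry a forward. The log lines are constructed, and only the space-separated -p, -l, -L and -N options mentioned in this post are handled.

```python
import shlex

WEB_PORTS = {80, 443}
VALUE_OPTS = {"-p", "-l", "-L"}   # options from the post that take a value


def parse_forward(spec):
    """Split 'puerto_local:destination:puerto_remoto' (optionally prefixed
    by a bind address) into (local_port, destination, remote_port)."""
    parts = spec.split(":")
    if len(parts) == 4:            # bind_address:port:host:hostport
        parts = parts[1:]
    if len(parts) != 3:            # e.g. bracketed IPv6, not handled here
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return int(parts[0]), parts[1], int(parts[2])


def parse_ssh_cmdline(cmdline):
    """Return {'host', 'port', 'forwards'} for an ssh command line."""
    args = shlex.split(cmdline)[1:]
    info = {"host": None, "port": 22, "forwards": []}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in VALUE_OPTS and i + 1 < len(args):
            value = args[i + 1]
            i += 1                 # skip the option's value
            if arg == "-p":
                info["port"] = int(value)
            elif arg == "-L":
                info["forwards"].append(parse_forward(value))
        elif not arg.startswith("-") and info["host"] is None:
            info["host"] = arg     # first bare word is the SSH server
        i += 1
    return info


def suspicious(cmdline):
    """True when ssh targets a web port and sets up a local forward."""
    info = parse_ssh_cmdline(cmdline)
    return info["port"] in WEB_PORTS and bool(info["forwards"])


# Constructed process-log lines using the post's placeholder names.
SAMPLE = [
    "ssh ip_maquina -p 80 -l username -L 8500:rs1.animeacademyradio.net:8500",
    "ssh ip_maquina -p 443 -l username -N -L 3306:localhost:3306",
    "ssh -l username ip_maquina",
]
```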

Argh.... :C but I can't use port 80

Sometimes our machine actually has an HTTP server running on 80, in which case we can use 443 (HTTPS) for the OpenSSH Server to serve on. The command would then look like this example:

ssh ip_maquina -p 443 -l username -L 8500:rs1.animeacademyradio.net:8500

Note the change in the -p option.

Note that this Port Forwarding allows you to connect to whatever port you want on whatever machine you want, and the connection appears to be going through port 80. This means (I guess you have noticed) that if you have a machine running the SSH Server on port 80 there is no limit to what can be done, no firewall that can stop us! Take that, accursed Danica!
For now I'll stop here. If you have questions or want more explanation you can write me an e-mail or post your comment here; I will be watching. Those who know me can also comment on MSN.
There are other tricks in the bag, but I do not want to write more for today; I'll post more later. Take care.
さようなら
