What is a proxy server? According to Wiki page, it is a server that acts as an intermediary for requests from clients seeking resources from other servers. There are many types of proxy servers out there and in this tutorial it will only show one type of it which allows someone to bypass most, if not all, of the poorly designed and/or implemented web content filtering services.
There are many ways to filter websites to avoid employees going to adult, gambling, social networking sites, and etc. The ones that I know of are the following: OpenDNS, Blue Coat, and Websense. While I haven’t been on a network were OpenDNS has been implemented, I’ve been on networks with Blue Coat and Websense appliances. With this tutorial, someone will most likely be successful in bypassing these web content filtering appliances if they are not properly configured or if a firewall is allowing outbound SSH traffic. In organizations where they allow any websites to be accessed, this tutorial can also hide HTTP/HTTPS traffic by encapsulating all of user’s traffic inside SSH, which is encrypted.
What you need
- Extra computer or a new Virtual Machine (VM)
- Know how to install and update Linux with OpenSSH installed. This tutorial will use Ubuntu Server edition.
- Know how to use text editor on Linux. This tutorial will use VI editor.
- Know how to configure port forwarding on your router
- Account from DynDNS or other free Dynamic DNS
- PuTTY (Windows) or Terminal
- Firefox installed
Steps
Step one is to download, install and update Ubuntu Linux Server. In this tutorial, I used Ubuntu Server 12.04 LTS. My original installation still works with 16.04.
Step two is to install Squid package. To install the package, please follow the command below. If you want to learn more about Squid, then you might want to check out this book. I have no experience with the book so please read through the reviews.
networkjutsu@ubuntu:~$ sudo apt-get install squid Reading package lists... Done Building dependency tree Reading state information... Done The following packages were automatically installed and are no longer required: linux-headers-3.2.0-23-generic linux-headers-3.2.0-23 linux-headers-3.2.0-34 linux-headers-3.2.0-36 linux-headers-3.2.0-34-generic linux-headers-3.2.0-36-generic Use 'apt-get autoremove' to remove them. The following extra packages will be installed: libltdl7 squid-langpack squid3 squid3-common Suggested packages: squidclient squid-cgi smbclient The following NEW packages will be installed: libltdl7 squid squid-langpack squid3 squid3-common 0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded. Need to get 2,012 kB of archives. After this operation, 7,122 kB of additional disk space will be used. Do you want to continue [Y/n]? y Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/main libltdl7 amd64 2.4.2-1ubuntu1 [37.6 kB] Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main squid-langpack all 20111114-1 [307 kB] Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main squid3-common all 3.1.19-1ubuntu3.12.04.2 [123 kB] Get:4 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main squid3 amd64 3.1.19-1ubuntu3.12.04.2 [1,539 kB] Get:5 http://us.archive.ubuntu.com/ubuntu/ precise-updates/universe squid amd64 3.1.19-1ubuntu3.12.04.2 [6,254 B] Fetched 2,012 kB in 2s (753 kB/s) Selecting previously unselected package libltdl7. (Reading database ... 128431 files and directories currently installed.) Unpacking libltdl7 (from .../libltdl7_2.4.2-1ubuntu1_amd64.deb) ... Selecting previously unselected package squid-langpack. Unpacking squid-langpack (from .../squid-langpack_20111114-1_all.deb) ... Selecting previously unselected package squid3-common. Unpacking squid3-common (from .../squid3-common_3.1.19-1ubuntu3.12.04.2_all.deb) ... Selecting previously unselected package squid3. Unpacking squid3 (from .../squid3_3.1.19-1ubuntu3.12.04.2_amd64.deb) ... Selecting previously unselected package squid. Unpacking squid (from .../squid_3.1.19-1ubuntu3.12.04.2_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... ureadahead will be reprofiled on next reboot Processing triggers for ufw ... Setting up libltdl7 (2.4.2-1ubuntu1) ... Setting up squid-langpack (20111114-1) ... Setting up squid3-common (3.1.19-1ubuntu3.12.04.2) ... Setting up squid3 (3.1.19-1ubuntu3.12.04.2) ... Creating Squid HTTP proxy 3.x spool directory structure 2013/02/18 11:32:01| Creating Swap Directories squid3 start/running, process 1894 Setting up squid (3.1.19-1ubuntu3.12.04.2) ... Processing triggers for libc-bin ... ldconfig deferred processing now taking place
Step three is to configure the Ubuntu box to use static IP address or do address reservation on the home router. Since there are a lot of home routers available on the market, this tutorial will only cover assigning a static IP on Ubuntu box, which is shown below.
networkjutsu@ubuntu:~$ sudo vi /etc/network/interfaces
A new screen will show and will look like the one shown below.
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp
Change the configuration to something like this:
# The primary network interface auto eth0 iface eth0 inet static address 192.168.1.10 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 dns-nameservers 192.168.1.1
Make sure to save and exit out of the text editor. Once saved and back to Linux prompt, make sure to restart the networking services to take effect of the new IP information.
networkjutsu@ubuntu:~$ sudo /etc/init.d/networking restart * Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces * Reconfiguring network interfaces...
Since this was done remotely, the SSH session was terminated once the changes took effect.
Step four is to configure port forwarding on the home router. Again, since there are many home routers available on the market, it is difficult to compile each and every model out there to include in this tutorial.
Step five is to sign up to a Dynamic DNS service like DynDNS. This is useful for folks that are using dynamic IP address for home Internet connection. How to configure the router with DynDNS service is out of the scope of this tutorial.
Step six is to verify that the Ubuntu box is reachable via another computer on a different ISP. This is the perfect time to use the office network to connect to the Ubuntu box. If the SSH session was successful, then that means the firewall is not blocking TCP port 22 (SSH) connection outbound. If the SSH wasn’t successful, this can mean two things: port forwarding wasn’t configured correctly or the firewall is blocking SSH. Try another computer on a different ISP with no firewall blocking SSH sessions.
Step seven is to change or add SSH port to port 80 (HTTP) or 443 (HTTPS). This step can be skipped if step six was successful using the default port of SSH. To change or add port what SSH service is listening on please follow the commands below.
networkjutsu@ubuntu:~$ sudo vi /etc/ssh/sshd_config
A new screen will show up and will look like this:
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22
Change the configuration like the one shown below. Delete Port 22 line if desired. I’ve added port 80 and 443 in this configuration but either one is fine. Save and exit the text editor and reboot the server. I tried doing sudo service ssh restart or sudo /etc/init.d/ssh restart but didn’t work. Please feel free to let me know another way to do this other than rebooting the server.
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 Port 80 Port 443
Step eight is to reconfigure the port forwarding reflecting the new port that was configured earlier.
Step nine is to try connecting to the Ubuntu box from the office network using port 80 or 443, depends on how it was configured on Ubuntu box. This should be successful unless the deep packet inspection on Blue Coat or Websense has been turned on. Another one that will prevent this connection to be successful is when the organization has Palo Alto Networks firewall installed or any appliance that is capable of doing application layer filtering. That being said, this tutorial is useless for this type of network.
Assuming that step nine is successful, then step ten is to create a new SSH session but this time with different parameters. If Windows and PuTTY is being used, please follow the guide below. Please go to page four if Apple OS X is being used.
Windows and PuTTY
Enter the host name or IP address of the Ubuntu box and the port number as normal.
On the left side of the PuTTY (category section), expand SSH menu which is under Connection menu and click Tunnels option. A screenshot has been included below for your reference.
Once there, we need to add forwarded ports both local and remote. Screenshots has been included below for your reference.
Local ports
Remote ports
Since this SSH session will be used a lot, it is a good idea to save it so all the parameters will be populated when we use it again. Please see below for a screenshot.
Apple OS X and Terminal
With Apple OS X and Terminal, it is really simple compared to Windows and PuTTY combination. Please see below on how to connect using Terminal on OS X.
ssh networkjutsu@networkjutsu.com -L 3128:localhost:3128
Since this is a long command, we should create an alias to shorten the command we need to issue when connecting to the Ubuntu box. To create an alias, we need to edit the .bash_profile which is on our home directory.
NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ ls -ah . .bash_profile Documents .. .cups Downloads .CFUserTextEncoding .filezilla Library .DS_Store .putty Movies .Trash .ssh Music .anyconnect .viminfo Pictures .bash_history Desktop Public NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ sudo vi .bash_profile
A new window will show up that will look like the one below.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ".bash_profile" 2L, 120C
Enter the line shown below then save and exit out of the editor.
alias networkjutsu='ssh networkjutsu@networkjutsu.com -L 3128:localhost:3128'
By creating an alias, we save keystrokes every time we connect to our Ubuntu box as shown below. The command above is assuming that we’re using the standard SSH port which is 22. If we’re using port 80 or 443, we need to add -p 80 (or 443) in the command.
NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ networkjutsu networkjutsu@networkjutsu.com's password: Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-37-generic x86_64) * Documentation: https://help.ubuntu.com/ System information as of Mon Feb 18 13:44:53 PST 2013 System load: 0.0 Processes: 74 Usage of /: 47.1% of 6.62GB Users logged in: 0 Memory usage: 25% IP address for eth0: 192.168.1.10 Swap usage: 32% => /boot is using 91.2% of 227MB Graph this data and manage this system at https://landscape.canonical.com/ 0 packages can be updated. 0 updates are security updates. Last login: Mon Feb 18 11:58:59 2013 from networkjutsu.com
Browser settings
Most organizations lock down their Windows machines so most likely the Internet Explorer’s Internet Options will be grayed out or parts of it will be. Having said that, we need another browser that will support changing out settings that is not tied with Windows GPO. Google Chrome does not do the job since it is tied to Internet Explorer’s Internet Options. Another popular browser is Firefox which does the job that we need it to do. While I know there are other browsers out there, this tutorial was only done on Firefox. Please feel free to test other browser of your choice. See the picture below for the configuration details to use our Ubuntu proxy server.
With all steps are successfully performed, we can now start browsing to virtually all websites that we want to access from anywhere. While the tutorial mentioned only bypassing web content filtering appliances, this can also serve as our protection when we are in an open-authentication wireless network like the ones that you connect to local coffee shop, restaurants, and etc. With open-authentication, the wireless traffic are not encrypted so someone who knows what they’re doing can definitely decrypt your SSL sessions when connecting to your bank and/or email. To prevent that from happening, we can use this same method to tunnel all our HTTP and/or HTTPS traffic to our Ubuntu box. It won’t be as fast but at least our traffic is secure.
Thoughts
Tutorial such as this can easily be found on the web so I encourage network engineers who are also responsible for the network security or network security engineers out there to really find ways to mitigate ways to bypass the security in place. As more and more savvy users entering the workforce, it is becoming harder to really prevent users accessing what they shouldn’t be able to access while on organization’s network. As newer products or technologies gets introduced, always be open minded what these can do for the organization. Fortinet, Check Point, Palo Alto Networks, Cisco (with their ASA-CX), and etc they can definitely help with this type of situation. Yes, I understand that money can be tight since our economy hasn’t recovered fully yet but there are other ways to at least mitigate this type of bypass as briefly mentioned in the tutorial – deep packet inspection of the HTTP/HTTPS traffic on Blue Coat or Websense appliance and outbound firewall rules.
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.