HowTo: Set Up Reverse SSH Tunnels to Forward Ports

~~   Forward   ~~

Sometimes, we have a powerful machine on our LAN, where we would like to run -all- our services like Squid, CUPS, MythTV, TOR, and so on. In my case this is my Home Theater PeeCee. I have all the appropriate daemons running on that machine and their listening ports are only on 127.0.0.1, and not on any outside interfaces (which would be a security problem).

But I also want these services on the other machines of my LAN, like the laptop and so on. With reverse SSH tunnels, on the laptop I initiate a tunnel to the HTPC, and the HTPC’s daemon port is then forwarded through the encrypted tunnel to the laptop. That port now appears on the laptop at 127.0.0.1 as if it’s local. When I use that service, the laptop reaches into its bellybutton, goes through the encrypted tunnel to the remote server, and accesses the service running on the remote HTPC. All of this is done through SSH with military-grade encryption, so you can do this no matter where you are, securely. No matter what daemon, only port 22 is ever open to the outside. And, it’s fast.
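Two checks a practitioner wants before relying on this setup: that the daemons on the server really are bound to 127.0.0.1 and nothing else, and that the forwarded port on the laptop is itself bound to loopback rather than to every interface. The script below is an added example, not code from the original post: it audits a constructed sample of `ss -ltn` output (the host name `htpc` and the service ports are assumptions) and builds the matching `ssh -N -L` command, binding the client end explicitly to 127.0.0.1.

```python
"""Audit which services on a host listen only on loopback, and build the
ssh command that brings those ports to a client over an encrypted tunnel.
The `ss -ltn` output below is constructed for this example."""
import shlex

# Constructed sample of `ss -ltn` output, as it might look on the HTPC:
# Squid (3128) and CUPS (631) on loopback only, sshd on every interface,
# and one daemon (6543, hypothetical) accidentally bound to the wildcard.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128        127.0.0.1:3128       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      50                 *:6543             *:*
"""


def parse_listeners(ss_text):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # IPv6 is bracketed
        yield addr, int(port)


def is_loopback(addr):
    """True for IPv4 127/8 and the IPv6 loopback address."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(ss_text):
    """Listeners bound to a wildcard or interface address (reachable from outside)."""
    return [(a, p) for a, p in parse_listeners(ss_text) if not is_loopback(a)]


def loopback_only_ports(ss_text):
    """Ports bound to loopback and to nothing else: the tunnel candidates."""
    loop, other = set(), set()
    for a, p in parse_listeners(ss_text):
        (loop if is_loopback(a) else other).add(p)
    return sorted(loop - other)


def tunnel_command(remote_host, ports, local_bind="127.0.0.1"):
    """Build `ssh -N -L` mapping each remote loopback port to the same local
    port; the local end is bound explicitly to loopback so the forwarded
    service is not re-exposed on the client's own LAN interfaces."""
    args = ["ssh", "-N"]
    for p in ports:
        args += ["-L", f"{local_bind}:{p}:127.0.0.1:{p}"]
    args.append(remote_host)
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {addr}:{port}")
    print(tunnel_command("htpc", loopback_only_ports(SAMPLE_SS)))
```

Port 22 appearing in the exposed list is the intended exception (it is the one door); anything else there is a daemon that should be re-bound to 127.0.0.1. The same audit run on the laptop after the tunnel is up should show the forwarded ports on loopback only.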

(more…)

*POOF*, BitCoins Gone

Silk Road 2.0 ‘Hack’ Blamed On Bitcoin Bug, All Funds Stolen

Oh dear. I’ve been tracking this bug and should have known that if Mt Gox got hit, so would SR. After this hit the news and I researched it, it looks like numerous SR users warned them beforehand too. It may be that these warnings tipped off the perpetrator and gave him the idea.

This is why you keep coins in your own wallet and avoid leaving them lying on third-party accounts like SR. Only transfer coins when you’re about to buy something. (but not at SR)

(more…)

HowTo: Render SSL on your Hosted Websites


~~   Forward   ~~

With all the websites that still do not use SSL, and the clear benefits that SSL provides, the only reason I can see that people are still not using it is that it’s not straightforward for the time-challenged and the uninitiated.   So let’s do this.

Secure Sockets Layer is currently the most common method of encrypting access to websites. It’s used by all manner of e-commerce, banking, security and other websites, and is highly advisable for all sites as it provides protection for your visitors and you. SSL is a streaming cipher (as opposed to a block cipher, e.g. for disks) which offers perfect forward secrecy as it uses a long-term public/private keypair to exchange short-term symmetric keys for streaming.

This HowTo assumes that you have one or more websites residing with a hosting firm, and that you control them with cPanel.   It also assumes that you’d like to have your SSL certificates, eh, without cost.

(more…)

HowTo: Set Up TOR for a Single User, or as a LAN Gateway

~~   Forward   ~~

The TOR Project (“The Onion Router”) is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It provides the foundation for a range of applications which allow organizations and individuals to share information over public networks without compromising their privacy.

  • Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, email, instant messaging services, IRC, or the like when these are blocked by their local Internet providers. Tor’s ‘hidden services’ let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.
  • Journalists use Tor to communicate more safely with whistleblowers and dissidents.

(more…)

HowTo: Cache Web Objects with Squid


~~   Forward   ~~

Be kind to the Internet.   Practice good web hygiene and help yourself at the same time.   Squid is a venerable web object caching server, which optimizes the data flow between your browser and that distant webserver to improve performance and cache frequently-used content to save bandwidth.

(more…)

HowTo: Prevent DNS Cache Poisoning

~~   Forward   ~~

There has been a long history of attacks on the domain name system, ranging from brute-force DoS attacks to targeted attacks requiring specialized software.   A ne’er-do-well could send a few packets, which result in many packets to the target, an effect called ‘amplification’.   In July 2008 a new DNS cache-poisoning attack was unveiled that is especially dangerous because it doesn’t require substantial bandwidth or CPU nor does it require complex techniques.

With ‘cache poisoning’ an attacker inserts a fake address record into a Domain Name Server.   If the DNS accepts the false record, the cache is poisoned and further requests for that domain are sent to the attacker’s server.   The fake entry is cached by the DNS for as long as the ‘time to live’ (TTL), usually a couple of hours.   So you might think you’re going to your bank or to pay a bill, but you’re handing over your login info to the attacker.
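What stops a forged record from being accepted is the set of checks a resolver applies before caching a reply. The following is an added example, not code from the original post: it models a pending query with a random 16-bit transaction ID and a random source port, and accepts a reply only if both match, the question matches, and each record's owner name lies within the zone the queried server is responsible for (the ‘bailiwick’); cached TTLs are also capped. The names, the `MAX_TTL` value and the record layout are assumptions for illustration.

```python
"""Resolver-side checks that make a forged DNS reply hard to slip into the
cache. A reply must match the outstanding query's transaction ID, source
port and question, and only records inside the queried zone's bailiwick
are cached, with their TTL capped. All inputs are constructed."""
import secrets
from dataclasses import dataclass, field

MAX_TTL = 3600  # assumed cap: a bad record cannot linger longer than this


@dataclass
class Query:
    name: str      # absolute name asked for, e.g. "www.example.com."
    zone: str      # zone the server we asked is authoritative for
    qtype: str = "A"
    # 16 bits of ID plus a random source port: both must be guessed by a forger
    txid: int = field(default_factory=lambda: secrets.randbelow(1 << 16))
    port: int = field(default_factory=lambda: 1024 + secrets.randbelow(64512))


@dataclass
class Reply:
    txid: int
    dst_port: int
    name: str
    qtype: str
    records: list  # (owner, rtype, ttl, value) from answer/additional sections


def in_bailiwick(owner, zone):
    """True if `owner` equals `zone` or is a subdomain of it (absolute names)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def accept_reply(q, r):
    """Return the records safe to cache, or None if the reply is rejected."""
    if r.txid != q.txid or r.dst_port != q.port:
        return None                     # wrong ID or port: a guess, drop it
    if r.name.lower() != q.name.lower() or r.qtype != q.qtype:
        return None                     # answers a question we did not ask
    cached = []
    for owner, rtype, ttl, value in r.records:
        if not in_bailiwick(owner, q.zone):
            continue                    # out-of-zone record: never cached
        cached.append((owner, rtype, min(ttl, MAX_TTL), value))
    return cached


def demo():
    """Constructed exchange: one genuine reply carrying an out-of-zone
    record, one reply whose transaction ID is off by one."""
    q = Query("www.example.com.", "example.com.")
    genuine = Reply(q.txid, q.port, "www.example.com.", "A", [
        ("www.example.com.", "A", 86400, "192.0.2.10"),
        ("login.example.net.", "A", 300, "198.51.100.7"),  # not our zone
    ])
    wrong_id = Reply((q.txid + 1) & 0xFFFF, q.port, "www.example.com.", "A",
                     [("www.example.com.", "A", 300, "203.0.113.9")])
    return accept_reply(q, genuine), accept_reply(q, wrong_id)


if __name__ == "__main__":
    print(demo())
```

The bailiwick rule is what discards the out-of-zone `login.example.net.` record even though the reply itself is genuine, and the TTL cap bounds how long any accepted record can stay in the cache.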

(more…)