SSH Tunnel Security
The fun police at work have blocked a number of previously accessible sites. Due to this, I am considering setting up an SSH tunnel to my machine at home (using port 443) and browsing the web through that connection. Before I do this, however, I just want to know if there are any security risks to my company in doing this. For example, if my machine was compromised, would it be possible for a virus/hacker to piggyback on the tunnel and access the company's systems? Are there any other security concerns?
I am running Ubuntu 10.10 on my home server with OpenSSH. To access the company network from home, we need to authenticate using a Cisco VPN.
Hmm, if you're putting up an SSH connection to home, then you'll be running on port 22 normally, no? Surely you don't want to use the SSL port for SSH? Or perhaps you've just mixed them up.
I did this when I was at a former employer - and they didn't really like it but...
I set up SSH using strong keys (2048 bit at the time), and stuck the key on a memory stick. I set up my SSH using a different port (> 1024) for my SSH connection, to prevent lots of stupid log entries telling me that script kiddies had tried to connect.
On my home network I ran Squid proxy, and I also set up my home machine with VNC server running all the time.
At work I just needed to connect over SSH and use port forwarding to connect my local 8080 port to my Squid proxy at home and I could browse anywhere I liked. I also forwarded the VNC port to my local machine and I could open the VNC session whenever I wanted and use the browser on the remote VNC session - usually this was more convenient anyway.
Eventually I set up a virtual machine on my desktop at work and did all my connections from that - it just hid the trail a little more. It also meant that my keys weren't stored on my main desktop machine, but in my VM.
Unless you keep your keys on a memory stick and run something like PuTTY to connect, you'll end up with your private key on your work computer, and that's a route to being compromised if anything breaks and your work computer has to go in for maintenance, or if they go poking around it. Also, if they monitor network traffic, then you could get into deep trouble if what you're doing is against your company policy (you really will be not_the_messiah, but a very naughty boy :D).
I don't do this stuff nowadays. If I want to talk to my home computers, then I use my own laptop and my own 3G dongle. On principle I don't trust any network that isn't my own in these kinds of circumstances - and that includes the one at work.
Sounds like a great reason to get fired. If I was your admin you would be going home early the day you set it up.
Exactly my thoughts: if they own the network and equipment they set the rules.
Originally Posted by sml156