Skip to content

bypassing the internet police at work using SSH...

Featured Replies

I've a cunning plan, although with most cunning plans they normally fail!

I've been doing some reading and seen its possible to open an SSH tunnel to my computer at home and use that as a proxy server.

Right most work firewalls allow traffic out on port 443 for secure internet sites. But SSH uses port 22.

Now would the correct thing be to change my pc to listen on port 443 and open this port up on my router or leave ssh listening on 22 and forward port 443 on my router to port 22.

This was prompted by this article http://www.buzzsurf.com/surfatwork/ and the fact briskoda is now blocked! Even though car websites are aloud, in fact if anyone works for surfpatrol sort out the categories!!

Although it will work (in principle at least), the real problem comes when the company also checks traffic destinations for secured connections such as SSH.

The company I work for does, and they'd shut it down as an unauthorised VPN.

Most companies don't go that far though ;) so you should be cool :)

I dunno if Briskoda has ratings to indicate it's a safe site etc?

Of course if you drop via a proxy on your home network via SSH you'll be restricted to the upload link speed of your connection (plus your work one). Should be fine though :)

  • Author

port 22 is defo blocked! Didn't change that. But port 443 is meant to be.

I work in IT to, we should have free access...

what I'd really like to do is fool it into thinking my ip address was the internet polices computer so it looks like he's looking at the net all day... can that be done?

  • Author
Although it will work (in principle at least)' date=' the real problem comes when the company also checks traffic destinations for secured connections such as SSH.

[/quote']

what would an SSH connection show up as? just a secure page and my host name at home?

There's so much to this networking stuff... company I used to work for someone found out we could change the default gateway so we were on a different segment of the network and it bypassed the monitoring...

I got into serious trouble when they got the surfpatrol software, left my work pc logged into gmail all week, even at night... 50'000 hits! Apparently I was surfing more hours than was at work, they didn't notice that fact until I pointed it out!

  • Administrators

You should be able to do the following:

Find a back up adsl line or similar

Set your home router to accept tcp on a port, lets say 443 and forward that to a port inside, which is either a dmz machine or internal lan with a proxy listening. It will also need dns.

I use our backup router and do this command:

route add -p

If this is too problematical, that is sites with lots of ip's then connect to your local proxy.

Quicker still go for a vpn to home *cough* backup reference media for work ;) *

Of course none of this is offered with warranty or onsite support ;) But it is at a better rate than normal ;)

One other item; if your caught breaking work rules it can be the ganglies and brick time. Part of the reason I'm so busy now is I can't surf any more...Charlie don't surf; why does that sound so familiar. :D

It is exactly what I (have to) do. I have a server at home which listens on port 443 for ssh. I then use Putty to connect to my home server, and use it's tunneling function to tunnel any connections made on my work pc at 127.0.0.1:8080 to my squid proxy server at home. I then use Firefox with the proxy set to 127.0.0.1:8080 to surf the net.

:rofl: - it's amazing how many IT-related workarounds you can find when you try ;)

In our office everything is logged, every packet that goes out via the main router. This includes literally all traffic, analogue modems excluded but they are to sh*te to consider :P

SSH traffic does show up on the logs for sure, and although it's encrypted the packet sniffer will show where it's going. Not a big deal generally, it's only when you have total paranoia.

In the future it's likely I won't be able to get to hardware sites as it has the word 'hard' in it, which used to trigger the US' blocking software. In the UK we're slowly being forced to use the same kinda thing as our IT is pushed from the US.

Local IT guys aren't keen on it either but they're starting to struggle to work around it (read: they've tried as per above, which works for most places where you can get to the net at all) without getting noticed.

Must have a play about with putty again soon :D

my mate configures all the switches and routers at work, so we've got PCs with static IP addresses that don't get filtered or logged

If you only want to use it for HTTP traffic you can try setting up a HTTP proxy (with authentication and SSLing the "last-mile" channel from you at all times)

This way it will look as normal SSL traffic to a webpage (the session hello packet and stuff).

Run your SSH server at home on port 443, then connect from work and setting up ssh port forwarding. Tunnel your local port 80 so that it gets tunneled over the SSH tunel and bobs your uncle.

Works very well and on port 443 it looks like you are connecting to an SSL webserver as there is no way for them to distinguish the packets.

You could of course always set up a https tunneling proxy on a server at your home. Obviously if they catch you you are likely to get a good talking to at the least.

The joys of being in control of all the logging, firewalls, blocking software and network config. My PC has the ability to bypass the whole hog except the firewall, and just has direct unproxied access to the web.

Would something like logmein work, from www.logmein.com free to use for basic remote control functions.

Im in the same boat as manny... I AM mr websense :rofl:

but because we are kinda bolting all this on to a new infrastructure plan, we cant just route all connections through ISA as theres alot of legacy apps that go via borderware.. so firefox with no proxy is enough to get round it in our company ;)

I use Remote Desktop from work to my home PC and can browse the net, download BitTorrents, even virus scan the home PC. Slightly slow, but that'll depend on your broadband speed.

As the IT guys use RDC to do all the tech help the ports not blocked, it's free, and only takes 30 seconds to set up without needing any specialist knowledge.

I'm sure it's not secure, but we don't have very restricted access here anyway. But means you can still check out NSFW posts in the office. And can do all the bits and bobs you need to do at home from the office. And check on your downloads etc.

I love it.

RDP 5 (eg win 2k3) is pretty secure :)

Is it possible to bypass ISA server and connect directly to the web via the router? If I were to install Firefox could I have different gateway etc. settings for that to IE? I tried changing the IE gateway etc. but that just screwed up my connection to the Exchange server.

Is it possible to bypass ISA server and connect directly to the web via the router? If I were to install Firefox could I have different gateway etc. settings for that to IE? I tried changing the IE gateway etc. but that just screwed up my connection to the Exchange server.

It depends how your organisation is set up... worth a shot tho, i just mentioned firefox because it can have separate proxy settings to IE/windows. It may be that your work force proxy via GPO but still have a open firewall, or maybe they have two proxys (my old company had a inbound and outbound proxy, but i managed to jump onto the inbound proxy which wasnt logged) :thumbup:

I have access to the server easily, but I have no idea how ISA works.

Where do I need to go to find the settings I can try in Firefox?

If your pc is able to do local dns lookups, then its just a case of allowing your pc outbound on port 80 and 443. To test the dns, on your office pc, drop to a command prompt and type nslookup www.google.co.uk, if you get an IP address back that means your pc can get an external IP. If it doesnt work, then you may have problems getting round isa.

I get:

server: prospotserver.smallbusiness.lan

Address: 10.0.0.2

Non-authoritive answer:

Name: www.1.google.com

Addresses: 64.233.161.99' date=' 64.233.161.104, 64.233.161.147

Aliases: [url']www.google.co.uk[/url], www.google.com

Does that look hopeful or not?

Yes, thats good. it means your pc can do dns, all you need is to get those ports opened to your pc. As we dont use ISA as a firewall I cant tell you how to add your pc IP to the rulebase, but its just a case of adding a rule that says allow all port 80 and 443 (http & https) for your IP address or hostname.

Just had a look on ISA managment on th eserver an dhave no idea where I need to add such a rule :(

I assume there is no way to connect directly to the router, bypasssing the ISA all together (short of running a cable from my pc)

Yep you could have a different gateway, but thats assuming the network routing hasn't been set up to route all packets off the network via ISA.

Eg you can try, but i doubt it will get you very far.

I'v ebeen browsing some ISA forums and it seems this is a common querey. It would seem theat if the ISA server is the onyl thing between me and th erouter then ther eis no way around it.

However, if I knew how to create a rule that would allow my PC to travel through the ISA server without being logged that'd be good.

Just to clarify, the MD is fine with web surfing, but the IT "consultant" keeps sending him logs of most visited sites etc.

The "consultant" is a former solicitors clerk who seems to hate me for no reason at all - other than he sees me as a threat to his 12 month contract which ends soon.

If I could bypass his ability to show logs to people I'd be happy - if only from the satisfaction that I've beaten the guy.

Its nothing personal.......... actually, it is !

check out corz.org and in particular the section on the BT Voyager 205 ADSL router hacking. Even if you don't have this router (I do) it's a worthwhile read and shows you neat tips and tricks to essentially mask your IP address and stealth your router and close all none essential PC ports.

Hmm a consultant you say...

Use a remote comprimise on his desktop box to get yourself access to the box and run a small proxy server on the box with absolubtly no logging on incomming connections.

The make a load of connections to sites of a dubious sounding nature (which are not really dubious). Now watch him show the ISA logs when 'he' has been browsing dody sites from his own IP address.

:)

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.