SSH – helping you stay secure when away from home

This past weekend Kay and I took a trip to Osage Beach, MO for a long weekend with family. We left Friday evening and stopped in St. Louis to stay at a friend’s place, finishing up on Saturday morning. We were staying through Tuesday afternoon, and even though Kay took both days off, I only had Tuesday. So again that left me working remotely, but that’s what I do every day, so no big deal as long as I had an internet connection.

For work, being remote doesn’t raise many security concerns, as I VPN into the network. But dealing with personal business away from the comforts of the home network is a different story. That is where SSH can come in very handy.

Anytime you’re using a public internet connection, you’re at risk of someone sniffing traffic to get information. A good rule of thumb is that if you’re at an internet cafe, Starbucks, local hot spot, etc., never enter login credentials unless the URL starts with https. Most of us by now have come to look for the lock at the bottom of the browser when purchasing products, but one place that’s forgotten is email. Most who access email do so via POP or IMAP, both of which have secure capabilities, but some hosts don’t enable them or we users don’t bother to check. That means your username and password, which more than likely are entered for you automatically, are subject to capture because they’re not encrypted. This is where SSH can be your friend.

If you have shell access to a machine/server on the internet and SSH is running on it, you can forward the POP requests, including the SMTP (sending of emails), through it to add a layer of security while you share the internet with the 10s or 100s of others using the same hotspot. The -L switch in the SSH client allows for forwarding of ports, and this is what you’d use. Some details from the info page:

-L [bind_address:]port:host:hostport
 Specifies that the given port on the local (client) host is to be
 forwarded to the given host and port on the remote side.  This
 works by allocating a socket to listen to port on the local side,
 optionally bound to the specified bind_address.  Whenever a con-
 nection is made to this port, the connection is forwarded over
 the secure channel, and a connection is made to host port
 hostport from the remote machine.  Port forwardings can also be
 specified in the configuration file.  IPv6 addresses can be spec-
 ified with an alternative syntax:
 [bind_address/]port/host/hostport or by enclosing the address in
 square brackets.  Only the superuser can forward privileged
 ports.  By default, the local port is bound in accordance with
 the GatewayPorts setting.  However, an explicit bind_address may
 be used to bind the connection to a specific address.  The
 bind_address of ``localhost'' indicates that the listening port
 be bound for local use only, while an empty address or '*' indi-
 cates that the port should be available from all interfaces.

You’ll want to make sure you’re root, or have admin privileges, on the machine you’re running the ssh client on, and then execute the following from a command line:

ssh -L 110:<your mail server name>:110 <ip of your remote server> -l <account on the remote box>

This logs you into your remote server and forwards port 110 traffic from the machine you’re on, over the encrypted SSH connection, to your remote server, which passes it on to your mail server. If you want to do this for sending email, substitute 25 for 110, and if you want to do both at the same time use:

ssh -L 110:<your mail server name>:110 -L 25:<your smtp server>:25 <ip of your remote server> -l <account on the remote box>
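The -L spec quoted from the man page can be checked before it is run. The following is an added example, not code from the original post or from OpenSSH: a small Python parser for `[bind_address:]port:host:hostport` (including the bracketed IPv6 form) that reports the three properties the man page excerpt calls out. The function names and the sample hosts such as mail.example.net are assumptions made for illustration.

```python
# Added example: parser/auditor for the ssh -L spec quoted from the man page.
# Function names and sample hosts (mail.example.net) are hypothetical.
import re

# One field: a bracketed IPv6 address, or a (possibly empty) run without ':'.
_FIELD = re.compile(r"\[([^\]]+)\]|([^:\[\]]*)")

def _port(text):
    port = int(text)  # raises ValueError on non-numeric or empty input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def parse_forward(spec):
    """Split '[bind_address:]port:host:hostport' into a dict."""
    fields, pos = [], 0
    while True:
        m = _FIELD.match(spec, pos)
        fields.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if pos == len(spec):
            break
        if spec[pos] != ":":
            raise ValueError(f"unexpected {spec[pos]!r} at offset {pos}")
        pos += 1
    if len(fields) == 3:
        fields.insert(0, None)  # no bind_address given
    if len(fields) != 4 or not fields[2]:
        raise ValueError("expected [bind_address:]port:host:hostport")
    bind, port, host, hostport = fields
    return {"bind": bind, "port": _port(port), "host": host,
            "hostport": _port(hostport)}

def audit_forward(spec):
    """Return the properties of a forward that deserve a second look."""
    fwd, findings = parse_forward(spec), []
    if fwd["port"] < 1024:
        findings.append("privileged-local-port")      # needs superuser
    if fwd["bind"] is None:
        findings.append("bind-follows-GatewayPorts")  # default behaviour
    elif fwd["bind"] in ("", "*"):
        findings.append("listens-on-all-interfaces")  # reachable by others
    return findings

if __name__ == "__main__":
    for spec in ("110:mail.example.net:110",
                 "localhost:1110:mail.example.net:110",
                 "*:1025:smtp.example.net:25"):
        print(spec, "->", audit_forward(spec) or "ok")
```

With a forward such as `localhost:1110:mail.example.net:110`, no root is needed and the listener is local only; the mail client then connects to localhost port 1110.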

This comes in very handy for me since, as I’ve noted in the past, emails sent from my domain are sometimes seen as spam. So I can ensure when I’m on the road, connected to the internet via XYZ ISP, that I don’t have to change any email setup, just execute the command before opening my email client.

Cheers !!!
