SSH Tunnels

Account Security

ssh tunnels

Whenever you need to send your password across the Internet, there is a chance that it can be sniffed. For this reason, many services have secure authentication methods or secure alternatives. (For example, APOP authentication for e-mail and SCP instead of FTP for file transfers.) However, some services do not have secure alternatives, or some clients do not support the standard alternatives. (For example Microsoft Outlook does not support APOP.) In the majority of cases, it is possible to set up an SSH tunnel for such a service. If you have the SSH package on your system (see: openssh.org) then you can follow the instructions that came with it to set up a tunnel, but if you are already using the TTSSH extension to the Tera Term terminal program, you already have everything you need to easily set up SSH tunnels. This document will explain how to do so. There is also a description of how to set up an SSH tunnel using the popular PuTTY program.

First, a brief explanation of an SSH tunnel may be in order. Basically, what this does is to pass any data you send to a port on your local machine across a secure, encrypted connection to our server, where it is then redirected to the appropriate port. What this means is that your password and data is only sent in cleartext from your machine TO your machine, and from our server TO our server. When it is actually sent from your machine to our server (and back), it is encrypted. This pathway is known as a "tunnel", and anything going through that tunnel (including passwords) is encrypted; safe from sniffers.

Using PuTTY to set up an SSH tunnel:

Download and install PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (Be sure to get the Windows-style installer).
Create a batch file named tunnel.bat (you can put it anywhere you want) containing the following:

@echo off "C:\Program Files\PuTTY\plink.exe" NAME@twistedbits.net -pw PASS -L 110:127.0.0.1:110 -ssh call tunnel.bat (Or if you prefer, you can download a copy by doing a right click and "save target as" on this link: tunnel.bat)

Now, make the following changes to the tunnel.bat file:
- If you have installed PuTTY in a different location, be sure to change the C:\Program Files\PuTTY\plink.exe path to point to wherever the installation put plink.exe
- Replace NAME with the usercode you use to log into the mail server, and PASS with your password
In your mail program, set your POP3 server to "localhost" and port 110 (should already be set) and use the same username and password as before
Anytime you want to be able to check your email, tunnel.bat will have to be running. You can place a shortcut to it in your Startup menu, just make sure in the properties to set "Run" to "Minimized" so you don't have to do it yourself.
tunnel.bat will leave a command prompt window running in your taskbar all the time. The connection might drop, but the batch file will restart it if that ever happens.
To kill the connection, simply close the tunnel.bat command prompt window.

(Many thanks to Andy Levy for the above PuTTY info!)

Note that if you would like to set up additonal SSH tunnels to other services such as Web, etc. all you need to do is to duplicate the plink.exe line and change the port numbers. (If you need any help with this, please feel free to contact us at the e-mail address at the bottom of the screen.)

Using the TTSSH extension to Tera Term to set up an SSH tunnel:

In this example, we will show you how to use the TTSSH extension to Tera Term to set up an SSH tunnel to download your e-mail and use the web based account manager via a tunnel. However, the procedures listed here can be used for most any service.

First, you will need to open up TTSSH, and connect to our server. (Well, any server really, you just need to get the program open so that you can go to the setup menu.) Once the program is running, go to File, Setup, SSH Forwarding, as shown at right.

That will bring up the window to the right. As you can see, a tunnel has already been set up which directs anything locally on port 80 to port 80 at www.twistedbits.net. (Port 80 is the default WWW port.)

Ok, lets set up a tunnel for downloading e-mail via POP3.

Click on the Add button to set up a new tunnel.

This will bring up the dialog box shown to the right. You want to forward the local port "pop3" to the remote machine "mydomain.com", port "pop3". (When you are actually setting this up for yourself, don't use "mydomain.com", replace it with your own domain name or "mail.twistedbits.net". Click the OK button.

You are now back at the previous window, where you can see local port 110 (POP3) has been forwarded to "mydomain.com", port 110.

Click the OK button to exit this window.

Now you must save your configuration, or else when you exit Tera Term, these settings will be lost. Go to File, Save setup, as shown at right.

Save the settings to the default TERATERM.INI file.

Now, go to your e-mail client and change the settings. For this example, we would have our POP3 server set to "mydomain.com", or "mail.twistedbits.net". Change this to "localhost" instead. Essentially, you are telling your e-mail client to download your mail from your own machine, port 110. (Of course, since the tunnel is set up, it will really be downloading via the secure tunnel because the port is forwarded.)

To use the accunt manager in a secure window, you can open up your web browser and to to http://localhost, as shown at right. Remember, we directed the local port 80 to port 80 on www.twistedbits.net. Now, when you enter your password on the web page, it isn't going across the Internet in clear text.

Here are the somewhat annoying things about setting up the tunnels. Firstly, you must open up a connection to our server with Tera Term via SSH and log in successfully before the SSH tunnels will be set up. Secondly, if you open up a second Tera Term window, you will get the error message shown to the right. Its nothing to worry about, just annoying. What it is telling you is that it couldn't set up some of the tunnels because the ports are already in use. That's because the first Tera Term window you opened has ALREADY set up the tunnels, so of course the ports are in use.

What you should be asking yourself whenever you use a program that connects to our server and which requires a password is, "is this password being transmitted via plain text, or is it encrypted?" If the program itself doesn't have provisions for encrypting the password, then you may want to think about setting up an SSH tunnel as described above. For example, if you are in the habit of viewing your WWW log analysis, you know that you go to http://www.whateveryourdomainis.com/wwwlogs/reports, at which point you are asked to input your password. This password is being submitted via plain text, and because it is the same as your account password, you really should think about using an SSH tunnel instead. To do this, you'd just set up Tera Term as described above to go from a local port to port 80 at www.whateveryourdomainis.com. Now, if you have already set up local port 80 to www.twistedbits.net, you will need to choose a different local port, 8080 for example. Another alternative is to simply use the tunnel which has already been set up by going to http://localhost/~yourusercode/wwwlogs/reports.

Yet another alternative for viewing your log reports is to you can access our web site via SSL. To do so, type the following URL into your browser:

https://www.twistedbits.net/~usercode/wwwlogs/reports

(Obviously, change "usercode" to your own actual usercode. The squiggly looking thing in front of usercode is a tilde, and it is usually located to the left of the " 1" key on your keyboard.)

Here are some links where you can download the software described on this page:

PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Tera Term Pro - http://hp.vector.co.jp/authors/VA002416/teraterm.html

TTSSH - http://www.zip.com.au/~roca/ttssh.html

If you have any problems, questions, etc. please feel free to contact us at support@twistedbits.net