SSH downloads

[pcm81]

Good day all.
I think i know the answer to the question i am about to ask, but want to check if i am correct.

I would like to not have unencrypted traffic going to my machine. In particular i am interested in downloading some data from server X (I have permission to download it) to my home machine H. I am thinking of renting a torrent seed box, SB, somewhere far and essentially establishing an SSH tunnel from H to SB with connection to X from SB. The traffic from X to SB is not encrypted, but traffic from SB to H should be encrypted via SSH2. Server X authenticates via password and stores cookie on logged in machine. My question is: "is SSH tunnel the correct tool to secure incoming traffic to my home machine H from eavesdroppers or do i need to download data to SB and then sftp it to H? Can cookie authentication from H to X work via SSH tunnel through SB or do i have to authenticate SB via login webpage presented by X, download files to SB and then SFTP into SB from H?

Thanks ahead

 

[ViviTheMage]

The real question is, what are you using that seedbox for .

If you can, I would VPN into the server and use whatever protocol you want to transfer the files.

You could also SSH and SCP the files across back home. That should be secure enough.

Or use SFTP and run that, you can sign your own SSL cert, or get a legit one.

 

[pcm81]

The real question is, what are you using that seedbox for .

If you can, I would VPN into the server and use whatever protocol you want to transfer the files.

You could also SSH and SCP the files across back home. That should be secure enough.

Or use SFTP and run that, you can sign your own SSL cert, or get a legit one.

Server X is an http file server. I have account to download files via http; don't have ssh account of server X. So the connection to the server X needs to be http connection with password/cookie authentication.

Don't have a seedbox yet; considering getting one to essentially use as encrypted gateway to bypass local ISP sniffing.

 

[ViviTheMage]

Even with deep packet sniffing, they'll see bits of the content though. Someone who works at the bigger ISPs can speak more about that though.

If you don't have SSH, not sure there's much you can do, if you can't install anything on the box.

 

[pcm81]

Even with deep packet sniffing, they'll see bits of the content though. Someone who works at the bigger ISPs can speak more about that though.

If you don't have SSH, not sure there's much you can do, if you can't install anything on the box.

For the sake of the argument, lets say i want to download "Adult movies" from server X which i have website account for. This is an http server with http (not https) authentication. Server X is in Europe. If i do not want my ISP in US to know what files i am downloading from server X, wouldn't an SSH tunnel to SeedBox some place in Europe prevent Comcast from seeing unencrypted "adult movies"? It seems to me i can either download them to the seedbox from server X (both of them in europe) and then scp to my machine or i could ssh tunnel from my machine through seedbox to server X? Correct? What i am not sure about is if cookie based authentication from my machine through ssh tunnel would work on server X or if seedbox itself has to be authenticated to server X.

 

[sdifox]

VPN would provide encrypted pipe, not ssh.

 

[pcm81]

VPN would provide encrypted pipe, not ssh.

Problem with vpn is that frequently they do not use strong encryption like SSH2 suit of encryptions. I have seen VPN servers that use MPPE, which is an implementation of PPTP, which in turn has had some security problems exposed... But i agree that a vpn with strong encryption wold solve the issue.

I tried creating a tunnel like this: ssh -L 9000:www.zombo.com:80 account@myremotewebserver.com -p 2222 but the reliability is questionable; for example going to localhost:9000 on my machine shows directory listing for zomgo.com, yahoo.com throws an error page and google breaks out of the frame/tunnel and loclhost:9000 in address changes to google.com...

What am I doing wrong? Is what i am trying to do at all possible? This is as much of a learning project as anything else, so the more info the better; don't be afraid of making my brain hurt. With vpn i am essentially placing my machine on their network; and to be honest i am not sure if i want to do that; at the moment my machine is behind a NAT router and placing it on some foreign network via a vpn client might bring more problems than benefits...

 

[sdifox]

Aes256 plus 2k rsa ought to be enough for your purpose.

 

[pcm81]

Aes256 plus 2k rsa ought to be enough for your purpose.

Correct, and that is exactly what is used by TLS (new SSL) but i think the server like k2s.cc or rapidshare.cc only will only use TLS to secure authentication and it will broadcast file transfers via http...

 

[matricks]

I tried creating a tunnel like this: ssh -L 9000:www.zombo.com:80 account@myremotewebserver.com -p 2222

What am I doing wrong?

You are using the -L option. You want the -D option.

Turn any Linux computer into SOCKS5 proxy in one command

ssh -D 9898 [username@]remoteserver [-p remoteport]

Set your browser/client to use 127.0.0.1:9898 as a SOCKS proxy. All activity from the application now goes to the SSH server, and from there to wherever you have requested.

Even better, set up a HTTP proxy (Privoxy, Polipo, tinyproxy...) on your computer running the SSH client, and configure it to use the above SOCKS proxy as upstream proxy. This provides some benefits:

- You can explicitly tell the HTTP proxy server that the SOCKS proxy uses SOCKSv5. Not all client applications with SOCKS support let you do this, and SSH will support both SOCKSv4 and v5. SOCKSv4 is less secure in some cases. It can't resolve domain names, so an application using a SOCKSv4 proxy uses its locally configured DNS servers, which will cause a DNS leak (whether this is an issue depends on if you trust the DNS servers you use).
- You can proxy applications that do not support SOCKS proxies, but only support HTTP proxies (which is more common).