SSH tunnelling made easy (part three)

In the previous two parts of this series, I covered simple tunnels to access services you couldn’t reach, and tunnels which let you hop from one server to another on an otherwise unreachable network.  In this article I’ll cover a powerful feature of SSH, the ability to provide port forwarding via the SOCKS mechanism.

SOCKS is a standard method to allow clients to connect to services via a proxy server.  SSH can turn any computer you can connect to (over SSH) into a SOCKS proxy for you, and you alone, as long as you bind the listener to 127.0.0.1 as in the example below.  Bind it to 0.0.0.0 (or use the -g option) and anyone who can reach your workstation on that port gets to use your tunnel, with your SSH session behind it.

Example 3 – using SOCKS proxy to access multiple services on a network via a secure server

There are several different reasons why you may need to employ SSH to deliver a SOCKS proxy.  Two common reasons are if you’re connected to a public network you don’t trust (like a cafe Wi-Fi network), or if you want to get to a range of services inside a secured network to which you only have SSH access.

Since the process is identical in both cases, I won’t cover them separately.

The diagram below shows a shared workstation (maybe in a library) connected to a public Wi-Fi network.  You can’t trust the network; anyone on it could be intercepting unencrypted traffic.

There is however a server somewhere to which you have SSH access (and which, in theory, you control and so trust).  What you would like to do is browse several websites, or connect to some other SOCKS-aware services, without anyone on the public Wi-Fi being able to intercept that traffic.  If you were only connecting to a single service you could use simple tunnelling as per the previous two examples, but this time you want to browse a few websites, and it’s not sensible to create a tunnel for each one.  In this instance you use SSH to set up a dynamic tunnel, which provides a SOCKS proxy.

The command is even easier.

ssh -D 127.0.0.1:9090 fred@shell.example.net

Similar to the previous commands, but you’ll notice there is no target destination, only a listening address and port.  The -D tells SSH to listen on 127.0.0.1 port 9090 (in this case) and act as a SOCKS proxy: each connection a client makes to that port is carried over the SSH session and opened from shell.example.net to whatever destination the client asked for.  If you don’t need a shell on the server, add -N so SSH forwards ports without running a remote command.

In PuTTY you would configure this as below,

Note that the destination address is left blank.

In order to use this tunnel, you need to do a little more work than previously.  Assuming we’re going to use it primarily for web browsing, you would need to tell your web client to use a SOCKS proxy.  In Firefox, you would configure it like this,

Now, when you browse anything in Firefox, it sends each request to the SOCKS proxy at 127.0.0.1 port 9090, which is really the SSH client itself.  SSH carries the request over the encrypted session to shell.example.net, which opens the connection to the real web server, and the reply comes back the same way into Firefox.  One thing to check in the Firefox dialog: tick ‘Proxy DNS when using SOCKS v5’, otherwise Firefox resolves hostnames locally and your DNS lookups still go out over the untrusted Wi-Fi, even though the page contents don’t.
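The exchange Firefox has with the listener at 127.0.0.1:9090, as an added example that is not part of the original post: it builds and parses the SOCKS5 greeting and CONNECT messages, runs both halves over a local socketpair standing in for the ssh client, and reports whether the destination name was sent for the SSH server to resolve (address type 0x03) or the client resolved it itself first, which is exactly the DNS leak the Firefox ‘Proxy DNS’ setting avoids.  The hosts and ports used are made up.

```python
"""SOCKS5 CONNECT handshake as a client such as Firefox sends it to the
listener that `ssh -D 127.0.0.1:9090` creates.

Added example, not code from the original post. It only builds and parses
the messages and runs both halves over a local socketpair; the hostnames
and ports used below are made up.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH = 0x00
REP_SUCCEEDED = 0x00


def greeting() -> bytes:
    """VER=5, NMETHODS=1, offer only 'no authentication' (0x00), which is
    what the OpenSSH -D listener accepts."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT request. A hostname goes out as ATYP=0x03 so the
    proxy (here, the SSH server) resolves it; an IP literal is sent as-is,
    which means the client already did its own DNS lookup."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes):
    """Decode a CONNECT request the way the proxy side does. Returns
    (host, port, resolved_by_proxy); resolved_by_proxy is False when the
    client sent an address, i.e. its DNS query bypassed the tunnel."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", rest)[0], atyp == ATYP_DOMAIN


def connect_reply(rep: int = REP_SUCCEEDED) -> bytes:
    """VER, REP, RSV, then a bound address. A CONNECT client has no use
    for the bound address, and OpenSSH fills it with zeros."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(6)


def parse_reply(data: bytes) -> bool:
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1] == REP_SUCCEEDED


def exchange(host: str, port: int):
    """Run the client and proxy halves of the handshake over a socketpair
    standing in for the ssh client's listener on 127.0.0.1:9090."""
    client, proxy = socket.socketpair()
    try:
        client.sendall(greeting())
        g = proxy.recv(257)
        if g[0] != SOCKS_VERSION or METHOD_NO_AUTH not in g[2:2 + g[1]]:
            raise ValueError("client did not offer 'no authentication'")
        proxy.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
        client.recv(2)
        client.sendall(connect_request(host, port))
        seen_host, seen_port, remote_dns = parse_connect_request(proxy.recv(512))
        proxy.sendall(connect_reply())
        ok = parse_reply(client.recv(10))
    finally:
        client.close()
        proxy.close()
    return seen_host, seen_port, remote_dns, ok


if __name__ == "__main__":
    for target in ("intranet.example.net", "192.0.2.10"):
        host, port, remote_dns, ok = exchange(target, 80)
        print(f"{host}:{port} ok={ok} resolved-by-proxy={remote_dns}")
```

The third value returned by exchange() is the one to watch: a client that hands the proxy a bare IP address has already asked the local (untrusted) resolver for it, so only a request carrying the hostname keeps the lookup inside the tunnel.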

The net result (pun intended) is a diagram which looks like this.

So your browsing is protected from anyone on the public Wi-Fi: all they see is one encrypted SSH session to shell.example.net.  Beyond that server the traffic is only as protected as the site itself (HTTPS or not), so the SSH server and the network it sits on still need to be ones you trust.  OpenSSH’s -D speaks SOCKS4 and SOCKS5 and forwards TCP connections only, and different clients are configured in different ways, but as long as your tool supports SOCKS you can point it at 127.0.0.1 port 9090 and it will work as above.

SOCKS via SSH is extremely powerful.  Here’s a further diagram of another situation where you may want to use it.

Your company has a number of web servers internally which provide time recording, project planning and other information.  While working away from the office you need to access those services.  There are too many to set up individual tunnels.  There is an SSH server in the company’s control which can be reached from the Internet.  Using the -D option, you can turn that server into your own SOCKS proxy and browse to the company web servers to complete your work.

While not intended as a replacement for a VPN (it only carries TCP, and only for applications which know how to use a SOCKS proxy; anything else on your machine still goes out directly), this SOCKS implementation is very useful.

SSH tunnelling made easy (part two)

In part one of this set of posts, I covered using SSH tunnelling to access a service on a server, from a particular machine that can SSH to the target server, but not access the service directly (due to firewalls or sensible security reasons).  In this post, I’ll cover a three computer scenario.

Example 2 – three computers – can’t access third server directly

This situation covers a few different scenarios.  Perhaps you can SSH to a server in a DMZ (i.e. firewalled from all sides), and from there you can SSH to another server, or perhaps access a website on another server, but you can’t get directly to that server from your computer (you always have to use the middle hop).  Maybe you want to interrogate a web management GUI on a network switch which is connected to a network you’re not on, but you can SSH to a machine on the same network.  There are plenty of reasons why you might want to get to a specific service on Server 2, which you can’t access directly, but you can access from Server 1, which in turn you can SSH to from your local computer.

The process is identical to the steps followed in the first example, with the only significant difference being the details in the SSH command.  So let’s invent a couple of different scenarios.

Scenario 1 – remote MySQL access

In this example, your web server (www.example.net) provides web (port 80) and ssh (port 22) access to the outside world, so you can SSH to it.  In turn you have another server on the same network as your web server (mysql.example.net) which handles your MySQL database.  Because your sysadmin is sensible, mysql.example.net is behind a software firewall which blocks all remote access except for MySQL and SSH access from www.example.net.

So your workstation can’t SSH to mysql.example.net and hence you can’t use the simple example in the previous article.  You can SSH to www.example.net but you can’t run the GUI up on that computer.  So you need a way to tunnel through to the third machine.  I’ll show you the command first, and it will hopefully be obvious what’s going on.

ssh -L 127.0.0.1:3306:mysql.example.net:3306 fred@www.example.net

So as before, we open the tunnel by connecting to www.example.net as fred via SSH.  The tunnel we are creating starts on our local machine (127.0.0.1) on port 3306.  But this time, at the other end, traffic ejected from the tunnel is aimed at port 3306 on the machine mysql.example.net.  So rather than routing the traffic back into the machine we’d connected to via SSH, the SSH tunnel connects our local port with the second server’s port, using the middle server as a hop.  There’s nothing naughty going on here.  SSH is simply creating an outbound connection from www.example.net to mysql.example.net port 3306, and pushing into that connection the traffic it is collecting from your local machine.

Once the tunnel is in place, you would start up the MySQL GUI exactly the same as previously, filling in 127.0.0.1 as the ‘server’, and the correct credentials as held by mysql.example.net.  SSH will pick up the traffic, encrypt it, pass it over port 22 to www.example.net, decrypt it there, pass it on to port 3306 on mysql.example.net, and do the same in reverse.  Note that only the hop from your workstation to www.example.net is encrypted by SSH; the final leg from www.example.net to mysql.example.net is ordinary MySQL traffic on the server’s own network, so this relies on that network being trusted (or on MySQL’s own TLS).

The only difference between this and the example in part one is the destination for our tunnel.  Rather than telling SSH to talk back to the local address on the server we connect to, we simply tell it which server we want to connect to elsewhere in the network.  That destination name is resolved by the server you’ve connected to, not by your workstation, which is why it can name a machine your workstation can’t even look up.  It’s no more complex than that.

Here’s the setup for PuTTY.

Scenario 2 – network switch GUI

Maybe you support a set of servers which you can SSH to, but which also have their own private network running from a switch that itself isn’t connected to the public network.  One day you need to use the web GUI on the switch (perhaps management have asked for a screenshot and they don’t understand why you sent them an ssh log file first time around) which runs over port 80.

So, we can ssh as user fred to, say, the server endor using ssh fred@endor.  We can’t connect to our network switch (192.168.0.1) from our own workstation, but we can from endor.  What we need to do is create a tunnel from our machine, which goes to endor, and then from endor into port 80 on the switch.  This time, we won’t use port 80 on our local machine (maybe we’re already running a local web server on port 80), we’ll use port 8000.  The command therefore is this,

ssh -L 127.0.0.1:8000:192.168.0.1:80 fred@endor

So, make SSH listen locally (127.0.0.1) on port 8000, anything it sees on that port should be sent over port 22 to endor, and from there, to port 80 on 192.168.0.1.  SSH will listen for return traffic and do the reverse operation.

This is how that looks in PuTTY.

Once we’ve connected to endor, and the tunnel is in place, we can start a web browser on our own local machine, and tell it to go to the url,

http://127.0.0.1:8000

At that point, SSH will see the traffic and send it to the network switch, and the switch’s response comes back through the tunnel to your browser.

Once again, this process works for any protocol that runs over a single TCP port, such as POP3, SMTP, etc.  Protocols that open extra connections on negotiated ports (FTP in active mode, for example) don’t fit a single -L and are better handled with the SOCKS approach.

SSH tunnelling made easy (part one)

SSH tunnelling is powerful and useful.  If you can get your head around networking and ports it’s pretty easy to set up, but it’s one of those things that either sticks or doesn’t, and it’s easier to work out when you’ve got a specific problem to solve by using it.  I personally use Cygwin under Windows and so my tunnelling is done using the command line OpenSSH client, however I used to use PuTTY which will do tunnelling as well, and there are plenty of other options.  If you’re already on a UNIX-like setup with OpenSSH then the same command line options are valid as for the Cygwin version.

I wanted to run through some simple examples, and then show how the tunnelling is configured to support them and what actually happens.  But first, a general statement.  SSH tunnelling allows you to make a connection from your local computer to a service on another computer that your local computer can’t get to directly, via a computer you can get to over SSH.  That includes a two machine situation where you want to get to service X on a computer but can’t because of, say, a firewall, but you can SSH to the very same machine.  It also includes a three computer scenario where you hop from a middle computer to a computer it can access but you can’t.

Example 1 – two computers – can’t access service directly

So in this example, we have your local computer (your laptop for example, but this could be any computer you are logged on to), and a remote web server.  The web server has MySQL installed but the sensible sysadmin has ensured it’s only listening to local connections so that evil people can’t connect to it and do bad things.  You want to use a nice MySQL GUI you’ve got (say MySQL Query Browser) but can’t connect.

We assume for this example that you have a shell account on your web server with the username of fred.  What you need to achieve, is to let software running on your workstation access a local port, which SSH then picks up, shoves across to the remote server, and dumps onto the local port at that end (i.e. a tunnel).  To keep things easy, we’ll use the same local port on our workstation that MySQL is listening on at the other (3306) end but you don’t have to.

In plain English then, we need to convince SSH to listen for stuff on our workstation arriving on port 3306, tunnel that across to our server, pass it to the local port 3306 over there, and bring back any traffic in the opposite direction.  To achieve that, SSH has to make a connection over its own regular port first, and then it sets things up.

The OpenSSH command line to achieve this is,

ssh -L 127.0.0.1:3306:127.0.0.1:3306 fred@www.example.net

That’s the long hand version, you might see that written as,

ssh -L 3306:127.0.0.1:3306 fred@www.example.net

or

ssh -L 3306:localhost:3306 fred@www.example.net

They will all work and achieve the same thing, but the long hand version, for me, is the easiest to take and apply elsewhere.  Reading it from left to right: listen on 127.0.0.1 port 3306 on your workstation; at the far end, connect to 127.0.0.1 port 3306 as seen from www.example.net (the destination is resolved by the server, not by your workstation, which is why localhost and 127.0.0.1 both mean the server’s own loopback); and carry it all over an SSH session as fred.  Leaving the local bind address off, as in the short forms, makes ssh bind to loopback unless GatewayPorts is set; don’t be tempted to put 0.0.0.0 or * there unless you want other machines on your network to reach your tunnel.
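An added example, not code from the original posts, that reads the -L and -D specs used throughout this series (the long and short forms above, and the three-computer forms such as 127.0.0.1:3306:mysql.example.net:3306): a parser for the [bind_address:]port:host:hostport and [bind_address:]port grammars from the OpenSSH manual, a check that flags specs whose listener other machines could reach, and a plain-English reading of each spec.  The hostnames in the usage block are made up.

```python
"""Parse the specs given to ssh -L and ssh -D and flag the ones whose
listener other machines could reach.

Added example, not code from the original posts. The grammar follows the
OpenSSH manual: -L [bind_address:]port:host:hostport and
-D [bind_address:]port, with IPv6 literals in square brackets. The
hostnames in the usage block are made up.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ALL_INTERFACES = {"", "*", "0.0.0.0", "::"}  # what ssh treats as "bind everywhere"


@dataclass
class Forward:
    bind_address: Optional[str]  # None: not given, so GatewayPorts decides
    port: int                    # local listening port
    host: Optional[str]          # None for -D; the SOCKS client names it
    hostport: Optional[int]      # resolved and connected by the SSH server


def _split(spec: str):
    """Split on ':' while keeping a bracketed IPv6 literal as one field."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p for p in parts]


def _port(s: str) -> int:
    p = int(s)
    if not 0 < p <= 65535:
        raise ValueError(f"port out of range: {s}")
    return p


def parse_local_forward(spec: str) -> Forward:
    """-L [bind_address:]port:host:hostport"""
    parts = _split(spec)
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    return Forward(bind, _port(port), host, _port(hostport))


def parse_dynamic_forward(spec: str) -> Forward:
    """-D [bind_address:]port"""
    parts = _split(spec)
    if len(parts) == 1:
        bind, port = None, parts[0]
    elif len(parts) == 2:
        bind, port = parts
    else:
        raise ValueError(f"bad -D spec: {spec!r}")
    return Forward(bind, _port(port), None, None)


def is_exposed(fwd: Forward, gateway_ports: bool = False) -> bool:
    """True when hosts other than your own could use the listener. An empty
    bind address or '*' means all interfaces; with no bind address at all,
    ssh follows GatewayPorts (off by default)."""
    b = fwd.bind_address
    if b is None:
        return gateway_ports
    if b in ALL_INTERFACES:
        return True
    if b == "localhost":
        return False
    try:
        return not ipaddress.ip_address(b).is_loopback
    except ValueError:
        return True  # some other hostname: assume it names a reachable interface


def describe(fwd: Forward) -> str:
    """The plain-English reading of a spec, in the order the posts give it."""
    b = fwd.bind_address
    listen = "all interfaces" if b in ALL_INTERFACES else ("the default interface" if b is None else b)
    if fwd.host is None:
        return (f"listen on {listen} port {fwd.port} as a SOCKS proxy; each client "
                f"connection is opened from the SSH server to the address the client asks for")
    return (f"listen on {listen} port {fwd.port}; carry each connection over SSH and have "
            f"the server open {fwd.host} port {fwd.hostport} (name resolved on the server)")


if __name__ == "__main__":
    for spec in ("127.0.0.1:3306:mysql.example.net:3306", "3306:localhost:3306",
                 "0.0.0.0:8000:192.168.0.1:80"):
        f = parse_local_forward(spec)
        print(f"-L {spec}: {describe(f)} [exposed={is_exposed(f)}]")
    d = parse_dynamic_forward("127.0.0.1:9090")
    print(f"-D 127.0.0.1:9090: {describe(d)} [exposed={is_exposed(d)}]")
```

is_exposed() is the check worth running before you paste a spec into a shared or travelling laptop: anything other than a loopback bind address means the tunnel, and the SSH session behind it, is usable by whoever can reach that port.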

Using PuTTY you would set up a normal SSH configuration to get to www.example.net, and then you would add the following to the Connection / SSH / Tunnels section,

and clicking Add makes it look like this,

You would then connect to the server using PuTTY.

Once all this has been configured, and you have connected to the remote computer and logged in over SSH normally, any traffic sent to 127.0.0.1:3306 (i.e. port 3306 on your own local computer) is spotted by SSH, tunnelled over to www.example.net and pushed out to 127.0.0.1:3306 from there (i.e. that server’s loopback network connection, onto port 3306 on which we hope, MySQL is listening).

From this point, you treat any application you run that wants to connect as if you were running the MySQL server locally; for example with Query Browser you would start it, tell it to connect to localhost on port 3306, and then fill in the credentials of the MySQL service running on your remote server.

This example covers all cases of trying to connect to simple services, running on remote servers where you can SSH to them, but not connect remotely to the service due to either a firewall or local configuration.

Maybe your server runs a POP3 service that you don’t want anyone connecting to remotely, and you want to encrypt all your traffic to and from it.  Configure the POP3 server to only listen to local connections and then use the following tunnel,

ssh -L 127.0.0.1:110:127.0.0.1:110 fred@www.example.net

Now you can point your local mail client at 127.0.0.1 port 110 to collect mail, and it will be tunnelled to the remote POP3 server in the background.

Moria – Epic Quest line

Turbine launched the Moria expansion to Lord of the Rings online in November 2008.  Last night, I finally finished the epic quest line (Volume 2), along with some friends.  We put in a lot of effort to finish that quest line, and even with a few extra levels from the Mirkwood expansion some of the group quests were challenging.

It feels good to finally get it complete.  We’re almost up-to-date with all the epic quests, despite the new stuff added with Enedwaith.  That’ll be an interesting situation if we finally catch up – it’ll be the first time since the game went live that any of us are ahead of the game in terms of all the epic content.

Inception

Some films are there to purely entertain, some are to encourage you to think and ask questions.  It’s a rare flick that manages to include both elements to sufficiently please a diverse crowd of people.  I knew the basic premise of Inception before I watched it,  and I was expecting to be confused after hearing some comments.  But it’s not actually a confusing movie.  I was expecting to be left asking questions when I saw the ending, but for me personally, I think the questions were answered.

Inception is a story of dreams and the people who can enter them to extract information.  Much more detail than that and you begin to ruin the story, which I’ll try to avoid.  It’s set in a contemporary or very-near-future setting, and sees our main protagonist Cobb (Leonardo DiCaprio) unable to return to his family and seeking employment as an extractor.

This leads us on a journey across continents and into dreams, where we begin to question what is truth and what is real, along with Cobb and the supporting cast.  The story is truly interesting, the characters are engaging and the pace is pretty solid.  There are some moments where I felt things were under-explained, not to add mystery but almost because they ran out of time, but overall it’s a solid, cohesive story.

I didn’t find the visual effects particularly breathtaking and I think too much emphasis has been placed on them in the trailers or hype running up to the film.  This is a pretty personal story and any effects are really there to encourage us to believe what we’re seeing is not real.  There is however one set of scenes in which one of the characters operates in zero-gravity, that I thought were exceptionally well done.  This isn’t an action movie, although it has a lot of action, and it’s not a sci-fi movie although it has some speculative fictional elements, and it’s not a love story despite a core element of it being about a relationship between two people.  It’s hard to place it into a single genre.

What it is, is very engaging.  You do have to think, not to keep track or work out what is going on, but to question what you’re seeing and why, and if what the characters believe is even true.  Through multiple layers, both on a story level, and a dream level, we are encouraged to consider whether what is happening is real or not, at every stage.  It’s very hard to write a review without giving away too much.

I enjoyed watching it, and I’ll want to watch it again to see nuances I may have missed first time, but it didn’t leave me punching the air or grinning like a fool.  It left me considering Nolan’s brilliance, and the performances of some of the actors (personally I think Joseph Gordon-Levitt is excellent, and likewise Ellen Page), and the self referential ending.

The movie starts with the concept that ideas are like viruses, and it ends with a question that plants an idea and leaves you wondering, if you want to.  Well worth watching, well worth talking about, and considering it’s an original screenplay, pretty impressive stuff.

Giving Blade a second chance

So, given recent posts and memories of movies, I’m going to give Blade 2 a second chance.  This has nothing to do with my man crush on Guillermo del Toro in any way.  And I’ll swear to that in a court of law!  We saw Blade 2 in the cinema and we were expecting a very specific kind of movie and we didn’t get it.  I wonder now, knowing what to expect, whether the flick will be any more enjoyable?  I’ll let you know when it arrives and after we’ve watched it.

The A-Team

In a year filled with ensemble action movies, The A-Team was surely the one with the best known back story?  Maybe that didn’t do it any favours.  While many of us loved the series, at the time, countless repeats and plenty of piss taking later meant there were concerns about it transferring to the big screen.

Would the new actors be able to pull off the old characters?  Would it feel like a sad pastiche?  Would we accept the new faces in the old roles?  Would they be bogged down by the memories of countless episodes in which no one gets seriously injured, not even the bad guys?  Would a modern audience accept the ludicrous solutions the team are well known for?

I’d heard mixed reviews about the film before sitting down to watch it – and I have to say, I was pleasantly surprised.  Someone I know said ‘do they expect us to believe this shit?’  Well, my answer is no, they don’t.  They know it’s unbelievable, but they don’t care.  If you want to enjoy this movie you’ll take the step and willingly suspend your disbelief.  If you have no intention or ability to do that – then the director isn’t interested in trying to entertain you.

The A-Team tells the story of how the famous four get together, the crime they are supposed to have committed and the attempt at clearing their own names.  It’s a contemporary set-up for the series, a prequel, and as such a very clever decision.  Just another long episode would have been harder to pull off, but giving us the start of the story in an up-to-date setting worked very well.

The actors take on the roles without ever really trying to do second rate impressions of the previous team, for which I was quite grateful.  There’s a moment early in the movie where they crush BA’s van which is almost a statement from the director – yes, these are the same guys, but no, this is not the same cheesy 80’s series.

From that moment the action ramps up and we are led through a series of chases, captures, and betrayals that get us to the defining moment – when the team must break out of prison, prove their innocence and save the girl.

It’s funny, it’s totally entertaining and it’s entirely insane.  It’s everything that was good about the A-Team without the 80’s cheese, instead, it brings along the 80’s vibe and the 80’s good feeling.  There’s clearly room for a sequel, and I’d quite happily go and see it.

Scott Pilgrim vs. The World

I didn’t see Scott Pilgrim vs. The World in the cinema, because at the time there were some other movies that I felt would be better on the big screen.  Scott Pilgrim looked, from the trailers, like it would do okay on the smaller screen.  I was wrong.  This is why.

Scott Pilgrim is visually the most memorable and exciting movie I’ve seen since The Matrix.  Sure, Avatar was pretty to look at and the CGI was a step beyond anything we’ve ever seen.  Yes, 300 was a revelation in terms of colour and style.  I agree that Sin City brought us comic book visualisations like we’d never really seen.  But Scott Pilgrim vs. The World presented a mixture of real life, comic book and computer games in a single visual package that blew me away.

The clear craftsmanship that went into every single shot, the attention to detail, the mixture of sound effects, on-screen visuals and cinematography working together in a way I’ve just not seen before.  If Scott Pilgrim vs. The World was an ice-cream flavour, it would be Strawberry Mint Choc-chip with Raspberry Ripple and Cookies.  And it would work.

Stunning visuals alone don’t make a good movie, and therefore it’s with some relief that we discover Scott Pilgrim has a heart, a plot, an excellent sound track and some very funny and touching moments.

Based on a graphic novel, the reasonably simple story plays out thus.  Scott (Michael Cera) plays in a band, hangs out in the arcade, and finally meets the girl of his dreams.  But early in their relationship he discovers he must battle and defeat her seven evil exes in order to date her.  The brilliance comes from the mixture of the real and the unreal.  The fights are done very much in the style of computer games, the movie is strewn with on-screen flashes of comic book style text and computer game style popups.  They never get in the way – they simply enhance the sense of involvement.

The girl of Scott’s dreams is the enigmatic Ramona (Mary Elizabeth Winstead).  The character is both engaging and interesting.  The supporting cast around them is also excellent, the rest of the band in which Scott plays, and a small circle of friends and past-partners.  Alison Pill (as Kim Pine) steals every scene she’s in though, she is superb and delivers some of the funniest moments in the whole movie.

As we and Scott work our way through the various evil exes we learn more about all the characters, and in parallel we watch the band (Sex Bob-omb) rise in status.  The interplay between the characters is really the soul of the story and I’ve intentionally not mentioned a lot of that.  While the battle against the evil exes is the part the trailers focus on, the real story is the continuing personal development of everyone involved.  That’s where the heart of this story lies.  Although not constantly laugh out loud the movie has some excellent comic moments.  But again, it is the quality of the shots, the care with which each frame has been prepared and the beautiful cinematography that give that soul and comedy something to stand on.

The finale is both brilliant and satisfying and the final outcome was just what I hoped for.

Not everyone will like this movie.  It speaks in a language that may put some people off (some gaming culture and comic book references), although it’s more accessible I think than Watchmen.  I get that, it’s fine.  But a world with only one flavour of jam would be a terrible place (even if it was Strawberry).  And likewise, a world in which we only see huge action movies do well in the box office, or even get funding, would be a sad place.  I should have gone and supported Scott Pilgrim at the cinema.  Not just because it would have been an incredible movie going experience, not just because it’s probably the most enjoyable movie I’ve seen for a very long time, but because it deserved to get better box office numbers to show that people do want this kind of stuff.

And we do.  The DVD / Blu-ray sales will be excellent I’m sure.  But it should have gotten better box office takings.  I already apologised to Edgar Wright for my part in that.  You can do your bit.  Buy this movie, watch it, love it, and next time, go and support movies like it in the cinema.

The Hobbit – ready for 2012?

In July 2008 I wrote this,

So this is it. The Hobbit. The movie everyone denied they were even thinking of making. And we’re not getting one, we’re getting two. The news was announced at the end of 2007, but I’ve not been thinking about it much since we’re not going to see anything until 2011 and I don’t want to end up in a fever 2 years too early.

So the news broke in 2007, and because ‘we weren’t getting the movies’ until 2011, I didn’t want to post too soon.  Well, it’s 2011 and they haven’t started filming yet.  But they are, finally, about to.  In a tale almost as complex as the Lord of the Rings we’ve had issues with rights, issues with financing, issues with timing and issues with ownership.  Not to count the issues with unions.  But we are here, on the cusp.

From Deadline,

MGM and Warner Bros have finalized a deal that gives Warner Bros worldwide theatrical distribution on the Peter Jackson-directed The Hobbit. MGM will retain international television rights. This solves another problem on Jackson’s eagerly awaited followup to The Lord of the Rings, which has overcome an MGM freeze because of angry creditors, and the threat that the films would move away from New Zealand after local unions blacklisted the production.

Shooting begins next month [February] …

The only bad news, is they’re shooting them in 3D.

Due on our screens December 2012 and December 2013 – I’ll be getting my tickets soon.

Predators

When Arnold stepped out of the jungle, covered in mud, and stabbed the alien predator thing in the face (metaphorically), he was doing so with the weight of the 80’s action movie genre behind him.  Any movie which tries the same post year 2k does so with the weight of the 80’s action movie clichés crushing them from above. The 80’s gave us the new face of the Action Movie, and then it was caved in mercilessly during the 90’s and early 2000’s by the likes of Tarantino and the Wachowskis.

In the late 90’s and 2000 onwards, the action movie had to smarten up and add something new.  And it needed to be cool, otherwise it just got slated and slotted into the ‘another 80’s cliché movie’.  But these days, it seems to be okay to relive the glory of that decade.  Sometimes you have to poke a little fun at your age (The Expendables, Red) and sometimes you need to accept the clichés and deliver some interest and excitement anyway.

Predators is an ensemble movie which takes us back to the jungle and pits a group of natural killers against the universe’s paramount hunter.  There’s no apology and in fact the whole movie setup apes the lack of depth – our ‘heroes’ are dropped into the jungle unconscious, to wake up (hopefully) as they fall from the sky, their parachutes opening at the last moment.

Nimród Antal (director) couldn’t have made the point any clearer – don’t worry about why these folk are here, don’t worry about where they came from, or who they are.  Worry about how they’re going to survive – that’s all they’re doing.

If you do that, and if you settle back to enjoy an action movie which knows that’s all it is – then you should enjoy this.  A collection of unlikely heroes who slowly get hunted and killed by the Predators.  Surprise alliances, surprise treachery and some madness along the way.  The action is exciting, the dialog is kind of interesting and Laurence Fishburne turning on all he has for the lone survivor stint adds some grit.  Adrien Brody pulls off action hero better than I thought he would.  A simple complaint is that although I don’t think anyone should artificially bump up or down gender roles in a movie, would it have hurt to have a few more women in the pack of killers?

The surprise turn is from Topher Grace but I’ll leave you to guess why.

The pace is quite tight, it doesn’t try to tease us with aliens we’ve already seen, and it adds plenty of fun.  Predators is better than I expected, and as good in its own way as the original movie it makes reference to.