[KLUG Members] SSH through a firewall

Andrew Thompson tempes at ameritech.net
Sat Jul 23 02:49:58 EDT 2005


On Fri, 2005-07-22 at 11:56, bill wrote:
> I've got the classic "relative far away and you're a computer guy"
> scenario.  My question is how to do SSH through a firewall.  
> 
> Relative runs a Win98 computer, unwilling to upgrade, only uses it for
> "just a few things."  Uses a DSL modem. 
> 
> The system is regularly corrupted and slows down intolerably, after
> which it's rebuilt, often over the PHONE.
> 
> My idea: bring an old box when I go out there (soon) and put a Linux
> firewall on it (I prefer floppyFW).  Then set up VNCserver on the Win98
> box.  Thus, I could tell her to turn it on and leave it alone while I
> VNC in and remove all the spyware/viruses, etc.
> 
> I think I can set up VNC and port forwarding o.k., but I'm wondering how
> to set up the SSH tunnel.  Usually I set up sshd on a box behind the
> firewall.  I won't have that option here.
> 
> Do I really want to set up the firewall with an ssh server?  I could set
> it up to listen on an obscure port, I suppose.
> 
> What do you guys recommend?

I'm not quite sure I see what sort of layout you're planning, but I
would recommend this:

	(INET) <-> DSL <-> FW <-> W98

Tell her she's going to have to keep the firewall on all the time, or at
least whenever she wants to get to the net from the Win98 box. Then, you
just need to find an SSH server for Win98. Cygwin
(http://www.cygwin.com/) looks like it can give you this through
Portable OpenSSH (http://www.openssh.com/portable.html). I'm NOT sure
you'll be able to tunnel through to VNC, though. (Oh, and check out
http://www.freedownloadmanager.org/downloads/143_s/ to get an idea what
your free stuff like sshd could be WORTH to a Windows user.)

Also, from someone who's been there, you should probably be aware that
this might NOT be enough to clean the winbox. I used to have a Win98
installation on this machine, and happened to discover a rather nasty
infection on that side a couple years back. With no real anti-spyware
already in place, I found it all but impossible to download any of the
known packages, let alone install them. The spyware in place had the
knack of killing any browser windows that happened upon one of these
"unfriendly" sites, and could kill an installer before it got going,
too. On top of that, it turned out the little bleeder had managed to
commandeer a couple dozen of the basic system apps (Notepad, etc), AND
make sure the config files were ALWAYS set to start it up at boot time.
It took a text search through binary executables (try THAT in XP!), plus
an assault running under Linux to finally isolate and NAIL each and
every instance of the bugger. Without the Linux cohabitant, I'm not sure
how I would have managed it. (This was before live distros were a real
Thing, see).

Well, that was more fun than useful, but my point is, you may not be
able to fix everything remotely, unless you can bypass Windows itself.
You might try giving her a "live" Linux CD to boot, if you want to do
what I did, but the best thing to do would be to get her to install an
antivirus and anti-spyware, BEFORE anything tries to get in. If you can
get her to keep the firewall on between the DSL and her Win98 box, that
could cut the risk way down right there. Don't know if any of this helps
you, but those are my suggestions.

-- 
Andrew Thompson <tempes at ameritech.net>
The Imagerie


