One of the best ways to get around the restrictions is to use an ssh connection to create a generic proxy server right on your computer. Today I want to develop this topic and answer the following questions:
1) Where can I even get this "ssh access"? It is very difficult?
2) You are already behind a proxy server that does not allow direct connections to other computers. How do I use the suggested trick?
3) What, the owners of the proxy server really won't see what resources I'm connecting to? Is this really a proxy bypass?
If you are interested in this topic, read on.
Ssh access?
If you do not know what it is at all, I suggest that you read the article at the link. Roughly speaking, this is one through which you can establish a connection with another computer. So where can I get a computer that will accept such treatment? I will offer 4 options.
- Think about where you could be and use a Linux-based computer (for example, some foreign institute). Have you saved your username and password? Then, if they are not deleted, you will most likely be able to use the computer of this organization.
- Do you have your own website? Then it is very possible that the host provides ssh access. If there is no website, then you can buy hosting and domain (or hosting with real IP) specifically for this purpose. For example, the cheapest rate for the previous link will cost about 50 rubles per month. The site is optional.
- I already wrote about using a router for configuration. So, if you follow this procedure and buy from a provider, then your home computer will be a good helper.
- Create an account on one of these services. It may be unstable, but it's free.
ssh from behind a proxy
And it is possible. Once again I will send you to read my article about. As it says, download the putty program and configure it by going to the Connection - SSH - Tunnels tab, type: Dynamic, source port: 8080 (screenshots are in the article at the link). Now it remains to configure putty so that it does not connect directly, but uses a proxy server that is interfering with us. To do this, go to the Connection - SSH tab and register the proxy server settings.
You can find out the correct settings according to the instructions in my article about. If you write everything without errors, putty should connect to the required server and create a socks-proxy on your local computer with port 8080. I already wrote about its use in firefox in the article about.
Is it true that no one will know what resources I visit?
Yes and no. First, the owners of the local proxy will know that you have connected to your ssh computer. Everything. What resources you visit, they will not know - all traffic will go through putty. But they will know about the presence of this traffic. If you are able to explain it or if there is no tight control, then everything will be fine.
But there is also another side. If you connect, say, through your home computer, then for everyone it will look like you connected from home. Good or bad - you decide.
And one more very important point - you must not forget about the permission. The fact is that the domain name you are interested in (for example, the blocked vkontakte.ru) must first be converted to an IP address. And with the default settings, it will not be allowed through the ssh tunnel, but directly. Anything will be blocked, or at least recorded by a local proxy server. Therefore, we do the following: launch firefox, enter about: config in the address bar, click ok on the terrible warning that we can break everything. We are taken to a page where you can change additional firefox settings. In the filter line, enter proxy.
Most likely, the line network.proxy.socks_remote_dns will not be selected, and the value in it will be false. Double-click on it to make it fat, and the value changes to true. That's it, the setup is done. Now dns will also be allowed on that side of the tunnel.
Something not clear about proxy bypass? Ask questions. I hope this article helps you bypass the proxy restrictions.
The first way is easier. Let's say your company doesn't allow you to download the popular live chat software AOL Instant Messenger. You can still communicate with your friends and colleagues using the online version of the program called AIM Express ( AIM.com/aimexpress.adp). In addition, the company Google there is a real-time chat service called Google Talk available at Google.com/talk... Programs such as music players and video games also have their own Internet versions - usually they are somewhat stripped down compared to the original programs.
The second approach to solving the problem is more complicated, but with its help you get access to the very program on your computer. All three of our experts named the company Rare Ideas LLC ( RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download programs to portable devices, such as iPods or USB sticks, via Portable Apps ( PortableApps.com). After that, you plug this device into your work computer and you're done. (However, if your company prohibits the use of external devices, consider yourself out of luck.)
Risk: Using online services can place an undue burden on company resources. And programs on external media pose a security risk. IT people prefer to have control over the software used by employees so that in the event of a virus or other problem, they can easily fix everything. If you bring programs with you, their control is reduced.
Another thing to keep in mind is that some less reliable programs, especially file sharing programs, may be loaded with spyware.
How to protect yourself: If you bring the program on external media, Lowbel says, at least change the anti-virus program settings on your work computer so that it scans the device for potential threats. This is not difficult to do by going to the "settings" or "options" menu. Likewise, if you use file sharing, configure them so that others cannot access your files, also through "settings" or "options".
3. How to access sites blocked by your company
Problem: Companies often block access to certain sites for their employees, ranging from the really obscene (porn sites) and probably not the most respectable (gambling sites) to the almost innocent (email sites).
Workaround maneuver: Even if your company does not allow you to go to these sites by typing their address in the top line, you can sometimes still get to them in a roundabout way. You go to a site called a "proxy" and type the Internet address you want in the search box. Then the proxy site goes to the site you need and gives you an image of it - so you can see it without going to it directly. For example, Proxy.org, serves over 4 thousand proxy sites.
Another way to achieve the same result is suggested by Frauenfelder and Trapani: use the Google translator, asking him to translate the name of the site from English to English. Just enter the following text: "Google.com/translate?langpair=en|en&u=www.blockedsite.com", replacing "blockedsite.com" with the site you want. Google actually acts as a proxy server, finding a mirror of the site for you.
Risk: If you use a proxy site to view mail or YouTube videos, the main danger is that you will be caught by your superiors. But there are also more serious security threats. Sometimes bad guys on the Internet buy website addresses that are one or two letters different from popular websites and use them to infect visitors' computers with viruses, Lowbel warns. Companies often block these sites as well - but if you use a proxy, you will be defenseless against them.
How to protect yourself: Don't make the use of proxy sites a habit. Use this method only to access certain sites that your company has closed access to in order to increase productivity - for example, YouTube. And more careful with spelling.
4. How to cover up your tracks on a corporate laptop
Problem: If you use a company-owned laptop to work from home, it is very likely that you are using it for personal purposes: organizing family vacations, buying books to read on the beach, compiling photo albums on the Internet, and so on. Many companies reserve the right to track everything you do on this computer because technically it is the property of the company. What happens if ... uh ... your friend accidentally wanders into a porn site or searches the Internet for a cure for some embarrassing disease?
Workaround maneuver: The latest versions of Internet Explorer and Firefox browsers allow you to cover your tracks. In IE7, select Tools, then Delete Browsing History. Here you can either erase your entire browsing history by choosing Delete All, or select multiple links that you want to erase. In Firefox, just press Ctrl-Shift-Del or click on Clear Private Data from the Tools menu.
Risk: Even if you clean up your history, surfing the internet free of charge still puts you at risk. You could inadvertently pick up spyware on some questionable site or create legal problems for your boss with your behavior. If you get caught, at best, you face an awkward situation, and at worst, you risk losing your job.
How to protect yourself: Clean up your personal data as often as possible. Better yet, don't use your work computer for anything that you don't want to inform your superiors about.
5. How to find working papers from home
Problem: You finish your work late at night or on weekends - but the document you need remains on your office computer.
Workaround maneuver: Google, Microsoft, Yahoo and IAC / InterActiveCorp offer software to quickly find documents on your computer desktop. In addition, some of them allow one computer to search for documents saved on the desktop of another. How it works? The search engine company stores copies of your documents on its server. Thus, it can scan these copies when you perform a remote search.
To use Google's software - one of the most popular - you need to follow these steps. First, set up a Google account on both machines by visiting Google.com/accounts... (Be sure to use the same account on both computers.)
Then go to the site Desktop.Google.com and download the desktop search software. When it is installed, again on both machines, click on Desktop Preferences, then on Google Account Features. Check the box next to Search Across Computers. From now on, all documents that you open on both computers are copied to Google's servers so that they can be found from both computers.
Risk: Enterprise tech envisions a catastrophic scenario: you have highly sensitive financial information stored on your work computer. We installed a program to access these files from our personal laptop. And then the laptop got lost. Ah ah ah.
In addition, experts have found vulnerabilities in Google's computer search program that could allow hackers to trick users into giving them access to files, says McAfee's Schmugar. (After that, these problem areas were fixed, but there may be others, he says.)
How to protect yourself: If you have files on your work computer that should never be in the public domain, ask your IT system administrator to help you install Google Desktop in a way that avoids leaks.
6. How to store work files online
Problem: In addition to searching on the desktop, most people who often have to work from home have found their own solution. They save work files on portable devices or on the company's network, from where they can then be retrieved remotely. But portable devices can be too bulky, and connections to a work network can be slow and unreliable.
Workaround maneuver: Use online storage services such as Box.net, Streamload, or owned by AOL Xdrive. Most of them offer a free storage service with a volume of one to five gigabytes, and for a package with additional space they charge a few dollars a month. Another guerrilla method is to send yourself these files to your personal email, such as Gmail or Hotmail.
Risk: The bad guys can steal your password for one of these sites and steal copies of your company's classified materials.
How to protect yourself: When you are going to save this or that file on the Internet, ask yourself what will happen if it becomes publicly available or falls into the hands of the head of a company that is your main competitor. If nothing bad happens, then continue.
Problem: Many companies have the ability to track employee emails both at work address and other email addresses, as well as communication via ICQ.
Workaround maneuver: When you send emails from your personal email account or work email, you can encode them so that only the addressee can read them. In Microsoft Outlook, click on Tools, then Options and select the Security line.
This is where you can enter your password, and no one can open the email without knowing this password. (The people to whom these letters are intended, of course, you must provide this password in advance.)
For personal correspondence using postal services on the Internet, use Frauenfelder's advice. When checking your mail, add an s after the "http" to the address bar of your mail site - for example, https://www.Gmail.com... This will start a secure session and no one can trace your emails. However, not all web services support this.
To encode your real-time communication, use Cerulean Studios' Trillian service, which allows you to work with AOL Instant Messenger, Yahoo Messenger and other real-time communication programs and helps you encode conversations so that no one else can read them.
Risk: The main reason companies track employees' emails is to catch those transmitting sensitive information. By resorting to all of the above tricks, you can provoke a false alarm and make it harder for IT staff to deal with a real threat.
How to protect yourself: Use the described methods only from time to time, do not use them by default.
8. How to get to work mail if your company does not want to go broke on a PDA
Problem: Everyone who does not have a PDA knows this feeling: you went to a restaurant to have lunch or have a beer after work, and then everyone reached into their pockets for their PDA, and only you alone are forced to shake a glass in your hand.
Workaround maneuver: You, too, can keep in touch with your work email using a variety of mobile devices. Just set up your work email so that emails are forwarded to your personal email address.
In Microsoft Outlook, you can do this by right-clicking on any email, selecting "Create Rule" and asking to forward all emails to you to another address. Then set up your mobile phone to check your e-mail following the instructions from your provider (this is the company that sends you phone bills).
Risk: Now hackers can hack not only your computer, but your phone as well.
How to protect yourself: There is a "correct" way to access work email using a variety of personal mobile devices by taking a password and other information from the IT department.
9. How to access personal mail from a working PDA
Problem: If your company provided you with a PDA, you are probably facing the opposite problem. You want to check your personal email as easily as you do your work.
Workaround maneuver: Take a look at the "Settings" section of your personal mailbox and make sure that you have activated POP (postal protocol), which is used to receive mail through other addresses. Then go to the website of your BlackBerry PDA service provider. Click on the "Profile" button, find the Email Accounts section there and select Other Email Accounts. Then click on Add Account and enter your personal email address information. Now your personal mail will arrive in the same place as your corporate one.
Risk: Your company probably has an arsenal of security and anti-virus and anti-spyware tools. When you receive personal mail on your BlackBerry, it comes bypassing these protective barriers. This means that spyware or viruses can enter your PDA via personal mail, says McAfee's Schmugar.
To make matters worse, he says, when you connect your BlackBerry to your work computer, there is a chance that this spyware will be transferred to your hard drive.
How to protect yourself: Cross your fingers and trust that your email provider does everything in its power to protect you from viruses and spyware (which it probably is).
10. How to pretend that you are working
Problem: You are engaged in a vital Internet search, and suddenly your boss appears behind you. Your actions?
Workaround maneuver: Press Alt-Tab quickly to minimize one window (for example, in which you are exploring ESPN.com) and open another (in preparation for today's presentation).
Risk: The good news is that when it comes to the security of the company, this is not a threat.
How to protect yourself: Get to work.
To bypass the blocking of the messenger, you can use a proxy or VPN. In this article, you will learn how to bypass Telegram blocking using 3 ways:
- Through the VPN tunnel;
- By automatically installing MTProxy using a bot;
- Manually by specifying a proxy server for Telegram.
How to bypass VPN blocking
A VPN is a secure channel through which all Internet traffic on a device passes. It affects not only the work of Telegram, but also other programs, such as a browser or an email client.
The main plus of VPN is gaining access to any resources blocked in Russia. All sites will work as if the user is in another country. However, this approach has a number of disadvantages:
- The speed of the Internet may slow down significantly;
- Many sites will open in a foreign language.
When using a free service, the user will be limited by the traffic limit, which is usually several gigabytes. This can cause problems with the connection speed. The paid subscription works without restrictions, but you have to pay a few dollars for it every month. The most trusted companies are NordVPN, ExpressVPN, and PrivateVPN.
Let's look at the process of installing a free VPN on Android and iOS.
VPN for Telegram on Android
The easiest way to install VPN on Android is to use the app from Google Play. Let's list the most popular options and indicate the traffic limit for each of them:
- TunnelBear (1.5 GB)
- Windscribe (10 GB)
- FinchVPN (3 GB)
- ProtoVPN (unlimited)
Let's take a look at the installation process using Windscribe as an example.
- Go to Google Play and download the program.
- Open the app and create an account by choosing the "Free" plan.
- Click "On" on the main screen.
If the speed is too slow, try changing the server location.
VPN for Telegram on iOS
To set up a VPN on iOS, download one of the following apps from the AppStore:
- TunnelBear
- Betternet
- SurfEasy VPN
- FreeVPN
All services except TunnelBear offer unlimited bandwidth. At the same time, they can significantly underestimate the speed and display ads. Using Betternet as an example, let's see how to set up a VPN proxy for Telegram on iOS.
- Go to the App Store and download Betternet.
- Open the program and click the "Install Profile" button.
- Click "Connect".
Setting up a proxy for Telegram using a bot
The easiest way is to configure Telegram through a proxy using the @BestMTProxyBot bot, which will automatically set the connection parameters. This is the official bot of the Telegram team, which is fast and free. In return, the service will display advertisements for sponsored channels at the top of the contact list. Let's consider the process of working with a bot step by step.
There are several different methods you can use to bypass the anonymous proxy, although the method you should use depends a lot on how you set up the proxy. The easiest way is to disable the proxy server in your internet connection settings in your web browser, although this is not always effective. To bypass the anonymous proxy, you can also use another proxy that is causing you problems. But it's important to remember that you can run into serious problems if you bypass the anonymous proxy at work or school.
To bypass anonymous proxy, you need to know how the proxy is used. An anonymous proxy is a server that your computer is connected to, which then connects to the Internet, allowing you to remain anonymous while using your web browser. This is usually done either through software installed on your PC, or through a setting in your web browser that automatically redirects you to a proxy server when you use it. The way in which you can bypass the anonymous proxy server depends a lot on what setting was used on your computer.
If you have software installed on your computer that forces it to connect to a proxy server, you can bypass it by uninstalling that software. But if you do not have administrator rights in the system, then you will not be able to uninstall the program. If this is the case, then you should not bypass anonymous proxy if the computer you are using is the property of a school or is installed in the workplace.
Until you know that you are allowed to bypass the anonymous proxy without losing your job or being severely reprimanded at your school, there are two possible solutions to consider. The first way you can bypass the proxy is to simply remove the proxy settings in your web browser software. This is the program that you use to navigate the Internet and visit different websites. You should check the connection settings for your browser and see if there is a proxy that you can change to bypass it.
If you can't just change your web browser to bypass the anonymous proxy, you may need to try a more complex solution. You can try using a different proxy, for example, one that actually sits between your computer and a proxy that is already in use. This may allow you to use your proxy server to avoid connecting to another. But, if you do not want to connect to an anonymous proxy on a computer on your network, you should simply change your settings to not do this anymore.
And you need to know the minimum required list of ports that must be open. For example, port 80 is required to work with HTTP (almost all WEB browsers use this port to work with the WWW). Port 21 is required for working with FTP servers, etc. For more information on ports, refer to the article: TCP Ports. So, a good rule of thumb is to have a minimum number of open ports. This will reduce the likelihood of an outside attack on your network. Also, depending on the used proxy server, you can set the list of allowed users or computers and the access period.
2. Access to the Internet from a LAN organized as a domain.
Things are a little more complicated here. If your LAN is based on Windows Server, then the most acceptable would be to use Microsoft ISA Server(Internet Sharing & Acceleration). First, this product fully integrates with Active Directory. Secondly, it has many monitoring and audit tools. Thirdly, it does not require special knowledge when setting up, which is done using special equipment. I will not describe the process of installing and configuring ISA Server in this article, since it will require a whole book. In any case, if necessary, you can always find the required manuals and instructions. One of the disadvantages of ISA Server is the need to install a client part (mspclnt) on each workstation in the domain from which Internet access is expected.
3. How to bypass the closed ports of the ISA Server and how to get through it with the Opera browser?
In a fairly large (or not so large) corporate network based on operating systems of the Windows family, system administrators, as a rule, use ISA Server as a proxy server. This is understandable and understandable, due to the affinity of ISA and Windows Server, as well as other, such as Active Directory, properties. To ensure maximum security, the administrator often leaves open the minimum number of ports - 80, 8080, 443, well, and maybe 21, 25 and 110 more. many programs that require opening specific ports for normal operation (for example, like MIRC, which requires port 6667, etc.), cannot function normally under these conditions. In addition, although ISA Server provides two types of authorization - NTLM (when Active Directory is used to authorize a user) and the so-called. basic - when you need to enter a username for access - a password. Some WEB - browsers, unlike Internet Explorer, do not use NTLM authorization (for example, Opera) and therefore it seems impossible to use them. However, it is not. There are ways to get around these obstacles.
Authorization
Let's start by bypassing NTLM authorization. This is necessary for the almost full functioning of the Opera browser (and some others). Why almost? Because, the same Opera has an integrated Chat, for which, in addition to bypassing NTLM authorization, you also need access through a specific port, for example 6667. Currently, one of the best solutions is to use the NTLM Authorization Proxy Server. This is a program written in the Pyton language, and for it to work, you must first install the Python interpreter (a free version can be downloaded from the company's offsite http://www.python.org/). The APS itself can be downloaded from http://www.geocities.com/rozmanov/ntlm/. Pyton is installed without problems, when configuring ASP, you just need to specify the path to the folder with installed Python, and correct the server.cfg file in accordance with your settings and parameters. An example file is placed below:
# here is the port number (default is 5865) LISTEN_PORT: 9000 # If you want APS to authenticate you at WWW servers using NTLM then just leave this # value blank like PARENT_PROXY: and APS will connect to web servers directly. # And NOTE that NTLM cannot pass through another proxy server. PARENT_PROXY: # here the name of your ISA server, for example OurISA.yoursite.org PARENT_PROXY_PORT: 80 # here the port open on the ISA, for example 80 or 8080 # Windows Domain DOMAIN: # here the domain name, as in the example yoursite.org # What user "s name to use during authorization. It may differ form real current username. USER: # here is your (or not your) login to enter the domain # Password. Just leave it blank here and server will request it at the start time. PASSWORD: # here is the password for entering the domain / # Experimental option. Set it to 1 to switch on UNICODE and NT response part in the auth action. # In a nut shell, you may want to try setting it to 1 if you are sure that you have to use NTLM # authentication and it just does not work for you. Most of times everything should work without # this option. FULL_NTLM: 0 # Highly experimental option. Do not touch. See research.txt for details. NTLM_FLAGS: 06820000 # Set to 1 if you want to grant this authorization service to clients from other computers. # NOTE: al l the users from other hosts that will be using you copy of APS for authentication # will be using your credentials in NTLM auth at the remote host. ALLOW_EXTERNAL_CLIENTS: 0 # If you want to allow some other but not all computers to use your proxy for authorization, # just set ALLOW_EXTERNAL_CLIENTS: 0 and put friendly IP addresses here. # Use space as a delimiter. # NOTE that special addesses don "t work here (192.168.3.0 for example). FRIENDLY_IPS: # Requested URLs are written to" url.log "file. May be useful. URL_LOG: 0 # This section describes what and how the server should change in the clients headers. # Made in order to prevent parent proxy from seeing that you are using wget instead of IE5.5 Accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, application / vnd.ms-excel, application / msword, application / vnd.ms-powerpoint, * / * User-Agent: Mozilla / 4.0 (compatible; MSIE 5.5; Windows 98) # for windows 2000 emulation;) # User-Agent: Mozilla /4.0 (compatible; MSIE 5.5; Windows NT5) # You can uncomment these chages in client "s header to mimic IE5 + better, but in this case # you may expirience problems with * .html if your client does not really handle compression. # Accept-Encoding: gzip, deflate # Authentication type. If it does not work as it is, you can put 1 and 1. LM_PART: 1 NT_PART: 1 # You can convert NTLM authentication to the basic form by putting here 1. Then, when starting work, the browser will ask for a username and password. NTLM_TO_BASIC: 1 # Set this to 1 if you want to see debug info in many log files. One per connection. DEBUG: 0 # Set this to 1 to get even more debug info. BIN_DEBUG: 0 # Set this to 1 to see some strange activity on screen. Actually you won "t want it. SCR_DEBUG: 1 # Not actually a debug option but gives you some details on authentication process # into * .auth logs. Also see research.txt. AUTH_DEBUG: 0
After configuration, run runserver.bat and that's it. Next, you need to set up a connection in Opera.
This screenshot shows the proxy server settings for Opera. For other browsers, the settings should be done by analogy.
Bypassing closed ports
Now let's move on to the second part - bypassing closed ports. Here we will be helped by one of the so-called. mappers - HTTPort. By the way, for its normal operation under the conditions of an ISA server with NT-authorization, it is necessary to run the ASP described earlier. Download this program here: http://www.htthost.com/download.boa
Install and configure.
As shown in the screenshot below, in the first line we write the IP and port number (ip of the local computer, port number - according to the settings in ASP). Check the box "Proxy Requires authentication" and enter the username and password to enter the domain. It is better to leave User – Agent as is, and set Bypass mode to Auto. We leave the bottom fields blank, at least until you have a remote host address for HTTPort.
Everything is very simple. To configure other clients, you just need to correctly register the name of the remote host and port numbers.
Now we start the whole chain. First ASP, then HTTPort, and as a result, with an almost completely closed ISA, we get a lot of pleasure from working in our favorite browser and pleasant communication in IRC and ICQ.
It should be noted that the use of HTTPort is not limited to the above example. If ISA Server is configured for "basic" authentication, ASP becomes redundant. And with the help of HTTPort, through the only port open on the ISA server, you can tune in to almost any WEB service, including connecting to game servers or using WEBMoney. (These services, as a rule, use specific ports for access and cannot reach them through port 80). In addition, the manufacturer of HTTPort itself does not guarantee 100% success when using this product, however, in most cases, there are no special problems. It is only important to correctly configure the port mapping. However, in the last window of the program there are several links, including the FAQ on using HTTPort.
