人生在世，看得透，又看得远者prevail everywhere.

ppt.cc/fRZTnx ppt.cc/fSZ3cx ppt.cc/fLOuCx ppt.cc/fE9Nux ppt.cc/fL5Kyx ppt.cc/fVjECx ppt.cc/fIr1ax ppt.cc/fEnHsx ppt.cc/f71Yqx tecmint.com linuxcool.com linux.die.net linux.it.net.cn ostechnix.com unix.com ubuntugeek.com runoob.com man.linuxde.net bit.ly/2EzoUDo bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2X6vadl bit.ly/2viLpHU linuxprobe.com linuxtechi.com linuxstory.org systutorials.com ghacks.net linuxopsys.com reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Monday 2 December 2019

HOWTO bypass Internet Censorship

Freerk <freerk@gmx.net> (write in English, German or Spanish), last updated 2010-04-07

A tutorial on how to bypass Internet Censorship using Proxies, Shells, JAP e.t.c. Different ways to beat the filtering in schools, countries or companies (blocked ports e.t.c). This is the original and so newer than the translations because I'm still working on it.

1. Introduction

2. Possible weaknesses

3. Different kinds of censorship

4. Different ways to bypass censorship

5. Howto publish information

6. Appendix

6.1 Links

1. Introduction

1.1 About Internet censorship

In the last 10 years the Internet grew very, very fast. It is a bunch of thousands of little networks put together. Billion computers are connected and it is basically not controlled or even owned by a government or company. There are no laws, everybody can put his webpages online which can be accessed by everybody on the world who is sitting in front of a computer with Internet access. I believe that this can and will change the world as we know it today.
But there are several governments who think that this unlimited access to information is dangerous for their citizens. These are for example Saudi Arabia, Bahrain, Cuba, Jordan, Tunisia, Burma, Singapore, Uzbekistan, Yemen, Kuwait, Vietnam, Syria, Iran, United Arab Emirates and parts of Africa. And even in countries like Australia, Switzerland and in some parts of Germany they censor websites. This ranks from a very easy to circumvent DNS blocking of only 2 Nazi sites in parts of Germany to a government office with 30.000 employees only working in blocking thousands of websites, services and ports in China.
Though the blocking methods are different there are also different ways to bypass them. I will try to show you how to access the website of Amnesty International, BBC, Google and other blocked sites in your country. I made this website in very basic HTML, so that you can even view it with a very old computer. Please share this information, link the site, copy it, mirror it, print it (I didn't "hide" any links, so that no link is lost when you print it) and teach your friends and relatives!
More info: http://en.wikipedia.org/wiki/Censorship_in_cyberspace

1.2 My reasons for writing this

Well, I'm living in Germany, which is not very famous for it's censoring. But the local government from one of the 16 German states (NRW) tries to introduce censorship by blocking 2 US Nazi sites. Sure, I really don't like those guys but in my opinion no government or even a system administrator has the right to choose which information a individual have access to. What websites are next? Who chooses which websites will be blocked? Additionally, my school blocks some websites and so I became interesting in this topic.

1.3 How to get this file

As you are reading this you actually found this file somewhere. The most updated version you can get here:
European mirror: http://www.zensur.freerk.com/ - (Lambdanet - Erfurt, Germany)
American mirror: http://nocensor.citizenlab.org/ - (University of Toronto - Toronto, Canada)
Asian/Pacific mirror: http://blocks.orcon.net.nz/ - (Orcon ISP - Auckland, New Zealand)
SSL mirror: https://secure.sslpowered.com/bpass/ (Netfirms, Toronto, Canada) and https://ssl-account.com/zensur.freerk.com/
Dynamic IP mirror: http://cship.no-ip.org:82/ (Road Runner Cable - Tampa, FL, USA)
eMail autoresponder: index.htm@zensur.freerk.com (just send an empty email, you will instantly get this text as plain HTML in return)

Google Cache: http://www.google.com/search?q=cache:www.zensur.freerk.com/ - (maybe some days old)

1.4 License

Permission is hereby granted, free of charge, to any person obtaining a copy of this document, to deal with this document without restriction, including without limitation the rights to use, copy, modify, translate, merge, publish, distribute, and/or sell copies of the document, and to permit persons to whom the document is furnished to do so, provided that the author (Freerk) and at least two mirror server of the original text (see: 1.3 How to get this file) appear in all copies of the document.
Basicaly this means that you can do anything with this text as long as you mention my name and a way to obtain this original file. First I wanted to publish this paper under the GNU Free Documentation License (http://www.gnu.org/licenses/fdl.html) but I think the licence is to restrictive and complicated (see also: Why You Shouldn't Use the GNU FDL - http://home.twcny.rr.com/nerode/neroden/fdl.html). So I made up my own one based on the X11 licence (http://www.x.org/Downloads_terms.html).

2. Possible weaknesses

You have to choose to bypass the Internet censorship or not. I only show you how to do it, I can't take any responsibility. In several censor countries you will go to jail if they catch you, in a lot of companies you will get fired and some schools will ban you.
Of course the censors not only block Internet traffic, they are also looking at it (in countries/companies with a little Internet population) and try to find out who is bypassing their firewall how. An easy way to find out who (and how) is bypassing the firewall is by just looking for some identicators in the logfiles:

Right after the Internet connection is established the user is connecting to only one server and remains connected to it all the time he's online.
What a user should do right after he gets an "access denied" message from his censor. (open a special website, go to a chatroom, connect to a special server...)

Try to avoid getting caught this way!
Please note that the proxies on my website are not checked/verified. It could be that a censoring government run those proxies just to check who is accessing which blocked information. Maybe some of them are also maintained by hackers that can examine every piece of information that passes their servers (your credit card information, for example). So carefuly choose the server you connect to and even think twice if you use them to transfer private data.
More infos: http://www.peacefire.org/circumventor/list-of-possible-weaknesses.html
http://peek-a-booty.org/pbhtml/downloads/ResponseToLopwistcic.htm

3. Different kinds of censorship

There are many different ways to censor Internet traffic. Sometimes there are 2 or more combined. Please write me at freerk@gmx.net and let me know which blocking methods are used in your country, which ISP you are you using, and the bypass method you used to bypass it: It would be very useful for other users!
More info: http://en.wikipedia.org/wiki/Censorship_in_cyberspace

3.1 Blocked URL's via the DNS-server

This example is used by some German providers. It is a very cheap and easy censoring method and the same is true for bypassing it. First, I will explain what the Domain Name System is: Every computer on the Internet has an unique address, a little bit like a telephone number. These are 4 numbers from 0 to 255 separated with a dot. For example: 62.141.48.209 is the IP address for www.freerk.com. Because remembering such a number is very difficult, the DNS was invented. This service maps a URL to its IP address. If you type www.freerk.com into your browser, the request is sent to the DNS-server that was automatically given to you by your ISP on dialing into the Internet. A lot of addresses are already cached, so the DNS-server sends the IP address for the URL back to you. If the DNS-server has no cached information on the site requested by you, he asks one of the 13 root servers, which know all addresses. If the DNS-server from your provider is censoring, he just refuse to send you the real IP-address. He sends you nothing or a page from a "sorry" website.
More info: http://en.wikipedia.org/wiki/DNS

3.2 Forced proxy server / transparent proxy

You have to specify a proxy server in your 'Internet Explorer' settings in order to get a connection to the Internet. Sometimes, the ISP is using a transparent proxy. With these you can't see easily if there is a proxy or not. Every request you send to or receive from the Internet is checked at this server and redirected to you (well, or not...).

3.3 Keyword filter

This means that all Internet traffic goes through the servers of the censor, who is scanning the content for 'bad words'. This dynamic filtering is true for most filters in schools, libraries and companies. If the site contains bad words it is blocked. The person who is offering the blocked information could prevent the censoring by "hide" the content inside of images. For the user there is almost no difference, but it is difficult for a computer program to "read" the text inside an image. Also SSL encrypted traffic (a URL starting with https://...) can't be scanned easily. You can test which keywords are blocked on your connection on http://www.zensur.freerk.com/kword/ there you can enter the keyword(s) you want to test an click on "send" when you get the message "You entered [your word here]" in return everything is fine, but if you get an error message you know which words are blocked.

3.4 Blocked ports

Ports are like doors for a special service to a server or PC. They rank from 0 to 65535. The standard ports are from 0 to 1024, these are the well known ports. The official list you can get under http://www.iana.org/assignments/port-numbers and a description on http://en.wikipedia.org/wiki/Port_(computing). If a censor blocks a port, every traffic on this port is dropped, so its useless for you. Most censors blocks the ports 80, 1080, 3128 and 8080, because these are the common proxy ports. Because all of the proxies on common ports are useless for you, you have to find proxies that are listening on an uncommon port. These are very difficult to find.
You can easily test which ports are blocked on your connection. Just open the DOS-prompt, type telnet login.icq.com 80 and hit enter. The number is the port you want to test. If you get some weird symbols in return everything is ok, if it says "timeout" or something similar, that port is blocked by your ISP. Here are the most important ports for us:
20+21 - FTP (file transfer)
22 - SSH (secure remote access)
23 - telnet (remote access) and also Wingates (special kind of proxies)
25 - SMTP (send email)
53 - DNS (resolves an URL to an IP)
80 - HTTP (normal web browsing) and also a proxy
110 - POP3 (receive email)
443 - SSL (secure HTTPS connections)
1080 - Socks proxy
3128 - Squid proxy
8000 - Junkbuster proxy
8080 - a proxy

3.6 Censorware on the server (inside of networks)

These are programs that are mostly installed on servers in schools, libraries, companies or countries with a little Internet population.

3.6.1 Bess/N2H2

Bess is a proxy filter that is often used in schools/universities and companies. It can easily bypassed with Webproxies.
More info: http://www.n2h2.com/products/bess_home.php
http://www.peacefire.org/censorware/BESS/

3.6.2 DansGuardian

It's an Open Source Webfilter. Free for non-commercial use and thus it is widely used in universities, schools and libraries. It works as a Proxy with URL and keyword filtering (and also with the PICS-Standard). It's often used on an IPCop machine, however, the author at DansGuardian doesn't like it.
More Info: http://dansguardian.org/

3.6.3 WebSense

More Info: http://www.websense.com/
http://www.peacefire.org/censorware/WebSENSE/

3.6.4 WebWasher

More Info: http://www.webwasher.com/

3.6.5 SmartFilter

More Info: http://www.securecomputing.com/index.cfm?skey=85
http://www.peacefire.org/censorware/SmartFilter/

3.6.6 squidGuard

More Info: http://www.squidguard.org/

3.6.7 new_new

3.7 Whitelist

Most Internet filters works with a blacklist, which means that access to all sites is allowed, except some special sites (well, sometimes there are a lot of exceptions...). A whitelist works the other way around: Access to all sites is blocked, except some special ones. For a normal ISP it is almost impossible to offer - because the Internet is nearly worthless. The whitelist scheme is used by free Internet terminals that are sponsored by a company which allows users the free access to their e-commerce site. This filter scheme is the most difficult to circumvent.
Some time ago, there was a German ISP who had a completely free 0800-dial in number. Once you dialed in, you only could surf to amazon.de and about 10 more e-commerce sites. But you could also connect to the other customers of the ISP. So somebody with a flatrate connected to both his normal ISP and the 0800-free ISP and set up a proxy. So all the users of the free ISP could use that proxy to connect to other sites.
More info: http://en.wikipedia.org/wiki/White_list

3.8 IP blocking on the routers

4. Different ways to bypass censorship

Since you can't directly access a server that is blocked you have to send the request to a non blocked server which redirects the traffic to the real site you want to visit. There are different types of these "gatekeepers".

4.1 Using a different ISP

Well, it's as easy as it sounds: Just change your Internet Service Provider! For example, only in 'Nordrhein-Westfalen' (a state of Germany) is there a censoring firewall, so you can just subscribe to an ISP outside that state. But normally the censorship counts for all the country. One possibility is to try out an ISP outside the country. That costs a lot, but that way you will have a normal Internet access and won't have to worry about getting around filters. This could be a normal dialup provider in an neighbor country or even better, a 2-way Internet access via satellite like http://www.europeonline.com/, http://www.remoteworkcentral.com/, http://registrierung.tiscali.de/produkte/1400_satellit.php, http://www.gilat.de/, http://www.hns.com/, http://www.vsatnet.com/, http://www.starband.com/, http://www.wildblue.com/, http://www.skycasters.com/, http://www.directduo.com/, http://www.orbitsat.com/, http://www.ottawaonline.com/ and so on, just search with a search engine for '2-way Internet via satellite [your country or neighbor country]' or something like that.

4.2 Using a non censoring DNS-server

Normally, you would automatically would use the DNS-server of your ISP to resolve domain names like www.freerk.com to 62.141.48.209. Internally, only these IP-addresses are used to send/receive data on the Internet. If your DNS-server is censoring, you simply can use another DNS-server. Under Windows, just right-click in your system panel on the 'network' icon and select properties of the TCP/IP-protocol. In Linux you have to edit the '/etc/resolv.conf' file. Use the server that is (virtual) your nearest. If you want to setup your own DNS-server use Bind (http://www.isc.org/products/BIND/). The list of the 13 official root servers is located here: ftp://ftp.rs.internic.net/domain/named.root For redundancy, it would be good to ad the alternative root servers located in Europe from ORSN: ftp://ftp.orsn.org/orsn/orsn.hint.
Non censoring DNS-Servers:
dns2.de.net - 194.246.96.49 (Frankfurt, Germany)
ns1.de.eu.orsn.net - 217.146.139.5 (Hildesheim, Germany)
resolver.netteam.de - 193.155.207.61 (Alfter-Impekoven, Germany)
sunic.sunet.se - 192.36.125.2 (Stockholm, Sweden)
master.ns.dns.be - 193.109.126.140 (Leuven, Belgium)
ns1.lu.eu.orsn.net - 195.206.104.98 (Belvaux, Luxembourg)
merapi.switch.ch - 130.59.211.10 (Zurich, Switzerland)
prades.cesca.es - 192.94.163.152 (Barcelona, Spain)
michael.vatican.va - 212.77.0.2 (Vatican City, Italy)
dns.inria.fr - 193.51.208.13 (Nice, France)
ns0.ja.net - 128.86.1.20 (London, UK)
nic.aix.gr - 195.130.89.210 (Athens, Greece)
ns.ati.tn - 193.95.66.10 (Tunis, Tunisia)
ns1.relcom.ru - 193.125.152.3 (Moscow, Russia)
trantor.umd.edu - 128.8.10.14 (College Park, MD, USA)
ns1.berkeley.edu - 128.32.136.9 (Berkeley, CA, USA)
merle.cira.ca - 64.26.149.98 (Ottawa, Canada)
ns2.dns.br - 200.19.119.99 (Sao Paulo, Brasil)
ns2.gisc.cl - 200.10.237.14 (Santiago, Chile)
ns.uvg.edu.gt - 168.234.68.2 (Guatemala, Guatemala)
ns1.retina.ar - 200.10.202.3 (Buenos Aires, Argentina)
ns.unam.mx - 132.248.253.1 (Mexico City, Mexico)
ns.wide.ad.jp - 203.178.136.63 (Osaka, Japan)
ns.twnic.net - 192.83.166.11 (Taipei, Taiwan)
ns3.dns.net.nz - 203.97.8.250 (Wellington, New Zealand)
box2.aunic.net - 203.202.150.20 (Melbourne, Australia)
It's also possible to act as a manual DNS server by yourself. Just use the ping or traceroute service on a non censoring machine to get the IP of your desired server. Then use the IP instead of the URL in your browser. You will always get an IP, but it won't work every time to access the website via the IP, because a lot of webhosters host up to 500 or more websites on one server with one IP. But it will work fine with bigger websites.
http://195.193.168.164/ - Rotterdam, Netherlands (JAVA VISUALROUTE)
https://www.velia.net/tools/traceroute.php - Hanau, Germany (HTTPS encrypted)
http://www.traceroute.org/ - About 1000 public ping/traceroute gateways sorted by country
More info: http://en.wikipedia.org/wiki/DNS
http://en.wikipedia.org/wiki/Root_nameserver

4.3 Using a non censoring proxy server

You can put a proxy server between your Internet connection and the site you want to visit. You send your request for a special website to that proxy server, which request the page from the Internet and deliver it to you. Normally, those servers cache the requested pages, so that on the next request he can deliver the page directly from the cache. That would be faster and cheaper. We use those servers to bypass censorship. For the eyes/computers of our ISP/Government we are only connecting to the proxy, they can't easily see, that we are connecting to a "bad site". But sometimes the standard proxy ports (80, 1080, 3128 and 8080) are blocked. In that case you have to use the proxies that are listening on an uncommon port.

More info: http://en.wikipedia.org/wiki/Proxy_server

4.3.1 Standard proxy

Standard Proxies can be found everywhere on the net. Almost every provider offer a proxy for their customers. Here are a few, it's in the widely spread "hostname:port" format. These proxies are mostly not anonymous!
pdns.nd-shokusan.co.jp:80
proxy.ia2.marketscore.com:80
proxy.or3.marketscore.com:80
ce420f8a.gw209.dsl.airmail.net:80
www-proxy.HB1.srv.t-online.de:80
gas90.gas.cz:3128
kupl1.ittc.ku.edu:3128
mail.jobclub-ps.de:3128
mail.libreriaregional.com:3128
mail.pegasus-sewing.com.hk:3128
pl1.cs.utk.edu:3128
proxy.telcel.net.ve:3128
vn1.cse.wustl.edu:3128

Planetlab CoDeeN Project (http://codeen.cs.princeton.edu/ - Very fast, you can also use them on port 3127. No POST allowed, so you can only view/download webpages and use simple forms that use the GET method (like search engines) but you can not use bigger forms that use POST (like buy stuff at Amazon)).
planlab1.cs.caltech.edu:3128
planetlab2.cse.msu.edu:3128
planetlab2.cs.purdue.edu:3128
planetlab2.cs.nwu.edu:3128
planetlab1.ucsd.edu:3128
planetlab-1.Stanford.EDU:3128
planetlab1.lcs.mit.edu:3128
planetlab1.eecs.umich.edu:3128
planetlab1.csres.utexas.edu:3128
planetlab1.cs.wayne.edu:3128
planetlab1.cs.Virginia.EDU:3128
planetlab1.cs.umass.edu:3128
planetlab1.cs.uiuc.edu:3128
Planetlab1.CS.UCLA.EDU:3128
planetlab1.cs.ubc.ca:3128
planetlab-1.CS.Princeton.EDU:3128
planetlab1.cs.duke.edu:3128
planetlab1.cs.cornell.edu:3128
planetlab1.cs.arizona.edu:3128
planetlab1.comet.columbia.edu:3128
PLANETLAB-1.CMCL.CS.CMU.EDU:3128
planetlab1.cis.upenn.edu:3128
planetlab-02.bu.edu:3128
planetlab01.cs.washington.edu:3128
planet2.cs.rochester.edu:3128
planet1.scs.cs.nyu.edu:3128
planet1.cs.ucsb.edu:3128
planet1.cc.gt.atl.ga.us:3128
lefthand.eecs.harvard.edu:3128

4.3.2 Uncommon port proxy

Due to the fact that several censors block the common proxy ports (80, 1080, 3128 and 8080) to prevent circumvention you have to use proxies that are listening on a uncommon port. For example 8000 for the Junkbuster proxy or 6588 for the AnalogX proxy. You get a weekly updated list of Proxies that are listening on a non standard port here: http://www.web.freerk.com/proxylist.htm

4.3.3 Socks proxy

More info: http://www.ufasoft.com/socks/
http://proxylabs.netwu.com/

4.3.4 Set up an own proxy server

More info: http://www.gcd.org/sengoku/stone/
http://www.junkbusters.com/ijb.html
http://www.boutell.com/rinetd/

4.3.5 Special proxy / tunnel tools

4.3.5.1 JAP

JAP is an free and open source anonymity tool invented by a German university. It sends your traffic encrypted through different mixes, so that absolutely nobody, not even the owner of on of the mixes know who is accessing which site. This is also on of the best tools to circumvent censorship. Just follow the installation instructions on http://anon.inf.tu-dresden.de/index_en.html or http://www.anon-online.org/index_en.html on installing the Java client (available for Windows, Unix, Linux, OS/2, Macintosh and others). Here is a list of the included servers and on which port they are connecting to:
The InfoService - infoservice.inf.tu-dresden.de:6543

Dresden-Dresden - mix.inf.tu-dresden.de:6544
Dresden-ULD - mix.inf.tu-dresden.de:26544
New York-Berlin-Dresden - class25.scs.cs.nyu.edu:6544
Regensburg-HU/IWI - in: 132.199.134.2:3000 --- out: dali.wiwi.hu-berlin.de [141.20.103.68]

Not working at the moment:
Dresden-Luebeck - xx:9544
Luebeck-Berlin-Dresden - fddi-passat.mesh.de:6544

4.3.5.2 Httport

http://www.htthost.com/

4.3.5.3 Localproxy

http://proxytools.sourceforge.net/

4.3.5.4 HttpTunnel

http://www.http-tunnel.com/
http://www.nocrew.org/software/httptunnel.html
http://www.infoanarchy.org/wiki/wiki.pl?Httptunnel

4.3.5.5 Hopster

Hopster is a commercial tool to circumvent firewalls in schools, companies e.t.c. The free version is only limited to a 4kb/s transfer rate (speed of a 56k modem). Just download the <1 2="" 5="" a="" and="" automatically.="" configure="" connection="" costs="" dollar="" everything="" file="" firewall="" install="" it.="" it="" mb="" month.="" or="" p="" setup="" test="" then="" unlimited="" version="" will="" your=""> More info: http://www.hopster.com/

4.3.6 Wingates

More info: http://www.deerfield.com/products/wingate/
http://en.wikipedia.org/wiki/Wingate

4.3.7 Using a Shell

More info: http://en.wikipedia.org/wiki/Unix_shell
http://www.chiark.greenend.org.uk/~sgtatham/putty/
http://directory.google.com/Top/Computers/Internet/Access_Providers/Unix_Shell_Providers/
http://www.panix.com/shell.html
http://www.shellux.net/

4.4 Using a Web-2-phone service

This are services which you dial into with a normal telephone. Then you request the website you want to visit and the operator/computer voice then reads the content to you.
More info: http://w2p.odem.org/ (a german Satire project. It is not working!)
http://www.internetspeech.com/
http://www.ecommercetimes.com/perl/story/3380.html

4.5 Using a webproxy

Webproxies are CGI-scripts that you access with your browser. The CGI script then opens a different URL (Internetaddress). So your firewall thinks you are only connecting to the server with the CGI-script. The addresses under 4.5.4 are not really meant as proxies. They act as translators, html-checkers or as a web archive. You can use them as a kind of proxy anyway. These webproxies are good instruments for "quick 'n dirty" bypassing. You don't have to configure your browser or anything, but it's kind of slow and won't work with all webpages. Only the proxies that are going over a secure connection can be used for phrase filtering, but the others are perfect for URL/IP filtering. Use them in your school, company or library when you have no privileges to install/change something on the machine. These links points to google.de because the site is very small, useful, always on, and does not contain the ".com" extension of DOS-Files that are filtered by some proxies. If you do have webspace with cgi ability you can download the CGIProxy from James Marshall and install it on that webspace (there is a easy installer which does everything for you: http://install.xav.com/?p=cgiproxy). Or you can install it on your PC at home and access it at work. How to do so you can read here: http://www.peacefire.org/circumventor/simple-circumventor-instructions.html. To find new working proxies search for "nph-proxy.cgi", "nph-proxy.pl", "Start Using CGIProxy", "Start browsing through this CGI-based proxy", "WARNING: Entering non-anonymous area" or something like that with Google, Alltheweb, Wisenut or another search engine.

4.5.1 Standard Webproxies (mostly CGIProxies: http://www.jmarshall.com/tools/cgiproxy/)

4.5.2 Webproxies with encrypted URL's

4.5.3 Webproxies on a secure SSL-connection

4.5.4 Standard CECID proxies (http://cecid.sf.net/)

http://www.zensur.freerk.com/nada/index.php (v0.7)
http://dewijk.csam.nl/csp/cecid-php/cecid.php (v1.0.1, with form, images enabled)
http://willswonders.myip.org:8090/php/cecid.php (v1.0.1, with form, images enabled)
http://rsw-db.no-ip.org/cecid2/cecid.php (v1.0.1, with form, images enabled)
http://web.freerk.com/cecid/cecid.php (v1.0.1, with form, images enabled)
http://www.deck3.de/subdomains/migge/cecid.php (v1.0.1, with form, images enabled)
http://www.giblee.info/omghax/index.php (v1.0.1, with form, images enabled)
http://www.freerk.ath.cx/c/index.php (v1.0.1, with form, images enabled)

4.5.5 CECID proxies on a secure SSL-connection

https://arkadiy.myip.org/cecid/cecid.php (v0.7b)
https://ssl-account.com/zensur.freerk.com/nada/index.php (v0.7b, without images)

4.5.5 Translators, warpers, e.t.c that can be used as a proxy

4.6 Get webpages via eMail

Several years ago when the Internet connections where slow and the "www" was just invented, many people just got a to email restricted access to the Internet. That's the origin of the "Agora" and "www4email" software. Some of these email robots are still available and we can use them to bypass Internet censorship. The best thing would be to subscribe to a free email provider which allows SSL-connections (like https://www.fastmail.fm/, https://www.ziplip.com/, https://www.hushmail.com/, https://www.safe-mail.net/, https://www.mail2world.com/, https://www.webmails.com/ e.t.c) and use that account with the email addresses below. I put the field where you have to input the URL in brackets. It still works great for text. But will be some big problems with images or even DHTML, JavaScript, Java, Flash e.t.c. Also other services besides www are possible, for a very good tutorial on this see ftp://rtfm.mit.edu/pub/usenet/news.answers/internet-services/access-via-email. There is also a web based service under http://www.web2mail.com/. I again used www.web.freerk.com/c/ as an example because the URL is allways accessible and the '.com' in the original Google address is often considered as a .com DOS-file by some computers and censorship systems. The www4mail software (http://www.www4mail.org/) is newer than the Agora software.
A eMail with just "help" in the subject line will get you a tutorial on how to use the service properly.
agora@dna.affrc.go.jp
[BODY] send http://www.web.freerk.com/c/
page@grabpage.org
[SUBJECT] url: http://www.web.freerk.com/c/
info: http://www.grabpage.org/
frames@pagegetter.com
[BODY] http://www.web.freerk.com/c/
info: http://www.pagegetter.com/
web@pagegetter.com
[BODY] http://www.web.freerk.com/c/
info: http://www.pagegetter.com/

webgate@vancouver-webpages.com
[BODY] get http://www.web.freerk.com/c/
info: http://vancouver-webpages.com/webgate/
webgate@vancouver-webpages.com
[BODY] mail http://www.web.freerk.com/c/
info: http://vancouver-webpages.com/webgate/
www4mail@wm.ictp.trieste.it
[BODY] http://www.web.freerk.com/c/
info: http://www.ictp.trieste.it/~www4mail/
www4mail@access.bellanet.org
[BODY] http://www.web.freerk.com/c/
info: http://www.bellanet.org/email.html
www4mail@kabissa.org
[BODY] http://www.web.freerk.com/c/
info: http://www.kabissa.org/members/www4mail/
www4mail@ftp.uni-stuttgart.de
[BODY] http://www.web.freerk.com/c/
www4mail@collaborium.org
[BODY] http://www.web.freerk.com/c/
info: http://www.collaborium.org/~www4mail/
binky@junoaccmail.org
[BODY] url http://www.web.freerk.com/c/
info: http://boas.anthro.mnsu.edu/
iliad@prime.jsc.nasa.gov
[SUBJECT] GET URL
[BODY] url:http://www.web.freerk.com/c/
info: http://prime.jsc.nasa.gov/iliad/
Google Search via eMail:
google@capeclear.com
[Subject] search keywords
info: http://www.capeclear.com/google/
More info: http://www.cix.co.uk/~net-services/mrcool/stats.htm
ftp://rtfm.mit.edu/pub/usenet/news.answers/internet-services/access-via-email

4.7 Using steganography

Hide content inside of images.
More Info: http://en.wikipedia.org/wiki/Steganography

4.7.1 Camera/Shy

Camera/Shy is the only steganographic tool that automatically scans for and delivers decrypted content straight from the Web. It is a stand-alone, Internet Explorer-based browser that leaves no trace on the user's system and has enhanced security.
Camera/Shy is an application that enables stealth communications, such software can be useful in countries where Email communications are regularly monitored and censored, such as happens in China.
More info: http://hacktivismo.com/news/modules.php?name=Content&pa=showpage&pid=12/
http://sourceforge.net/projects/camerashy/

4.8 Using a special proxy like p2p program

There are different projects of peer-2-peer programs to bypass censorship. They work like Napster, Kazaa and eDonkey, which means that you have to download a little tool that contains a server and a client part.

4.8.1 Peek a Booty

The goal of the Peekabooty Project is to create a product that can bypass the nationwide censorship of the World Wide Web practiced by many countries.
Peekabooty uses a complicated communications system to allow users to share information while revealing little about their identity. When a node receives a request for a web page it randomly decides whether to pass this on or access the page itself. It also only knows the address of its nearest partner. This makes it difficult to determine who requested what information and is designed to protect users from anyone trying to infiltrate the system from inside.

More info: http://www.peek-a-booty.org/

4.8.2 Freenet

Freenet is the oldest and most widely spread P2P-program to beat censorship, so a lot of people use it and it has actually worked well for several years. There is no access to the Internet possible through the Freenet client. You can only view/download stuff from the 'free net'. You install the client as a local proxy which is listening on port 8888 and can access links like 'http://localhost:8888/SSK@fjfkHAbxdwMyTMFgtZjcP2ge-AYPAgM/sites/fwhh/index.html' It looks like a kind of normal URL. The 'localhost:8888' addresses the proxy server on port 8888 that is running on your local machine. The rest of the URL is something like an encrypted file name. It is not possible to determine who put some information into the network or who is downloading it.
More info: http://freenetproject.org/
http://www.freenet-china.org/
http://en.wikipedia.org/wiki/Freenet

4.8.3 MojoNation

More info: http://www.mojonation.net/

4.8.4 TriangleBoy

Safeweb, a company that received funding from In-Q-Tel, the CIS's centure fund, released software called "Triangle Boy". The software is a peer-to-peer application that volunteers download onto their PC's. A User that has been denied access to any website by a censor can use the Triangle Boy software to circumvent the censorship. Currently the Triangle Boy software only provides access to the Voice of America, because this service is blocked by the Chinese government.

More info: http://www.safeweb.com/tboy_service.html

4.8.5 Six/Four

More info: http://www.hacktivismo.com/

4.8.6 Entropy

More info: http://entropy.stop1984.com/

4.9 Special Services

Other services than the www.

4.9.1 Usenet

The normal port for newsservers 119 is usually blocked, so you have to access the Usenet via a different port. If you sometimes only want to read some very common newsgroups you can easily visit them via free web-based newsservers like http://groups.google.com/, http://news.spaceports.com/, http://wnews.easyusenet.com/wnews-free.cgi and http://www.news2web.com/. A lot of newsserver companies offer their services on a non standard port. Just ask them before signup. If you need access to a newsserver with your newsclient you have to subscribe to one of these newsserver-companies which allow access to their newsservers on an uncommon port:
http://www.giganews.com/ (news.giganews.com on ports 23 and 80)
http://www.teranews.com/ - (news.teranews.com on ports 23, 25 and 7501)
http://www.easynews.com/ - (proxy.news.easynews.com on 22, 23, 53, 80, 110 and 443, or try their web-based service at members.easynews.com port 81)
http://www.newscene.com/ - (proxy.newscene.com on ports 20, 21, 22, 23, 25, 53, 80, 81, 110, 443 and 8080)
https://www.newsdemon.com/ - (news.newsdemon.com on ports 23, 25, 80, 7000, 8000 and 9000. europe.newsdemon.com and useast.newsdemon.com on ports 443 and 8080. SSL connections at us-secure.newsdemon.com and europe-ssl.newsdemon.com on ports 563, 80 and 81)
http://www.supernews.com/ - (news.supernews.com on any port you like)
http://www.octanews.com/ - (news.octanews.com on any port you like)
http://www.readfreenews.com/ - (news.readfreenews.net and allnews.readfreenews.net at port 80 and 120
Note: Unless SSL is used, all traffic is unencrypted, so you can access these newsservers, but the censors can easily monitor all your traffic! It would be more secure to use a SSH port forwarding.

More info: http://en.wikipedia.org/wiki/Usenet

4.9.2 Games

4.9.3 FTP

More info: http://en.wikipedia.org/wiki/FTP
http://inebria.com/phpftp/
http://www.angehrn.com/index.php?cat=28
http://www2ftp.de/
http://webftp.host.sk/

4.9.4 Instant Messenger

Instant Messengers are very popular. You have to register your nickname at one of the companies and download their software. Then when you are on the Internet you can start the software and log onto their servers. You are then marked as "online" and all your friends who know your nickname and have the same Instant Messenger client can see that you are online and easily chat with you. Everyone of the 4 big IM players has its own software client which contain advertisement, spyware and none is compatible with the other IM protocols. I recommend you to download Miranda, which is a open source Instant Messenger which is very small, without ads or spyware and working without installation. It works great with every IM protocol, even at the same time. http://miranda-im.org/
More info: http://en.wikipedia.org/wiki/Instant_messenger
http://www.infoanarchy.org/wiki/wiki.pl?Instant_Messenger
http://nscsysop.hypermart.net/no_chat.html

4.9.4.1 ICQ

Users: 7 million
Login server: login.icq.com or login.oscar.aol.com
Used ports: tcp at any port you choose in the settings (default is 5190)
Used protocol: Oscar
Supports proxy: http, https, socks 4 and socks 5
Online version: http://go.icq.com/ (connects to iht-d01.icq.com at any port you choose, default is 80) or http://www.odigo.org/features/express.html (The Odigo client online, supports all 4 services)
More info: http://en.wikipedia.org/wiki/ICQ
http://www.rejetto.com/icq/

4.9.4.2 MSN Messenger

Users: 23 million
Login server: messenger.hotmail.com
Used ports: tcp at 1863 which you can not change, but if connection failes, MSN tries port 80. (voice/video/webcam is tcp 13324 and 13325, application sharing/whiteboard is tcp 1503 and file transfer tcp 6891)
Used protocol: .NET Messenger Service
Supports proxy: http, socks 4 and socks 5
Online version: none official, but several unofficial. Be careful to give them your password! http://www.odigo.org/features/express.html (The Odigo client online, supports all 4 services), http://messenger.lycos.co.uk/messenger/ (Lycos Messenger, works also with Yahoo) and maybe you can try http://www.mister-i.com/i-mode/messenger.jsp (i-mode, after 3 days it costs $) or http://kickme.to/msnmessenger2go (he's still working on it).
More info: http://en.wikipedia.org/wiki/.NET_Messenger_Service

4.9.4.3 AIM

Users: 60 million
Login server: login.oscar.aol.com, toc.oscar.aol.com and login.icq.com
Used ports: tcp at any port you choose in the settings (default is 5190), for the IM images the software uses port 4443 (?)
Used protocol: Oscar
Supports proxy: http, https, socks 4 and socks 5
Online Version: http://toc.oscar.aol.com/ (The old QuickBuddy, port 80) and http://toc.oscar.aol.com/aimexpress/index.html (the newer AIM Express, port 80) or http://www.odigo.org/features/express.html (The Odigo client online, supports all 4 services)
More info: http://en.wikipedia.org/wiki/AOL_Instant_Messenger

4.9.4.6 Yahoo Messenger

Users: 20 million
Login server: cs.yahoo.com or cs.yahoo.co.jp (maybe different)
Used ports: tcp 5050 and 80 for file transfer, which can be changed in the settings
Used protocol:
Supports proxy: http, socks 4 and socks 5
Online Version: http://messenger.yahoo.com/ (The official Web Messenger) or http://messenger.lycos.co.uk/messenger/ (Lycos Messenger, which also supports MSN) or http://www.odigo.org/features/express.html (The Odigo client online, supports all 4 services)
More info: http://en.wikipedia.org/wiki/Yahoo!_Messenger

4.9.5 Filesharing (Peer-to-Peer) Programs

Gnutella (decentralized) - BearShare, Gnucleus, LimeWire, new Morpheus, Shareaza - More info: http://en.wikipedia.org/wiki/Gnutella
FastTrack (commercial, with Server) - KaZaA, KaZaA Lite, Grokster, old Morpheus, iMesh - More info: http://en.wikipedia.org/wiki/FastTrack
eDonkey (lots of servers, uses mainly port 4662) - eDonkey2000, Overnet, eMule, mlDonkey - More info: http://en.wikipedia.org/wiki/EDonkey
Napster (lots of servers) - OpenNap, Napigator, FileNavigatior, WinMX - More info: http://en.wikipedia.org/wiki/Napster
Other networks - Audiogalaxy, BitTorrent, Hotwire, Direct Connect, Evernet, SoulSeek
More info: http://en.wikipedia.org/wiki/Peer-to-peer

5. How to publish information

It is one think is to access information that is already censored, but another challenge is to publish one's own information that can't easily be censored. Here you can see my ideas on how to avoid censorship:

Publish with a lot of mirrors. Especially dynamic IP's with a dyndns.org redirector are useful. Put your pages on so many different servers that the censor's can't successfully block all servers.
Fax Polling. You can either use a service on the Internet or provide that service on your own computer with a fax modem.
Use one-time-addresses. These are links/URLs that are only valid for 1 visit or 1 hour, they are often used for paid downloads.
Hide the 'dangerous' content. For example, save text as images. The users won't notice it, but its difficult for the censor-spiders to 'read' the content.
Host with a secure server in another country. For example, with http://www.havenco.com/ which is located at Sealand, an independent country on a little island in the north sea near England.
Encrypt the content. Use .htaccess and/or SSL for your website and AES, Twofish or Rijndael for files.
Offer your data in P2P-Programs. Filesharing programs like Kazaa or eDonkey are very difficult to censor (see the problems of the music companies...)
Send content via eMail. Create a autoresponder from which everyone with a hotmail account can receive your content.
Martus. It's an encrypted bulletin service to post and view information. See: http://www.martus.org/

More info: http://www.wired.com/news/technology/0,1282,5778,00.html

6. Appendix

6.1 Links

6.1.1 Other bypass tutorials

http://galileo.spaceports.com/~simeon/censorship-evasion.html
http://www.angelfire.com/my/6waynes/
http://www.ijs.co.nz/proxies.htm
http://sethf.com/anticensorware/
http://www.flurnet.org/archive/papers/ProxyBypass.pdf
http://neworder.box.sk/newsread.php?newsid=8650

6.1.2 Other sites about Internet censorship

http://cyber.law.harvard.edu/filtering/
http://www.opennetinitiative.net/oni/ice/
http://peacefire.org/circumventor/
http://www.free-market.net/directorybytopic/censorship/
http://www.stop1984.info/
http://en.wikipedia.org/wiki/Internet_censorship_in_China
http://www.cmis.csiro.au/projects+sectors/blocking.pdf
http://www.topology.org/net/censor.html
Mailinglist: http://lists.efa.org.au/mailman/listinfo/stop-censorship - (Discussions about censorship in Australia, English)
Mailinglist: http://www.freelists.org/webpage/nocensorship - (How to beat censorship and proxies. Very good!)
http://www.vicnet.net.au/community/issues/censorship/
http://ch.dmoz.org/Society/Issues/Human_Rights_and_Liberties/Free_Speech/The_Censorship_Debate/Internet_Censorship/
http://ch.dmoz.org/Computers/Software/Internet/Servers/Proxy/Filtering/Getting_Around_Filters/
http://ch.dmoz.org/Computers/Software/Internet/Servers/Proxy/Filtering/Censorware/
http://ch.dmoz.org/Computers/Software/Internet/Clients/Filtering/
http://ch.dmoz.org/Reference/Libraries/Library_and_Information_Science/Intellectual_Freedom/Filtering_Software/

6.1.3 Where to get proxies

http://tools.rosinstrument.com/proxy/
http://www.samair.ru/proxy/
http://www.atomintersoft.com/products/alive-proxy/proxy-list/
http://www.steganos.com/software/anonproxylist.sia
http://www.web.freerk.com/proxylist.htm (updated weekly, uncommon port proxies)
Via autoresponder from proxylist.htm@web.freerk.com
http://www.proxyblind.org/phpBB2/ (Very good!)
http://www.samair.ru/f/ (Very good!)

TO-DO-LIST (I could use some help on this...):

Voice-over-IP
VPN
Bildung von Untergrund-(Inter)Netzen in Deutschland (GAMEnet etc.) http://www.personaltelco.net/ WLAN
dIRC (ChaosComputerCongress 1997) und Abwandlungen
http://www.guardianet.net/
http://www.w3.org/PICS/
http://www.peacefire.org/bypass/Proxy/akamai.html
ssh as a redirection server
rinetd as a redirection server
junkbuster
http-gw
VPNs
stone as both a redirector and a proxy
running a Perl proxy
often used non standard ports: 20, 21, 22, 23, 24, 25, 81, 82, 83, 84, 443, 1979, 1128, 2000, 5000, 6000,
6588, , 7070, 7531, 7532, 7533, 8000, 8001, 8002, 8003, 8040, 8081, 8082, 8084, 8090, 8888, 8965, 9080, 9081, 10001, 10080, 22788, 39999
web.de answering machine ++49-(0)1212-552489659
softhome.net: free email with smtp server mail.softhome.net:2500 and mail.softhome.net:25000
http://www.stunnel.org/ - http://www.infoanarchy.org/wiki/wiki.pl?Stunnel
url hiding with ascii, hex, oktal e.t.c codes.
http://www.lexikon-online.info/q/Internetzensur
Webproxies by the IBB (Voice of America and Radio Farda)
For people in Iran (please read http://www.opennetinitiative.net/advisories/001/): http://www.azadsho.com/ - http://www.azadro.com/ - http://www.azadegi.com/ - http://www.jaamjam.com/ - http://www.zendegan.com/ - http://www.sedayema.com/ - http://www.bazeshkon.com/ - http://www.barandaz.com
For people in China: http://www.wanshiruyi.com/
MSN - messenger.hotmail.com:1863 afterwards port 80 (gateway.messenger.hotmail.com, login.gateway.hotmail.com, msgr.hotmail.com?)
www.e-messenger.net - qmsn2.qartis.com
Yahoo! - cs.yahoo.com:505 or cs.yahoo.com:5050 (msg.edit.yahoo.com, http.pager.yahoo.com, messenger.yahoo.com, scs.yahoo.com?) port 80
ftp server that show the user IP in the welcome message (test for anonymity): ftp.rz.uni-wuerzburg.de, ftp.gui.uva.es, sunsite.tus.ac.jp, ftp.matrix.com.br, ftp.cis.ohio-state.edu, ftp.gnupilgrims.org, ftp.stardiv.de
mail: www.neurozen.com/popart - www.friendscircle.net/pop - www.mail-inspector.de -
hotmail: www.hailware.com/code/dev
gmail: http://www.theplaceforitall.com/gmail-lite/ - gmail-lite.sf.net
servers that listen on any port (test it with telnet server.com PORT ): login.icq.com, news.supernews.com, login.oscar.aol.com
final dot after domains like described in: http://en.wikipedia.org/wiki/Root_nameserver
http://www.gray-world.net/
http://webmessenger.msn.com/
http://www.offbyone.com/ob1_download.htm [complete Webbrowser in 1,2MB]
http://www.466453.com
http://www.netcubicle.com/
http://board.planetpeer.de/index.php

from http://zensur.freerk.com/, http://www.zensur.freerk.com/
-----

How to Bypass Most Firewall Restrictions and Access the Internet Privately

Introduction

More and more employers and universities are becoming aware of the amount of time their employees or students are spending using the Internet for personal reasons. Obviously employers want to discourage this behavior and may implement a number of different ways to do so. These can include;

Restricting people from installing programs on their workstation. This usually won't stop someone from accessing websites, but it may keep people from playing games or using instant messaging software.
Using a firewall or proxy server to restrict access to websites or other Internet protocols. All your Internet communication passes through your network's firewall, so it's a great place to monitor and restrict access. How complex or restrictive it is largely depends how tech savvy your IT department is.
Using a network monitoring system to "spy" on Internet access. This is a form of firewall monitoring, where your employer can intercept and read/save anything flowing through their firewall. Your IT department may call this an Intrusion Detection System, which is primarily used to monitor for attempted hacker attacks or viruses.
Installing programs on workstations that monitor Internet access. This is probably the toughest thing to get around because there are so many different vendors that offer this type of software. In addition, there is software that simply records every keystroke you press. In most cases, there's no way around this other than disabling the software.

This guide discusses a way an employee or student can securely access the Internet while at work or school, and also get around some common firewall restrictions that prevent you from using most networked programs. My definition of "securely" means that there should be no mean by which your employer can know which websites you have visited or are currently visiting, and can not view or decipher the content of those sites (without actually standing over your shoulder.)

Keep in mind that the method I discuss here will protected you from NETWORK monitoring, not actual computer or keystroke monitoring. So if your IT department has some security software installed on your PC, you probably shouldn't even be looking at this page.

In addition to protecting you from network monitoring, this method can be used to get around a number of other security protections that may be in place;

Your employer or school allows access to most of the Internet but blocks certain websites that they consider non-work related. Using this method you can access them.
Your employer or school blocks you from chatting at work using AIM or ICQ or similar instant messaging programs. Follow my instructions and you may be able to get around the firewall and chat at work.
You want to access your employer or school's Intranet from home. Setup the shunnel in the reverse order as I describe, with the SSH server on your work computer, and Putty at home. You'll may be able to access Intranet websites from home just like you were sitting at your work computer.

This is version 2 of the Surf At Work guide. This version details how to encrypt your network traffic using an SSH tunnel with Dynamic Forwarding. Version 1 of the guide was similar, but in addition to SSH used an Apache HTTP Proxy server. The addition of Dynamic Forwarding in Putty removed the need for an external proxy server, assuming your applications can use a SOCKS proxy instead of an HTTP proxy. The old version is still available here for reference.

Using this method will actually allow you to do more than just surf the web privately. You can bypass a firewall and encrypt the network traffic of any program that can use SOCKS proxy. This includes most instant messaging software like AIM, Yahoo!, MSN, IRC, mIRC and others.

As MySpace.com is now so popular, many schools now comletely block MySpace to keep kids from socialzing online and to sidestep any controversy. Since MySpace is just a website like any other, this method should let you access MySpace freely around most firewalls.

Overview

The objective is to encrypt your network traffic so it can not be read as it passes through over employer or school's network. To do this, we will;

Run an SSH server on your computer at home.
Use an SSH client on your computer at work to create a secure tunnel between your home and work computers.
Enable Dynamic Forwarding in the SSH client to simulate a SOCKS Proxy.
Configure Internet Explorer to use a SOCKS Proxy for network traffic instead of connecting directly.

After this is all setup, the process for browsing a website will be as follows. Internet Explorer at work connects to the SSH client running on your computer at work. The SSH client connects to the SSH server running on your computer at home. Internet Exlorer will make requests for websites using the SOCKS protocol, which SSH will intercept and handle for you. Thus, the SSH server talks to the website and returns the web page to the SSH client. The SSH client returns the web page to Internet Explorer.

In essence, you are tricking Internet Explorer into thinking you have a proxy server running on your local machine, when in fact the proxy is running on your computer at home. Since all communication over your work network takes place through SSH, it can not be read. The SSH traffic CAN be seen or detected, but it will look like a garbled mess of letters and numbers. Other than being a little slower than usual, you shouldn't notice any difference when surfing the web when using the secure method.

Some people that are familiar with SSH and may be asking, "How can Internet Explorer talk to SSH?". Well, SSH has a great little function called Connection Forwarding. You setup SSH to accept TCP connections on a port and forward them to a port on another computer. SSH takes ALL the network traffic on that port, wraps it in a secure package, and forwards it somewhere else. I refer to this as a "shunnel"; a secure tunnel.

The other trick to this setup is the Dynamic Port Forwarding. Newer versions of SSH can emulate a SOCKS proxy server. A SOCKS Proxy server is a server that acts like a "middleman." It accepts requests from a client, and connects to the target server on your behalf. Take a look at these links on Webopedia for a little more information; SOCKS Proxy

Shunnel Graphic

Audience

This guide is written for a moderately skilled computer user. You MUST know how to install programs on your computer, how to navigate file systems, and how to edit configuration files. A knowledge of "how the Internet works", like TCP, sockets, ports, HTTP, and other network protocols would be extremely helpful.

Prerequisites

To use this method, you need the following;

A decent computer at home that you can leave connected to the Internet all day while you're at work.
A fast Internet connection at home; usually cable or DSL. (Technically, this can work with a dialup modem connection, but it may cause problems and it's really slow.)
Microsoft Windows NT, 2000, or XP installed on your computer at home and any flavor of Windows on your computer at work. You may be able to get this to work with 95, 98, or ME, but I can't say for sure. You definitely can get this to work with Linux or Unix. I don't know about Macintosh.

Alternatively, if you don't meet the prereqs or don't want to leave your computer on all day, you can try HTTP-Tunnel, a commerical alternative that lets you do everything here and more.

When won't this work?

Please notice the title of this page starts "How To Bypass Most Firewall Restrictions... I say most because the method I describe here will not work for everyone, even if you meet the pre-requisites above. If any of the following are true for you, you probably can't use this method successfully;

You can not access any external Internet websites; only internal websites or none at all.
You can access a few specific Internet websites, but no others at all.

If either of the 2 lines above apply to you, your network administrator is working hard because they are using a "pessimistic" blocking strategy. In other words, they have decided to block everything, and probably only allow specific access. The problem with that strategy however, is that it requires much more work and maintenance than using an "optimistic" strategy, in which they allow access to everything and block only certain "things".

The method I describe on this page will not work with a pessimistic blocking strategy because it depends on being able to access your home computer from work. 9 times of 10, if you can't get to www.amazon.com, you won't be able to your home computer either. If for some reason you CAN access your home computer, then great.. proceed If not, you may want to talk to your network administrator. Ask him if they would punch a hole in the firewall so you can SSH to your computer at home. Or come up with some excuse to get access to 1 port on your home computer, then run the SSH server on that port.

Or... maybe you ARE the network administrator and are just curious about how this works. :)

Addresses

Before we start installing and configuring software, you need to find out the following things;

Your home IP Address
Your work/school external IP Address

The easiest way to get your IP Addresses is to go to www.whatismyip.com at home and at work. Write down the numbers.

Software

We're going to be using 2 fairly simple pieces of software; an SSH Server and an SSH Client.

There are a few flavors of SSH Server's out there, but we're going to be using OpenSSH because it's free. The website for OpenSSH is http://www.openssh.com . But wait! OpenSSH doesn't run on Windows unfortunately... But there is a site that converted OpenSSH to run on Windows, which is what we want! http://sshwindows.sourceforge.net/ .

Download OpenSSH for Windows from http://sshwindows.sourceforge.net . The version I wrote this document using was 3.7.1p1-1. The latest version should work for you, plus it will have less security holes.

For the SSH Client I recommend using Putty. Putty is a small single executable SSH client with the ability to setup a tunnel. The newer version also support Dynamic Forwarding, which is essential. It's possible to use OpenSSH as your client as well as your server, but Putty is much easier to setup and use. Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html .

Install the SSH Server

The OpenSSH installer comes in a zip file. Unzip the file, then run setupssh.exe. Choose to install both the Client and the Server. It will ask you to install into C:\Program Files\OpenSSH. If you choose to install into a different location, that fine, but be aware I will use the above path in this document.

Configure Windows

OpenSSH for Windows uses Windows' user database for login authentication. That mean you must have a User name and Password setup to login to your home computer. If you don't, you have 2 choices. 1, set a password on your Windows account, or 2, create a new local account that you will use to login from SSH. I know a lot of people out there don't use logins or passwords on their home computer, but if you're using NT, 2000, or XP, the functionality is there, even if you don't use it.

There are many different flavors of Windows, with different methods of creating a local user. There's no way I can cover all of them, but here are a few examples;

To create a new account on your home machine (Windows XP):

Start Menu, open Control Panel, then User Accounts.
Click Advanced tab, then the Advanced button.
Highlight Users, then click Actions, then New User.
Enter a User name, and a Password twice. I recommend you use a User name and Password that is different than anything you have ever used at work. Obviously, your employer probably knows your password, so there's no security if you use the same password at home.
Deselect User must change password at next logon.
Check Password never expires.
Click Create.
Close the Windows, close Control Panel.

You should now have a new local Windows user on your home machine. Remember the Login name and password for later.

Configure the SSH Server

We want to configure your SSH server to allow access using User name and Passwords, and to listen on port 443 instead of port 22.

Why port 443 instead of port 22? In most cases your employer will block almost all outgoing network ports except for port 80 and port 443, which are the 2 ports that webservers run on. I used to tell people to run SSH on port 80 because that's the standard webserver port, but now I recommend you run it on 443. Port 443 is used for encrypted websites, which is what your shunnel traffic will look like as it passes through the firewall. If you have trouble on port 443, try it on port 80 instead. If neither work, you're probably out of luck.

Open Windows Explorer, navigate to C:\Program Files\OpenSSH\etc. Open the file sshd_config using Wordpad. (That's sshd_config not ssh_config!)

Change the line

#Port 22

to

Port 443

Save the file.

Now open a command prompt. Change to C:\Program Files\OpenSSH\bin. We are going to create a user and group database from your Windows user database. Type the following;

mkgroup -l > ..\etc\group

Then

mkpasswd -l > ..\etc\passwd

These 2 commands will create group and password files at C:\Program File\OpenSSH\etc

Start/Stoping the SSH Server

On your home computer, open a command prompt. To start your SSH server, type the following:

net start opensshd

To stop your SSH server, type the following:

net stop opensshd

To make it easy, you can create a .bat file that will this command. If you make a shortcut to the .bat file in your Windows Startup program group, then when you turn on your home computer in the morning, the servers will startup automatically, and be ready for you when you get to work.

If you have a wired or wireless router at home (Linksys, D-Link, Netgear, etc)

Some routers call it port forwarding and others call it virtual servers, but the setup is very similar no matter what brand you use. You will need to configure your router to route port 443 to the computer where you're running the SSH server. I not going to go into details, but there is usually a browser based interface directly to the router, which will have a page to setup virtual servers. Configure it to forward port 443 to your SSH server computer, port 443.

Setup Putty at Work/School

Copy putty.exe to somewhere on your hard drive at work. c:\ will do fine, or anywhere else you want. Your desktop is convenient but kind of obvious. If you don't have permissions to write files to your hard drive, just copy putty.exe and shunnel.bat to a floppy disk or burn them onto a CD. Take the disk to work and run Putty from the appropriate drive.

Open Notepad and copy the following into it, change the bold part where necessary;

putty -D 8080 -P 443 -ssh homeIP

homeIP should be the IP address of your home machine that you wrote down in the Addresses section above.

Save the file as shunnel.bat in the same directory that you saved putty.exe.

Note for advanced users: If your computer at work is already configured to use a proxy server, you need to configure Putty a little differently, but this may still work.

Open Putty in graphical mode, input your connection setting, and also copy the proxy settings from Internet Explorer to Putty's proxy configuration screen. Putty should now create a secure tunnel through the proxy at work to your computer at home... pretty neat trick.

Create your tunnel

At work, simply double click shunnel.bat to initiate the shunnel. A Putty window will popup asking for a login name and password. Type the user name and password you created above on the Windows account. If it works, you will be presented with a DOS prompt waiting for a command. This is actually a command prompt to your HOME machine. You can use it if you want, but as long as this command prompt is open, your tunnel is alive. To close the tunnel, type exit or close the window.

For Advanced Users

If you are very familiar with SSH and know what you are doing, you can set this up so you don't have to enter a password each time you create the shunnel. You have to install OpenSSH as your SSH client and then setup key based authentication by creating a public and private key on your work computer. Install the public key on the SSH server on your home computer. Thanks to Robert W. for this suggestion. I may go into more detail on how do set this up in the future.

Configure Internet Explorer

Now we have to configure Internet Explorer at work to use a SOCKS proxy server.

First, at school/work, go to http://www.whatismyip.com . Write down the number. This is your IP address WITHOUT your shunnel enabled.

In Internet Explorer;

Open the Tools menu, then click Internet Options.
Click the Connections tab, then click LAN Settings.
Check "Use a proxy server ...", then click the Advanced button.
If "Use the same proxy for all protocols" is checked, uncheck it.
Delete anything from the "Proxy address to use" and "Port" boxes.
On the Socks line, enter "127.0.0.1" for the address, and "8080" for the Port.
Click OK a couple times, then close Internet Explorer and restart it.

First go to http://www.whatismyip.com again. If everything worked correctly, the page should have changed to show your HOME IP address, NOT your work IP address. If it shows your home IP Address, congratulation, your surfing the web securely and privately from work.

If your intent is to access MySpace, and MySpace was blocked before, try it now.

Configuring other applications to use the private connection

Most applications that access the Internet can be configure to use the shunnel. For it to work, they have to support a SOCKS 4 or SOCKS 5 proxy connection. Instant messaging programs like AIM, ICQ, Yahoo IM, and mIRC all support this.

Setup is different for all application, but the settings will be the same. You want to configure the application to use a SOCKS 4 or SOCKS 5 proxy server, Host should be 127.0.0.1, and Port should be 8080.

Protect yourself from someone looking over your shoulder

Here's a great application that fits in perfectly with the theme of this page. It's called Ghostzilla. The idea is that you want to surf the web, but have it look like you are doing normal work to people walking by your computer. Ghostzilla is a browser that hides itself in your normal work applications, like Excel, or Word, or Visual Studio... anything. With a swish of the mouse, Ghostzilla pops up and you can surf the web. If you see someone coming, simply move the mouse away, and it disappears, leaving no trace. Plus, you can easily configure it to use the shunnel as described here, for total privacy!

A Simpler Solution

Buzzsurf has teamed up with HTTP-Tunnel Corp to encourage users to try the HTTP-Tunnel Client as a simplier alterntive to the procedure described here. Using HTTP-Tunnel , you don't need a computer at home to leave turned on all day. And you don't need to know how to install SSH or Putty. All the network communication is encrypted and sent over standard webserver ports, just like I describe, so it offers just as much protection without the hassle. Try it for free at HTTP-Tunnel.com.

from https://2600index.info/Links/24/4/www.buzzsurf.com/surfatwork/index.html
-----

相关帖子：https://briteming.blogspot.com/2012/03/punching-holes-into-firewalls.html

Total Pageviews