[HN Gopher] Tor is a great sysadmin tool (2020)

Author : azalemeth
Score  : 268 points
Date   : 2021-08-31 17:07 UTC (5 hours ago)
Link   : www.jamieweb.net

swiley wrote:
| I loved TOR when I was a broke student without enough money to have one or two always-on machines with public IPs I could reverse proxy to.

rinron wrote:
| One very important thing not mentioned is that the tor exit node could be capturing your traffic or doing a MITM attack. It's a great idea for testing, but only after you have encryption working, and of course pay special attention to your ssh fingerprints.

fswwi wrote:
| Cloudflare is mitm, btw.

boring_twenties wrote:
| Hidden services are not accessed through exit nodes. Relay nodes cannot capture your traffic or perform MITM attacks.

segfaultbuserr wrote:
| If the endpoint is in your control and you'd like to experiment with Tor, you can configure your server as an Onion Service, so you are protected by Tor's own end-to-end encryption (whose traffic cannot be captured by MITM since the hostnames themselves are the public keys). For non-anonymous uses, you should activate the "Single Service Onion" mode, so the 6-hop (extra 3-hop for server anonymity) is skipped, allowing standard 3-hop latency and performance. It also saves bandwidth for exit nodes - all non-exit relays can forward Onion traffic.

slacka wrote:
| Tor is also useful to verify that country-specific customizations on your website are working. I regularly used Tor on reports of issues with default language or currency. It's just a quick toggle of a setting in "torrc" to limit your exit node to a specific country code.

lambdaba wrote:
| ngrok.com allows some of these, at full (or at least, much better speed, haven't benchmarked), and is mostly free (paid plan required for custom subdomains).
| Sharing this for those still unaware of it, it's a great service.

anaganisk wrote:
| Or better yet, use cloudflare tunnels and set up an actual permanent tunnel with custom subdomain support. If you want it to be a temporary one, it supports that too. For FREE.

Shank wrote:
| Is that part of Cloudflare Teams? No offense to Cloudflare, but their pricing is really unclear. I have an account and I use them for a lot, but they have 3 different "plans" and then they have various ad-hoc products. Tunnel just says "view in dashboard." [0] If I click on that link while logged in, I'm taken to my dashboard with no indication of how to use Tunnel or anything. The plans page [1] indicates that it's part of argo smart routing. If I click on "activate argo" it actually does the exact same thing as the teams "view in dashboard" button -- it redirects me to the dashboard and has no indication of being activated or anything. Really frustrating.
|
| [0]: https://www.cloudflare.com/products/tunnel/
|
| [1]: https://www.cloudflare.com/plans/

PaywallBuster wrote:
| It's confusing for me too.
|
| The product page says it requires a paid Argo (smart routing) subscription: https://www.cloudflare.com/en-gb/products/tunnel/
|
| The blog page says it's free: https://blog.cloudflare.com/tunnel-for-everyone/
|
| And actually you can install and run it quite easily:
|
|     brew install cloudflare/cloudflare/cloudflared
|     cloudflared login
|     cloudflared tunnel
|
| This will launch a tunnel with a random subdomain listening to http://localhost:8080.

pigeonhole123 wrote:
| It became free recently, so they've probably just forgotten to update their documentation, which seems to be a pattern with CF.

RIMR wrote:
| I used to have Nessus installed on a NUC that I would just drop into a customer's network closet for a weekend, and monitor remotely.
|
| I hosted the Nessus UI as a Tor Hidden Service, and it worked great.
| We just cycled the key every quarter for added security, and so that ex-employees wouldn't know where to find it.

unsignedint wrote:
| Back when I was managing systems in a small company, I had a couple of systems on hidden services with auth cookies. When port forwarding failed or I otherwise had problems accessing them, it provided a decent plan B for getting things back online.

skadamat wrote:
| Smells a bit like a Wireguard use case!

RIMR wrote:
| Wireguard is a great technology, and if latency and file transfers are important you should use it, but a Tor hidden service is way easier to set up, and way more reliable.

azalemeth wrote:
| In many ways I think this blog post really makes quite compelling arguments and honestly opened my eyes a bit.
|
| One (perhaps mad) idea for more secure access to a machine deep behind many levels of NAT where you, the sysadmin, have lawful access but are fed up with having to have a 12 KB ~/.ssh/config file in order to access it because of your university's overbearing IT department^W^W^W^W network topology, would be to "just" run an onionsite with onion services authentication [1], preventing it being publicly accessed without the pre-shared key. If your onion service just redirects to ssh (presumably with certificate-only auth) I can't help but think that this is _almost_ an example of security by obscurity done right.
|
| [1] https://support.torproject.org/en-US/onionservices/client-au...

KingMachiavelli wrote:
| For that use case why not just use Wireguard?

[deleted]

alisonkisk wrote:
| Wireguard is not the same as ZeroTier.

nine_k wrote:
| If your hard-to-reach server can connect to the internet (via a bunch of NATs and whatnot), you can just make it access your box of choice by e.g. Wireguard, or plain SSH with port-forwarding, or attach it as a node to your ZeroTier private network.
|
| You only need a bunch of jump hosts if your target server has no Internet connectivity, and should not, in which case all these levels of bastions do make sense.

azalemeth wrote:
| That requires having another publicly accessible box, or trusting ZeroTier though, doesn't it? The onion approach does not.

lacrosse_tannin wrote:
| You _could_ use your other device (the one you're connecting from) as the controller. Whomst amongst us doesn't have a 3rd machine or VPS?

a1369209993 wrote:
| Your other device doesn't have a public IP address either.

novok wrote:
| ZeroTier, Tailscale and such are OSS and have been independently security & crypto audited. I don't know if tailscale has been audited, but since they are a more popular tool I bet they probably are too. They're actually really good tools and would probably be more reliable than tor tbh, I would recommend looking into them.

Nullabillity wrote:
| > ZeroTier, Tailscale and such are OSS and have been independently security & crypto audited.
|
| Both rely on their centralized coordinator servers which can mess with your routes (and thus your traffic) however they please.
|
| ZeroTier has a published (but not OSS) coordinator, but their documentation pushes you towards their SaaS. Tailscale's coordinator is SaaS-only, unless something has changed very recently.

lacrosse_tannin wrote:
| ZeroTier ad-hoc networks are controllerless, though IPv6 only.
|
| The client can be set to not allow routes/addresses from a controller.
|
| The client and controller are licensed BSL.

nine_k wrote:
| Does this require addresses of nodes to be globally routable? (With such addresses you can as well connect directly.)

nine_k wrote:
| This is fair.
|
| Their client node software is audited though, and the contents of your packets are not accessible to the router. This is why the amount of the possible meddling is limited to a DoS, AFAICT.
|
| Who audits the Tor nodes that do onion routing is anyone's guess; I suppose ZeroTier is no worse than them.

krtyiktj wrote:
| At our lab the tor traffic would be noticed by the cyber security group's IDS and all traffic from your host would start dropping at the border so fast your head would spin. You'd get an unpleasant phone call or visit to your office and be warned never to try side-stepping the bastion ssh hosts that log all the things ever again.

derefr wrote:
| Obviously, you should plan around this by gathering all the MAC addresses of every machine in the office, and then have your machine spoof through them in rotation. /s

sillysaurusx wrote:
| It makes me sad every time I think about it, but Aaron Swartz did this during his saga. Well, sort of: he incremented the MAC address by 1.
|
| Point being, it's not foolproof. If some clever undergrad is thinking about dodging the suits, win by fooling them, not by fighting them.
|
| If you do insist on fighting, though, start at https://www.whonix.org/wiki/Mental_Model and then read the entire Whonix wiki https://www.whonix.org/wiki/Documentation. It's what I used when I was serious about dodging the cartels, and that knowledge will protect you as much as anything will.
|
| (You'll hopefully conclude that the protection is too brittle to risk your life, as I did.)

nqzero wrote:
| Building a new computer. Want to be able to trust it 100% for at least a moment. I can't figure out how to "buy" a trusted copy of any linux and don't have any machines I have 100% trust in (who does), so can't burn it. Current plan is to buy a chromebook solely for the purpose of downloading and burning ubuntu.
| Alternatively, buy MSWindows, install on the new machine, burn, and then replace.
|
| But this mental exercise has convinced me that security is almost impossible in this day and age.

sillysaurusx wrote:
| One thing that helps a lot in this situation is to plan based on threat model. There's no such thing as 100% trust, but you can have a computer which is safe for e.g. <thing>. It's pretty crucial to pick one or two specific <thing>s and focus only on those.
|
| If you just want to browse the darknet and see what the markets are like, for example, Tor on your current computers is fine.
|
| If you're wanting to make a purchase and you're worried that your existing computers will narc on you, your plan of buy laptop + use ubuntu is A+.
|
| If you want a computer to store information on, Edward Snowden style, you'll need to take increasingly serious steps. Use tails as a baseline. (Note: I've been out of the game since 2016, so take this with salt.)
|
| If you're literally dodging the NSA, you need to put on a full face mask in winter, plan a route to a store you've recon'd, buy clothes with cash from goodwill, carry them in a trash bag as you walk out of your neighborhood, sneak in between two houses in the dead of night and put the outfit on + mask, walk to a taxi, have it take you near (but not to) the electronics store, buy yourself a burner phone + a few USB wifi dongles + anything else you want completely unlinkable to you (you're on cameras), pay for all of it while getting some strange and worried looks that you're going to rob something, then do the entire process in reverse until you're back at your house with your untraceable electronics.
|
| I did all that, and even then I was likely making some small mistake that would've blown everything.
|
| Yet the city wide surveillance drones (god eye) will still have a nice little record of you that they can ID you with.
| And you sneaking around in the middle of the night putting on masks will probably get you in serious trouble. It never really occurs to you when you're doing this sort of thing to stop and consider whether you're just doing crazy things. (It's tempting to believe the answer is "no," especially the more you want to believe it.)
|
| Suffice to say, threat modeling is key, and it's worth thinking carefully about what exactly you want to accomplish.

derefr wrote:
| > If you're literally dodging the NSA, you need to...
|
| Or just make friends with a developing-world advance-fee scammer, and then pay them to have one of their cash mules buy and send you (that is, an empty house somewhere in your city) a laptop.

alkz wrote:
| Most distributions provide signatures/checksums to verify the download, e.g. https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview

rattlesnakedave wrote:
| > you'd get an unpleasant phone call or visit to your office and be warned
|
| Sometimes I wonder why IT departments and security in general get a bad rap, then I see things like this.

relax88 wrote:
| When someone just does whatever they feel like and violates policy, what do you think should happen?
|
| Should someone send them a sternly worded email for them to ignore?
|
| Or maybe they should be allowed to do whatever they want regardless of what risk it poses to the organization?

relax88 wrote:
| I can confirm as someone who works in netsec that this is exactly how it would have gone at my previous employer.
|
| There is a tone of "I know what's best and will do what I want" in this thread.
|
| If you think that the way to get the IT department to implement something for you is to sidestep around policy instead of working with them, you will just piss them off.

marcodiego wrote:
| Is tor traffic that easy to detect?

blendergeek wrote:
| Yes. It goes to a known tor node.

rnhmjoj wrote:
| Not necessarily true.
| Tor bridges exist precisely for this reason: https://tb-manual.torproject.org/bridges/

Forbo wrote:
| Relay and exit node IPs aren't private, so admins will often collect them and just block them en masse. This causes problems, because a lot of that same IP space will often be shared with things like pool.ntp.org nodes.

azalemeth wrote:
| The meek pluggable transport together with Azure's domain fronting service explicitly makes it look like it's connecting to an Azure instance over https. [1]
|
| [1] https://gitlab.torproject.org/legacy/trac/-/wikis/doc/meek

kodablah wrote:
| Yup, and it's easy to make server- and client-side tooling use Tor to make this mostly transparent. Latency/bandwidth isn't _that_ bad when communicating with an onion service. And it can be even faster if server anonymity isn't a goal (server sets HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode and creates an ephemeral onion service with NonAnonymous).
|
| I use Tor plenty to self-host services from my house that are reachable anywhere (and often have a web interface I can access via Orbot). No hole-punching necessary.

njsubedi wrote:
| Could you share more about your setup?

kodablah wrote:
| Sure. I wrote https://github.com/cretz/bine (though I admittedly don't work on it much these days). I just have a few-line daemon that starts an HTTP (or gRPC or whatever) server on an ephemeral onion service. Then I use that onion ID to access it (via TorBrowser or Orbot or a client built with the same library).

croutonwagon wrote:
| Agree. That's pretty interesting.
|
| I use an SSH session and SOCKS5 proxy on a VPS provider for almost all of those other circumstances. Including checking external access etc.
|
| But the last one is a solid use case.
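Several comments above lean on properties of v3 onion services: the hostname is the service's public key (segfaultbuserr), access can be gated by onion service client authorization (azalemeth), and a service can run single-hop when server anonymity is not wanted (kodablah's HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode). The following is an added example, not code from the thread or from the Tor project: it validates a v3 address checksum with the construction Tor specifies, formats the server-side and client-side client-authorization files, and emits a torrc for a single-hop service in front of a local SSH port. Key bytes and paths are constructed placeholders; real x25519 keys would come from openssl or Tor itself.

```python
import base64
import hashlib

# v3 onion address = base32(pubkey || checksum || version) + ".onion"
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _b32_nopad(raw: bytes) -> str:
    """Base32 without '=' padding, as Tor writes keys in addresses and auth files."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def _checksum(ed25519_pubkey: bytes) -> bytes:
    # Tor's v3 checksum: SHA3-256(".onion checksum" || pubkey || version)[:2]
    return hashlib.sha3_256(CHECKSUM_PREFIX + ed25519_pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(ed25519_pubkey: bytes) -> str:
    """Build the .onion hostname from a 32-byte ed25519 public key."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    payload = ed25519_pubkey + _checksum(ed25519_pubkey) + ONION_V3_VERSION
    return _b32_nopad(payload).lower() + ".onion"


def onion_v3_pubkey(address: str) -> bytes:
    """Validate a v3 onion address and return the public key it commits to.

    A typo or a tampered address fails the checksum here instead of being
    handed to Tor; this is what "the hostname is the key" buys you.
    """
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    try:
        raw = base64.b32decode(name.upper())
    except Exception as exc:
        raise ValueError("address is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("not a version 3 onion address")
    if checksum != _checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def server_authorized_client(x25519_pubkey: bytes) -> str:
    """Content of <HiddenServiceDir>/authorized_clients/<name>.auth on the server."""
    if len(x25519_pubkey) != 32:
        raise ValueError("x25519 public key must be 32 bytes")
    return "descriptor:x25519:" + _b32_nopad(x25519_pubkey)


def client_auth_private(address: str, x25519_privkey: bytes) -> str:
    """Content of <ClientOnionAuthDir>/<name>.auth_private on the client."""
    if len(x25519_privkey) != 32:
        raise ValueError("x25519 private key must be 32 bytes")
    onion_v3_pubkey(address)  # refuse to write a credential for a malformed address
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    return f"{name}:descriptor:x25519:{_b32_nopad(x25519_privkey)}"


def single_onion_torrc(hs_dir: str, virt_port: int, target: str) -> str:
    """torrc for a non-anonymous, single-hop onion service in front of a local port.

    SocksPort 0 is required: Tor refuses NonAnonymousMode on an instance that
    is also configured as an anonymous client.
    """
    return "\n".join([
        "SocksPort 0",
        "HiddenServiceNonAnonymousMode 1",
        "HiddenServiceSingleHopMode 1",
        f"HiddenServiceDir {hs_dir}",
        "HiddenServiceVersion 3",
        f"HiddenServicePort {virt_port} {target}",
        "",
    ])


if __name__ == "__main__":
    # Constructed placeholder keys; real ones come from Tor or openssl.
    fake_service_key = bytes(range(32))
    fake_client_pub = bytes([0x42] * 32)
    fake_client_priv = bytes([0x24] * 32)
    addr = encode_onion_v3(fake_service_key)
    print(addr)
    print(server_authorized_client(fake_client_pub))
    print(client_auth_private(addr, fake_client_priv))
    print(single_onion_torrc("/var/lib/tor/ssh_onion/", 22, "127.0.0.1:22"))
```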

fluential wrote:
| You will like this one as well: "SSL/SSH Multiplexer" http://www.rutschle.net/tech/sslh/

ISL wrote:
| Think from the beginning what will be the end: "I thought your security policy was too overbearing, so I used tor."
|
| IT departments make their choices for reasons. The key is to help them understand your use-case, and they'll probably help you through the problem in a way that might limit collateral damage.
|
| Source: have seen firewall bypasses (with a pre-shared key) get leveraged as a way to hack an entire university lab/department.

azalemeth wrote:
| I tried doing that, and largely succeeded, but the specific area of the university in question will _not_ have a bastion SSH host _anywhere_ on _their_ network. They will not allow SSH access in _at all_. They _will_ however allow SSH access to other parts of the university, with different people in charge, which explicitly _do_ allow an SSH bastion host to exist (and provide several for that purpose). So, the net result is that they've effectively out-sourced the control and responsibility of their environment to someone else.
|
| Normally this is fine, but my job involves programming and controlling large, expensive, and strangely fragile lab equipment. There's a resilience problem, and it's got to the point where others have suggested putting a GSM modem on a pci-e card inside some of the boxes in question, as the relevant IT department decides on a whim to block ports with no warning or justification. Some manufacturers of the devices in question do this as standard if you have a support contract. Trying to complain results in responses like "you have been used to doing things one way and this change now prevents you from working as before."
|
| I completely accept that this is a political problem and best solved as one, but ultimately SSH is an industry standard for a reason -- it's secure, and it's flexible.
| The machines in question are valuable, prone to breaking in the middle of the night, and we are an international bunch who cannot always connect from a well-defined ipv4 address, or from the university's VPN. (The latter is blocked by the IT department automatically, as it has too large a pool of potential users.) The thing I find most frustrating is that this sort of political decision creates days' worth of work instantaneously, for little benefit. All of the actually confidential or sensitive information is held in a completely separate network at any rate...

unethical_ban wrote:
| To quote Dr. Manhattan, "Without condemning, or condoning, I understand".
|
| I am in network security. I have stopped shadow IT, and been a part of it.
|
| Your situation seems so ungodly stupid and anathema to the point of IT, that the remaining courses of action _should_ be the following.
|
| Thoroughly document via email your attempts at explaining requirements to Netsec, to document in writing their objections, to do your best with what they provide you... and WHEN things catastrophically break, point the finger at them and thoroughly document how if you had the proper, industry-standard tooling, you could have prevented the loss of research/time/money.

zaphar wrote:
| THIS. Don't paper over the issues with shadow IT. Make them painfully obvious to the point where IT has to do something or answer to it. Otherwise it will not change.
|
| I've given teams the option to turn off their pagers when this sort of thing happens with the justification that they can't fix it anyway. And then documented the crap out of why they can't fix it so when someone asks I can point to existing policy. It's very effective if done right.

nephanth wrote:
| Especially when, since it's Tor, potential attackers cannot be traced.

ryneandal wrote:
| > IT departments make their choices for reasons.
|
| In a perfect world, yes.
| But I've worked with/at places where ineptitude is rampant, and any attempt at understanding their reasoning is seen as insubordination.

novok wrote:
| IT departments make choices that benefit their own needs and for their own convenience, often forgetting that the entire point of their department is to make the rest of the organization more effective. Sadly, it often goes the other way.
|
| Shadow IT is a signal that the IT organization is doing things wrong. People use shadow IT because the IT department is not doing its job properly, serving its customer base based on the needs they show via their actions.
|
| For example, if you see someone like azalemeth do the things he does, it shows that the IT department needs to become responsive enough and cooperative enough to not push him to do such things in the first place. You notice he's tried to do things the IT department standard way first, and spent considerable effort before he started his shadow IT method.

relax88 wrote:
| "Policy made my job slightly harder so because I know better than the netsec team who clearly has or should have unlimited time and resources to help me I will do what I want anyways, and put the organization at risk."
|
| Also known as "how to make the netsec team hate you 101".
|
| I agree with you about why shadow IT exists, but most IT departments are spread so thin that expecting them to be super responsive to anything but the most critical business projects is often totally unreasonable.
|
| Then they have to waste even more time hunting down idiots setting up Tor nodes on their internal networks.

still_grokking wrote:
| If the IT department can't do its job because of resource constraints, likely the whole organization is a failure.
|
| If you find something like that, run...
|
| If you can't run, do whatever makes your life better. The org is doomed anyway.

azalemeth wrote:
| A recent example from me -- one VPN suddenly refused to connect one day for no discernible reason when they made a configuration change to their cisco vpn "concentrator" without publishing it fully. Cisco AnyConnect GUI clients were fine and some magic happened behind the scenes to push the configuration change and, in typical Cisco style, avoid saying what exactly it was.
|
| I had some esoteric monitoring machine that couldn't run anyconnect (for reasons I forget but almost certainly relating to it not having a linux arm64 client at that time) and naturally couldn't connect randomly one day with openconnect (which previously had worked perfectly). I asked what the configuration change was to prevent me having to reverse-engineer it. The response was "if you want to use unsupported clients we cannot offer any assistance [...] we are currently operating two heads down and we simply do not have the resources [...]."
|
| I totally understand it from the other side. IT departments have everything from state-sponsored ransomware attacks to important people loudly going "why doesn't the printer work any more". It's a different set of skills to being a C-junkie, a programming wizard, or, in my case, a young academic with one big grant and three PhD students trying to both do work, publish work, and get money to do more work where "work" is poorly defined and highly flexible. Over time I've noticed universities get far more corporate and many academics _absolutely hate this_, of which I am one. The "we control the network, bug off" may be technically true but at times it _does_ feel a bit like an imposition of some sort of academic freedom, to be honest. At the very least, it's a nice little "dog egg" to find added to the pile of administrative crap to do for that day.

Aloha wrote:
| I'm working in an organization where we have one laptop from work, and another laptop to do work on.
| Because the one-size-fits-all IT policy doesn't work for our org, but it's forced on us because of the IP security needs of another parallel org.
|
| We went from an organization moving towards BYOD, to, now, the exact opposite.

pope_meat wrote:
| A simulated conversation with IT:
|
| "Hey, IT department... I was wondering..."
|
| "No."

eitland wrote:
| Lucky me.
|
| Our IT department goes out of their way to help us stay sane and productive:
|
| - they're making sure most of us can continue to use our favourite Linux distro (I think most Debian/Ubuntu, Fedora and Arch is supported)
|
| - make sure VPN etc. works on Linux even if it is not officially supported
|
| - taking time to sit down and debug hard problems (weird issues with WSL2 on one particular Windows laptop) instead of just blaming us engineers

api wrote:
| Not sure why you'd use this instead of something like ZeroTier or a bounce box, but I can think of one reason: you want to hide the location of something in your infrastructure to make side channel attacks on the cloud provider or physical location a lot harder.

alisonkisk wrote:
| Part of the point is to generate non-criminal usage of Tor to legitimize it.

[deleted]

lifeisstillgood wrote:
| Being a small cog, but using clever tricks to get your job done is not solving the problem.
|
| An organisation that prevents itself from acting rationally is an organisation that should die Schumpeter-style. Please don't prevent it.

croutonwagon wrote:
| I use similar "clever tricks", albeit with SSH and socks to do the same type of testing.
|
| DNS can be funky; it's useful to test resolution externally and internally.
|
| Traffic can be funky when routed; it's useful to t-shoot sites through a proxy here and there as there have been times it works internally and is broken externally (often security appliances are inline that may need debugging).
|
| Working in IT infra/ops means it's our job to use some of these tools to troubleshoot these methods.

throwaway09223 wrote:
| I'm not seeing where this relates to organizational dysfunction. Using an external point to test a system is a standard practice.
|
| I'm also a little confused because preventing someone from using their abilities to problem solve would be a _cause_ of dysfunction -- a seemingly avoidable one.

sumtechguy wrote:
| Also circumventing this sort of thing in many orgs is a first class ticket to finding a new job. Friend of mine did that, they walked him to the curb with his cardboard box that day. His sin? Turned off virus scanning because it was taking 4 hours to do a 20 min build.

novok wrote:
| The organization did him a favor. Many other, far better paying companies' response to doing that is working with the developer to figure out a system to make them both happy, or just silently ignoring it until they figure out a better solution. Or just talking to the person and asking them to stop, vs firing.

azalemeth wrote:
| To be honest, if I were in that situation I'd be thinking something along the lines of "well, that was a dodged bullet".

asddubs wrote:
| I like using tor when testing DNS resolution related stuff, to circumvent some part of my system having a cached entry already.

trey-jones wrote:
| Several years ago I used a Tor Hidden Service in a professional capacity to expose an application from a wireless network with properties that we wouldn't know ahead of time.
|
| Worked like a charm, and no regrets. My favorite part was telling my employer "We're using TOR for this" _eyebrows_.

menduza23 wrote:
| Tor is a great tool for freedom. People tend to bash it and say people use it for child porn. But the reality with freedom and free choice is that you can also use that freedom to do bad. We are seeing censorship in the west on the same scale as China right now.
| I won't be surprised if Tor gets taken out of action in the west soon.

tempfs wrote:
| Using Tor for anything in a corporate network will rightfully get you into serious shit with IT security.
|
| I see a lot of people also advocating ngrok, wireguard, etc. You all may not realize that actual threat actors use all of these same techniques, and making yourself look like them could very well lead to your termination, as this kind of circumvention of security controls is absolutely a threat to the org and a violation of security policy.
|
| TLDR; If you need remote access, use the proper channels... pretty please. For everyone's sake.

sockpuppet_12 wrote:
| This is the correct answer, and also the hardest answer because it's going to require you to have to swallow your pride.
|
| Security will already be monitoring your traffic as a basic first step, which they will pipe straight into a SIEM or SOAR system. Doing this stuff will likely get you flagged for an audit.

eximius wrote:
| So the big message is proxies are useful? I mean, sure. I'm not sure why Tor makes a better choice than anything else?

jstrieb wrote:
| I can confirm that Tor is very useful for exposing services when you cannot port forward!
|
| Specifically, I've used Tor for connecting to GitHub Actions virtual machines over SSH. This is great for debugging Actions without running them over and over again. I also used this for a project that sets up an ephemeral, collaborative environment in one of the GitHub Actions VMs.
|
| https://github.com/jstrieb/ctf-collab

segfaultbuserr wrote:
| The article didn't mention another nice trick: Tor is also a great tool for accessing IPv4 sites in an IPv6-only network and vice versa.

suyash wrote:
| For some reason the IT dept hates it, as I get a notification when I try to use it. I think it's because it jumps over so many IP addresses.

dijit wrote:
| I actually use tailscale for exactly this reason.
|
| NAT is the devil.
|
| The latency of tor might be a bit too much though.

INTPenis wrote:
| I recently had to do some basic sysadmin stuff over tor and I disagree with OP.
|
| Two things that failed miserably: fetching a file that was just shy of 5M, and a reverse SSH tunnel.
|
| The SSH tunnel was unusable; it would only last for minutes at the most. I wish I could use mosh but that requires UDP.
|
| The file transfer was actually done with curl and the file was often incomplete.
|
| This was all done within Europe where we have the highest concentration of tor nodes.
|
| So no, I don't think tor is appropriate for sysadmin tasks.

aarchi wrote:
| > This was all done within Europe where we have the highest concentration of tor nodes.
|
| So Tor nodes take locality into account? Although that would improve speeds, it seems like an information leak.

INTPenis wrote:
| Not sure, just an educated guess, but peering is best in that region so there is a large selection of nodes with very good peering. No need to use a node outside of Europe.

5faulker wrote:
| Interesting use of a security tool.

posterboy wrote:
| Why did I read sadism instead of sysadmin?

jedberg wrote:
| Heh, most of these use cases I solved by having a personal jumphost in a cabinet in a datacenter. But this is very clever! I like the idea of using Tor because you'll get much better tests.

(page generated 2021-08-31 23:00 UTC)