[HN Gopher] Tor is a great sysadmin tool (2020)
___________________________________________________________________
Tor is a great sysadmin tool (2020)
Author : azalemeth
Score : 268 points
Date : 2021-08-31 17:07 UTC (5 hours ago)
(HTM) web link (www.jamieweb.net)
(TXT) w3m dump (www.jamieweb.net)
| swiley wrote:
| I loved TOR when I was a broke student without enough money to
| have one or two always on machines with public IPs I could
| reverse proxy to.
| rinron wrote:
| One very important thing not mentioned is that the tor exit node
| could be capturing your traffic or do a MITM attack. It's a great
| idea for testing but only after you have encryption working, and
| of course pay special attention to your ssh fingerprints.
| fswwi wrote:
| Cloudflare is mitm, btw.
| boring_twenties wrote:
| Hidden services are not accessed through exit nodes. Relay
| nodes cannot capture your traffic or perform MITM attacks.
| segfaultbuserr wrote:
| If the endpoint is in your control and you'd like to experiment
| with Tor, you can configure your server as an Onion Service, so
| you are protected by Tor's own end-to-end encryption (whose
| traffic cannot be captured by MITM since the hostnames
| themselves are the public keys). For non-anonymous uses, you
| should activate the "Single Onion Service" mode, so the 6-hop
| (extra 3-hop for server anonymity) is skipped, allowing
| standard 3-hop latency and performance. It also saves bandwidth
| for exit nodes - all non-exit relays can forward Onion traffic.
| slacka wrote:
| Tor is also useful to verify that country-specific customizations
| on your website are working. I regularly used Tor on reports of
| issues with default language or currency. It's just a quick
| toggle of a setting in "torrc" to limit your exit node to a
| specific country code.
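Both torrc knobs in this subthread, Single Onion Service mode (segfaultbuserr's comment) and country-restricted exits (slacka's), have a pitfall that tor only reports at start-up: HiddenServiceSingleHopMode is rejected unless HiddenServiceNonAnonymousMode is also set, non-anonymous mode is incompatible with running the same daemon as an anonymous SOCKS client, and an ExitNodes country code written without braces is parsed as a relay nickname. The linter below is an added example, not tor's own code or anything from the thread: it parses a torrc string and flags those three cases. The option names are the real torrc ones; the sample configurations at the bottom and the directory paths in them are constructed.

```python
import re

# A torrc line is "Option value"; '#' starts a comment.  Option names are
# case-insensitive in tor, so they are lowercased here for comparison.
_OPTION = re.compile(r"^([A-Za-z]+)\s+(.*)$")


def parse_torrc(text):
    """Return [(option, value), ...] in file order with comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _OPTION.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs


def _last(pairs, option, default=None):
    """Value of the last occurrence of a single-valued option (tor keeps the last one)."""
    for opt, val in reversed(pairs):
        if opt == option:
            return val
    return default


def lint_torrc(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    pairs = parse_torrc(text)
    findings = []

    single_hop = _last(pairs, "hiddenservicesinglehopmode", "0") == "1"
    non_anon = _last(pairs, "hiddenservicenonanonymousmode", "0") == "1"
    # tor refuses to start unless both flags are set together.
    if single_hop and not non_anon:
        findings.append("HiddenServiceSingleHopMode 1 must be paired with "
                        "HiddenServiceNonAnonymousMode 1")
    if non_anon and not single_hop:
        findings.append("HiddenServiceNonAnonymousMode 1 must be paired with "
                        "HiddenServiceSingleHopMode 1")
    # A non-anonymous service daemon may not also be an anonymous client:
    # every SocksPort must be 0, and leaving it unset keeps tor's default.
    if non_anon:
        socks = [v.split()[0] for o, v in pairs if o == "socksport"]
        if not socks or any(p != "0" for p in socks):
            findings.append("HiddenServiceNonAnonymousMode 1 requires an explicit "
                            "'SocksPort 0' on this daemon")

    # Country selection: codes must be braced, e.g. {de}.  A bare 'de' is read
    # as a relay nickname and silently matches nothing useful.
    exits = _last(pairs, "exitnodes")
    if exits:
        for entry in (e.strip() for e in exits.split(",") if e.strip()):
            if re.fullmatch(r"[A-Za-z]{2}", entry):
                findings.append("ExitNodes entry '%s' looks like a country code but is "
                                "unbraced; write {%s}" % (entry, entry.lower()))
    return findings


# Constructed sample configs (paths are placeholders, not from the page).
SINGLE_HOP_WITHOUT_PARTNER = """\
HiddenServiceDir /var/lib/tor/admin_ui
HiddenServicePort 443 127.0.0.1:8443
HiddenServiceSingleHopMode 1
"""

SINGLE_ONION_OK = """\
SocksPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/admin_ui
HiddenServicePort 443 127.0.0.1:8443
"""

COUNTRY_EXIT_UNBRACED = "ExitNodes de\n"
COUNTRY_EXIT_OK = "ExitNodes {de},{at}\n"

if __name__ == "__main__":
    for name, cfg in [("single hop only", SINGLE_HOP_WITHOUT_PARTNER),
                      ("single onion ok", SINGLE_ONION_OK),
                      ("unbraced exit", COUNTRY_EXIT_UNBRACED),
                      ("braced exit", COUNTRY_EXIT_OK)]:
        print(name, "->", lint_torrc(cfg) or "ok")
```

The single-onion check is deliberately conservative: it asks for an explicit `SocksPort 0` rather than trying to reproduce every client-port rule tor applies, since the goal is a file that tor accepts on the first try.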
| lambdaba wrote:
| ngrok.com allows some of these, at full (or at least much better;
| haven't benchmarked) speed, and is mostly free (paid plan
| required for custom subdomains). Sharing this for those still
| unaware of it, it's a great service.
| anaganisk wrote:
| Or better yet, use cloudflare tunnels and set up an actual
| permanent tunnel with custom subdomain support. If you want it
| to be a temporary one, it supports that too. For FREE.
| Shank wrote:
| Is that part of Cloudflare Teams? No offense to Cloudflare,
| but their pricing is really unclear. I have an account and I
| use them for a lot, but they have 3 different "plans" and
| then they have various ad-hoc products. Tunnel just says
| "view in dashboard." [0] If I click on that link while logged
| in, I'm taken to my dashboard with no indication of how to
| use Tunnel or anything. The plans page [1] indicates that
| it's part of argo smart routing. If I click on "activate
| argo" it actually does the exact same thing as the teams
| "view in dashboard" button -- it redirects me to the
| dashboard and has no indication of being activated or
| anything. Really frustrating.
|
| [0]: https://www.cloudflare.com/products/tunnel/
|
| [1]: https://www.cloudflare.com/plans/
| PaywallBuster wrote:
| It's confusing for me too
|
| product page says it requires paid Argo (smart routing)
| subscription https://www.cloudflare.com/en-gb/products/tunnel/
|
| the blog page says it's free
| https://blog.cloudflare.com/tunnel-for-everyone/
|
| and actually you can install and run it quite easily
| brew install cloudflare/cloudflare/cloudflared
| cloudflared login
| cloudflared tunnel
|
| this will launch a tunnel with a random subdomain listening
| to http://localhost:8080
| pigeonhole123 wrote:
| It became free recently, so they've probably just
| forgotten to update their documentation which seems to be
| a pattern with CF.
| RIMR wrote:
| I used to have Nessus installed on a NUC that I would just drop
| into a customer's network closet for a weekend, and monitor
| remotely.
|
| I hosted the Nessus UI as a Tor Hidden Service, and it worked
| great. We just cycled the key every quarter for added security,
| and so that ex-employees wouldn't know where to find it.
| unsignedint wrote:
| Back when I was managing systems in a small company, I had a
| couple of systems on hidden service with auth cookies. When port
| forwarding failed or I otherwise had problems accessing them, it
| provided a decent plan B for getting things back online.
| skadamat wrote:
| Smells a bit like Wireguard use case!
| RIMR wrote:
| Wireguard is a great technology, and if latency and file
| transfers are important you should use it, but a Tor hidden
| service is way easier to set up, and way more reliable.
| azalemeth wrote:
| In many ways I think this blog post really makes quite compelling
| arguments and honestly opened my eyes a bit.
|
| One (perhaps mad) idea for more secure access to a machine deep
| behind many levels of NAT where you, the sysadmin, have lawful
| access but are fed up with having to have a 12 KB ~/.ssh/config
| file in order to access it because of your university's
| overbearing IT department^W^W^W^W network topology, would be to
| "just" run an onionsite with onion services authentication [1],
| preventing it being publicly accessed without the pre-shared key.
| If your onion service just redirects to ssh (presumably with
| certificate-only auth) I can't help but think that this is
| _almost_ an example of security by obscurity done right.
|
| [1] https://support.torproject.org/en-US/onionservices/client-
| au...
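The pre-shared-key mechanism azalemeth links to is v3 onion service client authorization: the service keeps one `authorized_clients/<name>.auth` file per permitted client inside its HiddenServiceDir, and the client keeps a matching `<name>.auth_private` file in the directory named by `ClientOnionAuthDir` in its torrc. Without a matching client key, tor cannot even decrypt the service descriptor, which is what keeps the onionsite from being publicly reachable. The code below is an added example, not tor's code or anything from the thread: it builds both file contents, derives and checks the v3 address format the client file must carry, and returns the path/content pairs for both sides. The key bytes are constructed placeholders and the directory names are hypothetical; real client keys are an x25519 keypair you generate, and the service's address comes from the `hostname` file tor writes.

```python
import base64
import hashlib

AUTH_PREFIX = "descriptor:x25519:"
_CHECKSUM_TAG = b".onion checksum"
_VERSION = b"\x03"


def _b32_key(raw):
    """32-byte key -> 52-char unpadded base32, the form used in .auth files."""
    if len(raw) != 32:
        raise ValueError("key must be 32 bytes")
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def onion_address(ed25519_pub):
    """v3 address: base32(pubkey || sha3_256(tag||pubkey||ver)[:2] || ver) + '.onion'."""
    if len(ed25519_pub) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(_CHECKSUM_TAG + ed25519_pub + _VERSION).digest()[:2]
    label = base64.b32encode(ed25519_pub + checksum + _VERSION).decode("ascii").lower()
    return label + ".onion"


def _label(addr):
    """Strip the '.onion' suffix; the .auth_private line uses the bare 56-char label."""
    return addr[:-6] if addr.endswith(".onion") else addr


def validate_onion_address(addr):
    """True if addr is a well-formed v3 address whose version byte and checksum check out."""
    label = _label(addr)
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pub, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != _VERSION:
        return False
    return hashlib.sha3_256(_CHECKSUM_TAG + pub + version).digest()[:2] == checksum


def authorized_client_entry(client_x25519_pub):
    """Content of the service-side <name>.auth file for one client."""
    return AUTH_PREFIX + _b32_key(client_x25519_pub)


def client_auth_private_entry(addr, client_x25519_priv):
    """Content of the client-side <name>.auth_private file for one service."""
    if not validate_onion_address(addr):
        raise ValueError("not a valid v3 onion address: %r" % addr)
    return _label(addr) + ":" + AUTH_PREFIX + _b32_key(client_x25519_priv)


def auth_files(service_dir, client_auth_dir, name, addr, client_pub, client_priv):
    """Map of file path -> content for both sides (directories are hypothetical)."""
    return {
        f"{service_dir}/authorized_clients/{name}.auth":
            authorized_client_entry(client_pub) + "\n",
        f"{client_auth_dir}/{name}.auth_private":
            client_auth_private_entry(addr, client_priv) + "\n",
    }


# Constructed placeholder key bytes so the example runs offline.  Never use
# fixed bytes like these for a real deployment.
PLACEHOLDER_SERVICE_PUB = bytes(range(32))
PLACEHOLDER_CLIENT_PUB = bytes([0x42] * 32)
PLACEHOLDER_CLIENT_PRIV = bytes([0x24] * 32)

if __name__ == "__main__":
    addr = onion_address(PLACEHOLDER_SERVICE_PUB)
    files = auth_files("/var/lib/tor/admin_ssh", "/etc/tor/client_auth", "laptop",
                       addr, PLACEHOLDER_CLIENT_PUB, PLACEHOLDER_CLIENT_PRIV)
    for path, content in files.items():
        print(path)
        print("  " + content.strip())
```

The service side needs no torrc change beyond the usual HiddenServiceDir and HiddenServicePort lines; tor picks up the `authorized_clients` directory on its own. The client side needs `ClientOnionAuthDir` pointing at the directory holding the `.auth_private` file, and a restart of its tor daemon after the file is added.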
| KingMachiavelli wrote:
| For that use case why not just use Wireguard?
| [deleted]
| alisonkisk wrote:
| Wireguard is not the same as ZeroTier.
| nine_k wrote:
| If your hard-to-reach server can connect to the internet (via a
| bunch of NATs and whatnot), you can just make it access your
| box of choice by e.g. Wireguard, or plain SSH with port
| forwarding, or attach it as a node to your ZeroTier private
| network.
|
| You only need a bunch of jump hosts if your target server has
| no Internet connectivity, and should not, in which case all
| these levels of bastions do make sense.
| azalemeth wrote:
| That requires having another publicly accessible box, or
| trusting ZeroTier though, doesn't it? The onion approach does
| not.
| lacrosse_tannin wrote:
| you _could_ use your other device (the one you're
| connecting from) as the controller. whomst amongst us
| doesn't have a 3rd machine or VPS?
| a1369209993 wrote:
| Your other device doesn't have a public IP address
| either.
| novok wrote:
| ZeroTier, Tailscale and such are OSS and have been
| independently security & crypto audited. I don't know if
| tailscale has been audited, but since they are a more
| popular tool I bet they probably are too. They're actually
| really good tools and would probably be more reliable than
| tor tbh, I would recommend looking into them.
| Nullabillity wrote:
| > ZeroTier, Tailscale and such are OSS and have been
| independently security & crypto audited.
|
| Both rely on their centralized coordinator servers which
| can mess with your routes (and thus your traffic) however
| they please.
|
| ZeroTier has a published (but not OSS) coordinator, but
| their documentation pushes you towards their SaaS.
| Tailscale's coordinator is SaaS-only, unless something
| has changed very recently.
| lacrosse_tannin wrote:
| zerotier adhoc networks are controllerless, though ipv6
| only.
|
| The client can be set to not allow routes/addresses from
| a controller.
|
| The client and controller are licensed BSL.
| nine_k wrote:
| Does this require addresses of nodes to be globally
| routable? (With such addresses you can as well connect
| directly.)
| nine_k wrote:
| This is fair.
|
| Their client node software is audited though, and the
| contents of your packets are not accessible to the
| router. This is why the amount of the possible meddling
| is limited to a DoS, AFAICT.
|
| Who audits the Tor nodes that do onion routing is
| anyone's guess; I suppose ZeroTier is no worse than them.
| krtyiktj wrote:
| at our lab the tor traffic would be noticed by the cyber
| security group's ids and all traffic from your host would start
| dropping at the border so fast your head would spin. you'd get
| an unpleasant phone call or visit to your office and be warned
| never to try side stepping the bastion ssh hosts that log all
| the things ever again.
| derefr wrote:
| Obviously, you should plan around this by gathering all the
| MAC addresses of every machine in the office, and then have
| your machine spoof through them in rotation. /s
| sillysaurusx wrote:
| It makes me sad every time I think about it, but Aaron
| Swartz did this during his saga. Well, sort of: he
| incremented the MAC address by 1.
|
| Point being, it's not foolproof. If some clever undergrad
| is thinking about dodging the suits, win by fooling them,
| not by fighting them.
|
| If you do insist on fighting, though, start at
| https://www.whonix.org/wiki/Mental_Model and then read the
| entire Whonix wiki
| https://www.whonix.org/wiki/Documentation. It's what I used
| when I was serious about dodging the cartels, and that
| knowledge will protect you as much as anything will.
|
| (You'll hopefully conclude that the protection is too
| brittle to risk your life, as I did.)
| nqzero wrote:
| building a new computer. want to be able to trust it 100%
| for at least a moment. i can't figure out how to "buy" a
| trusted copy of any linux and don't have any machines i
| have 100% trust in (who does), so can't burn it. current
| plan is to buy a chromebook solely for the purpose of
| downloading and burning ubuntu. alternatively, buy
| MSWindows, install on the new machine, burn, and then
| replace
|
| but this mental exercise has convinced me that security
| is almost impossible in this day and age
| sillysaurusx wrote:
| One thing that helps a lot in this situation is to plan
| based on threat model. There's no such thing as 100%
| trust, but you can have a computer which is safe for e.g.
| <thing>. It's pretty crucial to pick one or two specific
| <thing>s and focus only on those.
|
| If you just want to browse the darknet and see what the
| markets are like, for example, Tor on your current
| computers is fine.
|
| If you're wanting to make a purchase and you're worried
| that your existing computers will narc on you, your plan
| of buy laptop + use ubuntu is A+.
|
| If you want a computer to store information on, Edward
| Snowden style, you'll need to take increasingly serious
| steps. Use tails as a baseline. (Note: I've been out of
| the game since 2016, so take this with salt.)
|
| If you're literally dodging the NSA, you need to put on a
| full face mask in winter, plan a route to a store you've
| recon'd, buy clothes with cash from goodwill, carry them
| in a trash bag as you walk out of your neighborhood,
| sneak in between two houses in the dead of night and put
| the outfit on + mask, walk to a taxi, have it take you
| near (but not to) the electronics store, buy yourself a
| burner phone + a few USB wifi dongles + anything else you
| want completely unlinkable to you (you're on cameras),
| pay for all of it while getting some strange and worried
| looks that you're going to rob something, then do the
| entire process in reverse until you're back at your house
| with your untraceable electronics.
|
| I did all that, and even then I was likely making some
| small mistake that would've blown everything.
|
| Yet the city wide surveillance drones (god eye) will
| still have a nice little record of you that they can ID
| you with. And you sneaking around in the middle of the
| night putting on masks will probably get you in serious
| trouble. It never really occurs to you when you're doing
| this sort of thing to stop and consider whether you're
| just doing crazy things. (It's tempting to believe the
| answer is "no," especially the more you want to believe
| it.)
|
| Suffice to say, threat modeling is key, and it's worth
| thinking carefully about what exactly you want to
| accomplish.
| derefr wrote:
| > If you're literally dodging the NSA, you need to...
|
| Or just make friends with a developing-world advance-fee
| scammer, and then pay them to have one of their cash
| mules buy and send you (that is, an empty house somewhere
| in your city) a laptop.
| alkz wrote:
| most distributions provide signatures/checksums to verify
| the download, e.g. https://ubuntu.com/tutorials/how-to-verify-ubuntu#1-overview
| rattlesnakedave wrote:
| > you'd get an unpleasant phone call or visit to your office
| and be warned
|
| sometimes I wonder why IT departments and security in general
| get a bad rap, then I see things like this.
| relax88 wrote:
| When someone just does whatever they feel like and violates
| policy, what do you think should happen?
|
| Should someone send them a sternly worded email for them to
| ignore?
|
| Or maybe they should be allowed to do whatever they want
| regardless of what risk it poses to the organization?
| relax88 wrote:
| I can confirm as someone who works in netsec that this is
| exactly how it would have gone at my previous employer.
|
| There is a tone of "I know what's best and will do what I
| want" in this thread.
|
| If you think that the way to get the IT department to
| implement something for you is to sidestep around policy
| instead of working with them, you will just piss them off.
| marcodiego wrote:
| Is tor traffic that easy to detect?
| blendergeek wrote:
| Yes. It goes to a known tor node.
| rnhmjoj wrote:
| Not necessarily true. Tor bridges exist precisely for
| this reason: https://tb-manual.torproject.org/bridges/
| Forbo wrote:
| Relay and exit node IPs aren't private, so admins will
| often collect them and just block them en masse. This
| causes problems, because a lot of that same IP space will
| often be shared with things like pool.ntp.org nodes.
| azalemeth wrote:
| The meek pluggable transport together with Azure's domain
| fronting service explicitly makes it look like it's
| connecting to an Azure instance over https. [1]
|
| [1]
| https://gitlab.torproject.org/legacy/trac/-/wikis/doc/meek
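The detection the lab IDS in krtyiktj's story performs is, as blendergeek and Forbo describe, a lookup of destination addresses against the published relay list, and Forbo's caveat is that a relay's IP often hosts other services (NTP pool members, for example), so blocking the address outright has collateral damage. The scanner below is an added example, not code from the thread or any IDS product: it parses constructed flow-log lines, matches destinations against a constructed relay set, and separates TCP flows to common relay ports from UDP flows to the same hosts, which cannot be Tor traffic at all since relays only speak TCP. The log format, the TEST-NET addresses in the relay set and the port hints are all assumptions; a real deployment would load the current relay list and its own log format. As rnhmjoj notes, bridges are not in that public list, so this only covers direct connections to public relays.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed flow-log line format for this example; real exports differ.
_FLOW = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$")

# Constructed stand-in for a published relay list (TEST-NET addresses only).
RELAY_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Ports relays commonly listen on.  Any port is possible, so this is a hint
# for triage, not a rule.
COMMON_RELAY_PORTS = {443, 9001, 9030}


def parse_flow(line):
    """Parse one log line into a Flow, or None if it does not match the format."""
    m = _FLOW.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]))


def classify(flow, relay_ips=RELAY_IPS):
    """Verdict for a flow whose destination is a known relay IP, else None."""
    if flow.dst not in relay_ips:
        return None
    if flow.proto != "tcp":
        # Relays speak TCP only; UDP to the same host (e.g. NTP on 123) is
        # another service sharing the address, the collateral Forbo mentions.
        return "other-service"
    if flow.dport in COMMON_RELAY_PORTS:
        return "likely-tor"
    return "possible-tor"


def scan(lines, relay_ips=RELAY_IPS):
    """Return [(flow, verdict)] for every parseable line that hits the relay set."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow, relay_ips)
        if verdict:
            hits.append((flow, verdict))
    return hits


# Constructed sample log: two relay connections, one NTP query to a host that
# also runs a relay, one unrelated HTTPS flow, one odd-port flow to a relay.
SAMPLE_LOG = """\
2021-08-31T17:07:01Z src=10.0.1.23 dst=203.0.113.10 proto=tcp dport=9001
2021-08-31T17:07:02Z src=10.0.1.23 dst=203.0.113.11 proto=tcp dport=443
2021-08-31T17:07:03Z src=10.0.1.40 dst=198.51.100.7 proto=udp dport=123
2021-08-31T17:07:04Z src=10.0.1.40 dst=192.0.2.80 proto=tcp dport=443
2021-08-31T17:07:05Z src=10.0.1.23 dst=198.51.100.7 proto=tcp dport=8443
"""


def summarize(lines=SAMPLE_LOG.splitlines(), relay_ips=RELAY_IPS):
    """Count verdicts, the shape an alerting rule would key on."""
    counts = {}
    for _, verdict in scan(lines, relay_ips):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for flow, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict}")
    print(summarize())
```

Keying the alert on the `likely-tor` and `possible-tor` verdicts, and treating `other-service` as a reason not to block the address wholesale, is the practical difference between flagging the host and breaking its clock sync.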
| kodablah wrote:
| Yup, and it's easy to make server and client side tooling use
| Tor to make this mostly transparent. Latency/bandwidth isn't
| _that_ bad when communicating with an onion service. And it can
| be even faster if server anonymity isn't a goal (server set
| HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode
| and create ephemeral onion service with NonAnonymous).
|
| I use Tor plenty to self-host services from my house that are
| reachable anywhere (and often have a web interface I can access
| via Orbot). No hole-punching necessary.
| njsubedi wrote:
| Could you share more about your setup?
| kodablah wrote:
| Sure. I wrote https://github.com/cretz/bine (though I
| admittedly don't work on it much these days). I just have a
| few-line daemon that starts an HTTP (or gRPC or whatever)
| server on ephemeral onion service. Then I use that onion ID
| to access it (via TorBrowser or Orbot or a client built
| with the same library).
| croutonwagon wrote:
| Agree. That's pretty interesting.
|
| I use an SSH session and SOCKS5 proxy on a VPS provider for
| almost all of those other circumstances. Including checking
| external access etc.
|
| But the last one is a solid use case.
| fluential wrote:
| You will like this one as well "SSL/SSH Multiplexer"
| http://www.rutschle.net/tech/sslh/
| ISL wrote:
| Think from the beginning what will be the end: "I thought your
| security policy was too overbearing, so I used tor."
|
| IT departments make their choices for reasons. The key is to
| help them understand your use-case, and they'll probably help
| you through the problem in a way that might limit collateral
| damage.
|
| Source: have seen firewall bypasses (with a pre-shared key) get
| leveraged as a way to hack an entire university lab/department.
| azalemeth wrote:
| I tried doing that, and largely succeeded, but the specific
| area of the university in question will _not_ have a bastion
| SSH host _anywhere_ on _their_ network. They will not allow
| SSH access in _at all_. They _will_ however allow SSH access
| to other parts of the university, with different people in
| charge, which explicitly _do_ allow an SSH bastion host to
| exist (and provide several for that purpose). So, the net
| result is that they've effectively out-sourced the control
| and responsibility of their environment to someone else.
|
| Normally this is fine, but my job involves programming and
| controlling large, expensive, and strangely fragile lab
| equipment. There's a resilience problem, and it's got to the
| point where others have suggested putting a GSM modem on a
| pci-e card inside some of the boxes in question, as the
| relevant IT department decides on a whim to block ports with
| no warning or justification. Some manufacturers of the
| devices in question do this as standard if you have a support
| contract. Trying to complain results in responses like "you
| have been used to doing things one way and this change now
| prevents you from working as before."
|
| I completely accept that this is a political problem and best
| solved as one, but ultimately SSH is an industry standard for
| a reason -- it's secure, and it's flexible. The machines in
| question are valuable, prone to breaking in the middle of the
| night, and we are an international bunch who cannot always
| connect from a well-defined ipv4 address, or from the
| university's VPN. (The latter is blocked by the IT department
| automatically, as it has too large a pool of potential
| users). The thing I find most frustrating is that this sort
| of political decision creates days worth of work
| instantaneously, for little benefit. All of the actually
| confidential or sensitive information is held in a completely
| separate network at any rate...
| unethical_ban wrote:
| To quote Dr. Manhattan, "Without condemning, or condoning,
| I understand".
|
| I am in network security. I have stopped shadow IT, and
| been a part of it.
|
| Your situation seems so ungodly stupid and anathema to the
| point of IT, that the remaining courses of action _should_
| be the following.
|
| Thoroughly document via email your attempts at explaining
| requirements to Netsec, to document in writing their
| objections, to do your best with what they provide you...
| and WHEN things catastrophically break, point the finger at
| them and thoroughly document how if you had the proper,
| industry-standard tooling, you could have prevented the
| loss of research/time/money.
| zaphar wrote:
| THIS. Don't paper over the issues with shadow IT. Make
| them painfully obvious to the point where IT has to do
| something or answer to it. Otherwise it will not change.
|
| I've given teams the option to turn off their pagers when
| this sort of thing happens with the justification that
| they can't fix it anyway. And then documented the crap
| out of why they can't fix it so when someone asks I can
| point to existing policy. It's very effective if done
| right.
| nephanth wrote:
| Especially when, since it's Tor, potential attackers cannot
| be traced
| ryneandal wrote:
| > IT departments make their choices for reasons.
|
| In a perfect world, yes. But I've worked with/at places where
| ineptitude is rampant, and any attempt at understanding
| their reasoning is seen as insubordination.
| novok wrote:
| IT departments make choices that benefit their own needs and
| for their own convenience, often forgetting that the entire
| point of their department is to make the rest of the
| organization more effective. Sadly, it often goes the other
| way.
|
| Shadow IT is a signal that the IT organization is doing
| things wrong. People use shadow IT because the IT department
| is not doing its job properly, serving its customer base
| based on the needs they show via their actions.
|
| For example, if you see someone like azalemeth do the things
| he does, it shows that the IT department needs to become
| responsive enough and cooperative enough to not push him to
| do such things in the first place. You notice he's tried to
| do things the IT department's standard way first, and spent
| considerable effort before he started his shadow IT method.
| relax88 wrote:
| "Policy made my job slightly harder so because I know
| better than the netsec team who clearly has or should have
| unlimited time and resources to help me I will do what I
| want anyways, and put the organization at risk."
|
| Also known as "how to make the netsec team hate you 101"
|
| I agree with you about why shadow IT exists, but most IT
| departments are spread so thin that expecting them to be
| super responsive to anything but the most critical business
| projects is often totally unreasonable.
|
| Then they have to waste even more time hunting down idiots
| setting up Tor nodes on their internal networks.
| still_grokking wrote:
| If the IT department can't do its job because of resource
| constraints likely the whole organization is a failure.
|
| If you find something like that, run...
|
| If you can't run, do whatever makes your life better. The
| org is doomed anyway.
| azalemeth wrote:
| A recent example from me -- one VPN suddenly refused to
| connect one day for no discernible reason when they made
| a configuration change to their cisco vpn "concentrator"
| without publishing it fully. Cisco AnyConnect GUI clients
| were fine and some magic happened behind the scenes to
| push the configuration change and, in typical Cisco
| style, avoid saying what exactly it was.
|
| I had some esoteric monitoring machine that couldn't run
| anyconnect (for reasons I forget but almost certainly
| relating to it not having a linux arm64 client at that
| time) and naturally couldn't connect randomly one day
| with openconnect (which previously had worked perfectly).
| I asked what the configuration change was to prevent me
| having to reverse-engineer it. The response was "if you
| want to use unsupported clients we cannot offer any
| assistance [...] we are currently operating two heads
| down and we simply do not have the resources [...]."
|
| I totally understand it from the other side. IT
| departments have everything from state-sponsored
| ransomware attacks to important people loudly going "why
| doesn't the printer work any more". It's a different set
| of skills to being a C-junkie, a programming wizard, or,
| in my case, a young academic with one big grant and three
| PhD students trying to both do work, publish work, and
| get money to do more work where "work" is poorly defined
| and highly flexible. Over time I've noticed universities
| get far more corporate and many academics _absolutely
| hate this_, of which I am one. The "we control the
| network, bug off" may be technically true but at times it
| _does_ feel a bit like an imposition of some sort of
| academic freedom, to be honest. At the very least, it's
| a nice little "dog egg" to find added to the pile of
| administrative crap to do for that day.
| Aloha wrote:
| I'm working in an organization where we have one laptop
| from work, and another laptop to do work on. Because the
| one sized fits all IT policy doesn't work for our org,
| but it's forced on us because of the IP security needs of
| another parallel org.
|
| We went from an organization moving towards BYOD, to, now
| the exact opposite.
| pope_meat wrote:
| A simulated conversation with IT:
|
| "Hey, IT department...I was wondering..."
|
| "No."
| eitland wrote:
| Lucky me.
|
| Our IT department goes out of their way to help us stay
| sane and productive
|
| - they're making sure most of us can continue to use our
| favourite Linux distro (I think most Debian/Ubuntu, Fedora
| and Arch are supported)
|
| - make sure VPN etc works on Linux even if it is not
| officially supported
|
| - taking time to sit down and debug hard problems (weird
| issues with WSL2 on one particular Windows laptop) instead
| of just blaming us engineers
| api wrote:
| Not sure why you'd use this instead of something like ZeroTier or
| a bounce box, but I can think of one reason: you want to hide the
| location of something in your infrastructure to make side channel
| attacks on the cloud provider or physical location a lot harder.
| alisonkisk wrote:
| Part of the point is to generate non-criminal usage of Tor to
| legitimize it.
| [deleted]
| lifeisstillgood wrote:
| Being a small cog, but using clever tricks to get your job done
| is not solving the problem.
|
| An organisation that prevents itself from acting rationally is an
| organisation that should die Schumpeter-style. Please don't
| prevent it.
| croutonwagon wrote:
| I use similar "clever tricks", albeit with SSH and socks to do
| the same type of testing.
|
| DNS can be funky, it's useful to test resolution externally and
| internally.
|
| Traffic can be funky when routed, it's useful to t-shoot sites
| through a proxy here and there as there have been times it
| works internally and is broken externally (often security
| appliances are inline that may need debugging).
|
| Working in IT infra/ops means it's our job to use some of these
| tools to troubleshoot these methods.
| throwaway09223 wrote:
| I'm not seeing where this relates to organizational
| dysfunction. Using an external point to test a system is a
| standard practice.
|
| I'm also a little confused because preventing someone from
| using their abilities to problem solve would be a _cause_ of
| dysfunction -- a seemingly avoidable one.
| sumtechguy wrote:
| Also circumventing this sort of thing in many orgs is a first
| class ticket to finding a new job. Friend of mine did that,
| they walked him to the curb with his cardboard box that day.
| His sin? Turned off virus scanning because it was taking 4
| hours to do a 20 min build.
| novok wrote:
| The organization did him a favor. Many other, far more well
| paying companies response to doing that is working with the
| developer to figure out a system to make them both happy, or
| just silently ignoring it until they figure out a better
| solution. Or just talking to the person and asking them to
| stop, vs firing.
| azalemeth wrote:
| To be honest, if I were in that situation I'd be thinking
| something along the lines of "well, that was a dodged
| bullet".
| asddubs wrote:
| I like using tor when testing DNS resolution related stuff, to
| circumvent some part of my system having a cached entry already.
| trey-jones wrote:
| Several years ago I used a Tor Hidden Service in a professional
| capacity to expose an application from a Wireless network with
| properties that we wouldn't know ahead of time.
|
| Worked like a charm, and no regrets. My favorite part was telling
| my employer "We're using TOR for this" _eyebrows_.
| menduza23 wrote:
| Tor is a great tool for freedom. People tend to bash it and say
| people use it for child porn. But the reality with freedom and
| free choice is that you can also use that freedom to do bad. We
| are seeing censorship in the west on the same scale as china
| right now. I won't be surprised if Tor gets taken out of action
| in the west soon.
| tempfs wrote:
| Using Tor for anything in a corporate network will rightfully get
| you into serious shit with IT security.
|
| I see a lot of people also advocating ngrok, wireguard, etc. You
| all may not realize that actual threat actors use all of these
| same techniques and making yourself look like them could very
| well lead to your termination as this kind of circumvention of
| security controls is absolutely a threat to the org and a
| violation of security policy.
|
| TLDR; If you need remote access, use the proper
| channels....pretty please. For everyone's sake.
| sockpuppet_12 wrote:
| This is the correct answer, and also the hardest answer because
| it's going to require you to have to swallow your pride.
|
| Security will already be monitoring your traffic as a basic
| first step, which they will pipe straight into a SIEM or SOAR
| system. Doing this stuff will likely get you flagged for an
| audit.
| eximius wrote:
| So the big message is proxies are useful? I mean, sure. I'm not
| sure why Tor makes a better choice than anything else?
| jstrieb wrote:
| I can confirm that Tor is very useful for exposing services when
| you cannot port forward!
|
| Specifically, I've used Tor for connecting to GitHub Actions
| virtual machines over SSH. This is great for debugging Actions
| without running them over and over again. I also used this for a
| project that sets up an ephemeral, collaborative environment in
| one of the GitHub Actions VMs.
|
| https://github.com/jstrieb/ctf-collab
| segfaultbuserr wrote:
| The article didn't mention another nice trick: Tor is also a
| great tool for accessing IPv4 sites in an IPv6-only network and
| vice versa.
| suyash wrote:
| For some reason the IT dept hates it, as I get a notification
| when I try to use it. I think coz it jumps over so many IP
| addresses.
| dijit wrote:
| I actually use tailscale for exactly this reason.
|
| NAT is the devil.
|
| The latency of tor might be a bit too much though.
| INTPenis wrote:
| I recently had to do some basic sysadmin stuff over tor and I
| disagree with OP.
|
| Two things that failed miserably, fetching a file that was just
| shy of 5M, and a reverse SSH tunnel.
|
| The SSH tunnel was unusable, it would only last for minutes at
| the most. I wish I could use mosh but that requires UDP.
|
| The file transfer was actually done with curl and the file was
| often incomplete.
|
| This was all done within Europe where we have the highest
| concentration of tor nodes.
|
| So no, I don't think tor is appropriate for sysadmin tasks.
| aarchi wrote:
| > This was all done within Europe where we have the highest
| concentration of tor nodes.
|
| So Tor nodes take locality into account? Although, that would
| improve speeds, it seems like an information leak.
| INTPenis wrote:
| Not sure, just an educated guess but peering is best in that
| region so there is a large selection of nodes with very good
| peering. No need to use a node outside of Europe.
| 5faulker wrote:
| Interesting use of a security tool
| posterboy wrote:
| why did I read sadism instead of sysadmin?
| jedberg wrote:
| Heh, most of these use cases I solved by having a personal
| jumphost in a cabinet in a datacenter. But this is very clever! I
| like the idea of using Tor because you'll get much better tests.
___________________________________________________________________
(page generated 2021-08-31 23:00 UTC)