[HN Gopher] A customer stuck due to a hurricane who needed SSH
___________________________________________________________________
A customer stuck due to a hurricane who needed SSH
Author : HieronymusBosch
Score : 62 points
Date : 2023-09-21 20:09 UTC (2 hours ago)
(HTM) web link (rachelbythebay.com)
(TXT) w3m dump (rachelbythebay.com)
| jmholla wrote:
| Not being too familiar with `iptables` myself, I'd love to see
| the magic invocation they used. Anyone have any idea what that
| would have looked like?
| mrrsm wrote:
| I'm guessing something like this would work
|
| # Redirect port 8080 to local port 22
|
| iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 22
| icehawk wrote:
| Something on the order of
|
| iptables -t nat -I PREROUTING -p tcp --dport NNNN -j REDIRECT --to-ports 22
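A reversible version of the REDIRECT rule shown above, written as an added example rather than code from the thread: every added rule is generated from the same function as its `-D` inverse, the extra port is validated, and (outside dry-run) the script refuses a port that already has a listener. IFACE, DRY_RUN and the use of `ss` are assumptions of this example.

```shell
#!/bin/sh
# Added example: expose sshd on an extra TCP port via iptables REDIRECT,
# keeping the exact inverse rule so the change can be reverted later.
# IFACE and DRY_RUN are assumptions; DRY_RUN=1 (default) prints commands
# instead of running them, so the script can be tried without root.
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# An acceptable extra port is numeric, within 1..65535, and not 22 itself.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# Build the iptables command for ACTION (-A adds the rule, -D deletes it).
# Only the action differs, so "-D" is guaranteed to match what "-A" added.
redirect_rule() {  # $1 = -A|-D, $2 = extra port
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports 22' \
        "$1" "$IFACE" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Succeeds if some local service already listens on the port (skipped in dry-run).
port_busy() {
    [ "$DRY_RUN" = 1 ] && return 1
    ss -Hltn "sport = :$1" | grep -q .
}

# usage: ssh_extra_port.sh add|remove PORT
main() {
    action="$1"; port="$2"
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    case "$action" in
        add)    port_busy "$port" && { echo "port $port already in use" >&2; return 3; }
                run "$(redirect_rule -A "$port")" ;;
        remove) run "$(redirect_rule -D "$port")" ;;
        *)      echo "usage: $0 add|remove PORT" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `DRY_RUN=0 ./ssh_extra_port.sh add 8080` as root to apply, and `remove 8080` with the same variables to take it back out.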
| pwdisswordfishc wrote:
| Why would a hurricane need SSH?
| saagarjha wrote:
| Why would a hurricane need electric?
| yazzku wrote:
| The hurricane needed SSH so that it could troubleshoot the
| customer's problem and get them unstuck.
| Multiplayer wrote:
| I wonder how long until customer support AI will solve these
| issues or is this an edge case that will require intervention?
| supertrope wrote:
| Some support phone numbers automatically offer to waive a late
| fee if your account is generally in good standing.
| arwineap wrote:
| Giving a customer service ai the ability to configure firewall
| rules seems problematic
|
| Maybe eventually they will be less susceptible to social
| engineering but I don't have that confidence yet
|
| Is it still social engineering if you're talking to an AI?
| powersnail wrote:
| Prompt injection is basically the AI version of social
| engineering, isn't it?
| flangola7 wrote:
| Social engineering has limits and each individual has
| unique vulnerabilities. It's not possible to call in and
| speak a single sentence compelling any agent who hears it
| to immediately burn the office building down.
| tedunangst wrote:
| Good reason to have backup connection means, like ssh in https.
| (Or at the time of the article, since it's possible even https
| was blocked, ssh over dns.)
| junon wrote:
| At Uber someone (reportedly) got TCP or UDP (can't remember
| which) over SMS. Always intrigued me.
| ars wrote:
| I hate public WiFi that blocks arbitrary ports. The internet is
| not HTTP!!
| pixl97 wrote:
| At the same time free public Wifi is just that, a "we do what
| we can and try to keep the infra safe at low cost".
|
| There is a lot of tooling to filter out bad behavior by HTTP.
| When it comes to other protocols, not so much. Much easier to
| block other ports than end up with your IP range on a block
| list.
| bombcar wrote:
| What I'd like to see, is public Wifi setup with something
| akin to "HTTP/HTTPS - wide open" and "all other ports, you
| can connect to 1-5 machines an hour" or something.
|
| Blocks useful access for worms, Trojans, etc but still lets
| you get out once.
| m463 wrote:
| I think ports < 1024 is not so arbitrary.
| dijit wrote:
| fwiw, in the "Port" directive in sshd_config you can just add
| another port number declaration and SSHd _will listen_ on both
| ports.
|
| Port 22
| Port 80
|
| Much cleaner than iptables magic; though I have done similar
| iptables redirects before it is almost always a bad idea. :)
| m463 wrote:
| hmmm... if port NNNN got through, maybe it went to something
| already listening on NNNN? but an iptables redirect could fix
| that.
|
| just idle speculation.
|
| I'm pretty sure "Port" worked with older ssh servers, maybe.
| openssh was only 4 years old 20 years ago.
|
| EDIT: hmmm what about needing privileges or an selinux config
| change?
| hnlmorg wrote:
| Unlikely. While selinux is more than 20 years old, it was
| merged into the mainline kernel a few years after its initial
| release and it would have taken a while longer for that
| kernel to trickle down to distros, and then sysadmins
| installing.
| r00f wrote:
| If the server has a strict iptables policy for incoming packets, you
| would still need to add an iptables rule allowing the second port. So if
| you need iptables anyway, why not just redirect without editing the
| sshd config? The fewer modifications, the better the chance of not
| forgetting to revert them.
| sleepybrett wrote:
| Possible that this was a feature added after this event?
| tedunangst wrote:
| Multiple ports have been supported for more than 20 years.
| dijit wrote:
| possible, but I see recommendations along these lines going
| back to 2011
|
| https://serverfault.com/questions/284566/configuration-for-m...
| jrockway wrote:
| I feel like the blink tag part of the story dates it to
| before 2011. (I just tested to see if blink tags still
| worked. It did not.)
| hnlmorg wrote:
| I remember doing some relatively complex stuff with SSH
| config 15 or 20 years ago with IP filtering, different users
| having different chroots, IP forwarding rules based on the users
| connecting, and rules around what SSH clients / protocols were
| allowed. Part of that was also defining custom ports too. All
| of which were just defined in sshd_config.
|
| None of this was new stuff back then. It just wasn't well
| blogged (in fact it was so poorly written about that my very
| first blog post was on exactly this topic. Blog is long gone
| now though). However, if anyone took the time to read the man
| pages, you'd see all the functionality is already baked into
| openssh.
| emj wrote:
| Do you believe it to be arcana for new sysadmins, or some
| technical reason it is a bad idea?
| AnotherGoodName wrote:
| socat is better for this. It plumbs any connection to any
| connection.
|
| Listen on port 8080 and route to some local 22?
|
| socat TCP-LISTEN:8080,fork,reuseaddr TCP:[somelocalip]:22
|
| This lets you be very explicit in watching this run and killing
| when done.
|
| Socat also lets you route networks through old serial ports, log
| all data going over a connection to a file, and even join
| completely different protocols.
|
| Fun past projects based on socat; a serial port->socat to tcp
| out->socat on another computer to listen->a serial port out.
| Basically this created a serial port that worked over a satellite
| for a customer doing some remote monitoring so they could set an
| alarm if something failed (a lot of equipment only has serial
| connectivity for status).
| what-no-tests wrote:
| Commas, so important, are so very, infrequently, and -
| unnecessarily - sparingly used.
| ndesaulniers wrote:
| > Whether they were trying to be KIBO or B1FF, I may never know.
|
| Can someone explain this reference to me, I didn't get it?
| BoxFour wrote:
| https://en.m.wikipedia.org/wiki/BIFF_(Usenet)
|
| https://en.m.wikipedia.org/wiki/James_Parry
___________________________________________________________________
(page generated 2023-09-21 23:00 UTC)