[HN Gopher] A customer stuck due to a hurricane who needed SSH
___________________________________________________________________
A customer stuck due to a hurricane who needed SSH
Author : HieronymusBosch
Score  : 62 points
Date   : 2023-09-21 20:09 UTC (2 hours ago)
(HTM) web link (rachelbythebay.com)
(TXT) w3m dump (rachelbythebay.com)

| jmholla wrote:
| Not being too familiar with `iptables` myself, I'd love to see the magic invocation they used. Anyone have any idea what that would have looked like?
| mrrsm wrote:
| I'm guessing something like this would work
|
|   # Redirect port 8080 to local port 22
|   iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 22
|
| icehawk wrote:
| Something on the order of
|
|   iptables -t nat -I PREROUTING -p tcp --dport NNNN -j REDIRECT --to-ports 22
|
| pwdisswordfishc wrote:
| Why would a hurricane need SSH?
| saagarjha wrote:
| Why would a hurricane need electric?
| yazzku wrote:
| The hurricane needed SSH so that it could troubleshoot the customer's problem and get them unstuck.
| Multiplayer wrote:
| I wonder how long until customer support AI will solve these issues, or is this an edge case that will require intervention?
| supertrope wrote:
| Some support phone numbers automatically offer to waive a late fee if your account is generally in good standing.
| arwineap wrote:
| Giving a customer service AI the ability to configure firewall rules seems problematic.
|
| Maybe eventually they will be less susceptible to social engineering, but I don't have that confidence yet.
|
| Is it still social engineering if you're talking to an AI?
| powersnail wrote:
| Prompt injection is basically the AI version of social engineering, isn't it?
| flangola7 wrote:
| Social engineering has limits and each individual has unique vulnerabilities. It's not possible to call in and speak a single sentence compelling any agent who hears it to immediately burn the office building down.
| tedunangst wrote:
| Good reason to have backup connection means, like ssh in https. (Or at the time of the article, since it's possible even https was blocked, ssh over dns.)
| junon wrote:
| At Uber someone (reportedly) got TCP or UDP (can't remember which) over SMS. Always intrigued me.
| ars wrote:
| I hate public WiFi that blocks arbitrary ports. The internet is not HTTP!!
| pixl97 wrote:
| At the same time free public Wifi is just that, a "we do what we can and try to keep the infra safe at low cost".
|
| There is a lot of tooling to filter out bad behavior by HTTP. When it comes to other protocols, not so much. Much easier to block other ports than end up with your IP range on a block list.
| bombcar wrote:
| What I'd like to see is public Wifi set up with something akin to "HTTP/HTTPS - wide open" and "all other ports, you can connect to 1-5 machines an hour" or something.
|
| Blocks useful access for worms, Trojans, etc. but still lets you get out once.
| m463 wrote:
| I think ports < 1024 is not so arbitrary.
| dijit wrote:
| fwiw, in the "Port" directive in sshd_config you can just add another port number declaration and SSHd _will listen_ on both ports.
|
|   Port 22
|   Port 80
|
| Much cleaner than iptables magic; though I have done similar iptables redirects before, it is almost always a bad idea. :)
| m463 wrote:
| hmmm... if port NNNN got through, maybe it went to something already listening on NNNN? but an iptables redirect could fix that.
|
| just idle speculation.
|
| I'm pretty sure "Port" worked with older ssh servers, maybe. openssh was only 4 years old 20 years ago.
|
| EDIT: hmmm what about needing privileges or an selinux config change?
| hnlmorg wrote:
| Unlikely. While selinux is more than 20 years old, it was merged into the mainline kernel a few years after its initial release, and it would have taken a while longer for that kernel to trickle down to distros, and then for sysadmins to install it.
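A worked version of the iptables approach from jmholla's subthread, with the checks a sysadmin would want around it. This is example code added here for the page; it is not from the linked article, from rachelbythebay, or from any commenter. It assumes Linux with the legacy iptables CLI, sshd already listening on 22 and allowed through filter/INPUT, and root for a real run; the script name, the DRY_RUN variable and every function name are my own. DRY_RUN=1 prints the iptables commands instead of running them, so the logic can be exercised without privileges.

```shell
#!/bin/sh
# Added example (not the article's or any commenter's code): expose sshd on
# an extra TCP port via a nat/PREROUTING REDIRECT, idempotently, with a
# matching "close" so the temporary rule is not forgotten. Assumes Linux,
# legacy iptables CLI, sshd on 22 already allowed through filter/INPUT.
set -eu

SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# Wrapper around iptables. In dry-run mode a "-C" (does the rule exist?)
# check answers "no" so the add path is shown; every other call is echoed.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        case " $* " in *" -C "*) return 1 ;; esac
        printf 'iptables %s\n' "$*"
        return 0
    fi
    iptables "$@"
}

# A usable extra port: an integer 1..65535 that is not sshd's own port.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne "$SSH_PORT" ]
}

# Rule body (everything after the chain name), kept in one place so that
# add, check and delete all refer to exactly the same rule.
redirect_rule() {
    printf -- '-p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$SSH_PORT"
}

# Add a rule only if it is not already present (-C returns 0 when it is).
ensure_rule() { # table chain body...
    table=$1 chain=$2
    shift 2
    if ipt -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "already present: $table/$chain $*"
    else
        ipt -t "$table" -A "$chain" "$@"
    fi
}

# m463's point above: if something already listens on the port, a REDIRECT
# would silently hijack it. Column 4 of "ss -ltn" is Local Address:Port.
port_in_use() {
    ss -ltn | awk -v re=":$1\$" 'NR > 1 && $4 ~ re' | grep -q .
}

open_port() {
    port=$1
    valid_port "$port" || { echo "bad port: '$port'" >&2; return 2; }
    if [ "$DRY_RUN" != 1 ] && port_in_use "$port"; then
        echo "port $port is already in use; not redirecting" >&2
        return 3
    fi
    # Unquoted on purpose: the rule body must split into separate arguments.
    ensure_rule nat PREROUTING $(redirect_rule "$port")
    # No extra filter/INPUT rule is needed here: nat/PREROUTING rewrites the
    # destination to $SSH_PORT before filter/INPUT sees the packet, so the
    # existing allow for SSH covers it. (The sshd_config "Port" approach,
    # by contrast, does need a new INPUT rule on a default-DROP host.)
    echo "revert with: $0 close $port"
}

close_port() {
    port=$1
    valid_port "$port" || { echo "bad port: '$port'" >&2; return 2; }
    ipt -t nat -D PREROUTING $(redirect_rule "$port")
}

# Entry point: ./ssh_extra_port.sh open 8080   |   ./ssh_extra_port.sh close 8080
case "${1:-}" in
    open)  open_port "${2:-}" ;;
    close) close_port "${2:-}" ;;
esac
```

Two things to keep in mind when trying it: nat/PREROUTING only sees packets arriving from the network, so test from another host rather than with `ssh -p 8080 localhost` (locally generated packets would need the same rule in nat/OUTPUT); and if you prefer dijit's sshd_config route instead, add the second `Port` line, run `sshd -t` before reloading, and remember the filter/INPUT allow that r00f mentions below.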
| r00f wrote:
| If the server has a strict iptables policy for incoming packets, you would still need to go into iptables to allow the second port. So if you need iptables anyway, why not just redirect without editing sshd config? The fewer modifications, the better the chance of not forgetting to revert them.
| sleepybrett wrote:
| Possible that this was a feature added after this event?
| tedunangst wrote:
| Multiple ports have been supported for more than 20 years.
| dijit wrote:
| possible, but I see recommendations along these lines going back to 2011
|
| https://serverfault.com/questions/284566/configuration-for-m...
| jrockway wrote:
| I feel like the blink tag part of the story dates it to before 2011. (I just tested to see if blink tags still worked. They did not.)
| hnlmorg wrote:
| I remember doing some relatively complex stuff with SSH config 15 or 20 years ago with IP filtering, different users having different chroots, IP forwarding rules based on the users connecting, and rules around what SSH clients / protocols were allowed. Part of that was also defining custom ports too. All of which were just defined in sshd_config.
|
| None of this was new stuff back then. It just wasn't well blogged (in fact it was so poorly written about that my very first blog post was on exactly this topic. Blog is long gone now though). However, if anyone took the time to read the man pages, you'd see all the functionality is already baked into openssh.
| emj wrote:
| Do you believe it to be arcana for new sysadmins, or is there some technical reason it is a bad idea?
| AnotherGoodName wrote:
| socat is better for this. It plumbs any connection to any connection.
|
| Listen on port 8080 and route to some local 22?
|
|   socat TCP-LISTEN:8080,fork,reuseaddr TCP:[somelocalip]:22
|
| This lets you be very explicit in watching this run and killing it when done.
|
| Socat also lets you route networks through old serial ports, log all data going over a connection to a file, and even join completely different protocols.
|
| Fun past projects based on socat: a serial port -> socat to tcp out -> socat on another computer to listen -> a serial port out. Basically this created a serial port that worked over a satellite for a customer doing some remote monitoring so they could set an alarm if something failed (a lot of equipment only has serial connectivity for status).
| what-no-tests wrote:
| Commas, so important, are so very, infrequently, and - unnecessarily - sparingly used.
| ndesaulniers wrote:
| > Whether they were trying to be KIBO or B1FF, I may never know.
|
| Can someone explain this reference to me, I didn't get it?
| BoxFour wrote:
| https://en.m.wikipedia.org/wiki/BIFF_(Usenet)
|
| https://en.m.wikipedia.org/wiki/James_Parry
___________________________________________________________________
(page generated 2023-09-21 23:00 UTC)