___________________________________________________________________
Show HN: Automatic proxy setup for SSH'able boxes that have no
network access
Author : WinDoctor
Score : 44 points
Date : 2021-12-03 12:45 UTC (10 hours ago)
| gjulianm wrote:
| Something to add: use proxychains to ensure that the requests of
| all apps go through the proxy. A lot of applications don't have
| good proxy support, or have nothing at all. If you configure
| proxychains with the SOCKS proxy provided by this script, then
| you can do "proxychains my-command-that-doesnt-use-proxy" and it
| will automatically patch the libc calls to use the proxy
| properly.
| WinDoctor wrote:
| Good suggestion. Added it to the README as an optional
| addition.
| 1cvmask wrote:
| I couldn't find the license for it. Is it open source? If so what
| license?
| WinDoctor wrote:
| I added MIT license now :)
| WinDoctor wrote:
| All comments & suggestions / code reviews are welcome!
| SahAssar wrote:
| I don't really get what the definition of "network" is here,
| clearly the box has network access since it is SSH'able. Could
| you give an example of a situation when this is used?
| WinDoctor wrote:
| "Network access" as in outgoing requests to public web.
|
| e.g. you can't curl google.com
|
| I've used this code in CTF competitions and Blue Team exercises
| where some machines behind a VPN don't have outgoing network
| access.
|
| (Sometimes it's just simpler to organize this way, sometimes
| it's deliberate for security purposes.)
| SahAssar wrote:
| So restricted HTTP access, but wide open SSH? Do people
| commonly restrict only HTTP/HTTPS but leave other ports
| unrestricted?
| jve wrote:
| Yeah, well, not only HTTP*, but actually whitelisting
| whatever outgoing connection you may need.
| https://github.com/stripe/smokescreen
|
| Suppose you configured your webserver to run with limited
| privileges so as if someone hacks it it has limited access.
| Suppose it still has access to DB and stuff. Well,
| filtering outgoing connections makes it harder to exfiltrate
| the data OR hop to other hosts. And then you can monitor
| failed outgoing requests to be able to act/investigate when
| that happens.
| SahAssar wrote:
| Couldn't an attacker exfiltrate over ssh or over an
| incoming HTTP connection instead of an outgoing? Or is
| this a defense-in-depth thing, not meant as a "hard
| stop"?
| pnutjam wrote:
| No wide open ssh; it's a machine that can talk to it that
| can also talk out to the wider internet (a proxy).
| thedougd wrote:
| This would be a common setup. They allow SSH ingress so
| that the server can be managed or provisioned with
| something like Ansible. However, they block all other
| unused ingress ports, as well as any egress that does not
| contribute to the function of the server. Also common would
| be a bastion or VPN to get to the network where SSH is
| accessible. A mistake is to have SSH accessible to the
| entire corporate network, which is all too common.
| gizdan wrote:
| Not OP, but some air-gapped servers can be connected to from a
| private "trusted" network, but are otherwise unable to connect
| to the internet or elsewhere. Perhaps that's what OP means?
|
| I wish companies would hurry up and move away from "trusted"
| networks and move onto zero trust.
| WinDoctor wrote:
| Exactly. These "trusted" machines still have security
| vulnerabilities that you would like to patch though :)
| traceroute66 wrote:
| > some air-gapped servers can be connected to from a private
| "trusted" network
|
| Erm ... mate....
|
| A device is either air-gapped or it isn't. The clue is kinda
| in the name.
|
| Yes, I know gov/mil networks use data-diodes, but that's a
| different kettle of very expensive fish which is certified to
| EAL6/7.
|
| For everyone else, air-gapped means what it says on the tin.
|
| Pseudo air-gapping via firewall rules is not air-gapping, it's
| called writing ACLs.
| gizdan wrote:
| Ha. I totally get what you mean, but I wish. I've seen
| plenty of air-gapped servers, and I'm not even that old.
| And every time I've challenged the setup for it to be truly
| air-gapped, I've been fought for it.
| 123pie123 wrote:
| correct - I think people are getting confused - not sure
| how, since the name is very descriptive
| myself248 wrote:
| Bingo. Air-gapped machines, by definition, have no
| connection to each other. Not so much as an audio cable
| between them. Everything that goes back and forth is
| manually transferred, either by
| eyes-on-one-screen-hands-on-the-other-keyboard, or by
| sneakernet typically of media which may be inspected at yet a
| third station en route.
|
| This is a proxy or a bastion host, no more, no less.
| Calling it an airgap, even in "scare quotes", is clownishly
| terrible and serves no purpose beyond polluting the
| language.
| mrweasel wrote:
| The name, Airgapt - "airgapped" apt - is also a little "weird".
| When I work on air-gapped devices it normally involves bringing
| DVDs and physically going to a datacenter.
| WinDoctor wrote:
| Agreed :) That's why I put it in "quotes"
|
| Can you propose an alternative / more accurate name?
| mrweasel wrote:
| I'd rather not :-)
|
| Naming things is hard. I love the project though, not
| because I need it, but it proves one of my points: "If you
| didn't want me to be able to do X, then you shouldn't have
| allowed SSH access".
| 3np wrote:
| I think the name is quite apt (:
| Fnoord wrote:
| You could have a bridge (e.g. with an IDS or a packet filter)
| with a management interface on a separate VLAN, or which
| requires management via a physical cable of some sort. But the
| bridge could also intercept traffic to port 22 and redirect it
| to itself. Personally, I resort to Wireguard instead, as the
| only reachable port.
| rp1 wrote:
| Isn't this typically called an ssh bastion?
| WinDoctor wrote:
| Looks like :)
|
| https://github.com/ovh/the-bastion
| WinDoctor wrote:
| Though after looking into it more, it seems to me like
| bastions usually aren't used for reverse proxy / SOCKS like
| this.
|
| Usually bastions just allow one SSH server on your
| VPC/network, with every SSH connection going through it.
|
| I still actually haven't found similar projects to mine.
___________________________________________________________________
(page generated 2021-12-03 23:02 UTC)