Language:

en_US

switch to room list switch to menu My folders
Go to page: First ... 18 19 20 21 [22] 23
[#] Sat Aug 05 2023 14:49:02 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Then i would go with option 2, or something similar.  Waste the bandwidth or other resources for the sake of stealth. 

Once upon a time due to a lot of restrictions, and similar 'performance' annoyances issues, i ended up doing a p2v so i could run the office computer on better/larger hardware, in effect.  I have a ( office bought ) MSDN license, so changing hardware the first time didnt burn me. ( later when we started staying home a day or 2 a week, pre pandemic,  i redid the office laptop as a host. just shuffled the vm back and forth when i had to come into the office ) May not work for everyone tho.. 

 

 

Sat Aug 05 2023 09:48:19 AM EDT from zelgomer
Do they pay you for after hours? If not id say f-it and find
something else to keep yourself occupied at night. Get a hobby.


Okay, but for the sake of argument only, let's say it was to be used during normal work hours too :)

 



[#] Sat Aug 05 2023 15:22:57 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

So this person devises a back door using ssh tunnelling over stunnel

(required to diguise the traffic as https because the company's

If the internal network is run by people who love security theater, they're going to catch and terminate this person eventually, so it isn't worth it.

Get an A/B switch, plug the company laptop into the big monitor, attach it to a separate VLAN on the home network, and deal with the slow VPN.

There's probably something in their company security policy that specifically prohibits trying to work around the VPN using any sort of trickery. My employer definitely has that policy in place, and they actively scan end user workstations for software that could work around it.

And then they blow the whole thing by permitting users to log in to Microsoft 365 from any computer.

[#] Sat Aug 05 2023 17:38:46 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Between that and us moving to a new ITSM platform, i may never need windows or a shop PC again.

Sat Aug 05 2023 11:22:57 AM EDT from IGnatius T Foobar
And then they blow the whole thing by permitting users to log in to Microsoft 365 from any computer.

 



[#] Sat Aug 05 2023 23:20:04 UTC from zelgomer

[Reply] [ReplyQuoted] [Headers] [Print]

2023-08-05 15:22 from IGnatius T Foobar <ajc@citadel.org>
So this person devises a back door using ssh tunnelling over stunnel


(required to diguise the traffic as https because the company's

If the internal network is run by people who love security theater,
they're going to catch and terminate this person eventually, so it
isn't worth it.


Yeah, 100% agree. That's what I would say to this hypothetical person, too.

But let's say you wanted to catch people doing this. As an IT/security person, how would you notice it short of scanning specifically for ssh -R processes? ssh use is allowed where I work, it has to be. We're all using it pretty much constantly.

[#] Mon Aug 07 2023 14:07:04 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]


I would do all of the following:

1. Block all outbound DNS lookups, except through the corporate DNS server
2. Configure that DNS server to use OpenDNS or some similar service that scans, logs, blocks, etc.
3. Force all outbound HTTP/HTTPS traffic through a proxy
4. Configure all workstations to trust a certificate that is installed on the proxy, permitting it to be a man in the middle for approved traffic

Now, if you're legitimately performing outbound SSH to external addresses, that is somewhat more difficult to supervise. There are firewall logs, of course, but those would have to be periodically scanned and searched for suspicious destinations (the "What customer is this?" question). A connection that is open "all day, every day" might turn up on a SIEM report as something worth investigating.

[#] Mon Aug 07 2023 15:30:09 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Our security team is over 40 people now i think

They love logs. 



[#] Tue Aug 08 2023 15:30:58 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

scuttlebutt P2P. new one for me.

( ran across it on a forum talking about moving a DHT crawler source repository off github and onto a scuttlebutt hosted git.. as the founders are banned or something )



[#] Tue Aug 08 2023 18:16:28 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-08-04 23:32 from zelgomer
Let's say, hypothetically, someone was such a workoholic that they

wanted to connect to their office PC from their home PC so that they

can work late nights and weekends. This person really prefers to use

their home PC because it's really good and has a nice big screen and so

on. Also it's super inconvenient to use the company laptop because it's

slow, the VPN requires frequent reauthentication, and security policies

and spyware has gotten so draconian that this person frankly doesn't

trust having the device in their home.

So this person devises a back door using ssh tunnelling over stunnel

(required to diguise the traffic as https because the company's

firewall won't allow ssh to make it out of the office). Which of these

two configurations do you think is the least suspicious or likely to

result in discovery?

1. Configure the office PC to open a stunnel client to a controlled

host, then use ssh over that to forward a remote port to localhost.

2. Configure the laptop to open a stunnel client to a controlled host,

then use ssh to forward that to the office PC. The laptop is Windows.

The laptop is then kept someplace isolated and connected only by

sequestered guest wifi when in use. When not in use, it's shut off and

put in a shed outside.

My thoughts: 1 is simpler and more direct, but it looks like an https
>connection that has constant activity and never dies. 2 is more

wasteful since all data comes into the home network and then out again

through the vpn, but it has the benefit that traffic does go through

the vpn not wrapped in stunnel, so it looks the same as if a person

were just using the laptop normally, except for the active https

connection, but at least that comes and goes with the work hours, so it

looks like a human and not like malware.



I am the workaholic.

I also happen to be the chief sysadmin so I have an VPN link that joins a network segment in my house with office.

I dare say most offices that support people working remotely have some VPN access already set up. Ask your friendly sysadmin for your entry key.

If your firm won't let you get legit remote access you should not bother. RULE #1 of the employee is to never bother with something more than what your coworkers and direct upper-ups do.

That said:

I'd use Wireguard (UDP) to a controlled host using a well known access port (such as the UDP DNS port), since Wireguard is not a chatty protocol and won't generate traffic if you are not using it. THen you can Wireguard or ssh forward to the controlled host. The caveheat is your office sysadmin might be a motherfucker who smells like a horse who has DNS ports under interception or inspection and that would raise alarms.

Stunneling to an https port makes sense for short lived tunnels, since it will look like an https query unless looked at closely. Then again, your sysadmin might be a horse smelling motherfucker who has https traffic under inspection or interception and you are screwed again.

[#] Tue Aug 08 2023 18:21:04 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-08-07 10:07 from IGnatius T Foobar

I would do all of the following:

1. Block all outbound DNS lookups, except through the corporate DNS

Don't forget to force every DNS query not addressed to the corporate DNS into the corporate DNS server anyway via MITM. I do this a lot with office IoT devices that use hardcoded DNS servers.

[#] Tue Aug 08 2023 18:55:56 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

ultimately, unless your IT/Security staff are morons or just dont care, that is the eventual outcome.

Tue Aug 08 2023 02:16:28 PM EDT from darknetuser
 you are screwed again.

 



[#] Sat Nov 04 2023 21:56:31 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Punycode URL fake address. Learned something new today.

it looks legit, browsers even tell you the address you think it is, but Unicode underneath it points somewhere else. ( always malicious )

 

 



[#] Wed Nov 22 2023 23:48:58 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Well back to my next cloud being flooded to the point i cant use it. 100s this evening, one bad login attempt right after another. I guess i have to put a 2nd login in front of it on the proxy. Blows me using native apps with it unless i vpn in ( or am on the wire here, but sort of defeats the purpose ), but at least i can access the web client. 

Frustrating.



[#] Thu Nov 23 2023 16:59:53 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-11-22 18:48 from Nurb432
Well back to my next cloud being flooded to the point i cant use it.

100s this evening, one bad login attempt right after another. I guess

i have to put a 2nd login in front of it on the proxy. Blows me using

native apps with it unless i vpn in ( or am on the wire here, but
sort of defeats the purpose ), but at least i can access the web
client. 

Frustrating.


I have a firewall for that.

When a network application in any of my LANs detect some bruteforce, a syslog entry is submitted and then the offending address is added to a blacklist*. Then the IP is added to the firewall list of connections to kill.

* I use blacklists instead of blocklists or deny lists because black gatekeepers are just better than puny wokes. That is the reason why the fencer guarding the entrance to the cool night clubs is always a big badass black.

[#] Thu Nov 23 2023 17:10:56 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

nginx is acting like a firewall, since i put logins on it ( but that of course kills native apps.. they cant do the double hop ).  But not yet looked into if i can do block lists on its own.  But the problem is that these IPs hitting me rotate, every 10th or so it changes, so my NC instance still gets hit too many times by the proxy, even if they were to get auto blocked at the proxy. 



[#] Thu Nov 23 2023 17:17:56 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-11-23 12:10 from Nurb432
nginx is acting like a firewall, since i put logins on it ( but that

of course kills native apps.. they cant do the double hop ).  But

not yet looked into if i can do block lists on its own.  But the

problem is that these IPs hitting me rotate, every 10th or so it

changes, so my NC instance still gets hit too many times by the
proxy, even if they were to get auto blocked at the proxy. 


Maybe consider switching to a reverse proxy that can work transparently?


I am using a bunch of relayds as TLS accelerators. They serve as TLS endpoints. They take care of TLS certificates and renewals and also add HTTP headers to the connections that hit the app servers so the apps know they are behind a reverse proxy.

Since the apps know they are behind a reverse proxy and are given the IP address of the actual client that is initiating the connection beyond relayd, they can dentify abusers by IP. If that makes any sense to you.

Ah, and since the setup is transparent to the client then there is no breakage with non-web apps.

[#] Thu Nov 23 2023 17:54:42 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

I assume that NGINX native could, but im using an 'easy manage' version, unsure if it will do it, but i will look tonight..   But that said, having the little extra in between, makes me feel a little safer.  Its just frustrating i have extra hoops to  jump thru due to ass-hats.  NGINX is taking care of the name routing for me, not just the SSL.

If i stick with web only, the double hop keeps me safe. and lets me continue to use things.  I am going to look into adding fail2ban or something to it however. Wont solve the problem but woudl help with the load the flood imposes.

 

Of course going 100% vpn fixes it too. But back to the 'extra hoop'.  And i lose the ability to publish to 'friends'. ( like pictures, chat )

 

Thu Nov 23 2023 12:17:56 EST from darknetuser

Maybe consider switching to a reverse proxy that can work transparently?


I am using a bunch of relayds as TLS accelerators. They serve as TLS endpoints. They take care of TLS certificates and renewals and also add HTTP headers to the connections that hit the app servers so the apps know they are behind a reverse proxy.

Since the apps know they are behind a reverse proxy and are given the IP address of the actual client that is initiating the connection beyond relayd, they can dentify abusers by IP. If that makes any sense to you.

Ah, and since the setup is transparent to the client then there is no breakage with non-web apps.

 



[#] Thu Nov 23 2023 23:48:45 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2023-11-23 12:54 from Nurb432
I assume that NGINX native could, but im using an 'easy manage'
version, unsure if it will do it, but i will look tonight..   But

that said, having the little extra in between, makes me feel a little

safer.  Its just frustrating i have extra hoops to  jump thru due

to ass-hats.  NGINX is taking care of the name routing for me, not

just the SSL.

If i stick with web only, the double hop keeps me safe. and lets me

continue to use things.  I am going to look into adding fail2ban or

something to it however. Wont solve the problem but woudl help with

the load the flood imposes.

 

Of course going 100% vpn fixes it too. But back to the 'extra
hoop'.  And i lose the ability to publish to 'friends'. ( like
pictures,
chat )


If you think Internet sucks, wait until you need to deploy some crappy lame ecommerce app your boss tells you to, and then watch bots rape the live chat systems, the email contact forms and the registration forms. It is brutal. A trial run for one of these here with a basic captcha managed to get 200 bots register fake customers in 10 minutes or so.

Fail2ban has modules developed for use without reverse proxies, for the most part. Some applications have modules that support reverse proxies, but honestly, fail2ban is gonna need a lot of work in order to get adapted the proper way.


I have seen people use fail2ban by having the computer that is running fail2ban check the logs (served over NFS or syslog) and then ssh into the firewall to update the blacklists. No need to say this is serviceable but sucks cocks.

[#] Fri Nov 24 2023 00:23:19 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Ok, ill skip F2B then.  I did have it running back when all i did was SSH in.  it was effective then, but i do realize that was a pretty simple use case too. If i end up going 100% vpn, i might look back and see if it has a plugin for that but wont spend much time.  VPN will work, just didnt want to go there and lose a few 'nice' things.

And for what its worth at my place, front end security is someone elses problem :)   And i believe they mandate capcha. We also block non regional IP addresses ( not perfect i know, but gets rid of a lot of the bots ).  But, the system i support, while is available on internet, is for our in-house network accounts only, mandated SSO/MFA so i dont have to f- with the outside world issues other than DoS, and again, not my team's problem. 

Thu Nov 23 2023 18:48:45 EST from darknetuser

If you think Internet sucks, wait until you need to deploy some crappy lame ecommerce app your boss tells you to, and then watch bots rape the live chat systems, the email contact forms and the registration forms. It is brutal. A trial run for one of these here with a basic captcha managed to get 200 bots register fake customers in 10 minutes or so.

Fail2ban has modules developed for use without reverse proxies, for the most part. Some applications have modules that support reverse proxies, but honestly, fail2ban is gonna need a lot of work in order to get adapted the proper way.


I have seen people use fail2ban by having the computer that is running fail2ban check the logs (served over NFS or syslog) and then ssh into the firewall to update the blacklists. No need to say this is serviceable but sucks cocks.

 



[#] Fri Nov 24 2023 00:46:38 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

my place = my work place, not my house. Lost a rather important word there. 



[#] Fri Nov 24 2023 12:56:07 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

TOR Question:  Do the official entry points change every so often? 

 

Reason i ask is i dont get on often, but did this morning just to get updates ( using the bundled Firefox thingie, not a service or anything, and all default settings ) and it refused to connect.  Everything was timing out affording to the log.  Wondering if my ISP was doing something, tried the snowflake bridge, again, timeout.  Tried another bridge set ( obfs ) and it did connect, then updated..

Now it works without bridges.

I would have thought that as long as the project itself was alive, the main entry points would be stable?



Go to page: First ... 18 19 20 21 [22] 23