Free book to master SSH tunneling concepts (opens in new tab)

(github.com)

240 pointsopsdisk4y ago25 comments

25 comments

Looks interesting, will give it a read as it looks to cover more than the basics.

Years ago I worked in a SOC doing managed services for a major telco provider, and for some reason they thought that we didn't have the need to do any kind of SSH tunneling to manage routers/switches/firewalls. They kept blocking it at various layers, and we kept having to find more and more creative ways to get around it. I think at one point we were hosting our own PAC files local to our machines, building three layers of tunnels (the last of which being a dynamic SOCKS tunnel), and using a portable browser (because we couldn't be trusted with admin!) with FoxyProxy (or similar) to finally reach our destination.

Spooky234y ago

It’s pretty much impossible to validate that you are meeting the terms of your contract re: security policy if you’re doing that. You almost certainly were if you were providing SOC services to a big telco.

I have terminated contracts for cause and in one case got a vendor suspended from a big centralized procurement contract for pulling bullshit like what you described.

icedchai4y ago

Folks do all sorts of naughty things with SSH. Back when we used to work in an office, one guy would tunnel out and proxy all his web connections through an SSH socks proxy so the employer's IT would not monitor his web traffic. Another guy would do reverse tunnels from his work PC to home, so he could connect to work without using the VPN.

crims0n4y ago

The telco was providing the managed services in this case. That is interesting, so it sounds like this was a complete breakdown in the process somewhere. We weren’t doing it for fun or sport, we were doing it because it was the only way to effectively do our job.

2 more replies

bryanrasmussen4y ago

>You almost certainly were if

Don't you mean they almost certainly weren't? It's hard to understand the rest otherwise.

1 more reply

np18104y ago

Thank you for such a thorough book...

This book does discuss autossh [1] which I came to know about recently while setting up my dynamic home ip (w/ CG-NAT) as the exit node in a wireguard network to overcome geo-restrictions on streaming services when traveling... :p

autossh [1] is such a simple and useful utility, wish I had known about it earlier when any connection changes in VPN/WiFi used to break my ssh tunnels to the corporate network during development...

If you're a frequent user of ssh tunnels, do check out autossh... ;)

[1] https://linux.die.net/man/1/autossh

usr11064y ago

I used autossh many years ago. There was nothing wrong with it. But with systemd user service managers available everywhere I just put a normal ssh command into a service file with RestartAlways and activate linger for the user.

No need to install an extra package. No idea whether it is maintained or not, but I know systemd is, both upstream and in the distro.

np18104y ago

> I used autossh many years ago. There was nothing wrong with it. But with systemd user service managers available everywhere I just put a normal ssh command into a service file with RestartAlways and activate linger for the user.

Thanks, there will be multiple ways to do same thing, user can choose whichever they find the easiest...

Adding an example of such systemd file - https://gist.github.com/drmalex07/c0f9304deea566842490

> No need to install an extra package. No idea whether it is maintained or not, but I know systemd is, both upstream and in the distro.

Definitely not updated with the same frequency as systemd... https://salsa.debian.org/debian/autossh

tomxor4y ago

Similarly, with "sshuttle" you can pick n mix from different subnets with ease, or even forward your entire internet over SSH without a proxy for "poor mans VPN"

... although for the later purpose it's no where near as CPU efficient as wiregaurd, but with non root access to any SSH server it can get you around barriers in a pinch with only TCP 443 available, and effectively "VPN" multiple potentially conflicting subnets at the same time - I've not seen any other tool that can do the latter so effortlessly.

anderspitman4y ago

I used local forwarding for years before learning about remote forwarding, which is useful for creating your own self-hosted ngrok-like service. A good number of the solutions on this list are based on SSH remote forwarding:

https://github.com/anderspitman/awesome-tunneling

chx4y ago

May I take this occasion to ask for help with merging my autossh commands? https://serverfault.com/q/1088997/64874

stonecharioteer4y ago

Without even opening the link I was about to say that the only book on the topic you should read is the Cyber Plumber's Handbook. I'm smiling that it's the same link. Haha.

egberts14y ago

Can’t even open it on macOS, iPhone with either Firefox nor Safari.

mlnhd4y ago

Is this just the man page for ssh? I’m not sure what’s going on here. If you understand the tool you know the ways it can be used.

j / k navigate · click thread line to collapse

25 comments

crims0n4y ago

Looks interesting, will give it a read as it looks to cover more than the basics.

Spooky234y ago

I have terminated contracts for cause and in one case got a vendor suspended from a big centralized procurement contract for pulling bullshit like what you described.

icedchai4y ago

crims0n4y ago

2 more replies

bryanrasmussen4y ago

>You almost certainly were if

Don't you mean they almost certainly weren't? It's hard to understand the rest otherwise.

1 more reply

np18104y ago

Thank you for such a thorough book...

autossh [1] is such a simple and useful utility, wish I had known about it earlier when any connection changes in VPN/WiFi used to break my ssh tunnels to the corporate network during development...

If you're a frequent user of ssh tunnels, do check out autossh... ;)

[1] https://linux.die.net/man/1/autossh

usr11064y ago

No need to install an extra package. No idea whether it is maintained or not, but I know systemd is, both upstream and in the distro.

np18104y ago

Thanks, there will be multiple ways to do same thing, user can choose whichever they find the easiest...

Adding an example of such systemd file - https://gist.github.com/drmalex07/c0f9304deea566842490

> No need to install an extra package. No idea whether it is maintained or not, but I know systemd is, both upstream and in the distro.

Definitely not updated with the same frequency as systemd... https://salsa.debian.org/debian/autossh

tomxor4y ago

Similarly, with "sshuttle" you can pick n mix from different subnets with ease, or even forward your entire internet over SSH without a proxy for "poor mans VPN"

anderspitman4y ago

https://github.com/anderspitman/awesome-tunneling

chx4y ago

May I take this occasion to ask for help with merging my autossh commands? https://serverfault.com/q/1088997/64874

stonecharioteer4y ago

Without even opening the link I was about to say that the only book on the topic you should read is the Cyber Plumber's Handbook. I'm smiling that it's the same link. Haha.

egberts14y ago

Can’t even open it on macOS, iPhone with either Firefox nor Safari.

mlnhd4y ago

Is this just the man page for ssh? I’m not sure what’s going on here. If you understand the tool you know the ways it can be used.

j / k navigate · click thread line to collapse