Category Archives: Network

SSH tunnels on steroids

I have been using SSH tunnels for year, setting up a dynamic tunnel and configuring socks proxy in the browser has been my “way-to-go” tool for getting access to services at my home network, and to bypass geo blocking for varouis services in my home country.

This week i stumbled across sshuttle a tool that feels like traditional SSH tunnels on steriods. I have tried several solutions during the years, including tailscale and cloudflare, but i always ended up in going back to plain SSH because of simplicity and ease of use.

sshuttle is almost as easy as plain ssh, and it does not require anything (other than SSH and python) on the server side. The connection is initiated with pure SSH, and the serverside configuration is automatically done by the client copying the python script to the host, and setting everything up.

The application takes some parameters, and it can be seen with “sshuttle -h”
At first it seems a bit overwhelming, but have no fear, examples are available on github.

You need to let sshuttle know what subnets to route, you can use 0.0.0.0/0 for everytning, or limit it to do something similar to a “split tunnel VPN”. Just use the CIDR syntax to set the right network. I have created an alias in my ~/.profile file, and can now connect using “connect-home”

My alias looks like this:
alias connect-home='sshuttle -r username@home --dns 192.168.5.0/24 --to-ns=192.168.5.254 –-no-latency-control -D'

-r tells sshuttle about the remote host, you can use entries from your ssh config file.
–dns tells to use DNS on the remote end of the tunnel
192.168.5.0./24 specifies the network to route
–to-dns tells what IP to use for remote DNS lookups (default is the SSH server)
–no-latency-control speeds up the bandwidth but sacrifices latency
-D is for daemon mode = run in background

You can add or exclude DNS servers, subnets and specific hosts, and a lot more, check it out at https://github.com/sshuttle/sshuttle

BR Kasper

Gnome NetworkManager and vpnc – use nm-connection-editor

Leave a Reply

Gnome NetworkManager is awsome, supporting almost all kinds of VPN solutions, and all you need to do is install a plugin. My main issue is, that my customers often have a pre-build package (for Windows) containing a VPN client including configuration, so they actually dont know how it’s configured.

I usaually figure it out, and then its a breeze to click the network icon, select VPN and activate the connection, this is how it should be on all OS’es.

Unfortunatly there are some minor issues, one of them beeing that if you install the network-manager-vpnc module, you will have the option to create a VPNC based connection, and if you type everything right the first time, it will work. But….

You will not be able to edit the connection, it’s simply not listed when you select VPN settings (Ubuntu 22.04). using nmcli will list the connection, and you will be able to modify it, but I found another soluition, that is much easier.

nm-connection-editor

It will open a small GUI, letting you create, modify or delete all connections.

I have created a bug report here:
https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1951313
It has been confirmed, bot not fixed. Hopefylle it will be fixed in later releases.

Another issue, that I discovered today, is that you are not allowed to add the connection when creating it 🙁 See some discussion here:
https://askubuntu.com/questions/1403896/cant-add-cisco-compatible-vpn-vpnc-on-network-manager-ubuntu-22-04
This issue is also not present in nm-connecttion-editor.

The connections will be working perfectly from the build in NetworkManager application in gnome.

systemd.mount replacing autofs

Leave a Reply

I have been a very satisfied user of autofs for several years. Using a laptop in multiple location without reboot, could often cause annoying timeouts with hard mounted NFS shares.

So I found autofs, which did a great job, especially the ghost option is nice, making you able to browse the filesystem when it’s not mounted, and only seeing a small delay when the autofs mounts it for you at your wish.

I have now discovered that systemd has a mount option: https://www.freedesktop.org/software/systemd/man/systemd.mount.html
It can be used as systemd units, but also directly from /etc/fstab where I prefer to have my mount options.

To replicate the autofs functionality, add something like this to your mount options:

noauto,x-systemd.automount,x-systemd.idle-timeout=60,x-systemd.mount-timeout=30,_netdev

The above options will mount when you try to access the share, and it will unmount after 1 minute of idling, and the _netdev tells the system not to mount it before the network is ready.
More or less the same functionality as autofs, but no need to install additional software.

Postgresql not listening on docker interface after reboot

Leave a Reply

/etc/postgresql/12/main/postgresql.conf is where you define the interfaces for postgresql to listen on. It’s done with the line “listen_interfaces =”
So, to get postgresql to listen on a docker interface, you have to add the IP address to the configuration:

listen_addresses = 'localhost,172.18.0.1'

This will make postgresql listen after connections from my docker container. Unfortunately when i rebooted the machine, postgresql was only listening on the localhost. That was strange.

After doing some fiddling around, I discovered that I might had a timing issue, and I even found a couple of articles covering the issue. The postgresql service needs to wait for the docker service to be started, or it cannot listen on the docker interface, that seems logical. I tried following some of the workarounds described, but I couldn’t get it to work. I then took a look on how the default systemd is build, and it seems that /etc/systemd/system/default.target.wants/ consist of symbolic links to /lib/systemd/system/whatever, so i did the same:

sudo ln -s /lib/systemd/system/postgresql@.service /etc/systemd/system/default.target.wants/

I then added this line to the unit block:

After=docker.service

This seems to have done the trick. After a reboot, postgresql is listening on my docker interface. You can always verify with:

sudo ss -nltp | grep postgres

Ping not permitted in WSL

Leave a Reply

Using Windows subsystem for Linux (WSL) is so nice, when you are forced to work from an inferior OS, sometimes also referred to as “a gaming console”
Especially combined with the Windows Terminal, which I wrote about here: https://www.nordal-lund.dk/?p=592 I’m sure that most Linux/Unix administrators will feel right at home.

Despite all the goodness, there are some minor annoyances preventing me from experiencing a big burst of happiness. One of them are the inability to use ping on a std. WSL Debian as a non-root user. That’s right, you need to do “sudo ping nice.little.address” or you will be denied 🙁

The root cause is the ping utility missing the SUID bit, which it has on the real distro. Luckily there’s an easy fix, add the SUID bit to the ping utility:

sudo chmod u+s /bin/ping

Thats it, now you can ping without sudo again 🙂

Happy pinging
/Kasper

Looking for clear text authentication with tcpdump

Leave a Reply

Login services not using encryption, is unfortunately still often seen in the wild. I started out in the IT business around 2000, and even back then, clear text authentication was bad, but still we see it today.

Examples of services using clear text authentication is: HTTP, FTP and telnet. Don’t ever authenticate using any of these protocols, unless you know exactly what you are doing.

Sometimes you may want to verify, if the password is actually sent in clear text, and one of the tools to use is tcpdump. Tcpdump is the default network analyse tool on most Linux distributions, and it’s very easy to get started with. Maybe you just want to know if your network changes is routing traffic to your server, you can use tcpdump to verify.

When sniffing for clear text passwords, we need to give the parameters -s 0 and -A and then we can give the destination port the service is listening on with dst port. So the full command would look like this:

tcpdump -s 0 -A dst port xxx

You can also specify the interface to listen on, by using the -i option. If your interface is enp0s31f6, then it would look like.

tcpdump -i enp0s31f6 -s 0 -A dst port xxx

Another option is the “and” and the “not” keyword. Imagine you are logged in with SSH, and looking for ssh traffic, but you don’t want to see your own traffic. The you can use and not host ${your own IP address}, like this

tcpdump -i enp0s31f6 dst port 22 and not host xx.xx.xx.xx

In the last example i have removed the -s 0 and the -A option, since i don’t need it just to see if traffic is getting to my server.

SFTP files to vSphere vcenter Appliance 6.5 or vSphere PSC

Leave a Reply

When logging in with SSH the default shell on these platforms is some vmware specific menu based system. In order to get a real shell you need to type shell. But this is not possible when using sftp, therefore you need to tell your tool to use a real shell.

In WinSCP this is done by configuring the advanced connection parameters for the sftp protocol connection. Press the advanced button and head for the sftp paragraph. In here you need to specify the sftp-server as your shell in the SFTP server text box.
The sftp-server path may change depending on specific version, find the path on your system by running: “find / -name sftp-server”.

On my system the sftp-server was in /usr/libexec/sftp-server. Therefore i had to specify “shell /usr/libexec/sftp-server” as the SFTP-server.

Check for open outgoing ports

Leave a Reply

Want to know which ports are allowed (or open) to use in your organization?
You can check all ports with http://portquiz.net/
In bash somthing like this would help you get going:

for i in `seq 1024 65535`; do if nc -z portquiz.net $i; then echo “Port $i Success”; :; fi done

You will now get a fine list of outgoing ports that are open. Remember that just because some port is open, it doesn’t necessarily mean that it is allowed to use it!

Test network connection with powershell

Leave a Reply

Sometimes you need to test the network connection for a range of IP addresses. Normally I would use ping from a commandline, but it could be a hugh task to test more than 20-30 addresses.
Utilizing a bit of powershell and the test-connection command will help us overcome the task in an easy way:

[code language=”powershell”]1..100 | %{write-host -nonewline "Testing 10.0.0.$_ : "; Test-Connection 10.0.0.$_ -quiet -Count 1}[/code]

The above one-liner will test the connection to all hosts in a range from 10.0.0.1 to 10.0.0.100 and giva a False or True status.
Remember that % is a short way of using the foreach loop, so you could use “foreach” instead of %.

How-to: Get your public IP from a terminal

Leave a Reply

How do you get your public IP from the terminal:

curl ifconfig.me

curl is a prerequisite, besides that, it’s super nice and easy 🙂

Maybe you’re on Windows and have powershell:

(Invoke-WebRequest -Uri ifconfig.me).content