@queerhackerwitch knockd exists, and it shells out to iptables, but shelling out to iptables is fragile and miserable and I hate it >.> We can do better.
@queerhackerwitch Sure, I certainly understand that hidden services are more difficult to use than visible services, but I think running visible services should be an option for environments with enfranchised users and high security needs. I think the "visible services are more ergonomic" has translated excessively into "hidden services should not be possible" with respect to how our kernel infrastructure has developed.
@queerhackerwitch The thing is, anyone who should be accessing remote-access services on my network should have a priori out-of-band knowledge about what services should and should not exist. There's no user that's like "Maybe there is not supposed to be a service here or maybe this is connectivity problems" because they should know FOR A FACT, BEFORE THEY START what services are and are not supposed to exist.
@queerhackerwitch I assure you I understand this, I'm not... new to computing. My argument is that "services should be visible to any unauthenticated anyone who looks for them, from anywhere" is an unreasonable default.
@queerhackerwitch The annoying thing about making a firewall rule is that interacting with the firewall is very different across different platforms. Plus, there's an information disclosure inherent in not sending the unreachable responses when you are an otherwise clearly existent system. The approach I'm going with is using raw sockets to receive portknocks without causing the kernel to consider additional UDP ports "open", so it _keeps_ sending unreachable responses.
For context, I am a pentester as my day job and it's not unusual for me to achieve catastrophic compromise of two or three different corporate networks in a single week. When it's not MS17-010 it's IBM WebSphere and HP DataProtector.
What I'm trying to do here is run my own networks securely, and I see no reason I should let any random intruder find out what services they can attack by portscanning.
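The raw-socket approach described in the post above, as an added example that is not the author's program: a raw IPPROTO_UDP socket sees a copy of every inbound UDP datagram without binding a port, so closed ports keep producing ICMP port unreachable while the knock sequence is tracked in user space. The knock ports, the sample source address and the `on_knock` callback are constructed for illustration; only `listen()` needs CAP_NET_RAW.

```python
import socket
import struct
import time

IPPROTO_UDP = 17

def build_udp_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed test input: an IPv4+UDP datagram as an AF_INET/SOCK_RAW socket
    delivers it on Linux (IP header included). Checksums are left at zero."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload

def parse_udp(packet):
    """Return (src_ip, dst_port) for an IPv4 UDP packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return socket.inet_ntoa(packet[12:16]), dport

class KnockTracker:
    """Per-source progress through an ordered port sequence. A wrong port or a
    knock older than `window` seconds sends that source back to the start."""
    def __init__(self, sequence, window=10.0):
        self.sequence = list(sequence)
        self.window = window
        self.state = {}  # src_ip -> (index of next expected port, last_seen)

    def observe(self, src, dport, now=None):
        now = time.monotonic() if now is None else now
        idx, last = self.state.get(src, (0, now))
        if now - last > self.window or dport != self.sequence[idx]:
            idx = 0  # reset, but let this knock still count as a first knock
        if dport == self.sequence[idx]:
            idx += 1
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True
        self.state[src] = (idx, now)
        return False

def listen(sequence, on_knock):
    """Needs CAP_NET_RAW. Nothing is bound, so the kernel still answers every
    closed UDP port with ICMP port unreachable exactly as before."""
    tracker = KnockTracker(sequence)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_UDP) as raw:
        while True:
            parsed = parse_udp(raw.recv(65535))
            if parsed and tracker.observe(*parsed):
                on_knock(parsed[0])  # hypothetical hook: admit this source to the real service
```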
@queerhackerwitch Kinda. I mean, it's not "hidden" from the admins of the box: it shows up in netstat. It's just hidden from people on the far side of the network. I kinda resent the notion that people on the far side of a network "have a right" to know what services you are running by default.
@bob IMO there should be a sysctl flag for it, but I can't find one. You can drop them at firewall time, but there's no way to stop them from being generated in the first place.
@queerhackerwitch That's true, but I'm disappointed to have written a program that can do 99.9% of its work with user privs, but isn't directly usable when you only have user privs.
@queerhackerwitch So I'm at the point of maybe having a suid knock helper program that runs in a different process.
@queerhackerwitch The reason I want to operate without privileges is not because I can't get them; I'm developing some security-paranoid software, and rule 1 of security paranoia is "try not to have privileges. The more privileges you have, the worse it is when you get pwned."
@queerhackerwitch That's what the StackOverflow advice is, and that's pretty much the best answer. It doesn't really make it possible to run a hidden service without privileges though, 'cause you need privileges to make the firewall rule.
@espen I'll admit to you that I'm running a remote access service after you've proven that you're authorized to access that service. Otherwise, you're an attacker, and you don't need to know shit.
@espen When 17-010 dropped, worms started spamming every SMB service on the internet with EternalBlue. There's no reason somebody who doesn't have authorization to access my system should know if I am or am not running remote access services: https://www.shodan.io/search?query=ssh
I just want to run a service that can't be tagged on Shodan without having CAP_NET_RAW T_T
Please
StackOverflow posts like "How do I turn this off" with answers like "Stop wanting to turn it off" EAT 100% OF MY ENTIRE ASS
I'm SO mad about computers sending ICMP Unreachable messages about closed UDP ports.
DON'T JUST GIVE AWAY WHAT PORTS YOU ARE USING
di.fm: <has a Chillout and a Vocal Chillout channel>
Also di.fm: <puts tracks with vocals on the regular Chillout channel>
I like how ftruncate() takes a signed integer for length, then fails with EINVAL if the length is negative.
If only someone would invent a datatype that could allow you to describe non-negative integer values efficiently.