Show HN: Automatic proxy setup for SSH'able boxes that have no network access (opens in new tab)

(github.com)

51 points_jhqp4y ago32 comments

32 comments

20 comments · 7 top-level

SahAssar4y ago· 9 in thread

I don't really get what the definition of "network" is here, clearly the box has network access since it is SSH'able. Could you give an example of a situation when this is used?

_jhqpOP4y ago

"Network access" as in outgoing requests to public web.

e.g. you can't curl google.com

I've used this code in CTF competitions and Blue Team exercises where some machines behind a VPN don't have outgoing network access.

(Sometimes it's just simpler to organize this way, sometimes it's deliberate for security purposes.)

SahAssar4y ago

So restricted HTTP access, but wide open SSH? Do people commonly restrict only HTTP/HTTPS but leave other ports unrestricted?

3 more replies

Fnoord4y ago

You could have a bridge (e.g. with an IDS or a packet filter) with a management interface on a separate VLAN, or which requires management via a physical cable of some sort. But the bridge could also intercept traffic to port 22 and redirect it to itself. Personally, I resort to Wireguard instead being the only reachable port.

mrweasel4y ago

The name, Airgapt - "airgapped" apt, is also a little "weird". When I work on air gapped devices it normally involved bringing DVDs and physically going to a datacenter.

_jhqpOP4y ago

Agreed :) That's why I put it in "quotes"

Can you propose an alternative / more accurate name?

2 more replies

3np4y ago

I think the name is quite apt (:

gizdan4y ago

Not OP, but some air-gapped servers can be connected to from a private "trusted" network, but are otherwise unable to connect to the internet or elsewhere. Perhaps that's what OP means?

I wish companies would hurry up and move away from "trusted" networks and move onto zero trust.

traceroute664y ago

> some air-gapped servers can be connected to from a private "trusted" network

Erm ... mate....

A device is either air-gapped or it isn't. The clue is kinda in the name.

Yes, I know gov/mil networks use data-diodes, but that's a different kettle of very expensive fish which is certified to EAL6/7.

For everyone else, air-gapped means what it says on the tin.

Pseudo air-gapping via firewall rules is not air-gapping, its called writing ACLs.

3 more replies

_jhqpOP4y ago

Exactly. These "trusted" machines still have security vulnerabilities that you would like to patch though :)

rp14y ago· 2 in thread

Isn’t this typically called an ssh bastion?

_jhqpOP4y ago

Looks like :)

https://github.com/ovh/the-bastion

_jhqpOP4y ago

Though after looking into it more, it seems to me like bastions usually aren't used for reverse proxy / SOCKS like this.

Usually bastions are just allowing one SSH server on your VPC/network and every SSH connection going through it.

I still actually haven't found similar projects to mine.

1 more reply

gjulianm4y ago· 1 in thread

Something to add: use proxychains to ensure that the requests of all apps go through the proxy. A lot of applications don't have good proxy support, or have nothing at all. If you configure proxychains with the SOCKS proxy provided by this script, then you can do "proxychains my-command-that-doesnt-use-proxy" and it will automatically patch the libc calls to use the proxy properly.

_jhqpOP4y ago

Good suggestion. Added it to the README as an optional addition.

1cvmask4y ago· 1 in thread

I couldn't find the license for it. Is it open source? If so what license?

_jhqpOP4y ago

I added MIT license now :)

egberts14y ago

Only way to block this is that “airgapt” thingie is hopefully this sshd_config setting:

  # DisableForwarding disables all forwarding features,
  # including X11, ssh-agent(1), TCP and StreamLocal.
  # This option overrides all other forwarding-related
  # options and may simplify restricted configurations.
  #
  # CLI option: -o
  # options.disable_forwarding/do_authenticated()
  DisableForwarding no

egberts14y ago

I love the innocuous application of enabling just the Debian package management behind such draconian firewalls.

Makes me wonder if there are any other applications to be had there.

(I am a JavaScript pentester)

_jhqpOP4y ago

All comments & suggestions / code reviews are welcome!

j / k navigate · click thread line to collapse

32 comments

20 comments · 7 top-level

SahAssar4y ago· 9 in thread

I don't really get what the definition of "network" is here, clearly the box has network access since it is SSH'able. Could you give an example of a situation when this is used?

_jhqpOP4y ago

"Network access" as in outgoing requests to public web.

e.g. you can't curl google.com

I've used this code in CTF competitions and Blue Team exercises where some machines behind a VPN don't have outgoing network access.

(Sometimes it's just simpler to organize this way, sometimes it's deliberate for security purposes.)

SahAssar4y ago

So restricted HTTP access, but wide open SSH? Do people commonly restrict only HTTP/HTTPS but leave other ports unrestricted?

3 more replies

Fnoord4y ago

mrweasel4y ago

The name, Airgapt - "airgapped" apt, is also a little "weird". When I work on air gapped devices it normally involved bringing DVDs and physically going to a datacenter.

_jhqpOP4y ago

Agreed :) That's why I put it in "quotes"

Can you propose an alternative / more accurate name?

2 more replies

3np4y ago

I think the name is quite apt (:

gizdan4y ago

Not OP, but some air-gapped servers can be connected to from a private "trusted" network, but are otherwise unable to connect to the internet or elsewhere. Perhaps that's what OP means?

I wish companies would hurry up and move away from "trusted" networks and move onto zero trust.

traceroute664y ago

> some air-gapped servers can be connected to from a private "trusted" network

Erm ... mate....

A device is either air-gapped or it isn't. The clue is kinda in the name.

Yes, I know gov/mil networks use data-diodes, but that's a different kettle of very expensive fish which is certified to EAL6/7.

For everyone else, air-gapped means what it says on the tin.

Pseudo air-gapping via firewall rules is not air-gapping, its called writing ACLs.

3 more replies

_jhqpOP4y ago

Exactly. These "trusted" machines still have security vulnerabilities that you would like to patch though :)

rp14y ago· 2 in thread

Isn’t this typically called an ssh bastion?

_jhqpOP4y ago

Looks like :)

https://github.com/ovh/the-bastion

_jhqpOP4y ago

Though after looking into it more, it seems to me like bastions usually aren't used for reverse proxy / SOCKS like this.

Usually bastions are just allowing one SSH server on your VPC/network and every SSH connection going through it.

I still actually haven't found similar projects to mine.

1 more reply

gjulianm4y ago· 1 in thread

_jhqpOP4y ago

Good suggestion. Added it to the README as an optional addition.

1cvmask4y ago· 1 in thread

I couldn't find the license for it. Is it open source? If so what license?

_jhqpOP4y ago

I added MIT license now :)

egberts14y ago

Only way to block this is that “airgapt” thingie is hopefully this sshd_config setting:

  # DisableForwarding disables all forwarding features,
  # including X11, ssh-agent(1), TCP and StreamLocal.
  # This option overrides all other forwarding-related
  # options and may simplify restricted configurations.
  #
  # CLI option: -o
  # options.disable_forwarding/do_authenticated()
  DisableForwarding no

egberts14y ago

I love the innocuous application of enabling just the Debian package management behind such draconian firewalls.

Makes me wonder if there are any other applications to be had there.

(I am a JavaScript pentester)

_jhqpOP4y ago

All comments & suggestions / code reviews are welcome!

j / k navigate · click thread line to collapse