This post appeared originally in our sysadvent series and has been moved here following the discontinuation of the sysadvent microsite.

It is late at night. You have just arrived at your grandparents' house when the SMS beeper goes off. There is a problem with a SAN controller, and the on-call person knows you fixed it the last time. If only you had documented it.

You know you have to fix this yourself, but you have no VPN access. You don’t even have an Internet connection, except for your 3G mobile phone, and you really need access to that admin web GUI. There is an emergency SSH port available, but no other port is open. X-forwarding over 3G? Not an option. SSH port-forwarding and fixing /etc/hosts? Doable, perhaps. VNC over SSH? Awkward. Enter the SSH SOCKS proxy!

Emergency web access

Simply run:

ssh -D 1080 login.example.com

Now ssh listens on local port 1080 and acts as a SOCKS proxy: connections made through that port are forwarded over the SSH session and come out on the server side. Firefox supports SOCKS proxies.

Settings -> Advanced -> Network -> Configure how Firefox connects to the Internet -> Manual settings, Socks: localhost, Port: 1080

If you need to resolve addresses from the server side, add that to the configuration. In the URL field, type about:config, then search for the key network.proxy.socks_remote_dns

Set it to true. That is all. You are now surfing as if Firefox was running locally on the login server. Remember to reset your settings after you have finished your session, or Firefox will not work properly when you close your SOCKS proxy SSH shell.
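What network.proxy.socks_remote_dns changes on the wire, as an added example that is not part of the original post: with the setting on, the SOCKS5 CONNECT request (RFC 1928) carries the host name and the server side resolves it; with it off, the client resolves the name itself and sends an IP address, so internal names go to the local resolver. The function names and the address 192.0.2.10 are constructed for illustration, and the SOCKS5 greeting that precedes the request is left out.

```python
"""SOCKS5 CONNECT requests (RFC 1928): who resolves the destination name?"""
import ipaddress
import struct

VER, CMD_CONNECT, RSV = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def connect_request(host, port, resolved_ip=None):
    """Build the CONNECT request a SOCKS5 client sends after the greeting.

    resolved_ip=None models socks_remote_dns=true (the name goes to the proxy);
    otherwise the client has already looked the name up with its own resolver.
    """
    if resolved_ip is None:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 domain names are 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(resolved_ip)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, RSV]) + addr + struct.pack("!H", port)


def describe_request(req):
    """Parse a CONNECT request; reject anything malformed or truncated."""
    if len(req) < 5 or req[:3] != bytes([VER, CMD_CONNECT, RSV]):
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        start, size, resolver = 5, req[4], "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, size, resolver = 4, (4 if atyp == ATYP_IPV4 else 16), "client"
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(req) != start + size + 2:
        raise ValueError("truncated or over-long request")
    raw = req[start:start + size]
    dest = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", req[-2:])
    return {"dest": dest, "port": port, "resolved_by": resolver}


if __name__ == "__main__":
    # Constructed sample: a host name from this post and a documentation-range IP.
    host = "server.behind.firewall.example.com"
    for req in (connect_request(host, 443), connect_request(host, 443, "192.0.2.10")):
        print(req.hex(), describe_request(req))
```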

Not just surfing

But wait, there’s more. With a local SOCKS proxy, you may also use other programs, and they don’t even have to support SOCKS themselves. Install tsocks, and set localhost as the SOCKS proxy host:

sudo yum install tsocks || sudo apt-get install tsocks
echo "server = 127.0.0.1" | sudo tee /etc/tsocks.conf

tsocks is a little gem of a program. It hooks into other programs and redirects their network traffic to the local SOCKS proxy. Now, while the SSH SOCKS proxy is still running (the ssh -D 1080 command), just use tsocks to run your favourite program through the proxy:

# Log into a server on a closed network behind the firewall
tsocks ssh server.behind.firewall.example.com

# Run a local psql shell against a remote server through the SOCKS proxy
tsocks psql -U pg_admin_user -W -h database.behind.firewall.example.com template1

Or, to run a whole session of commands through the SOCKS proxy, start with “. tsocks on” (note the leading dot), and stop it with “. tsocks off”:

. tsocks on
 command
 command
 command
. tsocks off

To run Firefox through the SOCKS proxy, but without changing its configuration:

tsocks firefox http://ripe.net   # Stop Firefox first

To check the tsocks status, run:

tsocks show

If the LD_PRELOAD variable is empty, tsocks is disabled for this shell.

Note that not all Internet traffic is routed via tsocks. For example, ICMP is not.

Ingvar Hagelund

Team Lead, Application Management for Media at Redpill Linpro

Ingvar has been a system administrator at Redpill Linpro for more than 20 years. He is also a long time contributor to the Fedora and EPEL projects.
