Re: [london-hack-space] babbage on 443

86 views
Skip to first unread message

t...@christwithfries.net

unread,
Sep 21, 2012, 6:10:08 AM9/21/12
to london-h...@googlegroups.com
I don't personally see an issue with SSH also listening on 443 - but
I'm not entirely sure about the need for OpenVPN, etc

On 2012-09-21 11:02, tryexcept wrote:
> Hi all,
>
> I'm a new member, I really like this space and found lots of very
> knowledgeable and helpful people, very happy to join this community.
>
> I've got an account on babbage and I was wondering how you feel about
> making it also reachable via port 443 at hack.rs (or other domain).
>
> The reasoning behind this is that in some networks you can only hit
> port 80 and 443 on the way out.
>
> In the past I used sslh (a multiplexer,
> http://www.rutschle.net/tech/sslh.shtml) to offer ssh on port 443 and
> at the same time offer https/openvpn and what not, although we may
> not
> even need this given that 443 is currently unused on babbage (and on
> hack.rs it times out so doesn't look port forwarded to any other box)
>
> Thoughts ?
>
> cheers,
>
> tryexcept

tryexcept

unread,
Sep 21, 2012, 6:20:22 AM9/21/12
to london-h...@googlegroups.com
Yeah the proposal is mostly about ssh on 443.
The rest is just in case we already had 443 in use which doesn't look like (but then again an other member may know better)

Mike

unread,
Sep 21, 2012, 9:27:50 AM9/21/12
to london-h...@googlegroups.com
On Fri, Sep 21, 2012 at 03:02:15AM -0700, tryexcept wrote:
> Hi all,
>
> I'm a new member, I really like this space and found lots of very
> knowledgeable and helpful people, very happy to join this community.
>
> I've got an account on babbage and I was wondering how you feel about
> making it also reachable via port 443 at hack.rs (or other domain).
>
> The reasoning behind this is that in some networks you can only hit port 80
> and 443 on the way out.
>
> In the past I used sslh (a multiplexer,
> http://www.rutschle.net/tech/sslh.shtml) to offer ssh on port 443 and at
> the same time offer https/openvpn and what not, although we may not even
> need this given that 443 is currently unused on babbage (and on hack.rs it
> times out so doesn't look port forwarded to any other box)
>
> Thoughts ?
>

I'm not entirely sure it's a fanastic use for our one and only HTTPS
port. Not least if some enterprising individual finds themself in the
future wanting to run a HTTPS service off Babbage. I'm also not
entirely sure it's HackSpace's place to provide you with a facility to
circumvent your employer's firewall rule set and no doubt in the process
their security policy too. I think you may have meant to this this
message to London CrackSpace?

If you find yourself in need of such a facility a better idea might be
to type "Cheap VPS" into a well known Internet search engine and run
your own endpoint. That would also allow you to run SSH on every port
known to man (53 is often available where 443 is not, for example) and
also run things like Iodine to ensure you have some route out.

Finally, it might also be a good idea to check your payment protection
insureance on your credit card and mortgague before you bring the tunnel
up...

Mike.
signature.asc

Jon Fautley

unread,
Sep 21, 2012, 9:47:47 AM9/21/12
to london-h...@googlegroups.com
On 21 September 2012 14:27, Mike <hack...@norgie.net> wrote:
> I'm not entirely sure it's a fanastic use for our one and only HTTPS
> port. Not least if some enterprising individual finds themself in the
> future wanting to run a HTTPS service off Babbage. I'm also not
> entirely sure it's HackSpace's place to provide you with a facility to
> circumvent your employer's firewall rule set and no doubt in the process
> their security policy too. I think you may have meant to this this
> message to London CrackSpace?

Quite apart from anything else, most infosec people I know are likely
to get the willies if they see outgoing connections to "hack.rs" on
port 443.

Monty

unread,
Sep 21, 2012, 9:55:35 AM9/21/12
to london-h...@googlegroups.com, hack...@norgie.net
On Friday, 21 September 2012 14:28:01 UTC+1, Mike wrote:
 Not least if some enterprising individual finds themself in the
future wanting to run a HTTPS service off Babbage.  

This notion of "it could be useful" is why there's tons of abandoned items. If someone does wish to do something like that they can always start a discussion and have the service repurposed.

 
I'm also not entirely sure it's HackSpace's place to provide you with a facility to
circumvent your employer's firewall rule set

Why not? The hackspace provides plenty of tools that help people negate/void warranties, guarantees and other personal contracts that may relate to services or objects.
 
If you find yourself in need of such a facility a better idea might be
to type "Cheap VPS" into a well known Internet search engine and run
your own endpoint.  That would also allow you to run SSH on every port
known to man (53 is often available where 443 is not, for example) and
also run things like Iodine to ensure you have some route out.

Why should the hackspace own a lasercutter? Just Google search "Cheap laser cutting service". That would allow you to get all kinds of shapes cut on a variety of materials while not having to worry about training, chlorine, or maintenance troubles. Plus, we would no longer have to worry about fumigating our neighbours.

Monty

unread,
Sep 21, 2012, 9:57:35 AM9/21/12
to london-h...@googlegroups.com
If the name troubles you I can register a more fluffy sounding name. How about supersafeandsecureinter.net?

Mark Steward

unread,
Sep 21, 2012, 10:04:33 AM9/21/12
to london-h...@googlegroups.com, hack...@norgie.net
Agreed, as long as it's understood to be an unsupported service, I can't see any reason not to do it.  If it turns out we get loads of traffic because of scanners looking for 443, we can close it again.

TCP:443 now goes to Babbage, so anyone who starts a listener on that port should find it accessible from the outside:



Mark

Lawrence Nahum

unread,
Sep 21, 2012, 10:05:16 AM9/21/12
to london-h...@googlegroups.com
Hi Mike, Hi Jon, nice to meet you.

First I'll try to address Mike's concerns.
I'm not sure if you read my post in its entirety but I did mention
that if 443 was to be used in a different way, sslh offers a solution
to it.
My employer doesn't have any problem with me sshing outside, so I
don't need to use tricks for that. If you read my post I suggested
that in some networks you may not be able to reach anything else other
tha port 80 or 443 (I didn't think about employers, that's just
another example although not necessarily a good one given security
policies, I was thinking more of some 3g connections or some hotel
connections).

Your suggestion about a vps is a good one, I have one and I can use it
as a workaround/hop to access babbage from places where I can only use
80/443 out but surely not everyone can afford it and this workaround
shouldn't automatically exclude my argument. Does it?

I have no intention of using babbage to create a persistant tunnel and
I have yet to see how I could not do it with port 22 anyway.

To answer Jon, I don't think it matters that much.
Security people don't always do a reverse-resolve on the remote ip of
all outgoing connections.
I grant you that they may notice it if one was to create a tunnel but
the occasional use would probably go unnoticed.

Anyway, mine was just a request/suggestion, no need to call this place
'crackspace' just because I've asked if we could make babbage better
reachable.

Thanks

tryexcept

tryexcept

unread,
Sep 21, 2012, 10:46:25 AM9/21/12
to london-h...@googlegroups.com, hack...@norgie.net
Thanks Mark,

I've made the changes to /etc/ssh/sshd_config to serve on both 22 and 443.
Seems to work fine.

cheers,

tryexcept

Jon Fautley

unread,
Sep 21, 2012, 5:31:55 PM9/21/12
to london-h...@googlegroups.com
On 21 September 2012 14:57, Monty <mont...@gmail.com> wrote:
> If the name troubles you I can register a more fluffy sounding name. How
> about supersafeandsecureinter.net?

4/10 - must troll harder.

Aden

unread,
Sep 21, 2012, 8:28:27 PM9/21/12
to london-h...@googlegroups.com
Hackspace bandwidth is limited, do we really want people using it to
bounce through or irc from outside? Get a 50p a month VPS

On Fri, Sep 21, 2012 at 11:02 AM, tryexcept <xmar...@gmail.com> wrote:
> Hi all,
>
> I'm a new member, I really like this space and found lots of very
> knowledgeable and helpful people, very happy to join this community.
>
> I've got an account on babbage and I was wondering how you feel about making
> it also reachable via port 443 at hack.rs (or other domain).
>
> The reasoning behind this is that in some networks you can only hit port 80
> and 443 on the way out.
>
> In the past I used sslh (a multiplexer,
> http://www.rutschle.net/tech/sslh.shtml) to offer ssh on port 443 and at the
> same time offer https/openvpn and what not, although we may not even need
> this given that 443 is currently unused on babbage (and on hack.rs it times
> out so doesn't look port forwarded to any other box)
>
> Thoughts ?
>
> cheers,
>
> tryexcept

Monty

unread,
Sep 22, 2012, 10:57:33 AM9/22/12
to london-h...@googlegroups.com
Not a bad score considering I was being sardonic rather than attempting to troll.
Reply all
Reply to author
Forward
0 new messages