gmurdocca

Circumventing Deep Packet Inspection with Socat and rot13

I have a Linux virtual machine inside a customer's private network. For security, this VM is reachable only via VPN + Citrix + Windows + a Windows SSH client (eg PuTTY). I am tasked to ensure this Citrix design is secure, and users can not access their Linux VM's or other resources on the internal private network in any way outside of using Citrix.

The VM can access the internet. This task should be easy. The VM's internet gateway allows it to connect anywhere on the internet to TCP ports 80, 443, and 8090 only. Connecting to an internet bastion box on one of these ports works and I can send and receive clear text data using netcat. I plan to use good old SSH, listening on tcp/8090 on the bastion, with a reverse port forward configured to expose sshd on the VM to the public, to show their Citrix gateway can be circumvented.

Rejected by Deep Packet Inspection

I hit an immediate snag. The moment I try to establish an SSH or SSL connection over o

wlonkly

I wrote this down after I responded to a page today (a holiday) because it would've been a decent pairing opportunity for a couple of new people on my team. Second best is that people can read what I did afterwards and ask me any questions. And then I realized that there's nothing PagerDuty-specific or confidential in here, so I may as well share it wider. It's hardly an epic incident, but it's a good example of "doing the work", I think. I borrowed the "write down what you learned" approach from Julia "b0rk" Evans. It's a fantastic practice.

The PagerDuty incident: "Disk will be full in 12 hours. device:/dev/nvme0n1p1, host:stg-nomadusw2-client-..."

(Note for non-PD readers: We run Nomad where others might run Kubernetes.)

Here's the process I went through.

• Noticed that the usual docker system prune -a -f didn't resolve it
• Tried docker system prune -a -f and it cleared up 0B

triangletodd

On the host

Ensure these modules are loaded

cat /proc/sys/net/bridge/bridge-nf-call-iptables

Disable swap

sysctl vm.swappiness=0
swapoff -a

Xenthys

#!/bin/bash

id=$(grep "$1" /etc/pve/.rrd | cut -d'/' -f 2 | cut -d':' -f 1)
[[ "$id" == '' ]] && echo "The specified LXC does not exist." && exit 1

node=$(grep "^\"$id\":" /etc/pve/.vmlist | cut -d'"' -f 6)
[[ $(hostname) != "$node" ]] && pre="ssh -t $node "

echo "Entering LXC $id on node $node..."
${pre}pct enter $id

chriselsner

Nix on macOS Catalina

I'm writing this gist for my own records but it might help someone else too.

Installing Nix

Support for Catalina has improved a lot since the update was first rolled out.

Note: See the NixOS manual for discussion of the --darwin-use-unencrypted-nix-store-volume option.

brettcannon

      - name: Get VS Code versions
        run: curl --output vscode-stable-versions.json https://update.code.visualstudio.com/api/releases/stable
      - uses: actions/cache@v1
        with:
          path: .vscode-test/
          key: ${{ runner.os }}-vscode-test-${{ hashFiles('vscode-stable-versions.json') }}
          restore-keys: |
            ${{ runner.os }}-vscode-test-

ryo-ARAKI

# ~/.config/starship.toml

[battery]
full_symbol = "🔋"
charging_symbol = "🔌"
discharging_symbol = "⚡"

[[battery.display]]
threshold = 30
style = "bold red"

kamek-pf

# Colors (Gruvbox Material Dark Medium)
colors:
  primary:
    background: '0x282828'
    foreground: '0xdfbf8e'

  normal:
    black:   '0x665c54'
    red:     '0xea6962'
    green:   '0xa9b665'

AlainODea

resource "aws_ami_copy" "amazon-linux-2-encrypted" {
  name              = "${data.aws_ami.amazon-linux-2.name}-encrypted"
  description       = "${data.aws_ami.amazon-linux-2.description} (encrypted)"
  source_ami_id     = "${data.aws_ami.amazon-linux-2.id}"
  source_ami_region = "${var.region}"
  encrypted         = true

  tags {
    ImageType      = "encrypted-amzn2-linux"
  }

pquentin

#!/usr/bin/env python3

import asyncio
import time

import aiohttp

START = time.monotonic()