Berkeley CSUA MOTD:Entry 52962
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2017/12/15 [General] UID:1000 Activity:popular
12/15   

2009/5/7-14 [Computer/Networking, Computer/SW/Unix] UID:52962 Activity:nil
5/7     What's a good reverse port forwarding for a PC(inside firewall) ->
        Unix, so that I can VNC into the Unix that gets forwarded to
        PC's VNC server?
        \_ http://micrux.net/?p=26
           Syntax, to be executed from the PC behind firewall:
           % ssh -R 5900:127.0.0.1:5901 <destination_server>
           You can also use Putty, by going to Connections->SSH->Tunnels,
           and enter:
                Source port:5900
                Destination:127.0.0.1:5901
                Remote (not Local)
                and finally click on Add
           So the connectivity looks like this:
                PC --ssh--> FIREWALL --ssh--> destination_server
           And the resulting "virtual" connectivity:
                PC:5900 <--- destination_server:5901
           With the "-R" argument the destination_server binds to
           port 5901 which will connect back to PC's port 5900. Hence, it's
           a "reverse" tunnel. Note that this can potentially open up
           a lot of problems for companies and is generally frowned
           upon by network administrators. Please use with care.
           \_ Thanks, this is super useful info in general.
        \_ I do this with inetd and netcat.  Just put a line like this in
           /etc/inetd.conf, and reload inetd:
               5900 stream tcp nowait nobody /bin/nc nc YOUR-PC 5900
           You can also do it with ssh port forwarding (e.g. using PuTTY),
           but then you have to remember to keep your ssh connection open
           all the time.
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2017/12/15 [General] UID:1000 Activity:popular
12/15   

You may also be interested in these entries...
2009/11/4-17 [Computer/Networking, Computer/SW/Security, Computer/SW/P2P] UID:53495 Activity:nil
11/4    Holy cow, I got a warning from my ISP that they were notified
        by BSA/baytsp.com that I was copying music/video/software.
        Do they do port scan or something? That's a first for me.
        \_ They hang out on P2P networks and track IP addresses.  -tom
           \_ I believe they are paid by content providers to perform this
              monitoring service, so you should only run this risk with content
	...
2008/11/7-13 [Computer/Networking] UID:51876 Activity:low
11/7    Need help on http proxy. After I VPN to work, I'd like to tunnel
        all the traffic to my machine. How do I setup my machine (Linux)
        as a proxy server so that my home computers can route through it?
        I'm asking because the site we're testing on requires that we
        come from the same IP. If I use VPN, the server will reject me
        based on the fact that it's a different IP than my work Linux.
	...
2008/8/5-10 [Computer/Networking] UID:50788 Activity:nil
8/5     It looks like my company has started blocking HTTPS tunneling.
        I used to do this by tunneling SSH through the HTTP/HTTPS proxy
        server, but this seems to have stopped working. Does anyone know
        how the implementation of tunneling detection works, and whether
        there are widely available implementations? We run a bunch of MS
        stuff, so I imagine we're running an MS proxy server or something.
	...
2007/6/28-7/2 [Computer/Networking] UID:47104 Activity:nil
6/28    what?
        We are deeply, deeply sorry to say that due to licensing constraints,
        we can no longer allow access to Pandora for most listeners located
        outside of the U.S. We will continue to work diligently to realize
        the vision of a truly global Pandora, but for the time being we are
        required to restrict its use. We are very sad to have to do this, but
	...
2007/6/28-7/2 [Computer/SW/SpamAssassin] UID:47111 Activity:nil
6/28    Q: What are folks using these days for anti-spam measures?  I'm
        looking for something that integrates with my MTA (postfix) or my
        delivery agent (sieve).  Currently I'm using a crufty version of
        spamassassin wired into postfix via amavisd-new.  It's decent, but I
        don't want to be bothered with manually upgrading spamassassin or
        updating rulesets on a regular basis.  Anyone have any experience
	...
2006/2/18-23 [Computer/Networking] UID:41923 Activity:low
2/18    My DSL modem's ip address is 192.168.0.1, my internal network
        behind my router is 10.0.0.x. Is there a way I can configure
        the router so I can access the DSL modem from my 10.0.0.x
        network directly without re-wiring? Static routes? I tried it
        but no much luck. I also tried changing my internal network to
        192.168.0.x, but still does not work. Thanks.
	...
2006/1/28-31 [Computer/Networking] UID:41585 Activity:low
1/28    Just switched to Comcast from SBC and generally happy with it.  But
        can someone please explain to me why they are constantly pumping
        ARP traffic through the network?  It seems harmless, but I'm curious
        as I didn't see it with DSL.  It's a little disconcerting to see
        constant traffic on your router, even if ARPs are harmless from
        a bandwidth perspective, and it makes the WAN send/receive light
	...
2006/1/22-24 [Computer/Networking] UID:41477 Activity:nil
1/21    I am trying to setup a small network for my girlfriend's
        mom's company.  They just bought an accounting package
        which requires windows 2003 server.  And they want internet
        access from each computer.  How should the network be setuped?
        Would it be dumb to use static IP for each computer and a
        computer as internet gateway?
	...
2005/8/29-30 [Computer/Networking] UID:39329 Activity:moderate 54%like:37400
8/29    What's the difference between a hub, a switch and a router?  Thx.
        \_ AFAIK, probably be corrected by someone:
           hub: Allows communication on a LAN with bandwith shared amongs all
                the nodes on the hub and maxing out at the max line speed.
           switch: Allows communication on a LAN with bandwith greater than
                the max line speed (point to point)
	...
2005/6/2-3 [Computer/Networking] UID:37941 Activity:moderate
6/2     I've been to many places and almost every place I go to have
        802.11b/g. However, almost all of them have protected access,
        which I presume they use because they don't want people stealing
        their bandwidth. So here is one idea I think will really
        revolutionize 802.11X... an option in the router that allows you to
        specify the percentage of unprotected bandwidth you are willing to
	...
2005/5/23-25 [Computer/Networking] UID:37799 Activity:nil
5/23    Has anyone played with carp/pfsync on OpenBSD? I have a simple
        two firewall setup, one fw running 3.6, the other running 3.7.
        Right now the 3.6 system is the "master" and everything seems
        to work properly except that I can't ping the virtual ip from
        the master system. Any ideas?
        \_ I've seen this with a lot of virtual IP/failover/load balancers.
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/8/30-11/7 [Computer/SW/Unix, Computer/SW/Apps] UID:54470 Activity:nil
8/30    Is wall just dead? The wallall command dies for me, muttering
        something about /var/wall/ttys not existing.
        \_ its seen a great drop in usage, though it seems mostly functional.
            -ERic
        \_ Couldn't open wall log!: Bad file descriptor
           Could not open wall subscription directory /var/wall/ttys: No such file or directory
	...
2012/9/20-11/7 [Finance/Investment, Computer/SW/Unix] UID:54482 Activity:nil
9/20    How do I change my shell? chsh says "Cannot change ID to root."
        \_ /usr/bin/chsh does not have the SUID permission set. Without
           being set, it does not successfully change a user's shell.
           Typical newbie sys admin (on soda)
           \_ Actually, it does: -rwsr-xr-x 1 root root 37552 Feb 15  2011 /usr/bin/chsh
	...
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
	...
2012/3/29-6/4 [Computer/HW/Memory, Computer/HW/CPU, Computer/HW/Drives] UID:54351 Activity:nil
3/29    A friend wants a PC (no mac). She doesn't want Dell. Is there a
        good place that can custom build for you (SSD, large RAM, cheap video
        card--no game)?
        \_ As a side note: back in my Cal days more than two decades ago when
           having a 387SX made me the only person with floating-point hardware,
           most machines were custom built.
	...
2012/4/27-6/4 [Computer/SW/Languages/Misc, Computer/SW/Unix] UID:54372 Activity:nil
4/27    I wrote a little shell script to collect iostat data:
        #!/bin/bash
        DATE=`date +%m%d`
        DATADIR=/var/tmp/user
        OUTPUTFILE=$DATADIR/$DATE.out
        while true
	...
Cache (2372 bytes)
micrux.net/?p=26
NAT firewall which needed to be accessible for Remote Desktop. Actually, it was behind 2 NAT devices, but that's sort of irrelevant. After spending a lot of time trying to get the correct ports forwarded, I found out that my ISP was blocking incoming traffic anyways. But this was also problematic, because not only was this computer behind a NAT, but the computer that needed to access it was ALSO behind a NAT. Not to mention, the client computer would be coming from an unpredictable IP address. So my attack plan was to have a third machine sitting on the internet which could act as an intermediary between the client and the remote desktop server. I already had a third machine available, but this was where using SSH tunnels became tricky. So the idea is, you create an SSH tunnel from your computer's port X to a remote server's port Y Any traffic that you send on port X locally will then transparently be sent across the encrypted tunnel to the remote server on port Y Responses will then follow the same path backwards across the tunnel. SMTP This is also very helpful if you need to transport data across a firewall or from behind a NAT device. In order for my setup to work, the remote desktop server would need to be constantly connected to the server in the middle. This way, the client can connect to the middleman at any time and get access to the remote desktop server. A reverse SSH tunnel is exactly like a regular SSH tunnel, except that any traffic that is received on the remote machine gets transparently forwarded to you! com port 4000 (which is our middleman server) to our local port 3389 (which is the remote desktop port). Now when we point our remote desktop client to localhost:4000, the traffic will go across the normal SSH tunnel to the middleman, and then be re-translated across the reverse tunnel to the remote desktop server. The core idea here is that once the traffic on the normal tunnel reaches the middleman, it gets picked up by the reverse tunnel to complete the remainder of its trip. The only last problem was that I needed to keep the reverse tunnel open at all times so that the client could connect whenever it needed to. Permalink Good article, I think to do a remote shell in Putty, go to the same area you would setup local port forwarding and at the bottom of that window check the box for "remote" instead of "local."