How to hide (obfuscate) SSH traffic using obfs4

Overview

In the previous post, I talked about pt-spec-v1 and obfs4 and explained how obfs4proxy can be setup and used outside of Tor. You are advised to read it to get the most out of this post.

In this post I’m going to give you a real example of obfs4proxy being used to obfuscate SSH traffic.

For this, I’ll be using two Ubuntu 18.04 Servers. But with a little to no adjustment, any other decent distro should work.

Assumptions

  • Both server and client are running Ubuntu 18.04 Server
  • Server IP address is 10.0.0.1
  • Client can access the obfs4proxy server port (2222 in our example)

Common configurations

These are configurations that needed on both sides:

Installing obfs4proxy

You can either compile it from source or use your distro’s repository:

sudo sh -c 'apt-get update && apt-get install obfs4proxy'

Setting up the user and pt_state

There should be no reason to run obfs4proxy as root. So we create a dedicated user/group for it:

sudo adduser \
  --system \
  --home "/var/lib/obfs4proxy-ssh/" \
  --shell "/usr/sbin/nologin" \
  --group \
  --gecos "obfs4proxy for ssh" \
  obfs4-ssh

Note that in the process, we also made a home directory with the Continue reading

NAT64Check Version 2 is launched!

With the New Year comes the launch of NAT64Check version 2 from the Internet Society. The first version of NAT64Check was introduced a couple of years ago and has proved very popular and successful, so for the past year we’ve been working on a number of enhancements in response to feedback and requests. And we’re very happy to be able to make the new version available as we welcome in 2019.

NAT64Check is a tool developed by the Internet Society in collaboration with Stichting IPv6 NederlandGo6, SJM Steffann, Internetbureau Max and Simply Understand. This allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. It also compares responsiveness using the different protocols, therefore  allowing network and system administrators to easily identify anything is ‘broken’, to pinpoint where any non-IPv6 compatible elements need to be fixed.

The original version of NAT64Check though, ran on two separate servers at Go6 and the IPv6 Lab which each had a limited view of the Internet Continue reading

2019 Goals

Writing down what I want to achieve helps me stay focused and keeps me from getting distracted by all the shinny things in the world. 2019 Goals Loose 20kgs Family Read 20 non-technical books JNCIX SP Azure solution architect One post a week Move to rails Loose 20kgs Over the...

On Thinking About Infrastructure as Code

I just finished reading Cindy Sridharan’s excellent post titled “Effective Mental Models for Code and Systems,” and some of the points Sridharan makes immediately jumped out to me—not for “traditional” code development, but for the development of infrastructure as code. Take a few minutes to go read the post—seriously, it’s really good. Done reading it? Good, now we can proceed.

Some of these thoughts I was going to share in a planned presentation at Interop ITX in May 2019, but since I’m unable to speak at the conference this year due to schedule conflicts (my son’s graduation from college and a major anniversary trip for me and Crystal), I figured now was as good a time as any, especially given the timing of Sridharan’s post. Also, a lot of these thoughts stem from a discussion with a colleague at work, which in turn led to this Full Stack Journey podcast on practical infrastructure as code.

Anyway, let me get back to Sridharan’s post. One of the things that jumped out to me right away was Sridharan’s proposed hierarchy of needs for code:

Sridharan's hierarcy of needs for code

As you can see in the image (full credit for which belongs to Sridharan, as far Continue reading

The Linux Migration: December 2018 Progress Report

In December 2016, I kicked off a migration from macOS to Linux as my primary laptop OS. Throughout 2017, I chronicled my progress and challenges along the way; links to all those posts are found here. Although I stopped the migration in August 2017, I restarted it in April 2018 when I left VMware to join Heptio. In this post, I’d like to recap where things stand as of December 2018, after 8 months of full-time use of Linux as my primary laptop OS.

I’ll structure this post roughly as a blend of the formats I used in my April 2017 and July 2017 progress reports.

Hardware

Readers may recall that I was using a Dell Latitude E7370 (see my E7370 hardware review) up until August 2017, when I put the Linux migration on hold indefinitely due to productivity concerns. Upon moving to Heptio, I switched to a Lenovo ThinkPad X1 Carbon (see here for my review of the X1 Carbon—the “TL;DR” is that I love it). In my home office, the X1 Carbon connects to a USB-C expansion hub that provides connectivity to a 34” 21:9 ultrawide curved monitor, external HD webcam, and a USB headset for Zoom Continue reading

Another Step Closer to Our Mission

The Internet now reaches more than half the world.

A recent estimate indicates that nearly 4 billion people – more than half the world’s population – now use the Internet. More people are now online than existed in the world the year I was born. Everyone, it seems, values the Internet. We all still know the Internet is for everyone.

The Internet Society, including all our chapters and members, was part of Internet growth in this period. 2018 was a year of many changes at the Internet Society. We changed the staff and ways of organizing work to make things clearer. We changed our CEO. But at the same time, we brought infrastructure to some of the most remote parts of the world. We pushed for better security for many of the new devices that are connecting to the Internet. And we worked to include the whole range of voices when it comes to who’s making decisions about the Internet’s future.

These are just a few of the things we, the whole Internet Society, did together. We work together because that’s what internetworking is: working together, each of us making a greater whole of our individual parts.

So, as Continue reading

Vendor Lock-in – Is It Really That Bad?!

In today’s IT infrastructure, open source software is a common component. Many organizations and network engineers stay away from certain architectures and products citing vendor lock-in as their only argument but often lack the understanding to why they think vendor lock-in is a problem. Let me explain.

There are lock-ins of different forms. For example if you are buying MPLS VPN service from a SP, you are somewhat locked in to their offering and pricing. I see at least three types of different lock-in:

Vendor lock-in – This is the one that everyone is familiar in. It means that the vendor has a solution that is proprietary, perhaps using proprietary management or routing protocols so that it can’t interact with solutions from other vendors.

Tools lock-in – This may or may not be as much of a lock-in as vendor lock-in, but when an organization has invested enough time, money and manpower into a specific toolset, it’s difficult to move to other tooling.

People lock-in – An often oversighted form of lock-in. Depending on architecture, toolset and so on, your organization may need a certain type of engineers to work on the network. These may be difficult to find which Continue reading

How to hide (obfuscate) any traffic using obfs4

Overview

In this post, I’m going to give you the information necessary to be able to use obfs4 protocol not just for wrapping Tor traffic, but for virtually any other TCP traffic as well.

Doing so for the previous Pluggable Transports of this kind (namely obfs2,obfs3 and ScrambleSuit) was rather simple. obfsproxy program written python, already supports being run in standalone (or so called unmanaged) mode and there are dozens of guides available on how to do so.

However, obfs4proxy which implements obfs4 protocol in Go, is primarily designed to work in conjunction with Tor (managed mode). This is not a protocol limitation but rather an implementation one.

If you ever try running obfs4proxy by itself, you’d get an error like this:

[ERROR]: obfs4proxy – must be run as a managed transport

But Hey! It is not the end of the world. There are still couple of ways to make use of obfs4 outside of Tor:

  • Adding unmanaged mode of operation to obfs4proxy
    This is probably the best way, but I’m not a Go programmer so I’ll leave that to those who are.

  • Using external wrappers
    PTProxy and ptadapter in Python, along with Shapeshifter in Continue reading

IPv6 in China

China has an estimated Internet user population of 741 million, out of a total population of 1.4 billion people. If there was extensive deployment of IPv6 services in China, then the case that IPv6 has already achieved critical mass of deployment would be easy to make. On the other hand, if such a significant user population had no IPv6 service and no visible plans for IPv6 services, then the entire conversation about the times and certainties about the future of IPv6 takes on a different direction. Which means that China matters in the world of IPv6. It matters a lot.

My Ignorance for a Year and Dell IDRAC

Hi,

I have a Dell R810 and it makes a lot of noise. So, I have put it somewhere remote in the home where it’s completely inhabitable for human beings. Now, the problem was always to go there and manually power-up the system.  This has been the scenario for years. So, technically if am away from my home I need to take help from my wife. All this is going well and I was always wondered should it not have a better way to do things.

Was talking to my friend and he had some paid solution for the same thing, he doesn’t even remember and that’s for his cisco gear, now for Cisco gear as long you supply power they will be powered (if the Power button is always on), for servers however just like our Personal CPU’s and Laptops you have to manually press the power button.

Then yesterday all of a sudden I took this somewhat seriously and explored options, then I understood it was sitting right inside the server, Dell has something called Integrated DRAC system which helps you do this thing, all you need to have is a proper Lan connection, the message was Continue reading

Testing notes: simulating link failure by filtering BFD packets

In some testing I am doing, I need to prove that BFD can be used with iBGP to tell the BGP protocol when there is an interruption.  This will enable BGP to be brought down much faster than if regular BGP timers are used.

To make this easier to do, I used a firewall filter on one of the two routers to filter out BFD but accept all other packets:
Single-hop BFD (i.e. across a link) uses UDP 3784, while multi-hop BFD uses 4784.  Since my BFD sessions are configured between loopbacks, it is this latter type I need to filter.

In the example below, CORE1 is a BGP client of CORE2, which is the route-reflector.

The following was configured on the routers to bring up the BFD session (I am only showing one side – you can figure out the mirror of this yourself I think):

[edit protocols bgp group CORE neighbor 10.0.0.6]
      bfd-liveness-detection {
          minimum-receive-interval 300;
          multiplier 3;
          transmit-interval {
              minimum-interval 100;
          }
      }

When the remote side was done, the session came up:


axians@CORE1> show bfd session
Dec 28 17:17:10
                               Detect Transmit
Address       State Interface  Time   Interval  Multiplier
10.0. Continue reading
1 1,315 1,316 1,317 1,318 1,319 3,795