"The customer reports that port 21 is closed on our FTP site. They said that port 443 is open, and wonder if they can use that instead."

"They are entering the wrong server name. Our FTP server is ONLY an FTP server. Port 443 is not open on our FTP server.

Please verify that they are entering `ftp.xxxxxx.com`

Our FTP site supports FTP/SSL if they are concerned about security."

"Customer responds that they would rather use port 443 to send files."

"I'm sure they would. I'd also like to enter our building on the west side when the temperature is below 10º, but there are no doors on the west side, so that's not going to happen, is it?"

To IT: I can no longer clone GitHub repos from the command line.

From IT… Hello DevOps engineer…. You’re no longer allowed to use port 22. It’s not safe. All traffic must be port 443.

Really!?

I managed to take down an entire school network with one VPN.

In short, I ran a personal VPN and eventually the System Administrators at my old school managed to pick it up as unknown traffic. For some reason, they managed to block the port but not the IP so I changed the port to 443 and their automatic system blocked port 443 on their entire network essentially rendering HTTPS useless for a few hours.

I never got approached about it but my school invested in a new IT team.

Network Security at it's best at my school.
So firstly our school has only one wifi AP in the whole building and you can only access Internet from there or their PCs which have just like the AP restricted internet with mc afee Webgateway even though they didn't even restrict shuting down computers remotely with shutdown -i.
The next stupid thing is cmd is disabled but powershell isn't and you can execute cmd commands with batch files.
But back to internet access: the proxy with Mcafee is permanently added in these PCs and you don't havs admin rights to change them.
Although this can be bypassed by basically everone because everyone knows one or two teacher accounts, its still restricted right.
So I thought I could try to get around. My first first few tries failed until I found out that they apparently have a mac adress wthitelist for their lan.
Then I just copied a mac adress of one of their ARM terminals pc and set up a raspberry pi with a mac change at startup.
Finally I got an Ip with normal DHCP and internet but port 80 was blocked in contrast to others like 443. So I set up an tcp openvpn server on port 443 elsewhere on a server to mimic ssl traffic.
Then I set up my raspberry pi to change mac, connect to this vpn at startup and provide a wifi ap with an own ip address range and internet over vpn.
As a little extra feature I also added a script for it to act as Spotify connect speaker.
So basically I now have a raspberry pi which I can plugin into power and Ethernet and an aux cable of the always-on-speakers in every room.
My own portable 10mbit/s unrestricted AP with spotify connect speaker.
Last but not least I learnt very many things about networks, vpns and so on while exploiting my schools security as a 16 year old.

Boss: Hey! I know you just got everything working on that new project. But good news: I have a repo you can clone and we can work together. So just clone that and look at my changes, find something that’s broken, and work away. Oh, I also modified everything to use HTTPS locally. HTTP won’t work anymore. Alright, I’m off on vacation! Ciao!

… and that’s the story of how I spent a day and a half fighting with NPM, Brew, setting up a new CA and self-signed cert, and getting passenger to work with it. The good news is that I can connect locally via 443. The bad news is all assets use http and are thus blocked for being mixed-content. And idk how to fix it. Joy!

Not mentioned: npx removing a required package every time I run it, version mismatches, and the usual NPM problems.

Corporate IT blocks all network traffic, whitelists port 80 and 443 😡

... cos port number is the best predictor of security threats, amirite? 😒

!rant

I've seen some rants about people complaining about websites using the 'www' subdomain, so I'd like to take this opportunity to try to explain my opinion about why sites might use it.

I use to feel the same way about not having the www subdomain. It felt like an outdated standard that serves no purpose. But I have changed my option...

Sometimes certain servers have other services running other than just the website, such as ssh, ftp, sql, etc., running on different ports. What if you want to use a web proxy and caching service similar to cloudflare or a cdn? We'll you can't, because they won't allow traffic to flow through to your other ports.

That's where the www subdomain comes in. Enable your caching and cdn on your www subdomain, and slap a 301 redirect from your primary domain on port 80 or 443 to the www subdomain. This still allows you to access your other services via the domain name while still gaining the benefits of using a cdn.

Now I know you could use an 'ftp' subdomain or the like, but to each their own in that regard.

I want to access a webpage on a non-standard port.
On desktop, I can override port bans for Chromium-based browsers and Firefox.
On Android, I FUCKING CAN'T, FIREFOX' CONFIG VALUE USED ON DESKTOP DOESN'T DO ANYTHING ON ANDROID, ANY OTHER BROWSER ALSO DOESN'T HAVE ANY CONFIG FOR THIS, AAAAAAAAAAAAAAAAAAAAAAAAAA

Site's on port 21 because that's one of my school firewall's few allowed outbound ports, and I couldn't use 80/443 since a webpage is already running there.

Spending hours trying to figure out why the stack just won't work with SSL. Nearly lost my mind as we started feeling dumber than ever. I really started to doubt my skills after it did not even work with the most minimal nginx site config I could imagine.
The next day I discovered that we missed the 443 port mapping in the docker-compose file...it only had port 80 mapped.

Yup, stepping back from a problem and getting some sleep is really worth it sometimes.

It took me an entire hour to figure out why my https gave me a Connection Refused error in my browser. Apparently I had configured port 433 to be published instead of 443, another hour wasted.

Debugs SSL setup on server for hours... Realises incoming on 443 was not enabled!! FML

me: block all in&put connection
firewall: ok
me: open port 22 for local network
firewall: ok
me: enable firewall
firewall: ok
me: restart pi
firewall: allow me connect
me: open port 80 for local network
firewall: ok
me: open port 443
firewall: Oh! i have to block icoming connections on port 22

What do you put on your website these days if you don't have a service to offer or recent projects to show off?
Imho portfolios are just weird (i'm also not in the need of one) and my domain choice (milotic.io) was made kinda drunken, too.

Any ideas?

PCI DSS scan came back saying that WebDAV extensions need to be disabled. Kind of surprised, since I have other servers I’ve configured to standard and I can’t find anything in my notes about it.

In either case, been searching for info on how to fix it for 2 days and turned up nothing useful. Report found it on ports 80 and 443, so a firewall fix seems out here.

Running Plesk 17.5.3 on CentOS 7. Anyone have any pointers on how to get the job done?

tmux new -d -s 'fuck putin'
for i in 80 443; do tmux new-window -t 'fuck putin' -n $i "while :; do nmap mil.ru -p $i & done"; done
while :; do killall -9 nmap; sleep 2; done

Spent a couple hours trying to obtain an SSL certificate to encrypt my site last night... No luck so far. It kept saying it doesn't have access, when I verified that nginx serves to port 443...

i need an adult. I know noone who would understand my worries, so you guys need to be it.

i have a nextcloud running on my raspberry pi. performance is horrible, dont ask, but it works.

i mostly use it to backup the photos of my phone sd card every night when my phone charges. Internally this works good. If i am elseplace it wont for obvious reasons.

In my youthful joy of doom i opened port 443 and forward it to my raspi. I get internet via cable and my ip is pretty much static (it was the same for 10 months). So external access is provided.

Now i thought, its stupid that i cannot sign an ssl certificate cause i dont have a domain. Lets buy domain. But before i do that i did some try runs with duckdns to test the principle.

Some back and forth, it works now. Pretty god, i could even make a cron job on the raspbi to renew (that should work right?). Only problem. randoname.duckdns.org doesnt work internally. Or should not at least.

So i googled a bit and it turns out that my router (a cable fritz!box i bought myself) can be a local network dns. Or cannot. Regardless what i try, it doesnt accept the changed config file.

Now the problem.

It works anyway. randoname.duckdns.org points to my external "static" ip and resolves to that from my internal network..so it works on my phone or laptop. if i traceroute the thing it goes via two hops out and finishes in less than 1ms.

Now to the problem:
I have no fokkin clue why. The expected behaviour would be that it shouldnt work. If i do what i intended todo on pc in the hosts file tracert works correctly, directly pointing to the internal ip.

What i cannot figure out, is it the fritz!box being smart? Is it my ISP being smart?

Reason to rant: i have absolutly NOONE to ask, i know not a single person who would even understand what troubles me. I want to learn, i want to know WHY not just some mindless russian patchwork of "if it works its good enough".

thats depressing.

Just wanted to do some scripted image resizing for school in school because the teacher asked me to help her with that.
So I thought: Let's just write a tiny script. Written the script in almost no time (just iterates over all jpg's and resizes them)

30sec.

Now I tried to run it. Didn't have my laptop so I had to somehow run it on their windows PCs. At least it's windows 10, unlike other schools that still run XP and stuff so I thought it might be doable. Well guess what, nope it wasn't.

First tried to install imagemagick, that didn't work as only teacher accounts have admin and the teacher was already pretty scarred once he saw me doing stuff in powershell so I thought I'd better not ask to do this via a teacher account and mess with stuff as admin.

Next method: Installing msys2. That worked at least (after taking forever to install and having to mess with the av software to get it to run).
And there comes the next problem: pacman doesn't connect via the proxy so I can't download any packages. There is free wifi but only for teachers, and students aren't going to get access until the school finally has a faster connection because they'd (understandably) cause this connection to be constantly overloaded. I just happen to have access to this wifi network, too, because at least the guys from the IT dept know how bad using proxies under linux is. So I connect via wifi and it works. At least I thought: After running the script it yields weird errors about unsupported arguments even though the command is exactly the same I have been using for years (already checked typos twice)

Then got the idea of simply installing imagemagick on termux on android and transferring the files onto my phone.
Too bad we aren't allowed to attach our own USBs to the pcs. Luckily I got a rooted phone so I simply activate adb over network and connect to it.
After downloading the platform-tools I can't run them because of AV software. Luckily there is an option to add an exception per executable so I do that. After doing that it works.... nope it doesn't. The wifi only allows 443/tcp and 80/tcp, even for internal network devices.

So that's it. I'm simply going to upload that stuff to my nextcloud and convert it at home.

Windows, I hate you!!!

Which ons is less risky and which one Is most profitable to succeed ?

0- telling the admin you forgot your password and as he's logging in, sniff his password (you already placed sslstrip)

1- gain access to router using its vulnerabilities and redirect the traffic to a fake page and get the password.

2- exploiting smb port of admin's system and placing a krylogger or stealing his cookies if available

3- brute forcing admin password :/

4- pressing forgot password on admin account and staying close to him and sniff the SMS containing the otp using rtl-sdr (and of course you will be prompted to set a new password)

5- any other way .

Also the website itself is almost secure.
It is using iis 8.5 and windows server 2012
Only open ports are 80 and 443.

So recently I've been feeling like I fooled myself into thinking I'm any good at anything regarding development.

Today I tried to deploy a Console Application that would run nightly. The production systems are much more guarded, as it should be, but I should still be able to schedule a windows task (yeah yeah, windows servers, not the time Linux fanboys and not my choice :P) no problem.

Except I didn't expect that network users can't run jobs, because of a Group Policy about saving passwords on network accounts.

I expected a local administrator account to be available, and it wasn't.

Also a web API isn't available, even though I could telnet to the address on port 443 (HTTPS). A proxy apparently accepts all HTTP/HTTPS traffic and so on.

All this I feel like I should have known....

So am I in my own head, or am I right in thinking maybe I'm not "pro" development yet? Maybe I don't deserve to be "pro".

Thoughts?

So I think I have answered this, but here goes.
I have ddns service I need to update periodically. I chose once every 5 minutes. I am using this command:
/usr/bin/wget -O /dev/null -o /dev/null <webcall url>
I have it running every 5 minutes in a cronjob. I checked and wget is using port 443 to connect to my webcall url which is https. I am assuming this is hiding the details of the url. Is this true? Also, I don't like that the cronjob is sending the whole command to syslog. Is there a way to prevent it from syslogging this? I would rather keep the details of the url hidden as much as possible. I am the only user on the server, but am curious if there is a way.

So questions are:
1. Is wget hiding the details of the url from prying eyes? It is using port 443 for https.
2. Cannot I not log the cronjob command in syslog? I supose I could create a script that hides this.

Okay people couldn't get a response anywhere so I'm going to do this here considering we have a bunch of geniuses here. I need to create a tunnel in nodejs or java to forward connection from client to server. Need to do this because my damn client can only use ports 80/443. Anybody wants to brainstorm?
These people have so much of garbage data yet want to keep everything secure as hell.