==Training Lesson== INVESTIGATION NARRATIVE: SSH Kill la Killed 🧵 My job is to solve the Weird Problems as the Final escalation tier. I do this with generalist knowledge and practical experience. New InfoSec/IT entrants often ask what this looks like in practice. Follow below. - ThreadSky

swiftonsecurity.com • 42 days ago

==Training Lesson==
INVESTIGATION NARRATIVE: SSH Kill la Killed 🧵

My job is to solve the Weird Problems as the Final escalation tier. I do this with generalist knowledge and practical experience.

New InfoSec/IT entrants often ask what this looks like in practice. Follow below.

Comments

deadwinger.bsky.social•42 days ago

📌

shirleman.bsky.social•42 days ago

Please use alt text 🙏

hilliern19.bsky.social•41 days ago

📌

swiftonsecurity.com•42 days ago

NOTE: You can mute this thread if not interested it will be long.

I have a seedbox in Europe to coalesse torrent downloads from other servers at 10gbe uplink to many other similar colocated servers hosting the content. I then collect finished over SSH file copy at my leisure.

swiftonsecurity.com•42 days ago

In some scenarios you can increase overall transfer speeds by running multiple sessions simultaneously, like a multi-lane highway. This can help saturate your connection, which I was not getting.

I go into WinSCP and turn this on, 6 sounds good.

swiftonsecurity.com•42 days ago

Okay WinSCP starts opening more (we're going to call them multithreaded) connections to transfer 6 files at once. In some protocols, you can have multiple connections for the same file.

It starts opening them... and then the last one is stuck at connecting. And the others die?

swiftonsecurity.com•42 days ago

In this non-enterprise scenario there are basically 6 broad layers this problem could be. Application, Security, OS, Network device, or Server. Many paths. It can be paralyzing, this is where experience comes in.

Servers have anti-abuse mechanisms you can trip. This one doesn't.

swiftonsecurity.com•42 days ago

To emulate often limited information and collection abilities early in an incident, we're going to launch Wireshark to inspect the network before doing other basic troubleshooting. Start somewhere you can!

"But SSH is encrypted."

Troubleshooting is often connecting metadata.

swiftonsecurity.com•42 days ago

"I don't know what I'm looking for, but I'll know it when I see it."

I have never troubleshooted WinSCP or SSH before, Wireshark for years but don't use often, and my networking is really fundamentals and "weird stuff I've run into."

Importantly, I know what Normal looks like.

mwrightnuknowit.bsky.social•42 days ago

Mmm yes had the whole concerned IT dept down in the comp
Lab when we were trying out Wireshark for a computer lab at college didn’t get far they had us shut it down

holir.bsky.social•42 days ago

Definitely had that happen.

borgly.bsky.social•42 days ago

I used to use HPN-SSH for this kind of thing, vanilla SSH is indeed annoying that way.

chunkylumplump.bsky.social•42 days ago

You're not using Linux???

borgly.bsky.social•42 days ago

I believe Tay uses a VMS derivative (more a clean sheet refactor?) that predates Linux.

chunkylumplump.bsky.social•42 days ago

CP/M on a Sperry Reel

cpm5280.bsky.social•42 days ago

lol. :)

the-angry-dev.bsky.social•41 days ago

While I get what you might be going for here, I think you are doing a bit of a disservice by jumping straight to Wireshark and making this seem more intimidating than most issues really are. 6 connections doesn't work? How about 5? No? 4. Okay that works. What blocks multiple connections? Ok go.

the-angry-dev.bsky.social•41 days ago

There's no reason to over complicate your troubleshooting until you need to. If there were no firewall rules or other obvious things blocking it then you open Wireshark to see where it's dying.

altcybersecurity.bsky.social•40 days ago

While I agree from a "get shit fixed fastest" perspective, from a "learn tools" perspective this is more educational

the-angry-dev.bsky.social•40 days ago

Yeah I maybe didn't state it initially as clearly, but I was meaning more to just clarify that this problem doesn't necessarily require Wireshark but can be used as an example to walk through how Wireshark can be used to troubleshoot an issue. Not that it was a bad walkthrough or anything

stefan2008.bsky.social•42 days ago

📌 sshd

bobherc.bsky.social•41 days ago

📌

raenpayne.bsky.social•42 days ago

📌

badbanjo.bsky.social•41 days ago

I also read logs for a living.

altcybersecurity.bsky.social•40 days ago

AU family of controls family

murasorazone.bsky.social•41 days ago

so it's not always DNS? Reminds me of the times I had to temporary allow FTP in firewall because it wouldn't let me receive output otherwise

bandregg.bsky.social•42 days ago

Aeons ago at Red Hat it was this kind of work on the server end that led us to realize on release day that the FTP server “at capacity” message listing mirrors was too long and the final straw in pegging our outbound bandwidth. Changed to 1-line, “see website foo for mirrors” got us working again.

atarifan2600.bsky.social•42 days ago

That’s absolutely the kind of weird stuff that makes for a laugh.

(After it makes the rounds that it’s the network’s fault and maybe the network team should just make these pages work somehow)

jbcden.bsky.social•42 days ago

Great thread, thanks for sharing!

grissallia.bsky.social•42 days ago

"My job is to solve the Weird Problems as the Final escalation tier. I do this with generalist knowledge and practical experience."

Mute this thread? This is extremely my area of interest.

grissallia.bsky.social•42 days ago

Until a couple of years ago, I felt deeply insecure about the fact that I’d been working for 30 years, and had no formal qualifications. I started out in electronics repair in my dad’s repair shop in the mid 1980’s, did a whole bunch of different things, and ended up as a senior support technician.

capt-irrelevant.bsky.social•42 days ago

Recently turned 39, been in IT since 2008, and highest qual is a tertiary cert 4 that I did back then. Still don't yet even have formally done the ITIL 4 essentials exam. I do general Infra/MS scoped helpdesk & M365 admin.

grissallia.bsky.social•42 days ago

What I realised a couple of years ago was that the thing I thought was my biggest weakness, is probably my greatest strength. The beginning with learning how to break systems down into blocks and identify where the issue is likely starting? Service manual block diagrams.

The autistic desire to…

grissallia.bsky.social•42 days ago

…understand how a system fits together? I can visualise where in the path things are breaking down.

The various jobs I’ve done? A breadth of experience with a whole bunch of different systems that I’ve broken down to understand how they fit together.

Now I find myself identifying edge cases.

grissallia.bsky.social•42 days ago

I don’t know who you are, and I don’t know what you want. If it’s money, I don’t have it. What I do have is a set of skills I’ve developed over a long career, skills that drive devs crazy.

If you give me a broken system, I will find an edge case, and I will file a Jira for the devs.

packetlevel2.bsky.social•41 days ago

There's nothing like knowing from the circuit board up - why folks fired from HP I trained kill in forensics - they can /read/ hex and know at the register level what's happening. You can follow the electrons in your mind's eye - knowledge so rare.

packetlevel2.bsky.social•41 days ago

Yes - My original training was on the service manual for IBM 5150, exactly that; is there power at the outlet, is the power cable plugged in at both ends, is the on/off switch in the on position - basically what I teach now - start at one end, work toward the other - up the OSI model from layer 1

packetlevel2.bsky.social•42 days ago

@threadreaderapp unroll

davidsainez.com•42 days ago

I made an app that works on bluesky: https://skywriter.blue/pages/swiftonsecurity.com/post/3lfifzanxes2g

plutonictoast.bsky.social•41 days ago

📌

jkuroda.bsky.social•42 days ago

For once - it wasn’t DNS or BGP.

sirtwi.st•42 days ago

No, but it was the third choice - the firewall. 😊

petrichorange.bsky.social•42 days ago

📌

bonniezilla.bsky.social•42 days ago

I used to be the final Comcast boss at corporate when it came to fixing the unfixable customer issues. I loved the challenge and learning new shit *every day*!

Comments

Posting Rules

Reply