wok-next annotate sshttp/description.txt @ rev 21050
gparted: implement SliTaz graphical "su" in the right way
Note: it isn't in the *.desktop file anymore (as of gparted-0.32.0); it is inside the /usr/bin/gparted script!
author | Aleksej Bobylev <al.bobylev@gmail.com> |
---|---|
date | Wed Nov 28 12:35:25 2018 +0200 (2018-11-28) |
parents | |
children |
Line source (every line of the file below was last changed in rev al@20472):
sshttp - hiding SSH servers behind HTTP
=======================================

![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg)

[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA)

# 0. Intro

In case your FW policy forbids __SSH__ access to the DMZ or internal
network from outside, but you still want to use ssh on machines
which only have one open port, e.g. __HTTP__, you can use `sshttpd`.

_sshttpd_ can multiplex the following protocol pairs:

* SSH/HTTP
* SSH/HTTPS
* SSH/SMTP (without SMTP multiline banners)
* HTTPS SNI multiplexing
* SSH/HTTPS with SNI multiplexing

# 1. Build

Be sure you run a recent Linux kernel and install `nf-conntrack` as well
as `libcap` and `libcap-devel` if you want to use the capability feature.

```
$ make
```

There is a new `splice` branch inside the git. `git checkout splice`
before `make` if you want to test this new branch. It implements
zero-copy forwarding via the __splice(2)__ system call, which has a performance
benefit because it avoids copying the network data back and forth between user and kernel
land (__read()/write()__): the data is spliced kernel-internally instead,
at the "extra cost" of two additional pipe descriptors per connection.

# 2. Setup for single host

This paragraph describes the setup where all services run on the same host
as _sshttpd_ itself. The muxing happens to the same IP/IPv6 address that
the outside connections arrive at, so basically just the destination port changes per
detected service.

_sshttpd_ is an easy to use OSI-Layer5 switching daemon. It runs
transparently on the __HTTP(S)__ port (`-L` switch, default 80) and decides
on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.
If it's __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`
(`-H`, default 8080) and if it's __SSH__ traffic to `SSH_PORT` (`-S`, default
22) respectively.

You need to edit the `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`
are just fine for the SSH/HTTP case) and run it to install the proxy rules.
Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.
That's basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch
your traffic destined to TCP port 80:

```
# ./nf-setup
Using network device eth0
Setting up port 22 ...
Setting up port 8080 ...
# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
#
```

If you want to mux __SMTP__ with _sshttpd_, just give `25` as the `-L` parameter, `2525`
as the `-H` parameter, and set up your SMTP daemon to listen on 2525. Then
edit the `nf-setup` script to match these ports. In the `Makefile`, change
`SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must exactly match
the banner of your running _sshd_).
SMTP/SSH muxing was tested with the OpenSSH client and Postfix as client and server.

When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`
script and invoke _sshttpd_ with `-6`.

# 3. Transparent proxy setup

You can also run _sshttpd_ on your gateway machine and transparently proxy/mux
all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with
`-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.
Carefully read `nf-tproxy` so you don't lock yourself out of the network, and make sure all
the network devices and IP addresses match your setup.

# 4. SNI Mux

With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your
`nf-setup` to contain the SNI ports (there are already samples) and invoke
_sshttpd_ with `-N name:port`, e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`
to hide an sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, while at the same time serving
your webserver from port 4433 so it is visible to the outside on port 443.
This works because _drops_ sets the SNI of `drops.v2` in outgoing connects.
Multiple `-N` switches are allowed, so you could mux a lot of services
via SNI. The ports/services must all run on the same machine where the original request
was destined to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.
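The per-connection decision sshttpd makes (section 2) and the SNI lookup behind `-N name:port` (this section), as an added Python example that is not sshttp's own code: `classify()` guesses the protocol from the client's first bytes, `parse_sni()` walks a TLS ClientHello to its server_name extension, and `route()` turns the result into a port the way `-S 22 -H 4433 -L 443 -N drops.v2:7350` would. The ClientHello used as input is constructed by `build_client_hello()`; dropping SSH traffic under `-S 0` is this example's assumption, not sshttpd's documented behaviour.

```python
import struct

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS",
                b"PATCH", b"CONNECT", b"TRACE")


def classify(first_bytes: bytes) -> str:
    """Layer-5 guess from the first bytes a client sends.

    SSH, HTTP and TLS clients all speak first, so one read is enough.
    An SMTP client waits for the server's 220 greeting instead, so this
    sniffing approach alone cannot cover the SMTP case.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: ContentType handshake (0x16), version major 0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def parse_sni(data: bytes):
    """Return the host_name from a complete TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:            # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                      # fragmented: caller needs more bytes
        return None
    pos = 2 + 32                                # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                        # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5 and pos + elen <= end:     # server_name (0)
            _list_len, name_type, name_len = struct.unpack("!HBH", body[pos:pos + 5])
            if name_type == 0 and pos + 5 + name_len <= end:   # NameType host_name
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def route(first_bytes: bytes, ssh_port: int, http_port: int, sni_ports: dict):
    """Port decision modelled on `-S ssh_port -H http_port -N name:port ...`.

    None means "drop". Dropping SSH when ssh_port is 0 is an assumption of
    this example; sshttpd's own handling of that case is not documented here.
    """
    kind = classify(first_bytes)
    if kind == "ssh":
        return ssh_port or None
    if kind == "tls":
        return sni_ports.get(parse_sni(first_bytes), http_port)   # no/unknown SNI: web server
    if kind == "http":
        return http_port
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension (test input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                      # version, all-zero random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("drops.v2")
    print(classify(b"SSH-2.0-OpenSSH_9.6\r\n"), classify(b"GET / HTTP/1.1\r\n"), classify(hello))
    print(parse_sni(hello), route(hello, 22, 4433, {"drops.v2": 7350}))
```

Note that `parse_sni()` refuses to guess on a truncated record: a real mux has to keep reading until the whole ClientHello is in hand, otherwise a client that fragments its hello would be misrouted to the web server. The SMTP pair is the odd one out because the client waits for the server's greeting, so nothing arrives to sniff; that is the reason the SMTP setup above involves the compiled-in `SMTP_DOMAIN` and `SSH_BANNER`.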

# 5. Misc

You don't need to patch any of your ssh/web/smtp client or server software. It
works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.
It would work without it, but by using `IP_TRANSPARENT` it is possible to keep even
the syslogs unmodified, i.e. the original source IP/port of incoming connections
is passed as-is to the SSH/HTTP/SMTP servers. This is also why the `nf-setup` rules are required:
the backends answer to that spoofed client address, and their replies have to be routed back to _sshttpd_ instead of leaving the host.
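To make the `-S`/`-L`/`-H` switching of section 2 and the `IP_TRANSPARENT` source preservation described above concrete, here is an added Python sketch of what a layer-5 mux does at the socket level. It is not sshttp's code (sshttpd is written in C++); the port numbers, the stand-in backends and the client openers are constructed for a loopback demo, and the `preserve_source` path stays off in that demo because binding to a foreign address needs CAP_NET_ADMIN plus the routing rules that `nf-setup` installs.

```python
import asyncio
import socket

# Illustrative only (assumption); sshttpd's defaults are -L 80, -S 22, -H 8080.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)   # Linux socket option value 19


def pick_backend(first_bytes: bytes, ssh_port: int, http_port: int) -> int:
    """SSH clients announce themselves with 'SSH-'; everything else belongs to the web server."""
    return ssh_port if first_bytes.startswith(b"SSH-") else http_port


async def _pump(reader, writer):
    """Copy one direction until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


async def _connect_backend(port: int, client_addr, preserve_source: bool):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if preserve_source:
        # Bind to the *client's* address so the backend logs the real peer.
        # Needs CAP_NET_ADMIN and fwmark/policy routing (nf-setup) so the
        # backend's replies to that address come back to this process.
        sock.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        sock.bind(client_addr)
    sock.setblocking(False)
    try:
        await asyncio.get_running_loop().sock_connect(sock, ("127.0.0.1", port))
    except OSError:
        sock.close()
        raise
    return await asyncio.open_connection(sock=sock)


async def mux_connection(reader, writer, ssh_port, http_port, preserve_source=False):
    """Read a few bytes, choose the backend, replay those bytes, then splice both ways."""
    first = await reader.read(8)              # enough for 'SSH-2.0-' or 'GET / HT'
    port = pick_backend(first, ssh_port, http_port)
    try:
        b_reader, b_writer = await _connect_backend(
            port, writer.get_extra_info("peername"), preserve_source)
    except OSError:
        writer.close()
        return
    b_writer.write(first)                     # the backend must see the bytes we consumed
    await b_writer.drain()
    await asyncio.gather(_pump(reader, b_writer), _pump(b_reader, writer))


async def _fake_backend(banner: bytes, speaks_first: bool):
    """Constructed stand-in: sshd greets unprompted, a web server answers a request."""
    async def handle(r, w):
        if not speaks_first:
            await r.read(4096)
        w.write(banner)
        await w.drain()
        if speaks_first:
            await r.read(4096)
        w.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)


async def _client(port: int, payload: bytes) -> bytes:
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(payload)
    await w.drain()
    reply = await r.read(4096)
    w.close()
    return reply


async def demo() -> dict:
    """Loopback run with constructed backends: maps each client opener to the reply it got."""
    sshd = await _fake_backend(b"SSH-2.0-fake_sshd\r\n", True)
    httpd = await _fake_backend(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n", False)
    ssh_port = sshd.sockets[0].getsockname()[1]
    http_port = httpd.sockets[0].getsockname()[1]
    mux = await asyncio.start_server(
        lambda r, w: mux_connection(r, w, ssh_port, http_port), "127.0.0.1", 0)
    local_port = mux.sockets[0].getsockname()[1]     # plays the role of -L
    replies = {}
    for opener in (b"SSH-2.0-OpenSSH_9.6\r\n", b"GET / HTTP/1.0\r\n\r\n"):
        replies[opener] = await _client(local_port, opener)
    for srv in (sshd, httpd, mux):
        srv.close()
    return replies


def run_demo() -> dict:
    return asyncio.run(asyncio.wait_for(demo(), 10))
```

The one-event-loop shape is also why a daemon like this can serve thousands of connections with a fixed number of threads: every connection is just two readers and two writers parked on the loop. The trade-off that sshttpd's `splice` branch addresses is visible in `_pump()`, which copies every byte through user space.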

Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.
_sshttpd_ is also a tricky anti-SSH-0day (if ever:) and anti-SSH-scanning/bruteforcing
measure. Note that it only hides _sshd_ from scanners; it does not change how _sshd_
authenticates, so keep that hardened as usual.
_sshttpd_ has a small footprint and was optimized for speed, so it also runs
on heavily loaded web servers.

Since version 0.24, _sshttpd_ also supports multiple CPU cores. Unless
`-n 1` is used as a switch, _sshttpd_ binds one thread per CPU core,
to better exploit the hardware if running on heavily used web servers.
It still runs this fixed number of threads no matter how many thousands of connections
it handles at the same time.
_sshttpd_ runs as the `nobody` user inside a `chroot()` (configurable via the `-U` and `-R` switches)
if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__
sessions; you just have to use a `LOCAL_PORT (-L)` of 443 or 4433 and change
the `HTTP_PORT` in the `nf-setup` script to match your webserver's __HTTPS__ port.
You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance, but you can
run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on
`LOCAL_PORT 443`.

# 6. Alternative docu

As of 2017 it seems you have to provide alternative facts for everything,
so here are some good writeups from other people, for better understanding or in case my
description was too brief:

* [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)
* [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)
* [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)