wok-next annotate sshttp/description.txt @ rev 21727

created recipe for vbindiff
author Hans-G?nter Theisgen
date Sat Nov 21 14:32:44 2020 +0100 (2020-11-21)
parents
children
rev   line source
al@20472 1 sshttp - hiding SSH servers behind HTTP
al@20472 2 =======================================
al@20472 3
al@20472 4 ![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg)
al@20472 5
al@20472 6 [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA)
al@20472 7
al@20472 8 # 0. Intro
al@20472 9
al@20472 10 In case your FW policy forbids __SSH__ access to the DMZ or internal
al@20472 11 network from outside, but you still want to use ssh on machines
al@20472 12 which only have one open port, e.g. __HTTP__, you can use `sshttpd`.
al@20472 13
al@20472 14 _sshttpd_ can multiplex the following protocol pairs:
al@20472 15
al@20472 16 * SSH/HTTP
al@20472 17 * SSH/HTTPS
al@20472 18 * SSH/SMTP (without SMTP multiline banners)
al@20472 19 * HTTPS SNI multiplexing
al@20472 20 * SSH/HTTPS with SNI multiplexing
al@20472 21
al@20472 22 # 1. Build
al@20472 23
al@20472 24 Be sure you run recent Linux kernel and install `nf-conntrack` as well
al@20472 25 as `libcap` and `libcap-devel` if you want to use the capability feature.
al@20472 26
al@20472 27 ```
al@20472 28 $ make
al@20472 29 ```
al@20472 30
al@20472 31 There is a new `splice` branch inside the git. `git checkout splice`
al@20472 32 before `make`, if you want to test this new branch. It implements
al@20472 33 zero-copy in terms of the __splice(2)__ system call which has a performance
al@20472 34 benefit since it avoids copying the network data between user and kernel
al@20472 35 land back and forth (__read()/write()__), which could also just be spliced kernel-internally
al@20472 36 at the "extra cost" of two additional pipe descriptors per connection.
al@20472 37
al@20472 38 # 2. Setup for single host
al@20472 39
al@20472 40 This paragraph describes the setup where all services run on the same host
al@20472 41 as _sshttpd_ itself. The muxing happens to the same IP/IP6 address that
al@20472 42 the outside connects arrive to, so basically just the ports are changing per
al@20472 43 detected service.
al@20472 44
al@20472 45 _sshttpd_ is an easy to use OSI-Layer5 switching daemon. It runs
al@20472 46 transparently on __HTTP(S)__ port (`-L` switch, default 80) and decides
al@20472 47 on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.
al@20472 48 If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`
al@20472 49 (`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default
al@20472 50 22) respectively.
al@20472 51
al@20472 52 You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`
al@20472 53 are just fine for the SSH/HTTP case) and run it to install the proxy rules.
al@20472 54 Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.
al@20472 55 Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch
al@20472 56 your traffic destinated to TCP port 80:
al@20472 57
al@20472 58 ```
al@20472 59 # ./nf-setup
al@20472 60 Using network device eth0
al@20472 61 Setting up port 22 ...
al@20472 62 Setting up port 8080 ...
al@20472 63 # ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
al@20472 64 sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
al@20472 65 #
al@20472 66 ```
al@20472 67
al@20472 68 If you want to mux __SMTP__ with _sshttpd_, just give `25` as `-L` parameter, `2525`
al@20472 69 as `-H` parameter, and setup your smtp daemon to listen on 2525. Then
al@20472 70 edit the `nf-setup` script to match these ports. In the `Makefile`, change the
al@20472 71 `SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must match exactly
al@20472 72 yours of the running _sshd_).
al@20472 73 SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.
al@20472 74
al@20472 75 When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`
al@20472 76 script and invoke _sshttpd_ with `-6`.
al@20472 77
al@20472 78 # 3. Transparent proxy setup
al@20472 79
al@20472 80 You can run _sshttpd_ also on your gateway machine and transparently proxy/mux
al@20472 81 all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with
al@20472 82 `-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.
al@20472 83 Carefully read `nf-tproxy` so you dont lock yourself out of the network and all
al@20472 84 the network devices and IP addresses match your setup.
al@20472 85
al@20472 86 # 4. SNI Mux
al@20472 87
al@20472 88 With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your
al@20472 89 `nf-setup` to contain the SNI ports (there are already samples) and invoke
al@20472 90 _sshttpd_ with `-N name:port` e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`
al@20472 91 to hide a sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, and at the same time serving
al@20472 92 your webserver from port 4433 to be visible to outside on port 443.
al@20472 93 This works because _drops_ sets the SNI of `drops.v2` in outgoing connects.
al@20472 94 Multiple `-N` switches are allowed so you could mux a lot of services
al@20472 95 via SNI. The ports/services must run all on the same machine where the original request
al@20472 96 was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.
al@20472 97
al@20472 98 # 5. Misc
al@20472 99
al@20472 100 You dont need to patch any of your ssh/web/smtp client or server software. It
al@20472 101 works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.
al@20472 102 It would work without, but by using `IP_TRANSPARENT` it is possible to even
al@20472 103 have unmodified syslogs, e.g. the original source IP/port of incoming connections
al@20472 104 is passed as-is to the SSH/HTTP/SMTP servers.
al@20472 105
al@20472 106 Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.
al@20472 107 _sshttpd_ is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing
al@20472 108 measurement.
al@20472 109 _sshttpd_ has small footprint and was optimized for speed so it also runs
al@20472 110 on heavily loaded web servers.
al@20472 111
al@20472 112 Since version 0.24, _sshttpd_ also supports multiple CPU cores. Unless
al@20472 113 `-n 1` is used as switch, _sshttpd_ binds one thread per CPU core,
al@20472 114 to better exploit the hardware if running on heavily used web servers.
al@20472 115 It still runs this fixed number of threads no matter how many 1000s connection
al@20472 116 it handles at the same time.
al@20472 117 _sshttpd_ runs as `nobody` user inside a `chroot()` (configurable via `-U` and `-R` switch)
al@20472 118 if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__
al@20472 119 sessions, you just have to use an `LOCAL_PORT (-L)` of 443 or 4433 and change
al@20472 120 the `HTTP_PORT` in the `nf-setup` script to match your webservers __HTTPS__ port.
al@20472 121 You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance but you can
al@20472 122 run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on
al@20472 123 `LOCAL_PORT 443`.
al@20472 124
al@20472 125 # 6. Alternative docu
al@20472 126
al@20472 127 As per 2017 it seems you have to provide alternative facts for everything,
al@20472 128 so here are some good writeups from other people for better understanding or in case my
al@20472 129 description was too brief:
al@20472 130
al@20472 131 * [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)
al@20472 132 * [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)
al@20472 133 * [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)