wok-next view sshttp/description.txt @ rev 21487
updated android-platform-tools (19.0.1 -> 30.0.0)
author | Hans-G?nter Theisgen |
---|---|
date | Thu Jun 18 16:12:44 2020 +0100 (2020-06-18) |
parents | |
children |
line source
1 sshttp - hiding SSH servers behind HTTP
2 =======================================
4 ![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg)
6 [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA)
8 # 0. Intro
10 In case your FW policy forbids __SSH__ access to the DMZ or internal
11 network from outside, but you still want to use ssh on machines
12 which only have one open port, e.g. __HTTP__, you can use `sshttpd`.
14 _sshttpd_ can multiplex the following protocol pairs:
16 * SSH/HTTP
17 * SSH/HTTPS
18 * SSH/SMTP (without SMTP multiline banners)
19 * HTTPS SNI multiplexing
20 * SSH/HTTPS with SNI multiplexing
22 # 1. Build
24 Be sure you run recent Linux kernel and install `nf-conntrack` as well
25 as `libcap` and `libcap-devel` if you want to use the capability feature.
27 ```
28 $ make
29 ```
31 There is a new `splice` branch inside the git. `git checkout splice`
32 before `make`, if you want to test this new branch. It implements
33 zero-copy in terms of the __splice(2)__ system call which has a performance
34 benefit since it avoids copying the network data between user and kernel
35 land back and forth (__read()/write()__), which could also just be spliced kernel-internally
36 at the "extra cost" of two additional pipe descriptors per connection.
38 # 2. Setup for single host
40 This paragraph describes the setup where all services run on the same host
41 as _sshttpd_ itself. The muxing happens to the same IP/IP6 address that
42 the outside connects arrive to, so basically just the ports are changing per
43 detected service.
45 _sshttpd_ is an easy to use OSI-Layer5 switching daemon. It runs
46 transparently on __HTTP(S)__ port (`-L` switch, default 80) and decides
47 on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.
48 If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`
49 (`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default
50 22) respectively.
52 You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`
53 are just fine for the SSH/HTTP case) and run it to install the proxy rules.
54 Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.
55 Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch
56 your traffic destinated to TCP port 80:
58 ```
59 # ./nf-setup
60 Using network device eth0
61 Setting up port 22 ...
62 Setting up port 8080 ...
63 # ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
64 sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
65 #
66 ```
68 If you want to mux __SMTP__ with _sshttpd_, just give `25` as `-L` parameter, `2525`
69 as `-H` parameter, and setup your smtp daemon to listen on 2525. Then
70 edit the `nf-setup` script to match these ports. In the `Makefile`, change the
71 `SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must match exactly
72 yours of the running _sshd_).
73 SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.
75 When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`
76 script and invoke _sshttpd_ with `-6`.
78 # 3. Transparent proxy setup
80 You can run _sshttpd_ also on your gateway machine and transparently proxy/mux
81 all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with
82 `-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.
83 Carefully read `nf-tproxy` so you dont lock yourself out of the network and all
84 the network devices and IP addresses match your setup.
86 # 4. SNI Mux
88 With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your
89 `nf-setup` to contain the SNI ports (there are already samples) and invoke
90 _sshttpd_ with `-N name:port` e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`
91 to hide a sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, and at the same time serving
92 your webserver from port 4433 to be visible to outside on port 443.
93 This works because _drops_ sets the SNI of `drops.v2` in outgoing connects.
94 Multiple `-N` switches are allowed so you could mux a lot of services
95 via SNI. The ports/services must run all on the same machine where the original request
96 was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.
98 # 5. Misc
100 You dont need to patch any of your ssh/web/smtp client or server software. It
101 works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.
102 It would work without, but by using `IP_TRANSPARENT` it is possible to even
103 have unmodified syslogs, e.g. the original source IP/port of incoming connections
104 is passed as-is to the SSH/HTTP/SMTP servers.
106 Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.
107 _sshttpd_ is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing
108 measurement.
109 _sshttpd_ has small footprint and was optimized for speed so it also runs
110 on heavily loaded web servers.
112 Since version 0.24, _sshttpd_ also supports multiple CPU cores. Unless
113 `-n 1` is used as switch, _sshttpd_ binds one thread per CPU core,
114 to better exploit the hardware if running on heavily used web servers.
115 It still runs this fixed number of threads no matter how many 1000s connection
116 it handles at the same time.
117 _sshttpd_ runs as `nobody` user inside a `chroot()` (configurable via `-U` and `-R` switch)
118 if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__
119 sessions, you just have to use an `LOCAL_PORT (-L)` of 443 or 4433 and change
120 the `HTTP_PORT` in the `nf-setup` script to match your webservers __HTTPS__ port.
121 You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance but you can
122 run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on
123 `LOCAL_PORT 443`.
125 # 6. Alternative docu
127 As per 2017 it seems you have to provide alternative facts for everything,
128 so here are some good writeups from other people for better understanding or in case my
129 description was too brief:
131 * [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)
132 * [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)
133 * [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)