Difference between revisions of "sslh"
(Created page with "{{Debian}}{{WIP}} == Install == <syntaxhighlight lang="console"> # apt install sslh </syntaxhighlight>") |
(Configuration) |
||
Line 1: | Line 1: | ||
{{Debian}}{{WIP}} | {{Debian}}{{WIP}} | ||
+ | Sslh is a program that allows you to run several programs on port 443. Mainly it allows your [[SSH|SSH server]] and [[Nginx|web server]] to share the same port. | ||
+ | |||
+ | {{Warning}}Using SSH can be a violation of your corporate internet use policy. Please act responsibly. In particular, '''never ever create a reverse tunnel''' from your company network. Also this tool is not disguising SHH traffic as web but simply changing the port and can be easily detected by your network administrator. | ||
== Install == | == Install == | ||
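Review bot: "SHH traffic" in the new warning paragraph is a typo for "SSH traffic". Consider also saying in one clause why detection is easy: sslh only demultiplexes by the protocol it sees on the connection and does not wrap SSH in TLS, so the SSH banner still crosses the network on port 443 exactly as it would on port 22.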
Line 5: | Line 8: | ||
# apt install sslh | # apt install sslh | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | == Configure == | ||
+ | Sslh has several modes of operation. In this tutorial, we will use transparent mode without forks. | ||
+ | |||
+ | === OpenSSH === | ||
+ | We will start by configuring OpenSSH to listen on a second port. We do that by modifying <code>/etc/ssh/ssd_config</code><syntaxhighlight lang="ini"> | ||
+ | # What ports, IPs and protocols we listen for | ||
+ | Port 2200 | ||
+ | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
+ | ListenAddress 203.0.113.23:2200 # direct access | ||
+ | ListenAddress 203.0.113.23:2201 # access through sslh | ||
+ | </syntaxhighlight>You can now [[SSH|restart your ssh server]]. | ||
+ | |||
+ | === Nginx === | ||
+ | Now we will need to free port 443 so that it can be used by sslh. Edit file <code>/etc/nginx/snippets/listen-https.conf</code> and change the port for IPV4<syntaxhighlight lang="nginx"> | ||
+ | listen [2001:db8:3:47d0::2e:7]:443 ssl spdy; | ||
+ | listen 203.0.113.23:4433 ssl spdy; | ||
+ | </syntaxhighlight>Do not restart Nginx yet. | ||
+ | |||
+ | === Routing === | ||
+ | <syntaxhighlight lang="console"> | ||
+ | # iptables -t mangle -N SSLH | ||
+ | # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 2201 --jump SSLH | ||
+ | # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4433 --jump SSLH | ||
+ | # iptables -t mangle -A SSLH --jump MARK --set-mark 0x1 | ||
+ | # iptables -t mangle -A SSLH --jump ACCEPT | ||
+ | # ip rule add fwmark 0x1 lookup 100 | ||
+ | # ip route add local 0.0.0.0/0 dev lo table 100 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Sslh === | ||
+ | Edit file <code>/lib/systemd/system/sslh.service</code> and change <code>/usr/sbin/sslh</code> to <code>/usr/sbin/sslh-select</code>. Here is the file after modification<syntaxhighlight lang="ini"> | ||
+ | [Unit] | ||
+ | Description=SSL/SSH multiplexer | ||
+ | After=network.target | ||
+ | |||
+ | [Service] | ||
+ | EnvironmentFile=/etc/default/sslh | ||
+ | ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS | ||
+ | KillMode=process | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </syntaxhighlight>Next edit file /etc/default/sslh<syntaxhighlight lang="shell"> | ||
+ | # Default options for sslh initscript | ||
+ | # sourced by /etc/init.d/sslh | ||
+ | |||
+ | # Disabled by default, to force yourself | ||
+ | # to read the configuration: | ||
+ | # - /usr/share/doc/sslh/README.Debian (quick start) | ||
+ | # - /usr/share/doc/sslh/README, at "Configuration" section | ||
+ | # - sslh(8) via "man sslh" for more configuration details. | ||
+ | # Once configuration ready, you *must* set RUN to yes here | ||
+ | # and try to start sslh (standalone mode only) | ||
+ | |||
+ | RUN=yes | ||
+ | |||
+ | # binary to use: forked (sslh) or single-thread (sslh-select) version | ||
+ | # systemd users: don't forget to modify /lib/systemd/system/sslh.service | ||
+ | DAEMON=/usr/sbin/sslh-select | ||
+ | |||
+ | DAEMON_OPTS="--user sslh -n --transparent --listen 203.0.113.23:443 --tls 203.0.113.23:4433 --ssh 203.0.113.23:2201 --pidfile /var/run/sslh/sslh.pid" | ||
+ | </syntaxhighlight>Change done from the default are | ||
+ | * <code>RUN=yes</code> Activate the daemon | ||
+ | * <code>DAEMON=/usr/sbin/sslh-select</code> Use the no-fork version | ||
+ | * <code>-n</code> Don't resolve domain name of connecting ip in logs. This allow to not loose time doing a DNS lookup for each new client | ||
+ | * <code>--transparent</code> SSH and webserver will see connection as if it where coming directly from them. In particular, you will get the correct connecting IP address in the logs. | ||
+ | * <code>--listen 203.0.113.23:443</code> IP and port sslh listen to | ||
+ | * <code>--tls 203.0.113.23:4433</code> IP and port of Nginx | ||
+ | * <code>--ssh 203.0.113.23:2201</code> IP and port of OpenSSH | ||
+ | |||
+ | === Start === | ||
+ | You can now restart Nginx and start sslh<syntaxhighlight lang="console"> | ||
+ | # systemctl reload nginx && systemctl start sslh | ||
+ | </syntaxhighlight> | ||
+ | [[Category:Install]] |
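Review bot: the path in the OpenSSH step, <code>/etc/ssh/ssd_config</code>, should be <code>/etc/ssh/sshd_config</code>; a reader who creates the misspelled file will restart sshd without the second <code>ListenAddress</code>, and sslh's <code>--ssh 203.0.113.23:2201</code> target will have nothing listening. Two smaller points in the same hunk: the Routing subsection gives the iptables/ip commands with no explanation, so add a sentence saying that the mangle rules mark replies leaving eth0 from the backend ports (2201 for sshd, 4433 for Nginx) and that the <code>ip rule</code>/<code>ip route</code> pair sends marked packets back through lo to sslh, which also makes clear that any further backend added to <code>DAEMON_OPTS</code> needs its own <code>--sport</code> rule; and since the commands are typed interactively, say how they are made persistent across reboots. Wording: "Change done from the default are" should be "Changes from the default are", "it where coming" should be "it were coming", and "loose time" should be "lose time".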
Revision as of 01:14, 9 January 2016
Warning: These instructions were only tested on Debian. They will probably work for other Linux distributions, but you might need to adapt the provided instructions.
Warning: This page is a work in progress and is not completed. Important information might be missing or wrong.
Sslh is a program that allows you to run several programs on port 443. Mainly it allows your SSH server and web server to share the same port.
Warning: Using SSH can be a violation of your corporate internet use policy. Please act responsibly. In particular, never ever create a reverse tunnel from your company network. Also, this tool does not disguise SSH traffic as web traffic; it simply changes the port, and it can easily be detected by your network administrator.
Install
# apt install sslh
Configure
Sslh has several modes of operation. In this tutorial, we will use transparent mode without forks.
OpenSSH
We will start by configuring OpenSSH to listen on a second port. We do that by modifying /etc/ssh/sshd_config:
# What ports, IPs and protocols we listen for
Port 2200
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 203.0.113.23:2200 # direct access
ListenAddress 203.0.113.23:2201 # access through sslh
You can now restart your ssh server.
Nginx
Now we need to free port 443 so that sslh can use it. Edit the file /etc/nginx/snippets/listen-https.conf and change the port for IPv4:
listen [2001:db8:3:47d0::2e:7]:443 ssl spdy;
listen 203.0.113.23:4433 ssl spdy;
Do not restart Nginx yet.
Routing
In transparent mode sslh connects to the backends using the client's real source address, so the backends' replies would otherwise go straight out of eth0 instead of back to sslh. The rules below mark packets leaving eth0 from the backend ports (2201 for sshd, 4433 for Nginx) and send marked packets through a local route on lo so they return to sslh:
# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 2201 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4433 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
Sslh
Edit file /lib/systemd/system/sslh.service and change /usr/sbin/sslh to /usr/sbin/sslh-select. Here is the file after modification:
[Unit]
Description=SSL/SSH multiplexer
After=network.target
[Service]
EnvironmentFile=/etc/default/sslh
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
KillMode=process
[Install]
WantedBy=multi-user.target
Next edit file /etc/default/sslh
# Default options for sslh initscript
# sourced by /etc/init.d/sslh
# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)
RUN=yes
# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh-select
DAEMON_OPTS="--user sslh -n --transparent --listen 203.0.113.23:443 --tls 203.0.113.23:4433 --ssh 203.0.113.23:2201 --pidfile /var/run/sslh/sslh.pid"
Changes from the default are:
* RUN=yes: activate the daemon
* DAEMON=/usr/sbin/sslh-select: use the no-fork version
* -n: don't resolve the domain name of the connecting IP in logs; this avoids wasting time on a DNS lookup for each new client
* --transparent: SSH and the web server will see the connection as if it were coming directly from the client. In particular, you will get the correct connecting IP address in the logs.
* --listen 203.0.113.23:443: IP and port sslh listens on
* --tls 203.0.113.23:4433: IP and port of Nginx
* --ssh 203.0.113.23:2201: IP and port of OpenSSH
Start
You can now restart Nginx and start sslh
# systemctl reload nginx && systemctl start sslh
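Before starting sslh it is worth checking that the Routing rules and DAEMON_OPTS agree: every backend port sslh forwards to in transparent mode must also be matched by a --sport rule in the mangle chain, otherwise that backend's replies leave eth0 unmarked and never reach the client. The following POSIX shell script is an added example, not part of this wiki page or of sslh itself; it parses a copy of the DAEMON_OPTS line and a constructed listing in the format of iptables -t mangle -S OUTPUT rather than querying the live system.

```shell
#!/bin/sh
# Added example, not from the sslh project or this page: cross-check the
# backend ports named in DAEMON_OPTS against the iptables mangle rules so
# that no backend is left without a fwmark rule in transparent mode.

# Constructed copy of the DAEMON_OPTS line from /etc/default/sslh
DAEMON_OPTS="--user sslh -n --transparent --listen 203.0.113.23:443 --tls 203.0.113.23:4433 --ssh 203.0.113.23:2201 --pidfile /var/run/sslh/sslh.pid"

# Constructed listing in the format of `iptables -t mangle -S OUTPUT`
MANGLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 2201 -j SSLH
-A OUTPUT -o eth0 -p tcp -m tcp --sport 4433 -j SSLH'

# backend_ports OPTS: print the port of every protocol target (--ssh, --tls, ...)
backend_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        /^--(ssh|tls|ssl|http|openvpn|tinc|xmpp|anyprot)$/ { want = 1; next }
        want { sub(/.*:/, ""); print; want = 0 }'
}

# marked_ports RULES: print every --sport that jumps to the SSLH chain
marked_ports() {
    printf '%s\n' "$1" | awk '/-j SSLH/ {
        for (i = 1; i <= NF; i++) if ($i == "--sport") print $(i + 1) }'
}

# unmarked_backends OPTS RULES: print backend ports that have no mangle rule
unmarked_backends() {
    for p in $(backend_ports "$1"); do
        marked_ports "$2" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# check_transparent OPTS RULES: succeed only if every backend port is marked
check_transparent() {
    [ -z "$(unmarked_backends "$1" "$2")" ]
}

if check_transparent "$DAEMON_OPTS" "$MANGLE_RULES"; then
    echo "OK: every sslh backend port has a mangle rule"
else
    echo "MISSING mangle rule for backend port(s):" $(unmarked_backends "$DAEMON_OPTS" "$MANGLE_RULES")
fi
```

On a real host, replace the two constructed variables with `. /etc/default/sslh` and `iptables -t mangle -S OUTPUT` output.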