FlexMcMurphy
Posts: 58
Joined: Mon May 19, 2014 3:47 pm

sshttp - https/ssh demultiplexer - How to install on Pi

Mon Apr 16, 2018 10:57 am

Hello,

I have a Pi3 running Raspbian Stretch released on 17th March 2018.

I have an interesting project I'm trying to get working and am hoping to get help please!

I want to ssh to my Pi from outside my LAN on port 443 because port 22 is locked down... but port 443 is already being used for my webserver.

There are a few solutions on the web that can distinguish between ssh and https traffic coming through your router on the same port (443).

One such tool is sshttp, which is pretty cool: it monitors network traffic connection states at the level of the Linux kernel and can demultiplex ssh traffic from https traffic coming in on the same port.

Here are several links explaining how to set it up:

sshttp on GitHub -- https://github.com/stealth/sshttp

Multiplex SSH and HTTPS on a single port - http://yalis.fr/cms/index.php/post/2014 ... ingle-port

SSH/HTTP(S) multiplexing with sshttp - https://blog.stalkr.net/2012/02/sshhttp ... shttp.html

Setting up sshttp - http://blog.wrouesnel.com/articles/Sett ... %20sshttp/

I got as far as make'ing it but I am missing modules... so I need to install: nf-conntrack as well as libcap and libcap-devel.

I am trying to install nf-conntrack but I think maybe it's now called: conntrack but I'm not sure if it can be installed on Raspbian.

Can someone show me how to install these modules?

Thank you,

Flex
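
The first-bytes test that lets a demultiplexer tell SSH from HTTPS on one port, as an added example that is not part of the thread and is not sshttp or sslh code. The function name, the timeout fallback to SSH and the sample bytes are assumptions constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
TLS_HANDSHAKE, TLS_CLIENT_HELLO, TLS_MAX_RECORD = 0x16, 0x01, 1 << 14


def classify(first_bytes: bytes, timed_out: bool = False) -> str:
    """Return 'ssh', 'tls', 'http', 'unknown' or 'need-more' for a new connection."""
    data = first_bytes
    if not data:
        # A silent client may be an SSH client waiting for the server banner,
        # so this sketch (assumed policy) falls back to SSH once a timer expires.
        return "ssh" if timed_out else "need-more"
    # SSH identification string (RFC 4253): "SSH-protoversion-softwareversion".
    if data.startswith(b"SSH-"):
        return "ssh"
    if data[0] == TLS_HANDSHAKE:
        # TLS record header: type(1) version(2) length(2), then handshake type(1).
        if len(data) < 6:
            return "unknown" if timed_out else "need-more"
        major, _minor, length, hs_type = struct.unpack("!BBHB", data[1:6])
        if major == 3 and 0 < length <= TLS_MAX_RECORD and hs_type == TLS_CLIENT_HELLO:
            return "tls"
        return "unknown"  # looks like TLS but the header is not a sane ClientHello
    if data.startswith(HTTP_METHODS):
        return "http"
    # A short read may be the beginning of a known prefix: wait for more bytes.
    prefixes = (b"SSH-",) + HTTP_METHODS
    if not timed_out and len(data) < 8 and any(p.startswith(data) for p in prefixes):
        return "need-more"
    return "unknown"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "ssh banner": b"SSH-2.0-OpenSSH_7.4p1 Raspbian-10\r\n",
    "tls hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc",
    "plain http": b"GET / HTTP/1.1\r\n",
    "short read": b"SS",
    "bad tls length": b"\x16\x03\x01\xff\xff\x01",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} -> {classify(payload)}")
    print(f"{'silent client':15} -> {classify(b'', timed_out=True)}")
```

A proxy that classifies and relays like this opens its own connection to sshd, so sshd logs the proxy's address unless transparent proxying preserves the client's source IP.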

FlexMcMurphy

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Mon Apr 16, 2018 11:50 am

OK, I think I figured out that the nf_conntrack and nf_conntrack_ipv4 modules are already installed; they just needed to be loaded:

[Attached image: Loading nf_conntrack modules.png]

Now I need to install:
libcap
and
libcap-devel

I'm going to try:

Code:

sudo apt-get install libcap2

Flex

FlexMcMurphy

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Wed Apr 18, 2018 12:55 am

Hello,

I have been unable to run sshttp. It is designed to work as a transparent proxy: https://www.kernel.org/doc/Documentatio ... tproxy.txt

... that requires two kernel modules: xt_TPROXY.ko and nf_tproxy_core.ko to interact with iptables to mark and re-route network packets.

xt_TPROXY.ko is in /lib/modules but nf_tproxy_core.ko is not. I updated my Pi 3 to the latest Raspbian kernel and downloaded the source and header files; however, there is no sign of the source code or header for nf_tproxy_core.

Does anyone know if support for this module has been removed from Raspbian for any reason or is there a way to get the necessary sources and compile/make them for my Raspbian?

Thank you,

Flex

tpyo kingg
Posts: 7
Joined: Mon Apr 09, 2018 5:26 pm

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sun Apr 22, 2018 10:23 am

An alternative, sslh, is available in the Raspbian repositories. According to one of the blog posts about both, the main difference seems to be the use of the IP_TRANSPARENT flag in sshttp.

Does it have the functionality you are looking for?

FlexMcMurphy

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sun Apr 22, 2018 12:08 pm

Hello!

Actually I've given up on sshttp and moved on to sslh... it supports transparent proxying now as well. If you install sslh with: sudo apt-get install sslh it works, and it is cool how you can send web and ssh traffic through port 443 at the same time. However, getting the transparent proxying working requires a bit more tweaking.

However, I can look at my logs and see quite a few random log-in requests to my ssh server from random people, so I will need something like fail2ban, which won't work without transparent proxy support... I need the logs to show the IP address of the requester and not just "localhost". But of course I'm having lots of trouble figuring that out too!

Seems to me the Linux world of computer hacking projects is really great... I don't expect perfect software from a community of enthusiasts but things like documentation and simple to follow explanations are sorely lacking... really frustrating how an audience with less technical ability are totally left out.

Flex
