FlexMcMurphy
Posts: 59
Joined: Mon May 19, 2014 3:47 pm

sshttp - https/ssh demultiplexer - How to install on Pi

Mon Apr 16, 2018 10:57 am

Hello,

I have a Pi3 running Raspbian Stretch released on 17th March 2018.

I have an interesting project I'm trying to get working and am hoping to get help please!

I want to ssh to my Pi from outside my LAN on port 443 because port 22 is locked down.. but port 443 is already being used for my webserver.

There are a few solutions on the web that can distinguish between ssh and https traffic coming through your router on the same port (443)

One such tool is sshttp which is pretty cool, it monitors network traffic connection states at the level of the linux kernel and can demultiplex ssh traffic from https traffic coming in on the same port.

Here are several links explaining how to set it up:

sshttp on GitHub -- https://github.com/stealth/sshttp

Multiplex SSH and HTTPS on a single port - http://yalis.fr/cms/index.php/post/2014 ... ingle-port

SSH/HTTP(S) multiplexing with sshttp - https://blog.stalkr.net/2012/02/sshhttp ... shttp.html

Setting up sshttp - http://blog.wrouesnel.com/articles/Sett ... %20sshttp/

I got as far as make'ing it but I am missing modules... so I need to install: nf-conntrack as well as libcap and libcap-devel.

I am trying to install nf-conntrack but I think maybe it's now called: conntrack but I'm not sure if it can be installed on Raspbian.

Can someone show me how to install these modules?

Thank you,

Flex

FlexMcMurphy
Posts: 59
Joined: Mon May 19, 2014 3:47 pm

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Mon Apr 16, 2018 11:50 am

OK, I think I figured it out: the nf_conntrack and nf_conntrack_ipv4 modules are already installed, they just needed to be loaded:
[Attachment: Loading nf_conntrack modules.png]

Now I need to install:
libcap
and
libcap-devel

I'm going to try:


sudo apt-get install libcap2
Flex

FlexMcMurphy
Posts: 59
Joined: Mon May 19, 2014 3:47 pm

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Wed Apr 18, 2018 12:55 am

Hello,

I have been unable to run sshttp. It is designed to work as a transparent proxy: https://www.kernel.org/doc/Documentatio ... tproxy.txt

... that requires two kernel modules: xt_TPROXY.ko and nf_tproxy_core.ko to interact with iptables to mark and re-route network packets.

xt_TPROXY.ko is in /lib/modules but nf_tproxy_core.ko is not. I updated my Pi 3 to the latest Raspbian kernel and downloaded the source and header files however there is no sign of the source code or header for nf_tproxy_core.

Does anyone know if support for this module has been removed from Raspbian for any reason or is there a way to get the necessary sources and compile/make them for my Raspbian?

Thank you,

Flex

tpyo kingg
Posts: 119
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sun Apr 22, 2018 10:23 am

An alternative, sslh, is available in the Raspbian repositories. According to one of the blog posts about both, the main difference seems to be the use of the IP_TRANSPARENT flag in sshttp.

Does it have the functionality you are looking for?

FlexMcMurphy
Posts: 59
Joined: Mon May 19, 2014 3:47 pm

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sun Apr 22, 2018 12:08 pm

Hello!

Actually I've given up on sshttp and moved on to sslh... it supports transparent proxying now as well. If you install sslh with: sudo apt-get sslh it works and it is cool how you can send web and ssh traffic through port 443 at the same time. However to get the transparent proxying working requires a bit more tweaking.

However I can look at my logs and see quite a few random log-in requests to my ssh server from random people so I will need something like fail2ban which won't work without transparent proxy support... I need the logs to show the ip address of the requester and not just "localhost". But of course I'm having lots of trouble figuring that out too!

Seems to me the linux world of computer hacking projects is really great... I don't expect perfect software from a community of enthusiasts but things like documentation and simple to follow explanations are sorely lacking... really frustrating how an audience with less technical ability is totally left out.

Flex

fit
Posts: 8
Joined: Sat Feb 21, 2015 6:03 am
Location: Buenos Aires, Argentina

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Fri May 25, 2018 9:30 pm

hi.

I think we have the same trouble.
I was using sshttp OK on Raspbian (Debian Wheezy) for years with transparent proxy support. I logged every external IP in my logs.

But I just migrated from Wheezy to Jessie (I was using an RPi2 and now I want to use an RPi3) and I lost that transparent function!!!! So I'm using sslh but, like you, cannot get transparent proxy to work.

If you have any advance on this, please post it; I'll post to you if I make sshttp or sslh work with transparent proxy on Jessie (or maybe I'll try it directly on Stretch).

good luck!
bye!

FlexMcMurphy
Posts: 59
Joined: Mon May 19, 2014 3:47 pm

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Fri May 25, 2018 10:28 pm

Hello,

Yes I got Transparent Proxying to work with SSLH and iptables is not needed at all. Instead this solution just uses the linux kernel IP routing table. By the way, if you think you need Transparent Proxy support to make SSLH work with Fail2Ban, that is totally unnecessary because the log file still contains the IP address of anyone connecting to SSLH anyway.

Commands to set up (and remove) the route and rules are added to the sslh systemd service so they are created when sslh starts and removed when sslh stops. Any feedback about whether it is safe or wise to do it this way much appreciated! I use a raspberry pi running Raspbian which is like Debian Stretch. sslh, apache2 and sshd are all running on the same Pi which is connected by ethernet cable to my router.

Update the systemd sslh.service file:


$ systemctl stop sslh
$ nano /lib/systemd/system/sslh.service


[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)
 
[Service]
ExecStart=/usr/local/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process
 
# Set routing rules/route automatically on sslh service start
PermissionsStartOnly=true
 
# Add the ip rules and route to enable Transparent Proxy
ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 100
ExecStartPre=/sbin/ip rule add from 127.0.0.2/32 table 100
ExecStartPre=/sbin/ip route flush cache
 
# Remove the ip rules and route used for Transparent Proxy
ExecStopPost=/sbin/ip rule del fwmark 0x1 lookup 100
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 100
ExecStopPost=/sbin/ip rule del from 127.0.0.2/32 table 100
ExecStopPost=/sbin/ip route flush cache
 
[Install]
WantedBy=multi-user.target

Update the sslh configuration file:


$ nano /etc/sslh/sslh.cfg


verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";
 
# Change hostname with your external address name.
listen:
(
{ host: "192.168.1.124"; port: "4433"; }
);
 
# this solution was recommended from: wiki.techunit.org/SSLH
protocols:
(
        { name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "1022"; log_level: 1; },
        { name: "ssl"; host: "127.0.0.2"; port: "444"; log_level: 1; }
);
In my setup sslh is installed on the machine with ip: 192.168.1.124 and listens on port 4433. I set up port forwarding on my router from external port 443 to internal port 4433. sslh sends de-multiplexed traffic to the web server on port 444 and the ssh server on port 1022, addressing them as though they are on ip address: 127.0.0.2. I don't know if this is a good strategy or if something might break this solution.

I added port 1022 to sshd config: /etc/ssh/sshd_config and in apache2 I updated ports.conf like this:

/etc/apache2/ports.conf

Replace:
Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

With:
Listen 80

<IfModule ssl_module>
Listen 443
Listen 127.0.0.2:444
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
Listen 127.0.0.2:444
</IfModule>

I also duplicated the VirtualHost definitions for my website… one starts with <VirtualHost 127.0.0.2:444> and the other with <VirtualHost _default_:443>. This makes apache2 listen on ports 444 and 443. With sslh running, web traffic goes to apache on port 444, but if I want to turn off sslh for some reason then I only have to switch the port forwarding in my router.

Capabilities
sslh needs extended rights to perform Transparent Proxying:
• If you want to run it as the sslh user then you'll need to give the sslh binary CAP_NET_ADMIN capabilities:
• $ setcap cap_net_bind_service,cap_net_admin+pe
• Then you have to run sslh as the sslh user
• It is NOT recommended to run sslh as root.
• If you are using a binary that was compiled with the USELIBCAP=1 then the necessary capabilities are given to the sslh user automatically!

Here is how to give capabilities via filesystem (if you are not using an SSLH binary that was compiled with USELIBCAP=1)
$ setcap cap_net_bind_service,cap_net_admin+pe /usr/local/sbin/sslh
-- Take away the capabilities
$ setcap cap_net_bind_service,cap_net_admin-pe /usr/local/sbin/sslh
-- Check what capabilities sslh has
$ getcap /usr/local/sbin/sslh

What are you using SSLH for?

Now I use SSLH with sTunnel4 to SSH (tls encrypted) and HTTPS together over port 443.

Let me know if you have any further questions.

Flex
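A checker for the pieces this post's setup depends on, added here as an example and not taken from the thread or from sslh itself: it confirms that both ip rules, the table 100 local route, and the transparent/127.0.0.2 settings in sslh.cfg are present, taking command output as strings so it can run against live output (as root) or against saved output. Table 100, fwmark 0x1 and the 127.0.0.2 backend address are assumed to match the unit file and sslh.cfg above.

```shell
#!/bin/sh
# Added example (not code from the thread or the sslh project): verify the
# policy-routing plumbing that sslh's transparent mode relies on.
# Assumptions: table 100, fwmark 0x1 and backends on 127.0.0.2, as in the
# sslh.service and sslh.cfg shown in the post above.

# $1 = output of `ip rule show`. Both rules the unit file adds must exist.
rules_ok() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100' &&
    printf '%s\n' "$1" | grep -q 'from 127.0.0.2 lookup 100'
}

# $1 = output of `ip route show table 100`. Everything must be a local route
# via lo; older iproute2 prints "0.0.0.0/0", newer prints "default".
route_ok() {
    printf '%s\n' "$1" | grep -Eq '^local (0\.0\.0\.0/0|default) dev lo'
}

# $1 = contents of sslh.cfg. Without transparent mode and 127.0.0.2 backends
# the rules above are never hit and the backends see "localhost".
config_ok() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*transparent:[[:space:]]*true;' &&
    printf '%s\n' "$1" | grep -q 'host: "127.0.0.2"'
}

# Prints "ok", or "missing:" followed by each absent piece.
tproxy_status() {
    missing=""
    rules_ok "$1"  || missing="$missing rules"
    route_ok "$2"  || missing="$missing route"
    config_ok "$3" || missing="$missing config"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Live check against the running system (needs root for ip and sslh.cfg):
#   sh tproxy_check.sh --live
if [ "${1:-}" = "--live" ]; then
    tproxy_status "$(ip rule show)" "$(ip route show table 100)" \
                  "$(cat /etc/sslh/sslh.cfg)"
fi
```

If the live check reports "missing: rules route" while sslh is running, the ExecStartPre lines are not being applied and the backends will keep logging 127.0.0.1.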

fit
Posts: 8
Joined: Sat Feb 21, 2015 6:03 am
Location: Buenos Aires, Argentina

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sat May 26, 2018 1:37 am

OK Flex, first of all many thanks.

I applied your solution with sslh and it works, but I noticed that https/ssh (tls) are not logging the original IP. Just http. That's an advance, but I need to log the original IP with the tls service too. I'm asking myself if that's the reason you are using stunnel.

My setup and my reasons are very similar to yours.

rpi3 + jessie + apache2 + sshd + fail2ban

Your solution was working until I tried to enable Transparent Proxy with CAP_NET_ADMIN via setcap cap_net_bind_service,cap_net_admin+pe /usr/local/sbin/sslh

Now I cannot connect from outside (internet) to my network (it's not a big problem because I'm at the server's keyboard/monitor, so I can retouch the cfgs).

So I tried to remove those capabilities with setcap cap_net_bind_service,cap_net_admin-pe /usr/local/sbin/sslh but if I do "getcap /usr/local/sbin/sslh" I can see an empty path that previously didn't show. So I tried getcap -r /usr/local/sbin/sslh and now it doesn't show anything if I check capabilities with getcap. Then I restarted sshd and sslh, and cannot connect anyway.

It seems that enabling capabilities with setcap broke something. I'm trying to get back to the previous state when it worked at first (without logging the real IP on tls connections), but I don't know how.

Anyway, you helped me a lot with your response; I forgot about sshttp and focused on the new sslh cfg. Interesting!

If you know what's happening to me, I'll appreciate your words.

I can copy to you the log of "systemctl status sslh", when I cannot connect from outside to my sshd.

May 25 22:20:00 xxx.yyy.com sslh[1905]: forward to ssh failed:connect: Connection timed out
May 25 22:20:00 xxx.yyy.com sslh[1905]: connect: Connection timed out

It seems that sslh cannot connect to the sshd service (?)

However I can see the established connection with netstat, but for some reason it can't go any further from there.

tcp 0 1 18x.3x.10.184:43820 127.0.0.1:222 SYN_SENT 2272/sslh
tcp 0 1 18x.3x.10.184:43822 127.0.0.1:222 SYN_SENT 2273/sslh
tcp 0 0 192.168.1.2:444 18x.3x.10.184:43820 ESTABLISHED 2272/sslh
tcp 0 1 18x.3x.10.184:43809 127.0.0.1:222 SYN_SENT 2236/sslh
tcp 0 0 192.168.1.2:444 18x.3x.10.184:43799 ESTABLISHED 2100/sslh

I think the playing around with enabling net capabilities is hung somewhere.

How can I check if my sslh was built with those capabilities, so I don't need to experiment with setcap..?

thanks! =) bye
fit

fit
Posts: 8
Joined: Sat Feb 21, 2015 6:03 am
Location: Buenos Aires, Argentina

Re: sshttp - https/ssh demultiplexer - How to install on Pi

Sat May 26, 2018 5:47 am

Flex, I made it work by adding the rules:

ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add from 127.0.0.2/32 table 100

I didn't know about that, I followed the link inside your example.

Now I'll make those rules permanent.

I didn't need to setcap, my build is already configured with transparent proxy.

many thanks for your help =)

bye!
fit
