wok-next diff sshttp/description.txt @ rev 21469

updated tinc (1.0.25 -> 1.0.36)
author Hans-Günter Theisgen
date Wed May 13 07:41:00 2020 +0100 (2020-05-13)
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/sshttp/description.txt	Wed May 13 07:41:00 2020 +0100
     1.3 @@ -0,0 +1,133 @@
     1.4 +sshttp - hiding SSH servers behind HTTP
     1.5 +=======================================
     1.6 +
     1.7 +![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg)
     1.8 +
     1.9 +[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA)
    1.10 +
    1.11 +# 0. Intro
    1.12 +
    1.13 +In case your FW policy forbids __SSH__ access to the DMZ or internal
    1.14 +network from outside, but you still want to use ssh on machines
    1.15 +which only have one open port, e.g. __HTTP__, you can use `sshttpd`.
    1.16 +
    1.17 +_sshttpd_ can multiplex the following protocol pairs:
    1.18 +
    1.19 +* SSH/HTTP
    1.20 +* SSH/HTTPS
    1.21 +* SSH/SMTP (without SMTP multiline banners)
    1.22 +* HTTPS SNI multiplexing
    1.23 +* SSH/HTTPS with SNI multiplexing
    1.24 +
    1.25 +# 1. Build
    1.26 +
    1.27 +Be sure you run recent Linux kernel and install `nf-conntrack` as well
    1.28 +as `libcap` and `libcap-devel` if you want to use the capability feature.
    1.29 +
    1.30 +```
    1.31 +$ make
    1.32 +```
    1.33 +
    1.34 +There is a new `splice` branch inside the git. `git checkout splice`
    1.35 +before `make`, if you want to test this new branch. It implements
    1.36 +zero-copy in terms of the __splice(2)__ system call which has a performance
    1.37 +benefit since it avoids copying the network data between user and kernel
    1.38 +land back and forth (__read()/write()__), which could also just be spliced kernel-internally
    1.39 +at the "extra cost" of two additional pipe descriptors per connection.
    1.40 +
    1.41 +# 2. Setup for single host
    1.42 +
    1.43 +This paragraph describes the setup where all services run on the same host
    1.44 +as _sshttpd_ itself. The muxing happens to the same IP/IP6 address that
    1.45 +the outside connects arrive to, so basically just the ports are changing per
    1.46 +detected service.
    1.47 +
    1.48 +_sshttpd_ is an easy to use OSI-Layer5 switching daemon. It runs
    1.49 +transparently on __HTTP(S)__ port (`-L` switch, default 80) and decides
    1.50 +on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.
    1.51 +If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`
    1.52 +(`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default
    1.53 +22) respectively.
    1.54 +
    1.55 +You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`
    1.56 +are just fine for the SSH/HTTP case) and run it to install the proxy rules.
    1.57 +Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.
    1.58 +Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch
    1.59 +your traffic destinated to TCP port 80:
    1.60 +
    1.61 +```
    1.62 +# ./nf-setup
    1.63 +Using network device eth0
    1.64 +Setting up port 22 ...
    1.65 +Setting up port 8080 ...
    1.66 +# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
    1.67 +sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
    1.68 +#
    1.69 +```
    1.70 +
    1.71 +If you want to mux __SMTP__ with _sshttpd_, just give `25` as `-L` parameter, `2525`
    1.72 +as `-H` parameter, and setup your smtp daemon to listen on 2525. Then
    1.73 +edit the `nf-setup` script to match these ports. In the `Makefile`, change the
    1.74 +`SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must match exactly
    1.75 +yours of the running _sshd_).
    1.76 +SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.
    1.77 +
    1.78 +When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`
    1.79 +script and invoke _sshttpd_ with `-6`.
    1.80 +
    1.81 +# 3. Transparent proxy setup
    1.82 +
    1.83 +You can run _sshttpd_ also on your gateway machine and transparently proxy/mux
    1.84 +all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with
    1.85 +`-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.
    1.86 +Carefully read `nf-tproxy` so you dont lock yourself out of the network and all
    1.87 +the network devices and IP addresses match your setup.
    1.88 +
    1.89 +# 4. SNI Mux
    1.90 +
    1.91 +With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your
    1.92 +`nf-setup` to contain the SNI ports (there are already samples) and invoke
    1.93 +_sshttpd_ with `-N name:port` e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`
    1.94 +to hide a sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, and at the same time serving
    1.95 +your webserver from port 4433 to be visible to outside on port 443.
    1.96 +This works because _drops_ sets the SNI of `drops.v2` in outgoing connects.
    1.97 +Multiple `-N` switches are allowed so you could mux a lot of services
    1.98 +via SNI. The ports/services must run all on the same machine where the original request
    1.99 +was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.
   1.100 +
   1.101 +# 5. Misc
   1.102 +
   1.103 +You dont need to patch any of your ssh/web/smtp client or server software. It
   1.104 +works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.
   1.105 +It would work without, but by using `IP_TRANSPARENT` it is possible to even
   1.106 +have unmodified syslogs, e.g. the original source IP/port of incoming connections
   1.107 +is passed as-is to the SSH/HTTP/SMTP servers.
   1.108 +
   1.109 +Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.
   1.110 +_sshttpd_ is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing
   1.111 +measurement.
   1.112 +_sshttpd_ has small footprint and was optimized for speed so it also runs
   1.113 +on heavily loaded web servers.
   1.114 +
   1.115 +Since version 0.24, _sshttpd_ also supports multiple CPU cores. Unless
   1.116 +`-n 1` is used as switch, _sshttpd_ binds one thread per CPU core,
   1.117 +to better exploit the hardware if running on heavily used web servers.
   1.118 +It still runs this fixed number of threads no matter how many 1000s connection
   1.119 +it handles at the same time.
   1.120 +_sshttpd_ runs as `nobody` user inside a `chroot()` (configurable via `-U` and `-R` switch)
   1.121 +if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__
   1.122 +sessions, you just have to use an `LOCAL_PORT (-L)` of 443 or 4433 and change
   1.123 +the `HTTP_PORT` in the `nf-setup` script to match your webservers __HTTPS__ port.
   1.124 +You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance but you can
   1.125 +run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on
   1.126 +`LOCAL_PORT 443`.
   1.127 +
   1.128 +# 6. Alternative docu
   1.129 +
   1.130 +As per 2017 it seems you have to provide alternative facts for everything,
   1.131 +so here are some good writeups from other people for better understanding or in case my
   1.132 +description was too brief:
   1.133 +
   1.134 +* [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)
   1.135 +* [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)
   1.136 +* [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)
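Review bot: the commit message says "updated tinc (1.0.25 -> 1.0.36)", but this hunk creates a new, unrelated file `sshttp/description.txt`; please split it into its own commit or correct the message so the history stays searchable. Within the hunk, the file is a verbatim copy of the upstream README, so lines 1.7 and 1.9 (the `sshttp.jpg` image and the PayPal donate button) add nothing to a package description and should be dropped. Also, the privilege drop shown at line 1.66 (`-U nobody -R /var/empty`) only takes effect if the binary is built with `USE_CAPS` (line 1.120), and the example at lines 1.62-1.66 still requires root for `nf-setup` and for binding port 80; the description should state whether this package enables `USE_CAPS` and depends on `libcap`, otherwise a user following lines 1.58-1.66 will get a daemon running as root without the chroot the text promises. Finally, the `nf_conntrack_ipv4`/`nf_conntrack_ipv6` module names at line 1.109 do not exist as separate modules on recent kernels (they were merged into `nf_conntrack`), so the "recent Linux kernel" requirement at line 1.27 and the module list at line 1.109 contradict each other; suggest noting that only `nf_conntrack` needs loading on current kernels.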