SliTaz Repositories

1 sshttp - hiding SSH servers behind HTTP

2 =======================================

3

4 

5

6 [](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA)

7

8 # 0. Intro

9

10 In case your FW policy forbids __SSH__ access to the DMZ or internal

11 network from outside, but you still want to use ssh on machines

12 which only have one open port, e.g. __HTTP__, you can use `sshttpd`.

13

14 _sshttpd_ can multiplex the following protocol pairs:

15

16 * SSH/HTTP

17 * SSH/HTTPS

18 * SSH/SMTP (without SMTP multiline banners)

19 * HTTPS SNI multiplexing

20 * SSH/HTTPS with SNI multiplexing

21

22 # 1. Build

23

24 Be sure you run recent Linux kernel and install `nf-conntrack` as well

25 as `libcap` and `libcap-devel` if you want to use the capability feature.

26

27 ```

28 $ make

29 ```

30

31 There is a new `splice` branch inside the git. `git checkout splice`

32 before `make`, if you want to test this new branch. It implements

33 zero-copy in terms of the __splice(2)__ system call which has a performance

34 benefit since it avoids copying the network data between user and kernel

35 land back and forth (__read()/write()__), which could also just be spliced kernel-internally

36 at the "extra cost" of two additional pipe descriptors per connection.

37

38 # 2. Setup for single host

39

40 This paragraph describes the setup where all services run on the same host

41 as _sshttpd_ itself. The muxing happens to the same IP/IP6 address that

42 the outside connects arrive to, so basically just the ports are changing per

43 detected service.

44

45 _sshttpd_ is an easy to use OSI-Layer5 switching daemon. It runs

46 transparently on __HTTP(S)__ port (`-L` switch, default 80) and decides

47 on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.

48 If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`

49 (`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default

50 22) respectively.

51

52 You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`

53 are just fine for the SSH/HTTP case) and run it to install the proxy rules.

54 Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.

55 Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch

56 your traffic destinated to TCP port 80:

57

58 ```

59 # ./nf-setup

60 Using network device eth0

61 Setting up port 22 ...

62 Setting up port 8080 ...

63 # ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty

64 sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.

65 #

66 ```

67

68 If you want to mux __SMTP__ with _sshttpd_, just give `25` as `-L` parameter, `2525`

69 as `-H` parameter, and setup your smtp daemon to listen on 2525. Then

70 edit the `nf-setup` script to match these ports. In the `Makefile`, change the

71 `SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must match exactly

72 yours of the running _sshd_).

73 SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.

74

75 When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`

76 script and invoke _sshttpd_ with `-6`.

77

78 # 3. Transparent proxy setup

79

80 You can run _sshttpd_ also on your gateway machine and transparently proxy/mux

81 all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with

82 `-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.

83 Carefully read `nf-tproxy` so you dont lock yourself out of the network and all

84 the network devices and IP addresses match your setup.

85

86 # 4. SNI Mux

87

88 With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your

89 `nf-setup` to contain the SNI ports (there are already samples) and invoke

90 _sshttpd_ with `-N name:port` e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`

91 to hide a sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, and at the same time serving

92 your webserver from port 4433 to be visible to outside on port 443.

93 This works because _drops_ sets the SNI of `drops.v2` in outgoing connects.

94 Multiple `-N` switches are allowed so you could mux a lot of services

95 via SNI. The ports/services must run all on the same machine where the original request

96 was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.

97

98 # 5. Misc

99

100 You dont need to patch any of your ssh/web/smtp client or server software. It

101 works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.

102 It would work without, but by using `IP_TRANSPARENT` it is possible to even

103 have unmodified syslogs, e.g. the original source IP/port of incoming connections

104 is passed as-is to the SSH/HTTP/SMTP servers.

105

106 Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.

107 _sshttpd_ is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing

108 measurement.

109 _sshttpd_ has small footprint and was optimized for speed so it also runs

110 on heavily loaded web servers.

111

112 Since version 0.24, _sshttpd_ also supports multiple CPU cores. Unless

113 `-n 1` is used as switch, _sshttpd_ binds one thread per CPU core,

114 to better exploit the hardware if running on heavily used web servers.

115 It still runs this fixed number of threads no matter how many 1000s connection

116 it handles at the same time.

117 _sshttpd_ runs as `nobody` user inside a `chroot()` (configurable via `-U` and `-R` switch)

118 if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__

119 sessions, you just have to use an `LOCAL_PORT (-L)` of 443 or 4433 and change

120 the `HTTP_PORT` in the `nf-setup` script to match your webservers __HTTPS__ port.

121 You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance but you can

122 run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on

123 `LOCAL_PORT 443`.

124

125 # 6. Alternative docu

126

127 As per 2017 it seems you have to provide alternative facts for everything,

128 so here are some good writeups from other people for better understanding or in case my

129 description was too brief:

130

131 * [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)

132 * [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)

133 * [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)