How to access my linode behind a firewall that blocks port 22?

As the title says,

I need to access my linode behind a firewall that blocks port 22.

The firewall permits traffic on ports 80 and 443. I can't switch my SSH port to 80 or 443 because there is a web server running on my linode.

Is there a way to do some trick to tunnel SSH over HTTP?

I read this guide but I understood nothing:

http://dag.wieers.com/howto/ssh-http-tunneling/

Thanks

55 Replies

Use a network connection that doesn't block port 22?

It has to allow more than just 80 & 443, or you wouldn't get email.

@vonskippy:

It has to allow more than just 80 & 443, or you wouldn't get email.

In fact I can't get my email unless I use the webmail.

@vonskippy:

It has to allow more than just 80 & 443, or you wouldn't get email.

Not all places allow IMAP/POP/SMTP. However I do agree more should be open (unless they have the resources to host their own DNS cache).

sblantipodi, you have four options:

  • Change SSH's port to something you DO have access to

  • Adjust the firewall, or ask someone with firewall access to allow port 22

  • Use LISH from Linode Manager

  • Find a web-based SSH client (they do exist)

@Piki:

@vonskippy:

It has to allow more than just 80 & 443, or you wouldn't get email.

Not all places allow IMAP/POP/SMTP. However I do agree more should be open (unless they have the resources to host their own DNS cache).

sblantipodi, you have four options:

  • Change SSH's port to something you DO have access to

  • Adjust the firewall, or ask someone with firewall access to allow port 22

  • Use LISH from Linode Manager

  • Find a web-based SSH client (they do exist)

I need SSH access to make tunnels; if I have SSH access I can tunnel the email ports, for example. I don't need something like Lish, I need SSH access.

I know that I can tunnel SSH traffic via HTTP; proxytunnel allows this. The only problem is understanding how it works.

Requiring a tunnel narrows you down to the first two options: Change the ssh port, or adjust the firewall to allow it.

Have you considered switching ssh to port 8080? Most places allow it, even if they block everything else.

@Piki:

Requiring a tunnel narrows you down to the first two options: Change the ssh port, or adjust the firewall to allow it.

Have you considered switching ssh to port 8080? Most places allow it, even if they block everything else.

8080 is blocked, and as I mentioned, ports 80 and 443 are already used by Apache.

How about some other port? Any place is almost required to have more than two ports open. If you don't know of any other open ports, you can easily discover them via nmap:

  1. Use Lish to disable (temporarily) your Linode's firewall

  2. Instruct nmap to scan your Linode for ports 1-65535

  3. Do something else while you wait for nmap to finish

  4. If any ports show up that aren't needed on your Linode or local network, pick one and switch ssh to that

Since nmap can't scan through blocked ports, anything blocked by the firewall will appear closed from nmap's perspective, therefore you'll see exactly what's allowed.

@Piki:

How about some other port? Any place is almost required to have more than two ports open. If you don't know of any other open ports, you can easily discover them via nmap:

  1. Use Lish to disable (temporarily) your Linode's firewall

  2. Instruct nmap to scan your Linode for ports 1-65535

  3. Do something else while you wait for nmap to finish

  4. If any ports show up that aren't needed on your Linode or local network, pick one and switch ssh to that

Since nmap can't scan through blocked ports, anything blocked by the firewall will appear closed from nmap's perspective, therefore you'll see exactly what's allowed.

I haven't understood this: if I disable the firewall and nmap my linode, only open ports will be shown (if the firewall doesn't block them),

so it does not seem a good method to discover which ports are "openable".

Are you the one controlling the firewall? If so, open port 22. If not, your options are limited, an HTTP tunnel is your only option (or web-based SSH like Lish or something hosted on your own box).

@sblantipodi:

I haven't understood this: if I disable the firewall and nmap my linode, only open ports will be shown (if the firewall doesn't block them),

so it does not seem a good method to discover which ports are "openable".

nmap doesn't scan for openable ports, it scans for open ports that you can use for ssh.

There is no method to discover openable ports, those are already set by standards governing low-level network protocols. ssh uses the protocol known as TCP, which allows any port from 1 to 65535. Chances are, the firewall at your location has a handful already opened (including 80 and 443), along with some others that you can discover either with a portscanner like nmap, or by asking whomever controls the firewall.

@Piki:

Any place is almost required to have more than two ports open.

Not to a random user machine. This is pretty common at corporations. There will be specific holes for the mail servers, etc, but not to a user machine, and in that case, 80/443 may not even be open, instead they'd be proxied.

You could try using sslh.

http://www.rutschle.net/tech/sslh.shtml

Install AjaxTerm? http://antony.lesuisse.org/software/ajaxterm/

@sblantipodi

If you are accessing your Linode from within a corporate environment, which I am assuming, using an SSH client (PuTTY) would suffice. However, you mention that your linode_box is running a web server and cannot bind sshd to those ports.

Another way is to create the SSH tunnel on other_box, where you have root access to bind to ports 80 or 443. Then the command would be:

ssh -v -4 -L otherbox.example.com:80:linodebox.example.com:22 youruser@otherbox.example.com

This will create a listening port 80 on other_box and forward the connection to port 22 on your linodebox. Then you would use an SSH client to connect to other_box on port 80.

Hope this helps and doesn't confuse you.

Another option is, install ajaxterm or anyterm on your linode web server.

I suggest that all the suggesters understand what the problem is:

  • I can't bind SSH to 80 and 443 because my linode runs a web server

  • I don't have another Linux machine on which to bind SSH to 80 or 443

  • I don't need an AJAX console because I need SSH for tunneling

@sblantipodi:

I suggest that all the suggesters understand what the problem is:

  • I can't bind SSH to 80 and 443 because my linode runs a web server

Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.

I found that I can use port 21.

I switched my SSH to port 21, and now I can connect to SSH without any problems from my corporate network.

The problem is that as soon as I try to tunnel something over my SSH connection, the SSH connection is closed.

Does it depend on my linode or on the corporate firewall?

Thanks.

@kyhwana:

@sblantipodi:

I suggest that all the suggesters understand what the problem is:

  • I can't bind SSH to 80 and 443 because my linode runs a web server

Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.

This is a great find; I installed it on my linode, but how do I use this software now?

I cannot find a guide.

@sblantipodi:

@kyhwana:

@sblantipodi:

I suggest that all the suggesters understand what the problem is:

  • I can't bind SSH to 80 and 443 because my linode runs a web server

Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.

This is a great find; I installed it on my linode, but how do I use this software now?

I cannot find a guide.

Read the readme/website.

@kyhwana:

Read the readme/website.

Readme doesn't help at all…

I'm thinking of a solution that needs no additional software.

I change my 443 SSL port to 8443, and I switch my SSH port to 443.

How can I redirect all HTTPS traffic to 8443 using Apache?

I configured sslh and started it correctly.

I switched the SSL port to 8443 and configured the sslh file;

port 443 is opened by sslh, but when I try to connect to SSH using 443, my server says connection refused (tried also with iptables off).

any idea?

@sblantipodi:

I configured sslh and started it correctly.

I switched the SSL port to 8443 and configured the sslh file;

port 443 is opened by sslh, but when I try to connect to SSH using 443, my server says connection refused (tried also with iptables off).

any idea?

Are you sure sslh is actually running and listening on your external/public interface?

(Paste "sudo netstat -plant")

Hi, my SSH is configured on port 4888.

If I connect from a normal internet connection I can SSH to 4888 without problems.

Now I told sslh to listen on 443 and to redirect the SSH traffic to 4888.

If I SSH to 443, I get connection refused, also from a normal internet connection.

I'm quite sure that sslh is working OK since it redirects my HTTPS traffic to port 8443 correctly.

It also redirects the SSH traffic correctly to the SSH port, but SSH rejects this redirection;

probably I need to configure SSH.

any idea?

OK, I found the mystery.

In my ssh_config file I had:

ListenAddress mylinodepublicip

With this configuration I was not able to use sslh correctly.

Now I changed to

ListenAddress 127.0.0.1

and now it works like a charm.

I have SSL running on 8443, SSH on 4888, and sslh on 443 redirecting SSH and HTTPS traffic correctly to the right port.

Is there a security issue with this way of managing things?

Is there a security issue with

ListenAddress 127.0.0.1

???

I cannot think of any security issue with using 127.0.0.1, or really any IP address you have direct access to on the machine running ssh. However, you can safely run ssh on your Linode without a ListenAddress (just place a # in front of it). ListenAddress is meant primarily for machines with multiple IP addresses where it's more desirable to use only one or two.

Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time.

//just saying//

@vonskippy:

Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time.

//just saying//

I don't manage my hobby, I need to use an email client ;)

@vonskippy:

Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time.

//just saying//

If you're replying to my post, note that I did not mention anything about ports, but instead the listening address. Unless the OP's Linode starts spamming his employer's network, I doubt they'll block his Linode's IP address.

Hence my suggestion to not use a listening address still stands, although this suggestion is entirely safe to ignore :wink:

@Piki:

use a listening address still stands, although this suggestion is entirely safe to ignore :wink:

it seems that you know what ListenAddress is, what is this parameter exactly ?

@sblantipodi:

@Piki:

use a listening address still stands, although this suggestion is entirely safe to ignore :wink:

it seems that you know what ListenAddress is, what is this parameter exactly ?

It's to tell sshd what IP addresses to listen for connections on.

For instance, if you decide to set up your Linode as a shared host, you could purchase a separate IP address for each individual customer. If you don't want those customers to have ssh access, you could have one additional IP address just for yourself (one your customers aren't allowed to use) and make sshd listen only on that reserved address.

This is just an example, there's nothing really stopping those customers from attempting to ssh to your reserved address (or using it for a domain). ListenAddress is probably best used on an internal network, however reasons for using it will vary.

You could bind ssh to port 443 on your IPv6 address and hope the corporate network passes IPv6 traffic.

Purchase a 2nd IPv4 address and bind ssh to port 443 on that new IP address.

Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.

@kangaby:

You could bind ssh to port 443 on your IPv6 address and hope the corporate network passes IPv6 traffic.

Purchase a 2nd IPv4 address and bind ssh to port 443 on that new IP address.

Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.

They inspect traffic, they have some other ports open, and they kill the connection if they don't see HTTPS traffic.

443 is open without any control and I solved it using the multiplexer on that port.

I found a huge problem with this approach.

sslh is a multiplexer that redirects all the incoming traffic on 443 to the correct port.

The huge problem with this approach is that everyone who accesses my HTTPS site is redirected to 8443 (the port where SSL is listening) but with the 127.0.0.1 address.

My logs are full of different people using the HTTPS service, but the only IP address I find in the log now is 127.0.0.1.

This is clear: people connect to the standard HTTPS port (443) and the multiplexer redirects from localhost to 8443.

In this way the logs mean nothing, I cannot trace any IP address, and this is not good at all; fail2ban obviously stopped working too.

Is there a possible solution to this problem?

Any idea?
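A check for this symptom from the log side, as an added example (not from the thread and not sslh's own tooling): it pulls client IPs out of sshd auth lines and Apache combined-format access lines and reports when every connection appears to come from the address you pass (127.0.0.1 here, or the Linode's own IP when sslh is pointed at that). The sample log lines are constructed, and the log paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the sslh project.
# Detects the "everything is logged from 127.0.0.1" symptom of a
# multiplexer (sslh without --transparent) sitting in front of sshd/Apache.

# extract_client_ips: read log lines on stdin, print one client IP per line.
# Handles sshd lines ("... from 198.51.100.7 port ...") and Apache
# combined-format access lines (the client IP is the first field).
extract_client_ips() {
    awk '
        /sshd\[/ { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); next } }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }
    '
}

# check_log_sources SELF_ADDR: read log lines on stdin; exit 1 with a
# "HIDDEN" verdict if every connection was logged from SELF_ADDR (the
# address the multiplexer connects from), exit 0 with a summary otherwise.
check_log_sources() {
    extract_client_ips | awk -v self="$1" '
        {
            total++
            if ($1 == self) own++
            else if (!($1 in seen)) { seen[$1] = 1; distinct++ }
        }
        END {
            if (total == 0) { print "no client connections found"; exit 2 }
            if (own == total) {
                printf "HIDDEN: all %d connections logged from %s; the multiplexer is not transparent\n", total, self
                exit 1
            }
            printf "ok: %d connections, %d distinct external clients\n", total, distinct
        }'
}

# Constructed sample lines: what the logs look like with sslh forwarding
# from 127.0.0.1 (fail2ban would only ever see the loopback address).
sample_hidden() {
    cat <<'EOF'
Oct  5 21:24:10 linode sshd[1234]: Accepted publickey for alice from 127.0.0.1 port 51234 ssh2
Oct  5 21:24:12 linode sshd[1240]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2
127.0.0.1 - - [05/Oct/2013:21:25:01 +0000] "GET /roundcube/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
EOF
}

# Constructed sample lines: what they look like once real client addresses
# reach the services.
sample_ok() {
    cat <<'EOF'
Oct  5 21:24:10 linode sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
Oct  5 21:24:12 linode sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 40000 ssh2
198.51.100.7 - - [05/Oct/2013:21:25:01 +0000] "GET /roundcube/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Oct/2013:21:25:03 +0000] "POST /roundcube/?_task=login HTTP/1.1" 401 812 "-" "curl/7.29"
EOF
}

# Usage on a live CentOS box (paths assumed):
#   cat /var/log/secure /var/log/httpd/ssl_access_log | check_log_sources 127.0.0.1
```

Run it against the real logs once after any change to the sslh command line: a HIDDEN verdict means fail2ban is matching nothing useful, and the same check with the Linode's public IP as the argument catches the variant where sslh is told to forward to MYLINODEIP instead of 127.0.0.1.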

@hoopycat:

Use a network connection that doesn't block port 22?

come on, be serious! it's never that easy :)

Normal web reverse proxies like HAProxy and nginx have capability of passing along real IP address in HTTP headers.

sslh does it a little differently though. From the README:

==== Transparent proxy support ====

On Linux (only?) you can use the --transparent option to
request transparent proxying. This means services behind sslh
(Apache, sshd and so on) will see the external IP and ports
as if the external world connected directly to them. This
simplifies IP-based access control (or makes it possible at
all).

sslh needs extended rights to perform this: you'll need to
give it cap_net_admin capabilities (see appropriate chapter)
or run it as root (but don't do that).

The firewalling tables also need to be adjusted as follow
(example to connect to https on 4443 -- adapt to your needs
(I don't think it is possible to have httpd listen to 443 in
this scheme -- let me know if you manage that))):

# iptables -t mangle -N SSLH
# iptables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

This will only work if sslh does not use any loopback
addresses (no 127.0.0.1 or localhost), you'll need to use
explicit IP addresses (or names):

sslh --listen 192.168.0.1:443 --ssh 192.168.0.1:22 --ssl 192.168.0.1:4443

This will not work:
sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
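To turn that README recipe into something you can re-run safely for your own ports, here is an added example (mine, not the thread's and not part of sslh): a shell function that prints the mangle and policy-routing commands for the backend host:port pairs you actually pass to --ssh and --ssl, and refuses loopback backends up front, since the README says those will not work in transparent mode. It assumes eth0, mark 0x1 and routing table 100 as in the excerpt; the addresses in the usage comment are documentation examples, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread or the sslh README.
# Prints (does not apply) the firewall and policy-routing commands that
# sslh --transparent needs, derived from the real backend endpoints.

# is_loopback HOST: true for addresses sslh --transparent cannot use.
is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
    esac
    return 1
}

# sslh_transparent_rules IFACE HOST:PORT [HOST:PORT ...]
#   IFACE      public interface (eth0 on the Linode in the thread)
#   HOST:PORT  each backend given to sslh as --ssh / --ssl / --http ...
# Prints the commands to run as root. Returns 1 and prints nothing if a
# backend is a loopback address or a port is malformed, so a bad setup is
# caught before any rule is installed.
sslh_transparent_rules() {
    iface=$1
    shift
    [ $# -ge 1 ] || { echo "usage: sslh_transparent_rules IFACE HOST:PORT ..." >&2; return 2; }
    for backend in "$@"; do
        host=${backend%:*}
        port=${backend##*:}
        if is_loopback "$host"; then
            echo "error: $backend is a loopback backend; --transparent needs the routable address" >&2
            return 1
        fi
        case "$port" in
            ''|*[!0-9]*) echo "error: bad port in $backend" >&2; return 1 ;;
        esac
    done
    echo "iptables -t mangle -N SSLH"
    # Replies leaving the backends toward the public interface carry the
    # spoofed client address as destination; mark them...
    for backend in "$@"; do
        echo "iptables -t mangle -A OUTPUT --protocol tcp --out-interface $iface --sport ${backend##*:} --jump SSLH"
    done
    echo "iptables -t mangle -A SSLH --jump MARK --set-mark 0x1"
    echo "iptables -t mangle -A SSLH --jump ACCEPT"
    # ...and route marked packets back into the local stack, where sslh
    # (holding cap_net_admin) owns the transparent socket for that client.
    echo "ip rule add fwmark 0x1 lookup 100"
    echo "ip route add local 0.0.0.0/0 dev lo table 100"
}

# Example with documentation addresses: review the output, then pipe it to sh as root.
#   sslh_transparent_rules eth0 203.0.113.10:41414 203.0.113.10:8443
#   sslh_transparent_rules eth0 203.0.113.10:41414 203.0.113.10:8443 | sh
```

The generated `--sport` rules must list the ports the backends really listen on (41414 and 8443 in this thread), not the 22 and 4443 from the README text; copying the README numbers verbatim leaves replies unmarked and the transparent connection never completes.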

Thanks for the reply!!!

I'm reading the readme too, but I don't understand how to enable this "transparent mode"…

have you understood it?

I'm starting sslh with the --transparent option, but when I go to an HTTPS site I get this error:

setsockopt: Operation not permitted

If I remove --transparent it works like a charm.

I also tried

setcap cap_net_bind_service,cap_net_admin+pe sslh

but same problem.

any idea?

Can you try running it as root and see if it works?

If it works as root that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.

@Ox-:

Can you try running it as root and see if it works?

If it works as root that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.

If I set
ListenAddress MYLINODEIP

in /etc/ssh/sshd_config

and I run it as root with these settings in /etc/rc.d/init.d/sslh

OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:22"

it works like a charm, but in this way it is using root :(

It must be a problem of permissions because it says:

setsockopt: Operation not permitted

if I run it as a normal user.

No problem as root.

What exactly are you trying to do? What commands are you running?

Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:

iptables-save

My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:

-Tim

@theckman:

What exactly are you trying to do? What commands are you running?

Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:

iptables-save

My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:

-Tim

thanks for the answer:

# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-Squid - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-roundcube - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-roundcube
-A INPUT -p tcp -m tcp --dport 3128 -j fail2ban-Squid
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 41414 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443,1080 -j fail2ban-squirrelmail
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-Squid -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*security
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*raw
:PREROUTING ACCEPT [387:59380]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*nat
:PREROUTING ACCEPT [13:2474]
:POSTROUTING ACCEPT [58:3890]
:OUTPUT ACCEPT [58:3890]
COMMIT
# Completed on Sat Oct  5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct  5 21:24:10 2013
*mangle
:PREROUTING ACCEPT [387:59380]
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [294:216695]
:POSTROUTING ACCEPT [352:229872]
:SSLH - [0:0]
-A OUTPUT -o eth0 -p tcp -m tcp --sport 41414 -j SSLH
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8443 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
COMMIT
# Completed on Sat Oct  5 21:24:10 2013

I have non-standard ports for SSH and HTTPS.

Those firewall rules seem a bit ridiculous, and may get in the way of things you try to do in the future…so yeah.

What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.

@theckman:

Those firewall rules seem a bit ridiculous, but have fun with that…

What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.

why ridiculous?

Have you got some better rules? Can you share them?

I'm starting sslh as a service in CentOS; the purpose is to connect to SSH and HTTPS using port 443.

It works fine if /etc/rc.d/init.d/sslh

contains this line:

OPTIONS="--user nobody --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"

In this way the logs do not contain any valid IP address, because everyone who connects to HTTPS or SSH is logged as MYLINODEIP.

To solve this problem sslh provides the --transparent option, but this option doesn't work on my linode if not run as root.

OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"

PS: I've run the commands from the readme too:

https://github.com/yrutschle/sslh/blob/master/README#L185

iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

I'm going mad, but this time I made a step forward.

sslh --transparent --user MYEXISTINGUSER --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:42424

plus

iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 42424 --jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;

works like a charm.

If I try to start it as a service with

service sslh start

it doesn't work: Operation not permitted.

Have you got any suggestion on starting it as a service?

Thanks.

The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system.

Are you trying to start sslh as root?

-Tim

@theckman:

The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system.

Are you trying to start sslh as root?

-Tim

If I start it as root it works like a charm,

If I start it as a normal user it works like a charm,

but if I start it at boot with

chkconfig sslh on

when I reboot I get the

setsockopt: Operation not permitted

error when I try to use the sslh port to connect.

It seems that the sslh command loses the capabilities

(setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh)

when it starts as a service, and I don't want this.

On the mailing list they say:

http://rutschle.net/pipermail/sslh/2013-October/000443.html

make sure it's changed to the final user before calling

sslh, if using --transparent.

OK, but how can I change to the final user before calling sslh?

OK, I solved it by adding --user to the daemon call:

```sh
OPTIONS="--transparent --user MYUSERNAME --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:NONSTANDARDPORT"

PIDFILE="/tmp/sslh"

start() {
    echo -n "Starting SSL-SSH-Switch: "
    if [ -f $PIDFILE ]; then
        PID=$(cat $PIDFILE)
        echo sslh already running: $PID
        exit 2;
    else
        # switch to the final user before exec, so sslh keeps its file capabilities
        daemon --user MYUSERNAME $SSLH $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $PIDFILE
        # added: policy routing required by --transparent
        ip rule add fwmark 0x1 lookup 100;
        ip route add local 0.0.0.0/0 dev lo table 100;
        return $RETVAL
    fi
}

stop() {
    echo -n "Shutting down SSL-SSH-Switch: "
    echo
    killproc sslh
    echo
    rm -f $PIDFILE
    # added: remove the policy routing again
    ip rule del fwmark 0x1 lookup 100;
    ip route del local 0.0.0.0/0 dev lo table 100;
    return 0
}
```

I also added the ip route add/del and ip rule add/del so that I don't have to type these commands at every boot.

In /etc/ssh/sshd_config

I enabled

ListenAddress MYPUBLICIP

then I added these rules:

iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport NONSTANDARDPORT --jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;

Problem solved!

Now fail2ban works again with the multiplexer running, and I can trace the IP of the user connecting to the multiplexed port correctly.
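A way to verify that fix rather than trust it, as an added example (not from the thread and not part of sslh): it reads the CapEff mask from a process's /proc/PID/status and checks the two bits the README says transparent mode needs. When the init script switches user before exec, the file capabilities set with setcap survive and the check passes; when sslh dropped root itself after starting, the effective set is empty and the check names what is missing. The bit numbers are the standard Linux ones; the sample status texts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the sslh project.
# Checks whether a running process holds the capabilities that
# sslh --transparent needs, by decoding CapEff from /proc/PID/status.

# Capability bit numbers from linux/capability.h.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# cap_in_mask HEXMASK BIT: true if BIT is set in the 64-bit hex mask.
cap_in_mask() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# capeff_from_status: print the CapEff hex value from status text on stdin.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# check_caps STATUS_TEXT: print "ok" (exit 0) when both capabilities are
# in the effective set, "missing: ..." (exit 1) otherwise.
check_caps() {
    eff=$(printf '%s\n' "$1" | capeff_from_status)
    [ -n "$eff" ] || { echo "no CapEff line in status text"; return 2; }
    missing=""
    cap_in_mask "$eff" "$CAP_NET_ADMIN" || missing="$missing cap_net_admin"
    cap_in_mask "$eff" "$CAP_NET_BIND_SERVICE" || missing="$missing cap_net_bind_service"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# check_running_sslh: the same check against the live sslh process (Linux only).
check_running_sslh() {
    pid=$(pidof sslh 2>/dev/null | awk '{ print $1 }')
    [ -n "$pid" ] || { echo "sslh is not running"; return 2; }
    check_caps "$(cat /proc/"$pid"/status)"
}

# Constructed status excerpts. The first is what a daemon started via
# "daemon --user" with setcap cap_net_bind_service,cap_net_admin+pe shows
# (bits 10 and 12 = 0x1400); the second is a process that setuid()'d away
# from root without keeping capabilities.
STATUS_WITH_CAPS='Name: sslh
Uid: 1001 1001 1001 1001
CapEff: 0000000000001400'
STATUS_NO_CAPS='Name: sslh
Uid: 1001 1001 1001 1001
CapEff: 0000000000000000'

# On the Linode itself, after "service sslh start":  check_running_sslh
```

If `check_running_sslh` reports cap_net_admin missing while `getcap /usr/sbin/sslh` still shows it on the file, the process dropped privileges after exec (sslh's own `--user` running from root) instead of being started as the target user, which is exactly the failure the mailing list answer describes.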
