stealth/sshttp: SSH/HTTP(S) multiplexer. Run a webserver and a sshd on the same port w/o changes.
In case your FW policy forbids SSH access to the DMZ or internal network from outside, but you still want to use ssh on machines which only have one open port, e.g. HTTP, you can use sshttpd.
sshttpd can multiplex the following protocol pairs:
- SSH/HTTP
- SSH/HTTPS
- SSH/SMTP (without SMTP multiline banners)
- HTTPS SNI multiplexing
- SSH/HTTPS with SNI multiplexing
Be sure you run a recent Linux kernel and install nf-conntrack as well as libcap and libcap-devel if you want to use the capability feature. On older systems the nf-conntrack module is named nf-conntrack-ipv4.

Inside the src dir:

```
$ make
```

There is a new splice branch inside the git. Run `git checkout splice` before `make` if you want to test this new branch. It implements zero-copy in terms of the splice(2) system call, which has a performance benefit since it avoids copying the network data between user and kernel land back and forth (read()/write()); the data can instead be spliced kernel-internally at the "extra cost" of two additional pipe descriptors per connection.
This paragraph describes the setup where all services run on the same host as sshttpd itself. The muxing happens on the same IP/IP6 address that the outside connects arrive at, so basically just the ports change per detected service.

sshttpd is an easy to use OSI-Layer5 switching daemon. It runs transparently on the HTTP(S) port (-L switch, default 80) and decides on incoming connections whether this is SSH or HTTP(S) traffic. If it is HTTP(S) traffic, it switches the traffic to the HTTP_PORT (-H, default 8080) and if it is SSH traffic to SSH_PORT (-S, default 22) respectively.

After the build it is time to pick the right netfilter script for setting up the fw rules. In the iptables directory you will find the old style iptables version and in nft the new version for nft (but currently only using the compat layer).
You need to edit the nf-setup script (nf6-setup if using IPv6) to match your network device and $PORTS (22 and 8080 are just fine for the SSH/HTTP case) and run it to install the proxy rules. Your sshd has to run on $SSH_PORT and your webserver on $HTTP_PORT. That's basically it. Go ahead and run sshttpd (as root) and it will layer5-switch your traffic destined to TCP port 80:
Take care when running nf-setup on a remote host in an SSH session - it will firewall port 22
```
# ./nf-setup
Using network device eth0
Setting up port 22 ...
Setting up port 8080 ...
# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
#
```

If you want to mux SMTP with sshttpd, just give 25 as -L parameter, 2525 as -H parameter, and set up your smtp daemon to listen on 2525. Then edit the nf-setup script to match these ports. In the Makefile, change the SMTP_DOMAIN and SSH_BANNER to your needs (SSH_BANNER must match exactly the banner of the running sshd). SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.
When muxing IPv6 connections, the setup is basically the same; just use the nf6-setup script and invoke sshttpd with -6.

You can run sshttpd also on your gateway machine and transparently proxy/mux all of your HTTP(S)/SSH traffic to your internal LAN. To do so, run sshttpd with -T and use nf-tproxy rather than nf-setup as a template for your FW setup. Carefully read nf-tproxy so you don't lock yourself out of the network and so all the network devices and IP addresses match your setup.

With sshttpd you can also mux based on the HTTPS SNI. Just set up your nf-setup to contain the SNI ports (there are already samples) and invoke sshttpd with -N name:port, e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350` to hide a sshd on 22 and a drops setup on port 7350 behind port 443, and at the same time serve your webserver from port 4433 to be visible to outside on port 443. This works because drops sets the SNI of drops.v2 in outgoing connects. Multiple -N switches are allowed so you could mux a lot of services via SNI. The ports/services must all run on the same machine where the original request was destined to. If you just want to mux based on SNI, you can set the SSH port to 0 via -S 0.
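The two decisions described above (SSH banner vs. HTTP(S) on the -L port, and the per-SNI routing of TLS sessions via -N) can be illustrated with a small classifier that looks only at the first bytes a client sends. This is an added example, not sshttpd's own code: the real daemon is written in C++ and its exact detection logic may differ. It assumes the port map from the README's own example (-S 22 -H 4433 -N drops.v2:7350), treats anything that is neither an SSH banner nor a TLS record as plain HTTP, and builds its own sample ClientHello as constructed input rather than using captured traffic.

```python
import struct

# Constructed port map mirroring the README example:
#   sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350
SSH_PORT = 22                   # -S (0 would mean: no SSH muxing, SNI only)
HTTP_PORT = 4433                # -H, also the default target for TLS without a matching SNI
SNI_MAP = {"drops.v2": 7350}    # -N name:port, may be given several times


def parse_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent.

    Raises ValueError when the record is not yet complete, so the caller can
    wait for more bytes instead of misrouting a half-read ClientHello."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("incomplete TLS record")
    hs = data[5:5 + rec_len]
    try:
        if hs[0] != 0x01:                         # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32                            # skip hs header, client_version, random
        p += 1 + hs[p]                            # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                            # compression_methods
        if p + 2 > len(hs):
            return None                           # no extensions at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                        # server_name extension
                q = p + 2                         # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                # host_name
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None                               # malformed hello: treat as "no SNI"
    return None


def classify(first_bytes: bytes):
    """Decide where a fresh connection on the -L port should be switched to.

    Returns (protocol, target_port); target_port is None when the bytes seen
    so far do not allow a decision yet ("need_more") or SSH muxing is off."""
    if not first_bytes:
        return ("need_more", None)                # SSH and HTTP clients both speak first
    if first_bytes.startswith(b"SSH-"):
        return ("ssh", SSH_PORT if SSH_PORT else None)
    if first_bytes[0] == 0x16:
        try:
            sni = parse_sni(first_bytes)
        except ValueError:
            return ("need_more", None)
        return ("tls", SNI_MAP.get(sni, HTTP_PORT))
    return ("http", HTTP_PORT)                    # assumption: everything else is plain HTTP


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying one server_name entry.
    Constructed sample input for the classifier, not captured traffic."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32             # client_version + random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_9.6\r\n",
                   b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
                   build_client_hello("drops.v2"),
                   build_client_hello("www.example.org"),
                   build_client_hello("drops.v2")[:12]):
        print(sample[:16], "->", classify(sample))
```

The "need_more" state is the part worth noticing: a TLS ClientHello may arrive in several segments, and a switch that routes on a partial record would send the session to the default HTTP port even though the SNI, once complete, maps it elsewhere. The classifier therefore refuses to decide until the whole first record is present.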
You don't need to patch any of your ssh/web/smtp client or server software. It works as is. sshttpd runs only on Linux and needs IP_TRANSPARENT support. It would work without, but by using IP_TRANSPARENT it is possible to even have unmodified syslogs, i.e. the original source IP/port of incoming connections is passed as-is to the SSH/HTTP/SMTP servers.

Make sure the nf_conntrack and nf_conntrack_ipv4 or nf_conntrack_ipv6 modules are loaded. sshttpd is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing measure. sshttpd has a small footprint and was optimized for speed so it also runs on heavily loaded web servers.

Since version 0.24, sshttpd also supports multiple CPU cores. Unless -n 1 is used as switch, sshttpd binds one thread per CPU core, to better exploit the hardware if running on heavily used web servers. It still runs this fixed number of threads no matter how many thousands of connections it handles at the same time. sshttpd runs as nobody user inside a chroot() (configurable via -U and -R switch) if compiled with USE_CAPS. It can also distinguish between SSH and SSL sessions, you just have to use a LOCAL_PORT (-L) of 443 or 4433 and change the HTTP_PORT in the nf-setup script to match your webserver's HTTPS port. You cannot mix HTTP/SSH and HTTPS/SSH in one sshttpd instance but you can run two sshttpd's to reach that goal: one on LOCAL_PORT 80 and one on LOCAL_PORT 443.
As per 2017 it seems you have to provide alternative facts for everything, so here are some good writeups from other people for better understanding or in case my description was too brief: