• Stars
    star
    861
  • Rank 52,968 (Top 2 %)
  • Language
    C++
  • Created almost 13 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SSH/HTTP(S) multiplexer. Run a webserver and a sshd on the same port w/o changes.

sshttp - hiding SSH servers behind HTTP

0. Intro

In case your FW policy forbids SSH access to the DMZ or internal network from outside, but you still want to use ssh on machines which only have one open port, e.g. HTTP, you can use sshttpd.

sshttpd can multiplex the following protocol pairs:

  • SSH/HTTP
  • SSH/HTTPS
  • SSH/SMTP (without SMTP multiline banners)
  • HTTPS SNI multiplexing
  • SSH/HTTPS with SNI multiplexing

1. Build

Be sure you run recent Linux kernel and install nf-conntrack as well as libcap and libcap-devel if you want to use the capability feature. On older systems the nf-conntrack module is named nf-conntrack-ipv4.

Inside src dir:

$ make

There is a new splice branch inside the git. git checkout splice before make, if you want to test this new branch. It implements zero-copy in terms of the splice(2) system call which has a performance benefit since it avoids copying the network data between user and kernel land back and forth (read()/write()), which could also just be spliced kernel-internally at the "extra cost" of two additional pipe descriptors per connection.

proudly sponsored by:

2. Setup for single host

This paragraph describes the setup where all services run on the same host as sshttpd itself. The muxing happens to the same IP/IP6 address that the outside connects arrive to, so basically just the ports are changing per detected service.

sshttpd is an easy to use OSI-Layer5 switching daemon. It runs transparently on HTTP(S) port (-L switch, default 80) and decides on incoming connections whether this is SSH or HTTP(S) traffic. If its HTTP(S) traffic, it switches the traffic to the HTTP_PORT (-H, default 8080) and if its SSH traffic to SSH_PORT (-S, default 22) respectively.

After the build it is time to pick the right netfilter script for setting up the fw rules. In iptables directory you will find the old style iptables version and in nft the new version for nft (but currently only using the compat layer).

You need to edit nf-setup script (nf6-setupif using IPv6) to match your network device and $PORTS (22 and 8080 are just fine for the SSH/HTTP case) and run it to install the proxy rules. Your sshd has to run on $SSH_PORT and your webserver on $HTTP_PORT. Thats basically it. Go ahead and run sshttpd (as root) and it will layer5-switch your traffic destinated to TCP port 80:

Take care when running nf-setup on a remote host in an SSH session - it will firewall port 22

# ./nf-setup
Using network device eth0
Setting up port 22 ...
Setting up port 8080 ...
# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty
sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.
#

If you want to mux SMTP with sshttpd, just give 25 as -L parameter, 2525 as -H parameter, and setup your smtp daemon to listen on 2525. Then edit the nf-setup script to match these ports. In the Makefile, change the SMTP_DOMAIN and SSH_BANNER to your needs (SSH_BANNER must match exactly yours of the running sshd). SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server.

When muxing IPv6 connections, the setup is basically the same; just use the nf6-setup script and invoke sshttpd with -6.

3. Transparent proxy setup

You can run sshttpd also on your gateway machine and transparently proxy/mux all of your HTTP(S)/SSH traffic to your internal LAN. To do so, run sshttpd with -T and use nf-tproxy rather than nf-setup as a template for your FW setup. Carefully read nf-tproxy so you don't lock yourself out of the network and all the network devices and IP addresses match your setup.

4. SNI Mux

With sshttpd you can also mux based on the HTTPS SNI. Just set up your nf-setup to contain the SNI ports (there are already samples) and invoke sshttpd with -N name:port e.g. sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350 to hide a sshd on 22 and a drops setup on port 7350 behind port 443, and at the same time serving your webserver from port 4433 to be visible to outside on port 443. This works because drops sets the SNI of drops.v2 in outgoing connects. Multiple -N switches are allowed so you could mux a lot of services via SNI. The ports/services must run all on the same machine where the original request was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via -S 0.

5. Misc

You don't need to patch any of your ssh/web/smtp client or server software. It works as is. sshttpd runs only on Linux and needs IP_TRANSPARENT support. It would work without, but by using IP_TRANSPARENT it is possible to even have unmodified syslogs, e.g. the original source IP/port of incoming connections is passed as-is to the SSH/HTTP/SMTP servers.

Make sure the nf_conntrack and nf_conntrack_ipv4 or nf_conntrack_ipv6 modules are loaded. sshttpd is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing measurement. sshttpd has small footprint and was optimized for speed so it also runs on heavily loaded web servers.

Since version 0.24, sshttpd also supports multiple CPU cores. Unless -n 1 is used as switch, sshttpd binds one thread per CPU core, to better exploit the hardware if running on heavily used web servers. It still runs this fixed number of threads no matter how many 1000s connection it handles at the same time. sshttpd runs as nobody user inside a chroot() (configurable via -U and -R switch) if compiled with USE_CAPS. It can also distinguish between SSH and SSL sessions, you just have to use an LOCAL_PORT (-L) of 443 or 4433 and change the HTTP_PORT in the nf-setup script to match your webservers HTTPS port. You cannot mix HTTP/SSH and HTTPS/SSH in one sshttpd instance but you can run two sshttpd's to reach that goal: one on LOCAL_PORT 80 and one on LOCAL_PORT 443.

6. Alternative docu

As per 2017 it seems you have to provide alternative facts for everything, so here are some good writeups from other people for better understanding or in case my description was too brief:

More Repositories

1

opmsg

opmsg message encryption
C++
744
star
2

grab

experimental and very fast implementation of a grep
C++
257
star
3

fraud-bridge

ICMP and DNS tunneling via IPv4 and IPv6
C++
189
star
4

crash

crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX
C++
174
star
5

lophttpd

lots of performance (or lots of porn, if you prefer) httpd: Easy, chrooted, fast and simple to use HTTP server for static content. Runs on Linux, BSD, Android and OSX/Darwin. It's free but if you like it, consider donating to the EFF: https://supporters.eff.org/donate
C++
135
star
6

psc

E2E encryption for multi-hop tty sessions or portshells + TCP/UDP port forward
C++
109
star
7

troubleshooter

setroubleshootd xSports
C
93
star
8

fernmelder

async mass DNS resolver
C++
82
star
9

drops

opmsg p2p transport network
C++
70
star
10

plasmapulsar

PLASMA PULSAR
C
69
star
11

injectso

C
52
star
12

libusipp

unix socket interface for C++ raw IP/IP6/UDP/TCP, Layer2 etc. framework
C++
39
star
13

harddns

RFC8484 and DoH/JSON resolver
C++
38
star
14

pam_schroedinger

Uncertainty for brute forcers during login.
C++
25
star
15

odd

optimized dd
C
20
star
16

qdns

QUANTUM-DNS server
C++
18
star
17

call-graphs

17
star
18

u2f

U2F toolset
C++
17
star
19

QI

Quantum Insert/FoxAcid case study
C++
15
star
20

sslps

OpenSSL Privilege Separation
C
15
star
21

greenday

DGC forensics
Perl
13
star
22

devpops

Companion Worm research
Go
13
star
23

tensor-pwn

AI fun
Python
11
star
24

loaded

IPv4 and IPv6 load balancer
C++
9
star
25

hoschi

hoschi BTC mapper
C++
9
star
26

contrib

Various HTTP, SSH, SSL, localhost etc. related contributions of me, which are too small to have an own repo each
Python
9
star
27

7350topless

C
8
star
28

dropsview

Fancy ncurses frontend for opmsg + drops
C++
8
star
29

aio

scalable Linux implementation for IEEE 1003.1-2004 AIO
C
8
star
30

tinkershell

Perl
7
star
31

number

C++
7
star
32

opmsg-qr

opmsg QR convenience
C
6
star
33

massbind

mass adding ip6 addresses
C
5
star
34

plugmein

pcap USB keyboard sniffer
C++
4
star
35

papyrus

C
3
star
36

test

just ignore
1
star
37

maps

some geojson maps
1
star
38

cloud-clock

C++
1
star
39

polyglots

some polyglots
Shell
1
star
40

bananajoe

Banana Boomsh
C
1
star