Comments on StalkR's Blog: SSH/HTTP(S) multiplexing with sshttp
Blogger comment feed for the post (20 comments, feed last updated 2024-03-23). Comments are listed oldest first.

Sebastian (2012-03-02 11:36 +01:00):
Cool writeup. Some comments:
It's probably enough to multiplex either http/ssh or https/ssh if it's the same machine, unless you expect one service to be DoS'ed. Second, it is important to block direct access to the real SSH and HTTP ports, otherwise outside folks can still access them directly. Take care this cannot happen if you run sshd on port 222. (Your NAT might protect you here, but if you don't have a NAT box...)
sshttp works perfectly with -S 22 -H 8080 and both ports being blocked on INPUT. sshttp can still access these services as the traffic is going via loopback. So the only outside-visible port is 80.
sshttp would also work on the NAT (or firewall) box to multiplex ssh/http for a whole subnet (not just locally), but that'd require a more complex netfilter setup and additional care to only expose the dedicated machines to the outside.

Anonymous (2012-03-04 13:55 +01:00):
Hello,
How does this impact the performance of normal HTTP traffic?

StalkR (2012-03-04 18:29 +01:00):
According to the readme: "sshttpd has small footprint and was optimized for speed so it also runs on heavily loaded web servers."

Anonymous (2012-03-19 04:38 +01:00):
I use shorewall; please help with using shorewall with sshttps.

Mike (2012-03-20 18:27 +01:00):
Hi,
I'm testing your tool and I'm trying to figure out why it doesn't work.
I tried it locally:

    # /usr/local/sbin/sshttp -S 222 -H 80 -L 2280 -U sshttp -R /var/run/sshttp
    sshttpd: Using HTTP_PORT=80 SSH_PORT=222 and local port=2280. Going background. Using caps/chroot.

    # netstat -luntp | grep 2280
    tcp 0 0 0.0.0.0:2280 0.0.0.0:* LISTEN 16352/sshttp

    # netstat -luntp | grep 222
    tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN 15074/sshd

So when I try to connect via ssh I receive the message below:

    # ssh localhost -p 2280
    ssh_exchange_identification: Connection closed by remote host

Any suggestion?
Thanks,
Mike

StalkR (2012-03-20 20:17 +01:00):
Try from another host and make sure you set up the netfilter and routing rules.

passing by (2012-03-26 16:35 +02:00):
Same here.

    $ sudo service sshttps start
    sshttpd: Using HTTP_PORT=443 SSH_PORT=2222 and local port=4443. Going background. Using caps/chroot.

    $ sudo netstat -luntp | grep -E '(2222|443|4443)'
    tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 390/sshd
    tcp 0 0 0.0.0.0:4443 0.0.0.0:* LISTEN 3088/sshttps
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 552/apache2

Correct me if I'm wrong, but at this stage I should be able to "ssh localhost" on port 2222 AND 4443. I can connect to port 2222 only.

    $ ssh localhost -p 2222
    user@host's password:

    $ ssh localhost -p 4443
    ssh_exchange_identification: Connection closed by remote host

StalkR (2012-03-26 17:38 +02:00):
Yes, connecting directly to sshd or httpd from localhost works.
Connecting to sshttp(s) from localhost does not work, because of the way the whole thing works. Try from another host; if your setup is correct it should work.
On another note, I noted that from some ISPs, connecting to SSH via sshttp on port 80 does not work. The only reason I see is that the ISP uses a transparent proxy to observe all your HTTP traffic :) So, think of sshttp as a tool to reveal ISPs spying on you! (For these same ISPs, sshttp on 443 works fine; apparently they don't inspect this port.)

Anonymous (2012-09-11 15:01 +02:00):
Does IP_TRANSPARENT not involve the proxy running as root? Meaning, one vulnerability in sshttp and you've lost your box?

StalkR (2012-09-13 14:12 +02:00):
Yes and no. Processes can drop their privileges once they don't need them anymore, and that's what sshttp does: https://github.com/stealth/sshttp/blob/master/main.cc#L144

Anonymous (2012-09-26 12:50 +02:00):
Thanks for the guide, works well but kills virtual hosts in Apache for me; everything just gets redirected to the default site. Any ideas on resolving this?

StalkR (2012-09-27 19:21 +02:00):
Sorry, I don't know why, and it's strange: it shouldn't affect virtual hosts, as they are recognized with the "Host:" HTTP header.

mkanet (2013-07-15 19:21 +02:00):
Anyone know where I can find a Cygwin version (like sslh has) or a fully ported Win32/Win64 version?

Alain (2013-11-24 08:29 +01:00):
Great article,
I used sslh, but was unhappy because of the 127.0.0.1 redirection to Apache.
But I have a problem with ferm:
I set everything up as told, but when starting ferm I get this error:

    service ferm start
    Starting Firewall: fermiptables-restore: line 15 failed
    Failed to run /sbin/iptables-restore

    Firewall rules rolled back.
     failed!

I only use sshttps, and I set services and ports like this:
(apache on 80 and 443, sshd on 22 and 1444)

    netstat -ntapu |grep ":22\|:443\|:80"
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10413/sshd
    tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 12046/apache2
    tcp 0 0 0.0.0.0:224 0.0.0.0:* LISTEN 10413/sshd
    tcp 0 0 0.0.0.0:2244 0.0.0.0:* LISTEN 10870/sshttps
    tcp6 0 0 :::80 :::* LISTEN 12046/apache2
    tcp6 0 0 :::22 :::* LISTEN 10413/sshd
    tcp6 0 0 :::224 :::* LISTEN 10413/sshd

and this is what I put in ferm.conf:

    domain ip {
        # sshttp
        #table mangle {
        #    chain OUTPUT { proto tcp outerface eth0 sport (80 228) jump SSHTTP; }
        #    chain PREROUTING { proto tcp sport (80 228) mod socket jump SSHTTP; }
        #    chain SSHTTP { MARK set-mark 0x1; ACCEPT; } # 1st bit
        #}
        # sshttps
        table mangle {
            chain OUTPUT { proto tcp outerface eth0 sport (443 224) jump SSHTTPS; }
            chain PREROUTING { proto tcp sport (443 224) mod socket jump SSHTTPS; }
            chain SSHTTPS { MARK set-mark 0x2; ACCEPT; } # 2nd bit
        }
    }

So, can you tell me where my mistake is?
Thanks,
alain

StalkR (2013-11-24 10:33 +01:00):
Hi Alain, try loading ferm with:

    # ferm --slow --lines /etc/ferm/ferm.conf

With --slow, instead of using "iptables-restore" to load all rules at once (making it hard to know which rule failed), it will use "iptables" and load rules one by one (which you will see with --lines). That way, you'll see which rule fails and better understand the issue.
It could be because a netfilter module (mangle or socket) isn't available/loaded.

Alain (2013-11-24 12:35 +01:00):
Hi StalkR,
Thanks a lot for your answer.
Here's the output with your command:

    ferm --slow --lines /etc/ferm/ferm.conf
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -N SSHTTPS
    /sbin/iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 443 --jump SSHTTPS
    /sbin/iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 224 --jump SSHTTPS
    /sbin/iptables -t mangle -A PREROUTING --protocol tcp --sport 443 --match socket --jump SSHTTPS
    iptables: No chain/target/match by that name.

    Firewall rules rolled back.

and then:

    iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

But I tried to comment/uncomment lines in my ferm.conf, and the line causing the error is:

    chain PREROUTING { proto tcp sport (443 224) mod socket jump SSHTTPS; }

So, it seems that a kind of 'module' for 'socket' is not loaded?
I'm quite a novice with iptables...
I googled about that, but found nothing interesting...
Can you help me?
Thanks again,
Alain

StalkR (2013-11-24 19:03 +01:00):
mod socket is provided by the netfilter kernel module xt_socket: http://cateee.net/lkddb/web-lkddb/NETFILTER_XT_MATCH_SOCKET.html
Try to load it with: modprobe xt_socket
If it works, re-try loading the ferm rules and you should be good.
If it doesn't work, what is your kernel? (uname -r)
Maybe you need a more recent one and/or to re-compile with this enabled.

Alain (2013-11-24 21:56 +01:00):
Indeed it does not work:

    modprobe xt_socket
    FATAL: Could not load /lib/modules/3.2.13-grsec-xxxx-grs-ipv6-64/modules.dep: No such file or directory
    uname -r
    3.2.13-grsec-xxxx-grs-ipv6-64

(I use a dedicated server and the kernel is tuned by the provider.)
Well, does this mean I have to recompile my kernel?
Alain

StalkR (2013-11-24 23:05 +01:00):
Yes. And for optimal performance base your kernel config on theirs (/boot/config-3.2.13-grsec-xxxx-grs-ipv6-64).
Alternatively you can use a generic distro kernel (e.g. Debian/Ubuntu maintain some), or ask the provider to include this module in their next release.

Alain (2013-11-25 07:23 +01:00):
Thank you very much for your answers :)
Alain
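Following the ferm troubleshooting between Alain and StalkR above, here is an added example (not StalkR's code and not part of the sshttp project) that automates the two steps StalkR walks through: find the rule that `ferm --slow --lines` choked on, and derive the xt_ kernel module to try loading for each `--match` extension that rule uses. The ferm transcript embedded below is constructed from Alain's comment; `probe_match` is an assumption about how to confirm a match on a running kernel (it needs root and is not exercised offline).

```shell
#!/bin/sh
# Added example, not from StalkR's post or the sshttp project.
# Pinpoints the rule that made `ferm --slow --lines` fail and names the
# xtables module to try loading for each match extension that rule uses.

# Constructed sample: tail of a `ferm --slow --lines` run that failed on
# the PREROUTING rule with the socket match (modelled on Alain's comment).
SAMPLE_FERM_OUTPUT='/sbin/iptables -t mangle -N SSHTTPS
/sbin/iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 443 --jump SSHTTPS
/sbin/iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 224 --jump SSHTTPS
/sbin/iptables -t mangle -A PREROUTING --protocol tcp --sport 443 --match socket --jump SSHTTPS
iptables: No chain/target/match by that name.

Firewall rules rolled back.'

# With --slow, ferm runs one iptables command per rule, so the last command
# printed before the first "iptables: ..." error line is the one that failed.
ferm_failed_rule() {
    printf '%s\n' "$1" | awk '
        /^(\/sbin\/)?iptables / { last = $0 }
        /^iptables: /           { print last; exit }
    '
}

# List the match extensions (-m X / --match X) used by one iptables command.
rule_matches() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-m" || $i == "--match") print $(i + 1)
    }'
}

# xtables match extensions live in kernel modules named xt_<match>;
# the socket match is xt_socket (CONFIG_NETFILTER_XT_MATCH_SOCKET).
match_module() {
    printf 'xt_%s\n' "$1"
}

# Kernel config symbol for a match, for the "rebuild your kernel" case.
match_config() {
    printf 'CONFIG_NETFILTER_XT_MATCH_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"
}

# Offline diagnosis of a saved `ferm --slow --lines` transcript.
diagnose() {
    rule=$(ferm_failed_rule "$1")
    if [ -z "$rule" ]; then
        echo "no failing iptables command found in transcript"
        return 1
    fi
    echo "failing rule: $rule"
    for m in $(rule_matches "$rule"); do
        echo "match '$m': try 'modprobe $(match_module "$m")'; if the kernel lacks it, rebuild with $(match_config "$m")=m (or =y)"
    done
}

# Live check (assumption: run as root on the target host). modprobe fails
# outright when /lib/modules/$(uname -r) is missing, as on Alain's vendor
# kernel; a match can also be built in, which modules.builtin records.
probe_match() {
    mod=$(match_module "$1")
    rel=$(uname -r)
    if modprobe "$mod" 2>/dev/null || grep -q "/$mod.ko" "/lib/modules/$rel/modules.builtin" 2>/dev/null; then
        echo "$mod: available on $rel"
    else
        echo "$mod: not loadable on $rel (no module tree, or kernel built without $(match_config "$1"))"
        return 1
    fi
}

diagnose "$SAMPLE_FERM_OUTPUT"
```

Run it on a saved transcript with `diagnose "$(cat ferm.log)"`; on the host itself, `probe_match socket` tells you whether the fix is `modprobe` or a kernel with the match compiled in, which is the fork StalkR's last two replies describe.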
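Sebastian's point about blocking direct access to the real sshd/httpd ports, as an added example (not from the post and not from sshttp): `lockdown_rules` prints the INPUT rules that expose only the multiplexed port on the public interface while leaving loopback open, which is the path sshttp uses to reach the real services, and `audit_listeners` reads a saved `netstat -lntp` listing and reports which wildcard-bound ports would still be reachable from the wire. The listing is constructed from Alain's comment; the interface name and port numbers are parameters chosen here, not values from the post.

```shell
#!/bin/sh
# Added example, not from StalkR's post or the sshttp project. It applies
# Sebastian's advice: expose only the multiplexed port, keep the real
# sshd/httpd ports reachable over loopback alone (that is how sshttp reaches
# them), then audit a listener table for ports still open to the wire.
# Interface name and port numbers below are assumptions, not the post's.

# Constructed `netstat -lntp` excerpt, modelled on Alain's comment: apache
# on 127.0.0.1:443 and :::80, sshd on 22 and 224, sshttps local port 2244.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10413/sshd
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 12046/apache2
tcp 0 0 0.0.0.0:224 0.0.0.0:* LISTEN 10413/sshd
tcp 0 0 0.0.0.0:2244 0.0.0.0:* LISTEN 10870/sshttps
tcp6 0 0 :::80 :::* LISTEN 12046/apache2
tcp6 0 0 :::22 :::* LISTEN 10413/sshd
tcp6 0 0 :::224 :::* LISTEN 10413/sshd'

# Print (do not apply) INPUT rules: loopback open, the public port accepted
# on the outside interface, every listed private port dropped there. Place
# them before any blanket ACCEPT; use REJECT instead of DROP if you prefer
# fast failures. Usage: lockdown_rules IFACE PUBLIC_PORT PRIVATE_PORT...
lockdown_rules() {
    iface=$1; public=$2; shift 2
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$iface" "$public"
    for p in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$iface" "$p"
    done
}

# Report listening TCP sockets bound to the wildcard address whose port is
# neither the public port nor in the dropped list: those stay reachable from
# outside. Output: port/PID/program, one per line, in listing order.
# Usage: audit_listeners "$LISTING" PUBLIC_PORT DROPPED_PORT...
audit_listeners() {
    listing=$1; public=$2; shift 2
    printf '%s\n' "$listing" | awk -v public="$public" -v dropped=" $* " '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::") next   # bound to one address only
            if (port == public) next                      # meant to be public
            if (index(dropped, " " port " ")) next        # covered by a DROP rule
            print port "/" $7
        }'
}

# Walk-through on the sample: what is exposed now, the rules, what remains.
echo "# exposed now (public port 443, nothing dropped):"
audit_listeners "$SAMPLE_NETSTAT" 443
echo "# rules to apply:"
lockdown_rules eth0 443 224 22
echo "# still exposed after those rules:"
audit_listeners "$SAMPLE_NETSTAT" 443 224 22
```

On the sample, the audit after the rules still lists 80 (Apache's plain HTTP, bound on the wildcard address on purpose) and 2244 (sshttp's -L port). Do not add 2244 to the DROP list blindly: if the public port is steered to it in nat PREROUTING, INPUT sees that traffic with dport 2244 and a DROP there kills the multiplexing. Run the audit against the live box with `audit_listeners "$(netstat -lntp)" 443 224 22`.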