SSLH

From wiki.techunit.org

Introduction

sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are implemented, and any other protocol whose first packet can be matched with a regular expression can be recognised. A typical use case is to serve several services on port 443 (e.g. to reach ssh from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.

Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.

sslh supports IPv6, privilege dropping, transparent proxying, and more.

Configuration

  • Tested on Ubuntu 14.04
  • sslh version: 1.15

Installation

aptitude install sslh -y

Configure SSLH

Minimal

Edit /etc/default/sslh:

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh -n --listen <server public IP>:443 --openvpn 127.0.0.1:1194 --ssh 127.0.0.1:22 --ssl 127.0.0.1:8443 --pidfile /var/run/sslh/sslh.pid"
# --user                user the daemon drops privileges to
# --listen              listen address:port                              ! must be changed to your server's public IP
# --openvpn             openvpn address:port
# --ssh                 openssh address:port
# --ssl                 webserver address:port (nginx/apache ...)
# --pidfile             /path/to/the/pid/file.pid

Transparent mode

The previous setup works, but the backend services now log your server's own address instead of the client's. An additional step is needed to make sslh transparent.

  • To achieve this, packets need to be marked and routed back through sslh
  • Here is my solution
  • Modify this line in /etc/default/sslh. Besides --transparent, two things change: the backends are now addressed on 127.0.0.2 (the routing rules below key on that address, so the services must listen there), and the daemon runs as root, because the IP_TRANSPARENT socket option used by transparent mode requires CAP_NET_ADMIN
DAEMON_OPTS="--user root -n --transparent --listen <server public IP>:443 --openvpn 127.0.0.2:1194 --ssh 127.0.0.2:22 --ssl 127.0.0.2:8443 --pidfile /var/run/sslh/sslh.pid"

Temporary

  • Now run these commands
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add from 127.0.0.2/32 table 100
  • Restart sslh
service sslh restart
  • To revert
ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100
ip rule del from 127.0.0.2/32 table 100

Permanent

  • To make it persistent, add the rules to /etc/network/interfaces so they are applied whenever the interface comes up
iface eth0 inet static
	address <your server public IP>
	netmask 255.255.255.0
	gateway <your network Gateway>
	dns-nameservers 8.8.8.8 8.8.4.4
	dns-search example.com
	# Add this block
	post-up ip rule add fwmark 0x1 lookup 100
	post-up ip route add local 0.0.0.0/0 dev lo table 100
	post-up ip rule add from 127.0.0.2/32 table 100
	pre-down ip rule del fwmark 0x1 lookup 100
	pre-down ip route del local 0.0.0.0/0 dev lo table 100
	pre-down ip rule del from 127.0.0.2/32 table 100
	# End
  • Reboot the server and check that the rules are still present
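As an added check for that last step (example code, not part of the original page): a POSIX sh function that compares the output of `ip rule show` and `ip route show table 100` with the three rules above and prints the `ip ... add` command for each one that is missing. The sample output it is run against is constructed, and the script file name in the final comment is hypothetical.

```shell
# Added check for the transparent-mode routing configured above: compares
# `ip rule show` and `ip route show table 100` output with the three rules
# sslh depends on and prints the `ip ... add` command for each missing one.

SSLH_MARK=0x1          # fwmark used in the rule above
SSLH_TABLE=100         # routing table used above
SSLH_BACKEND=127.0.0.2 # address the backends listen on (see DAEMON_OPTS)

# check_sslh_routing "$(ip rule show)" "$(ip route show table 100)"
# Returns 0 when every rule is present, 1 otherwise.
check_sslh_routing() {
    rules=$1
    routes=$2
    missing=0
    # iproute2 prints the rule as "32765: from all fwmark 0x1 lookup 100"
    if ! printf '%s\n' "$rules" | grep -Eq "fwmark $SSLH_MARK lookup $SSLH_TABLE"; then
        echo "missing: ip rule add fwmark $SSLH_MARK lookup $SSLH_TABLE"
        missing=1
    fi
    # the /32 is normally dropped on output: "32764: from 127.0.0.2 lookup 100"
    if ! printf '%s\n' "$rules" | grep -Eq "from $SSLH_BACKEND(/32)? lookup $SSLH_TABLE"; then
        echo "missing: ip rule add from $SSLH_BACKEND/32 table $SSLH_TABLE"
        missing=1
    fi
    # 0.0.0.0/0 is shown as "default": "local default dev lo scope host"
    if ! printf '%s\n' "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; then
        echo "missing: ip route add local 0.0.0.0/0 dev lo table $SSLH_TABLE"
        missing=1
    fi
    return $missing
}

# Constructed sample output (not captured from a real host): a box where
# only the fwmark rule survived the reboot, and table 100 is empty.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES=''

# Runs the check against the constructed sample (expected: two missing entries).
demo_check() {
    check_sslh_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES"
}

# Check the live host with: sh check_sslh_routing.sh --live
case ${1:-} in
    --live) check_sslh_routing "$(ip rule show)" "$(ip route show table "$SSLH_TABLE")" ;;
esac
```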

Sources