How to access my Linode behind a firewall that blocks port 22?
I need to access my linode behind a firewall that blocks port 22.
The firewall permits traffic on ports 80 and 443. I can't switch my ssh port to 80 or 443 because there is a web server running on my linode.
Is there a way to do some trick to tunnel SSH over HTTP?
I read this guide but I understood nothing:
Thanks
@vonskippy:
It has to allow more than just 80 & 443, or you wouldn't get email.
In fact I can't get the email if not using the webmail.
@vonskippy:
It has to allow more than just 80 & 443, or you wouldn't get email.
Not all places allow IMAP/POP/SMTP. However I do agree more should be open (unless they have the resources to host their own DNS cache).
sblantipodi, you have four options:
* Change SSH's port to something you DO have access to
* Adjust the firewall, or ask someone with firewall access to allow port 22
* Use LISH from Linode Manager
* Find a web-based SSH client (they do exist)
@Piki:
@vonskippy: It has to allow more than just 80 & 443, or you wouldn't get email.
Not all places allow IMAP/POP/SMTP. However I do agree more should be open (unless they have the resources to host their own DNS cache).
sblantipodi, you have four options:
* Change SSH's port to something you DO have access to
* Adjust the firewall, or ask someone with firewall access to allow port 22
* Use LISH from Linode Manager
* Find a web-based SSH client (they do exist)
I need to access SSH to do tunnels; if I have access to SSH I can tunnel the email ports, for example. I don't need something like lish, I need ssh access.
I know that I can tunnel ssh traffic via http, there is proxytunnel to allow me to do this; the only problem is understanding how it works.
Have you considered switching ssh to port 8080? Most places allow it, even if they block everything else.
@Piki:
Requiring a tunnel narrows you down to the first two options: Change the ssh port, or adjust the firewall to allow it.
Have you considered switching ssh to port 8080? Most places allow it, even if they block everything else.
8080 is blocked and, as I mentioned, ports 80 and 443 are already used by apache.
1. Use Lish to disable (temporarily) your Linode's firewall
2. Instruct nmap to scan your Linode for ports 1-65535
3. Do something else while you wait for nmap to finish
4. If any ports show up that aren't needed on your Linode or local network, pick one and switch ssh to that
Since nmap can't scan through blocked ports, anything blocked by the firewall will appear closed from nmap's perspective, therefore you'll see exactly what's allowed.
@Piki:
How about some other port? Any place is almost required to have more than two ports open. If you don't know of any other open ports, you can easily discover them via nmap:
1. Use Lish to disable (temporarily) your Linode's firewall
2. Instruct nmap to scan your Linode for ports 1-65535
3. Do something else while you wait for nmap to finish
4. If any ports show up that aren't needed on your Linode or local network, pick one and switch ssh to that
Since nmap can't scan through blocked ports, anything blocked by the firewall will appear closed from nmap's perspective, therefore you'll see exactly what's allowed.
I haven't understood this: if I disable the firewall and nmap my linode, only open ports will be shown (if the firewall doesn't block them),
so it does not seem a good method to discover what the "openable ports" are.
@sblantipodi:
I haven't understood this: if I disable the firewall and nmap my linode, only open ports will be shown (if the firewall doesn't block them),
so it does not seem a good method to discover what the "openable ports" are.
nmap doesn't scan for openable ports, it scans for open ports that you can use for ssh.
There is no method to discover openable ports, those are already set by standards governing low-level network protocols. ssh uses the protocol known as TCP, which allows any port from 1 to 65535. Chances are, the firewall at your location has a handful already opened (including 80 and 443), along with some others that you can discover either with a portscanner like nmap, or by asking whomever controls the firewall.
@Piki:
Any place is almost required to have more than two ports open.
Not to a random user machine. This is pretty common at corporations. There will be specific holes for the mail servers, etc, but not to a user machine, and in that case, 80/443 may not even be open, instead they'd be proxied.
If you are accessing your Linode from within a corporate environment, which I am assuming, using an ssh client (PuTTY) would suffice. However, you mention that your linode_box is running a web server and cannot bind sshd to those ports.
Another way is to create the SSH tunnel on other_box where you have root access to bind on ports 80 or 443. Then the command would be:
ssh -v -4 -L otherbox.example.com:80:linodebox.example.com:22 yourlogin@otherbox.example.com
This will create a listening port 80 on otherbox and forward the connection to port 22 on your linodebox. Then you would need to use an ssh client to connect to other_box on port 80.
Hope this helps and doesn't confuse you.
Another option is, install ajaxterm or anyterm on your linode web server.
I can't bind SSH to 80 and 443 because my linode runs a webserver
I don't have another Linux machine where I can bind ssh to 80 or 443
I don't need an ajax console because I need ssh for tunneling
@sblantipodi:
I suggest that all suggesters understand what the problem is:
- I can't bind SSH to 80 and 443 because my linode runs a webserver
Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.
I switched my SSH to port 21; now I can connect to SSH without any problems from my corporate network.
The problem is that as soon as I try to tunnel something over my SSH connection, the SSH connection is closed.
Does it depend on my linode or the corporate firewall?
Thanks.
@kyhwana:
@sblantipodi: I suggest that all suggesters understand what the problem is:
- I can't bind SSH to 80 and 443 because my linode runs a webserver
Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.
This is a great finding, I installed it on my linode, but how do I use this software now?
I cannot find a guide.
@sblantipodi:
@kyhwana:
@sblantipodi: I suggest that all suggesters understand what the problem is:
- I can't bind SSH to 80 and 443 because my linode runs a webserver
Use sslh, you can bind it to port 443 and it will forward to https/ssh depending on what you use to connect to it.
This is a great finding, I installed it on my linode, but how do I use this software now?
I cannot find a guide.
Read the readme/website.
@kyhwana:
Read the readme/website.
Readme doesn't help at all…
I change my 443 SSL port to 8443, and I switch my SSH port to 443.
How can I redirect all https traffic to 8443 using apache?
I switched the SSL port to 8443, I configured the sslh file,
port 443 is opened by sslh; when I try to connect to SSH using 443, my server says connection refused (tried also with iptables off)
any idea?
@sblantipodi:
I configured SSLH, started it correctly.
I switched the SSL port to 8443, I configured the sslh file,
port 443 is opened by sslh; when I try to connect to SSH using 443, my server says connection refused (tried also with iptables off)
any idea?
Are you sure sslh is actually running and listening on your external/public interface?
(Paste "sudo netstat -plant")
If I connect from a normal internet connection I can ssh to 4888 without problems.
Now I told SSLH to listen on 443 and to redirect the SSH traffic to 4888.
If I SSH to 443, I get connection refused also from a normal internet connection.
It also redirects the ssh traffic correctly to the ssh port, but SSH rejects this redirection;
probably I need to configure ssh.
any idea?
In my ssh_config file I had:
ListenAddress mylinodepublicip
with this configuration I was not able to use sslh correctly.
Now I changed to
ListenAddress 127.0.0.1
and now it works like a charm.
I have SSL running on 8443, SSH on 4888, and SSLH on 443 that correctly redirects SSH and HTTPS traffic to the correct port.
Are there security issues in this way of managing things?
Are there security issues with
ListenAddress 127.0.0.1
???
@vonskippy:
Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time.
//just saying//
I don't manage my hobby, I need to use an email client
@vonskippy:
Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time.
//just saying//
If you're replying to my post, note that I did not mention anything about ports, but instead the listening address. Unless the OP's Linode starts spamming his employer's network, I doubt they'll block his Linode's IP address.
Hence my suggestion not to use a listening address still stands, although this suggestion is entirely safe to ignore
@Piki:
use a listening address still stands, although this suggestion is entirely safe to ignore
:wink:
It seems that you know what ListenAddress is; what is this parameter exactly?
@sblantipodi:
@Piki: use a listening address still stands, although this suggestion is entirely safe to ignore
:wink: It seems that you know what ListenAddress is; what is this parameter exactly?
It's to tell sshd what IP addresses to listen for connections on.
For instance, if you decide to set up your Linode as a shared host, you could purchase a separate IP address for each individual customer. If you don't want those customers to have ssh access, you could have one additional IP address just for yourself (one your customers aren't allowed to use) and make sshd listen only on that reserved address.
This is just an example, there's nothing really stopping those customers from attempting to ssh to your reserved address (or using it for a domain). ListenAddress is probably best used on an internal network, however reasons for using it will vary.
Purchase a 2nd IP4 address and bind ssh to port 443 on that new IP address.
Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.
@kangaby:
You could bind ssh to port 443 on your IP6 address and hope the corporate network passes IP6 traffic.
Purchase a 2nd IP4 address and bind ssh to port 443 on that new IP address.
Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.
They inspect traffic, they have some other ports open, and they kill the connection if they don't see https traffic.
443 is open without any control and I solved it using the multiplexer on that port.
SSLH is a multiplexer that redirects all the incoming traffic on 443 to the correct port.
The huge problem in this approach is that all people who access my HTTPS site are redirected to 8443 (the port where SSL is listening) but with the 127.0.0.1 address.
My logs are full of different people using the HTTPS service, but the only IP address I find in the log now is 127.0.0.1.
This is clear because people connect to the HTTPS standard port (443) and the multiplexer redirects from localhost to 8443.
This way the logs mean nothing, I cannot trace any IP address and this is not good at all; fail2ban
obviously stopped working too.
Is there a possible solution to this problem?
Any idea?
@hoopycat:
Use a network connection that doesn't block port 22?
Come on, be serious! It's never that easy.
sslh does it a little differently though. From the README:
==== Transparent proxy support ====
On Linux (only?) you can use the --transparent option to
request transparent proxying. This means services behind sslh
(Apache, sshd and so on) will see the external IP and ports
as if the external world connected directly to them. This
simplifies IP-based access control (or makes it possible at
all).
sslh needs extended rights to perform this: you'll need to
give it cap_net_admin capabilities (see appropriate chapter)
or run it as root (but don't do that).
The firewalling tables also need to be adjusted as follows
(example to connect to https on 4443 -- adapt to your needs
(I don't think it is possible to have httpd listen to 443 in
this scheme -- let me know if you manage that)):
# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
This will only work if sslh does not use any loopback
addresses (no 127.0.0.1 or localhost), you'll need to use
explicit IP addresses (or names):
sslh --listen 192.168.0.1:443 --ssh 192.168.0.1:22 --ssl 192.168.0.1:4443
This will not work:
sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
I'm reading the readme too but I don't understand how to enable this "transparent mode"…
Have you understood it?
setsockopt: Operation not permitted
If I remove the --transparent it works like a charm.
I also did
setcap cap_net_bind_service,cap_net_admin+pe sslh
as a try
but same problem.
Any idea?
If it works as root that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.
@Ox-:
Can you try running it as root and see if it works?
If it works as root that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.
If I set
ListenAddress MYLINODEIP
in /etc/ssh/sshd_config
and I run it as root with these settings in /etc/rc.d/init.d/sslh
OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:22"
it works like a charm, but in this way it is using root.
setsockopt: Operation not permitted
if I run it as a normal user;
no problem as root.
Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:
iptables-save
My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:
-Tim
@theckman:
What exactly are you trying to do? What commands are you running?
Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:
iptables-save
My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:
-Tim
thanks for the answer:
# Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-DOVECOT - [0:0]
:fail2ban-SMTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-Squid - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-php-url - [0:0]
:fail2ban-roundcube - [0:0]
:fail2ban-squirrelmail - [0:0]
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-roundcube
-A INPUT -p tcp -m tcp --dport 3128 -j fail2ban-Squid
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-php-url
-A INPUT -p tcp -m multiport --dports 143,993,110,995 -j fail2ban-DOVECOT
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-SMTP
-A INPUT -p tcp -m tcp --dport 41414 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 443,1080 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443,1080 -j fail2ban-squirrelmail
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -m multiport --dports 80,1080 -j fail2ban-php-url
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 41414 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-DOVECOT -j RETURN
-A fail2ban-SMTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-Squid -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-php-url -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-squirrelmail -j RETURN
COMMIT
# Completed on Sat Oct 5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013
*security
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct 5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013
*raw
:PREROUTING ACCEPT [387:59380]
:OUTPUT ACCEPT [349:227280]
COMMIT
# Completed on Sat Oct 5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013
*nat
:PREROUTING ACCEPT [13:2474]
:POSTROUTING ACCEPT [58:3890]
:OUTPUT ACCEPT [58:3890]
COMMIT
# Completed on Sat Oct 5 21:24:10 2013
# Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013
*mangle
:PREROUTING ACCEPT [387:59380]
:INPUT ACCEPT [380:57250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [294:216695]
:POSTROUTING ACCEPT [352:229872]
:SSLH - [0:0]
-A OUTPUT -o eth0 -p tcp -m tcp --sport 41414 -j SSLH
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8443 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
COMMIT
# Completed on Sat Oct 5 21:24:10 2013
I have non standard ports for ssh and https
What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.
@theckman:
Those firewall rules seem a bit ridiculous, but have fun with that…
What are you trying to do that causes that error? I need a specific command, preferably with full prompt being shown as well as the error.
why ridiculous?
Have you got some better rules? Can you share them?
I'm starting sslh as a service in CentOS, the purpose is to connect to ssh and https using port 443.
It works fine if the /etc/rc.d/init.d/sslh
contains these lines:
OPTIONS="--user nobody --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"
This way the logs do not contain any valid IP address, because everyone who connects to https or ssh is logged as MYLINODEIP.
To solve this problem sslh gives the --transparent option, but this option doesn't work on my linode if not run as root.
OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
sslh --transparent --user MYEXISTING_USER --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:42424
plus
iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 42424 --jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;
works like a charm.
If I try to start it as a service with
service sslh start
it doesn't work: Operation not permitted.
Have you got any suggestions on starting it as a service?
Thanks.
Are you trying to start sslh as root?
-Tim
@theckman:
The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system.
Are you trying to start sslh as root?
-Tim
If I start it as root it works like a charm;
if I start it as a normal user it works like a charm;
if I start it at boot with
chkconfig sslh on
when I reboot I get the
setsockopt: Operation not permitted
error when I try to use the SSLH port to connect.
It seems that the sslh command loses the capabilities
(setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh)
when it starts as a service, and I don't want this.
Make sure it's changed to the final user before calling
sslh, if using --transparent.
Ok, but how can I change to final user before calling sslh?
OPTIONS="--transparent --user MYUSERNAME --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:NONSTANDARDPORT"
PIDFILE="/tmp/sslh"
start() {
    echo -n "Starting SSL-SSH-Switch: "
    if [ -f $PIDFILE ]; then
        PID=`cat $PIDFILE`
        echo sslh already running: $PID
        exit 2;
    else
        daemon --user MYUSERNAME $SSLH $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $PIDFILE
        ip rule add fwmark 0x1 lookup 100; ip route add local 0.0.0.0/0 dev lo table 100;
        return $RETVAL
    fi
}
stop() {
    echo -n "Shutting down SSL-SSH-Switch: "
    echo
    killproc sslh
    echo
    rm -f $PIDFILE
    ip rule del fwmark 0x1 lookup 100; ip route del local 0.0.0.0/0 dev lo table 100;
    return 0
}
I also added the ip route del/add and ip rule add/del so that I don't have to type these commands at every boot.
In /etc/ssh/sshd_config
I enabled
ListenAddress MYPUBLICIP
then I added these rules:
iptables -t mangle -N SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport NONSTANDARDPORT --jump SSLH;
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
iptables -t mangle -A SSLH --jump ACCEPT;
ip rule add fwmark 0x1 lookup 100;
ip route add local 0.0.0.0/0 dev lo table 100;
Problem solved!
Now fail2ban works again with the multiplexer running and I can correctly trace the IP of the user connecting to the multiplexed port.
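As an added example (not from this thread or the sslh project), this Python checker ties the README's transparent-mode requirements to the final init-script setup above: it parses an sslh OPTIONS string and an iptables-save dump and reports when a backend uses a loopback address or when no mangle OUTPUT rule marks that backend's source port, the two misconfigurations that leave sshd/Apache logs and fail2ban seeing only the proxy address. The address 192.0.2.10, the user name and the sample rules are constructed placeholders.

```python
import re
import shlex

# Loopback backends break sslh --transparent (the README excerpt above says to
# use the external IP, not 127.0.0.1, for the backends).
LOOPBACK_RE = re.compile(r"^(127\.|localhost$|::1$)")

def parse_sslh_options(options):
    """Return listen/ssl/ssh (host, port) targets and the --transparent flag."""
    args = shlex.split(options)
    cfg = {"transparent": "--transparent" in args}
    i = 0
    while i < len(args):
        flag = args[i]
        if flag in ("-p", "--listen", "--ssl", "--ssh") and i + 1 < len(args):
            key = "listen" if flag in ("-p", "--listen") else flag.lstrip("-")
            host, _, port = args[i + 1].rpartition(":")
            cfg[key] = (host, int(port))
            i += 2
        else:
            i += 1
    return cfg

def marked_source_ports(iptables_save_text):
    """TCP source ports whose OUTPUT traffic reaches a mangle chain that sets a fwmark."""
    table, jumps, marking_chains = None, {}, set()
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]  # "*mangle", "*filter", ...
            continue
        if table != "mangle" or not line.startswith("-A ") or " -j " not in line:
            continue
        tokens = line.split()
        chain, target = tokens[1], tokens[tokens.index("-j") + 1]
        if chain == "OUTPUT" and "--sport" in tokens:
            jumps.setdefault(target, set()).add(int(tokens[tokens.index("--sport") + 1]))
        if target == "MARK" and ("--set-mark" in tokens or "--set-xmark" in tokens):
            marking_chains.add(chain)
    return set().union(*(jumps.get(c, set()) for c in marking_chains))

def check_transparent_setup(options, iptables_save_text):
    """Findings list; empty means backends (and so fail2ban) will see real client IPs."""
    cfg = parse_sslh_options(options)
    if not cfg["transparent"]:
        return ["sslh runs without --transparent: backends will log the proxy address"]
    marked = marked_source_ports(iptables_save_text)
    findings = []
    for name in ("ssl", "ssh"):
        if name not in cfg:
            findings.append(f"no --{name} backend configured")
            continue
        host, port = cfg[name]
        if LOOPBACK_RE.match(host):
            findings.append(f"--{name} backend {host}:{port} is loopback; transparent mode needs the external IP")
        if port not in marked:
            findings.append(f"no mangle OUTPUT rule marks --sport {port}; {name} replies bypass routing table 100")
    return findings

# Constructed sample mirroring the thread's final setup: placeholder address
# 192.0.2.10, https moved to 8443, ssh on the non-standard port 41414.
SAMPLE_OPTIONS = "--transparent --user sslh -p 192.0.2.10:443 --ssl 192.0.2.10:8443 --ssh 192.0.2.10:41414"
SAMPLE_MANGLE = """\
*mangle
-A OUTPUT -o eth0 -p tcp -m tcp --sport 41414 -j SSLH
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8443 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
COMMIT
"""
if __name__ == "__main__":
    for line in check_transparent_setup(SAMPLE_OPTIONS, SAMPLE_MANGLE) or ["OK: sslh and mangle rules agree"]:
        print(line)
```

Feed it the real OPTIONS line and the output of iptables-save on the host; the ip rule / ip route entries are not visible to iptables-save and still have to be checked separately.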