sslh version 1.8+

Questions to IPFire Addons.
digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 12th, 2019, 9:40 am

Hi,

@cmisch

Thank you very much!
Could not figure out how to send a personal mail.

Digger

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 13th, 2019, 4:35 pm

Hi cmisch,

in the meantime I've installed the binaries.
First I installed the version offered by pakfire, then the package from ummeegge via update. Then I changed to your binaries, renaming sslh-fork > sslh.
I edited the file /etc/init.d/sslh, concatenating the example from ummeegge and your extension (see the attached file). The daemon starts and everything looks fine, but there is no connection to either the web server or ovpn.

Do I have to activate the setcap stuff? I'm a little bit confused. Hints are very welcome.

Greetings digger.
Attachments
sslhconf.rtf
(3.25 KiB) Downloaded 12 times

ummeegge
Community Developer
Posts: 4893
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » April 13th, 2019, 5:15 pm

Hi digger,
please also check that you restart sslh manually

Code:

/etc/init.d/sslh restart
since update.sh provides a restart command which is used by pakfire. You can also add '-v' to the configure options to get a little more verbose output. /var/log/messages should also display some more info on what is happening.
digger wrote:
April 13th, 2019, 4:35 pm
Then I changed to your binaries, renaming sslh-fork > sslh.
This should already be done during package building.
digger wrote:
April 13th, 2019, 4:35 pm
Do I have to activate the setcap stuff?
The setcap commands weren't needed here, but I also only connected via 127.0.0.20...

cmisch wrote:
April 11th, 2019, 7:07 pm
I would not recommend running sshd on an internet-reachable port.
You can ssh to your box after you connect via openvpn :-) (that's what I am doing)
Sure, me too :D .

Best,

UE

cmisch
Posts: 8
Joined: June 2nd, 2012, 9:39 pm
Location: Germany

Re: sslh version 1.8+

Post by cmisch » April 13th, 2019, 6:51 pm

Hi

@digger
please try to use --listen 0.0.0.0:443 and run with --user sslh

Code:

DAEMON_OPTS="
--user sslh
-n --transparent
--listen 0.0.0.0:443
--tls ${WEBSERVER}:${WEBSERV_PORT}
--openvpn ${LO}:${OVPN_PORT}
--pidfile /var/run/sslh.pid
-C /var/empty
"
Create the user sslh (if not already done)

Code:

# Add user and group for sslh if not already done
if ! grep -q sslh /etc/passwd; then
    groupadd sslh;
    useradd -g sslh -M -s /sbin/nologin sslh
fi
Make sure your init script is executable and the start/stop links exist

Code:

chmod 750 /etc/init.d/sslh
ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc0.d/K02sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc3.d/S98sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc6.d/K02sslh
ls -l /etc/rc.d/rc*.d/*sslh* /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
Did you check that openvpn runs on port 1194?
Check in /var/ipfire/ovpn/server.conf
port 1194
# no port-share option

Set the capabilities (just in case)

Code:

setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh-select
setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh-fork
I am using a link instead of copying

Code:

ln -svf /usr/sbin/sslh-fork /usr/sbin/sslh
or

Code:

ln -svf /usr/sbin/sslh-select /usr/sbin/sslh
Check the link

Code:

ls -l /usr/sbin/sslh* 
To check for errors, try to run the command on the command line in the foreground (-f)

Code:

/usr/sbin/sslh -v -f -u sslh -n --transparent --listen 0.0.0.0:443 --tls 192.168.3.222:443 --openvpn 127.0.0.20:1194 --pidfile /var/run/sslh.pid -C /var/empty
and check for errors.
It doesn't matter whether you use sslh-fork or sslh-select. The difference is explained on the author's website.

Wish you good luck for your tests

@ummeegge
About using ssh directly on port 443:
I thought you were using it because of your provided initscript with the included option --ssh 127.0.0.1:222, which accepts ssh and forwards it to local ssh on port 222


P.S.: I am offline again till next Wednesday :-(
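The checklist in this post (dedicated user, executable init script, rc links, the sslh symlink, OpenVPN on its own port without port-share, capabilities) can be verified in one go. The script below is an added example, not cmisch's attached init script or IPFire project code; it assumes the paths quoted in this thread and takes an optional root prefix so it can be run against a staged tree:

```shell
#!/bin/sh
# Added example (not from the thread or the IPFire project): verify the sslh
# prerequisites listed above. The optional ROOT argument (default: /) lets the
# same checks run against a staged directory tree instead of the live box.
#
# Usage: check_sslh_setup [ROOT]  -> prints one FAIL: line per problem,
#        returns 0 when everything is in place.

check_sslh_setup() {
    root="${1:-}"
    fails=0

    # 1. unprivileged service user with a no-login shell (as created by useradd above)
    if ! grep -q '^sslh:.*:/sbin/nologin$' "$root/etc/passwd" 2>/dev/null; then
        echo "FAIL: user sslh missing or has a login shell in $root/etc/passwd"
        fails=$((fails + 1))
    fi

    # 2. init script present and executable
    if [ ! -x "$root/etc/init.d/sslh" ]; then
        echo "FAIL: $root/etc/init.d/sslh missing or not executable"
        fails=$((fails + 1))
    fi

    # 3. the start/stop links exactly as created by the ln commands above
    for link in /etc/rc.d/rc0.d/K02sslh /etc/rc.d/rc3.d/S98sslh \
                /etc/rc.d/rc6.d/K02sslh /etc/rc.d/init.d/networking/red.up/50-sslh; do
        if [ ! -L "$root$link" ]; then
            echo "FAIL: link $root$link missing"
            fails=$((fails + 1))
        fi
    done

    # 4. /usr/sbin/sslh must be a link to one of the two real binaries
    target=$(readlink "$root/usr/sbin/sslh" 2>/dev/null)
    case "$target" in
        */sslh-fork|*/sslh-select|sslh-fork|sslh-select) ;;
        *)  echo "FAIL: $root/usr/sbin/sslh is not a link to sslh-fork or sslh-select"
            fails=$((fails + 1)) ;;
    esac

    # 5. OpenVPN must listen on 1194 itself; port-share would compete with sslh for 443
    conf="$root/var/ipfire/ovpn/server.conf"
    if ! grep -q '^port 1194' "$conf" 2>/dev/null; then
        echo "FAIL: 'port 1194' not found in $conf"
        fails=$((fails + 1))
    fi
    if grep -q '^port-share' "$conf" 2>/dev/null; then
        echo "FAIL: port-share is set in $conf"
        fails=$((fails + 1))
    fi

    # 6. capabilities on the real binaries: informational only, checked on the live
    #    system when getcap is installed (they matter only if sslh is not started as root)
    if [ -z "$root" ] && command -v getcap >/dev/null 2>&1; then
        for bin in /usr/sbin/sslh-fork /usr/sbin/sslh-select; do
            [ -e "$bin" ] || continue
            if ! getcap "$bin" 2>/dev/null | grep -q cap_net_bind_service; then
                echo "WARN: $bin has no cap_net_bind_service"
            fi
        done
    fi

    return "$fails"
}

# Run the live check only when explicitly asked: sh check.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then
    check_sslh_setup "${2:-}"
fi
```

The return value is the number of failed checks, so the function can be dropped into an init script's start path to refuse to start with a half-installed package.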

ummeegge
Community Developer
Posts: 4893
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » April 13th, 2019, 8:02 pm

Hi all,
cmisch wrote:
April 13th, 2019, 6:51 pm
@ummeegge
About using ssh directly on port 443:
I thought you were using it because of your provided initscript with the included option --ssh 127.0.0.1:222, which accepts ssh and forwards it to local ssh on port 222
I tried to get close to the old configuration with this --> https://git.ipfire.org/?p=ipfire-2.x.gi ... s/next#l23 which can make sense if you do not use any kind of VPN, but this might also be worth a discussion on the dev mailing list...
cmisch wrote:
April 13th, 2019, 6:51 pm
Create the user sslh (if not already done)

Code:

# Add user and group for sslh if not already done
if ! grep -q sslh /etc/passwd; then
    groupadd sslh;
    useradd -g sslh -M -s /sbin/nologin sslh
fi
Make sure your init script is executable and the start/stop links exist

Code:

chmod 750 /etc/init.d/sslh
ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc0.d/K02sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc3.d/S98sslh
ln -svf /etc/init.d/sslh /etc/rc.d/rc6.d/K02sslh
ls -l /etc/rc.d/rc*.d/*sslh* /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
The initscript permissions are 754 but the rest should be part of the package -->

Code:

$ grep 'sslh' /etc/passwd /etc/group 
/etc/passwd:sslh:x:1007:1007::/home/sslh:/sbin/nologin
/etc/group:sslh:x:1007:

Code:

$ ls /etc/rc.d/rc?.d | grep sslh
K02sslh
S98sslh
K02sslh
In my opinion we have meanwhile collected some good info in here; it might be worth a new wiki if the update gets shipped and if digger can also give some positive feedback?
cmisch wrote:
April 13th, 2019, 6:51 pm
P.S.: I am offline again till next Wednesday :-(
Have a good time, and I am happy to see you again in here :) .

Best,

UE

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 14th, 2019, 7:36 pm

Hi all,

thanks for the reply.

I have some strange behaviours.
Starting the test in the foreground, I got some responses on the console.

**** writing deferred on fd -1
probing for tls: PROBE_MATCH
connecting to 192.168.3.222:443 family 2 len 16
forward to tls failed:connect: Connection timed out
sslh-fork.c:110:connect: Connection timed out

Obviously sslh could not connect to the web server in the DMZ. Is a firewall rule needed for the webserver's reply, allowing it to connect to sslh?


After that initial test there was no further output on the console; when starting the test again, nothing happens.

digger

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 14th, 2019, 7:47 pm

@ummeegge


Slightly different output:

[root@ipfire ~]# grep 'sslh' /etc/passwd /etc/group
/etc/passwd:sslh:x:1002:1002::/home/sslh:/sbin/nologin
/etc/group:sslh:x:1002:

1002 not 1007

Does this matter?

digger

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 14th, 2019, 8:45 pm

It seems that after that initial response every connection to sslh is blocked.

In the firewall log - DROP_INPUT port 443.
How to fix that?

I think the initial success results from ovpn, which was running on that port before, being briefly disabled.
I've created a rule: opening port 443 pointing to the red interface.
No success.

I'm sure it's a problem of the firewall. Can't open the port for connecting.

digger

ummeegge
Community Developer
Posts: 4893
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » April 15th, 2019, 2:00 pm

Hi digger,
digger wrote:
April 14th, 2019, 7:47 pm
1002 not 1007

Does this matter?
No.
digger wrote:
April 14th, 2019, 8:45 pm
I'm sure it's a problem of the firewall. Can't open the port for connecting.
I am not sure about this; I am missing a little the jump into the SSLH chain, but I am also currently not into that specific. Maybe cmisch has some usable debugging ideas related to that one?

I am currently also a little out of time to step into a deeper testing round with this...


Best,

UE

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 19th, 2019, 11:21 am

Hi ummeegge,

thanks for the reply, I will stay tuned.

Happy Easter!

digger

cmisch
Posts: 8
Joined: June 2nd, 2012, 9:39 pm
Location: Germany

Re: sslh version 1.8+

Post by cmisch » April 20th, 2019, 11:33 am

Hi

The uid of sslh should have no effect.

I am using sslh-select (but sslh-fork works too on my setup)

I am using the attached /etc/init.d/sslh script (check your settings at the top of the file).
Check the firewall rules in the functions SET_ROUTE_FUNCT() and DEL_ROUTE_FUNCT().
The mangle rules are needed to get the answer of the webserver routed.
(This was the problem on my setup when I started using a webserver not running on the ipfire machine.)

Check your firewall rules to/from the webserver.
You need a rule at the firewall to accept packets from/to ${WEBSERVER} on port 443.
digger wrote:
In the firewall log - DROP_INPUT port 443.
How to fix that?

I've created a rule: opening port 443 pointing to the red interface.
No success.
Yes, you need a rule to accept TCP 443 on Firewall RED from Standard networks Any.
I assume the source of the dropped packets is your webserver too?
You also need to accept packets on 443 at the ORANGE interface because the answer from your webserver must be modified.
sslh will set your ipfire machine as source in the packet that is sent to the webserver.
The webserver will answer with destination ipfire at the orange interface.
This has to be translated back to the original source IP.
Try in addition
Source WebserverIP Destination Standard networks Any TCP 443
Source Firewall Orange Destination WebserverIP All

The needed rules depend on your general rules (default deny all policy, Blocked on all chains).
As I remember, there was a change in core update 128 so that you now need rules from the DMZ to the internet.
"of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. "

Code:

export WEBSERVER="192.168.3.222"
iptables -L FORWARDFW -n |grep ${WEBSERVER}
iptables -L OUTGOINGFW -n |grep ${WEBSERVER}
I always tested using the command line till it worked.

Code:

export LO="127.0.0.20"
export TABLE="100"
export WEBSERVER="192.168.3.222"
export WEBSERV_PORT=443
export OVPN_PORT=1194

# policy routing: marked packets and packets from ${LO} use table ${TABLE},
# whose single "local" route delivers them to the box itself so sslh's
# transparent socket receives the webserver's replies
ip rule add fwmark 0x1 lookup ${TABLE}
ip route add local 0.0.0.0/0 dev lo table ${TABLE}
ip rule add from ${LO}/32 table ${TABLE}
ip route flush cache
# mark the webserver's replies (source port 443) before the routing decision
iptables -t mangle -N SSLH
iptables -t mangle -A SSLH -j MARK --set-mark 0x1
iptables -t mangle -A SSLH -j ACCEPT
iptables -t mangle -I PREROUTING -p tcp -s ${WEBSERVER} --sport ${WEBSERV_PORT} -j SSLH

/usr/sbin/sslh-select -v -f -u sslh -n --transparent --listen 0.0.0.0:443 --tls ${WEBSERVER}:${WEBSERV_PORT} --openvpn ${LO}:${OVPN_PORT} --pidfile /var/run/sslh.pid -C /var/empty

# teardown: the delete must match the insert above exactly (same source and port)
iptables -t mangle -D PREROUTING -p tcp -s ${WEBSERVER} --sport ${WEBSERV_PORT} -j SSLH
iptables -t mangle -F SSLH
iptables -t mangle -X SSLH
ip rule del from ${LO}/32 table ${TABLE}
ip route del local 0.0.0.0/0 dev lo table ${TABLE}
ip rule del fwmark 0x1 lookup ${TABLE}
ip route flush cache
You may also use the following commands to check your setup and packets

Code:

ip rule show
ip route show
tcpdump -ni orange0 -vv dst port 443
Hope that helps and you find the missing rule.
Attachments
sslh.txt
rename to sslh and place at /etc/init.d/sslh and use dos2unix
(3.04 KiB) Downloaded 8 times
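The routing and mangle commands above are the part of a transparent sslh setup that is easiest to get wrong: the "down" list is typed by hand and can drift from the "up" list (the test list in this post deletes a PREROUTING rule for a different source address than the one it inserted). The script below is an added example, not cmisch's attached init script or IPFire code; it builds both lists from the same variables, defaults to the constructed values used in this thread, and prints the commands instead of running them unless DRY_RUN=0, so it can be reviewed before it touches the firewall:

```shell
#!/bin/sh
# Added example (not cmisch's script, not IPFire code): up/down handling for
# the policy routing and mangle rules that sslh --transparent needs on IPFire.
# All values are the constructed ones from this thread and can be overridden
# from the environment. DRY_RUN=1 (the default) prints instead of executing.

LO="${LO:-127.0.0.20}"
TABLE="${TABLE:-100}"
FWMARK="${FWMARK:-0x1}"
WEBSERVER="${WEBSERVER:-192.168.3.222}"
WEBSERV_PORT="${WEBSERV_PORT:-443}"
OVPN_PORT="${OVPN_PORT:-1194}"
DRY_RUN="${DRY_RUN:-1}"

# execute one command, or print it in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return path: the webserver's replies come back in on ORANGE. They are marked
# in mangle/PREROUTING, and the marked packets are looked up in a table whose
# only route is "local 0.0.0.0/0 dev lo", so the kernel hands them to sslh's
# transparent socket instead of forwarding them towards the internet.
sslh_transparent() {
    case "$1" in
    up)
        run ip rule add fwmark "$FWMARK" lookup "$TABLE"
        run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
        run ip rule add from "$LO/32" table "$TABLE"
        run iptables -t mangle -N SSLH
        run iptables -t mangle -A SSLH -j MARK --set-mark "$FWMARK"
        run iptables -t mangle -A SSLH -j ACCEPT
        run iptables -t mangle -I PREROUTING -p tcp -s "$WEBSERVER" --sport "$WEBSERV_PORT" -j SSLH
        ;;
    down)
        # exact mirror of "up", in reverse order, built from the same variables
        run iptables -t mangle -D PREROUTING -p tcp -s "$WEBSERVER" --sport "$WEBSERV_PORT" -j SSLH
        run iptables -t mangle -F SSLH
        run iptables -t mangle -X SSLH
        run ip rule del from "$LO/32" table "$TABLE"
        run ip route del local 0.0.0.0/0 dev lo table "$TABLE"
        run ip rule del fwmark "$FWMARK" lookup "$TABLE"
        ;;
    *)
        echo "usage: sslh_transparent up|down" >&2
        return 2
        ;;
    esac
    run ip route flush cache
}

# the foreground test command from this thread, with the same variables
sslh_foreground() {
    run /usr/sbin/sslh -v -f -u sslh -n --transparent --listen 0.0.0.0:443 \
        --tls "$WEBSERVER:$WEBSERV_PORT" --openvpn "$LO:$OVPN_PORT" \
        --pidfile /var/run/sslh.pid -C /var/empty
}

# Self-check: the PREROUTING rule deleted by "down" must be the one inserted
# by "up"; a mismatch leaves a stale mark rule behind after every restart.
sslh_rules_symmetric() {
    up=$(DRY_RUN=1; sslh_transparent up | grep PREROUTING | sed 's/ -I PREROUTING / -D PREROUTING /')
    dn=$(DRY_RUN=1; sslh_transparent down | grep PREROUTING)
    [ -n "$up" ] && [ "$up" = "$dn" ]
}
```

Typical use while debugging is `DRY_RUN=0 sh -c '. ./sslh-transparent.sh; sslh_transparent up; sslh_foreground; sslh_transparent down'` from a root shell, then `ip rule show` and `iptables -t mangle -L SSLH -n -v` to confirm the rules are gone again.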

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 20th, 2019, 11:51 am

Hi cmisch,

thanks for the reply.
Will give it a try on Monday.
Happy Easter!

Digger

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 21st, 2019, 11:58 am

Many thanks to cmisch and ummeegge!

It works!

digger

ummeegge
Community Developer
Posts: 4893
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » April 21st, 2019, 5:59 pm

Hi all,
Just to take now one step further and get a good plan for a merge request: I would leave the initscript pretty much the same as it was before, so I would leave the transparent option completely out and bring all back to 127.0.0.1. Are you guys ready for a nice wiki where we can extend the knowledge collected in here? I would start with a regular wiki and you extend it to the transparent options?

Sounds good?

Best, and a happy Easter celebration to you.

UE

digger
Posts: 14
Joined: August 13th, 2017, 10:32 am

Re: sslh version 1.8+

Post by digger » April 28th, 2019, 12:09 pm

Hi all,

ummeegge, what is to be done by me?

digger
