sslh version 1.8+

slilie
Posts: 12
Joined: January 20th, 2011, 9:49 pm

sslh version 1.8+

Post by slilie » February 3rd, 2014, 11:47 am

Hi,

I have seen that sslh is only available in version 1.7. Newer versions allow running OpenVPN and https and ssl on the same port, while 1.7 has no support for OpenVPN. Is it possible to update sslh to a newer (latest) version (source here: http://www.rutschle.net/tech/sslh-1.15.tar.gz)? Is there any developer available who could run the compile? I will certainly do the testing and report back and even write a Wiki page for it, but I don't have the time to jump through all the hoops to get a development system set up.
Thanks
Sven

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » February 5th, 2014, 9:22 am

Hi slilie,
I have now compiled sslh-1.15 without libconfig or libwrap. You can download it from here --> http://people.ipfire.org/~ummeegge/sslh-1.15/

Installation:
- Copy sslh-1.15-5.ipfire to /opt/pakfire/tmp.
- Unpack it with


tar xvf sslh-1.15-5.ipfire

- Install it with


./install.sh

- [ctrl - c] brings the console back to life.

You can find the etc.default.sslh file under /etc/sslh; it is probably a good idea to make a copy of it and rename the copy to sslh <-- this name is important for the initscript.
I haven't copied the initscript into the .ipfire package yet, but you can try this one, which is slightly modified from the one in the source package:


#! /bin/sh

### BEGIN INIT INFO
# Provides:          sslh
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      1
# Short-Description: sslh proxy ssl & ssh connections
### END INIT INFO

set -e
tag=sslh
facility=user.info

# /etc/init.d/sslh: start and stop the sslh proxy daemon

# Configuration (USER, PID, LISTEN, SSH, SSL) comes from the copy of
# etc.default.sslh renamed to /etc/sslh/sslh.
if test -f /etc/sslh/sslh; then
    . /etc/sslh/sslh
fi

# The prefix is normally filled by make install. If
# installing by hand, fill it in yourself!
PREFIX=/usr
DAEMON=$PREFIX/sbin/sslh

start()
{
    echo "Start services: sslh"
    $DAEMON --user ${USER} --pidfile ${PID} --listen ${LISTEN} --ssh ${SSH} --ssl ${SSL}
    logger -t ${tag} -p ${facility} -i 'Started sslh'
}

stop()
{
    echo "Stop services: sslh"
    killall $DAEMON
    logger -t ${tag} -p ${facility} -i 'Stopped sslh'
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 5
        start
        ;;
    *)
        echo "Usage: /etc/init.d/sslh {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0


copy it to /etc/rc.d/init.d with the name sslh.

- After you have made your appropriate configuration, it should be possible to start|stop|restart sslh with an


/etc/init.d/sslh start|stop|restart


I haven't tested it because that's your job now :).

Greetings

UE

EDIT: I have also looked up sslh's position in the different runlevels.

rc0.d K02sslh
rc3.d S98sslh
rc6.d K02sslh

On a system where you haven't installed sslh before, you can set the symlinks like this:


ln -s ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
ln -s ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
ln -s ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
Last edited by ummeegge on February 6th, 2014, 6:22 am, edited 1 time in total.
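Two hardening helpers for the init script above, added here as an example; they are not part of the .ipfire package or of the sslh source. The script sources /etc/sslh/sslh and expands USER, PID, LISTEN, SSH and SSL without checking them, and USER in particular is usually already set in root's environment, so a config that forgets it would typically start sslh with --user root and never drop privileges. check_sslh_config refuses such a file (and a world-writable one, since sourcing executes it as root); stop_by_pidfile replaces killall with a kill of the one PID that sslh wrote to ${PID}. The variable names are the posted script's; the file paths and the demo config are constructed.

```shell
#!/bin/sh
# Added example (not from the IPFire package or the sslh source): helpers that
# harden the posted init script. Variable names are the ones the posted
# start() line expands; paths and the demo config are constructed.

REQUIRED_VARS="USER PID LISTEN SSH SSL"

# check_sslh_config FILE
# Sources FILE in a subshell (nothing leaks into the caller), after unsetting
# the required names so values inherited from the environment (USER!) cannot
# mask a missing setting. Returns 0 when every required variable is set and
# non-empty, 1 otherwise. FILE runs as shell code, so a world-writable file is
# refused outright.
check_sslh_config() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "config $file is missing or unreadable" >&2
        return 1
    fi
    # -perm -002: the other-write bit is set
    if [ -n "$(find "$file" -perm -002 2>/dev/null)" ]; then
        echo "config $file is world-writable, refusing to source it" >&2
        return 1
    fi
    missing=$(
        for v in $REQUIRED_VARS; do unset "$v"; done
        . "$file" || exit 99
        for v in $REQUIRED_VARS; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || printf '%s ' "$v"
        done
    ) || { echo "config $file could not be sourced" >&2; return 1; }
    if [ -n "$missing" ]; then
        echo "config $file: missing or empty: $missing" >&2
        return 1
    fi
    return 0
}

# stop_by_pidfile PIDFILE
# Sends SIGTERM only to the PID recorded by "sslh --pidfile" and removes the
# file, instead of killall on the binary name (which would also hit a second
# instance started by hand for testing). Returns 0 when the process was
# signalled or nothing was running, 1 when the file does not hold a PID.
stop_by_pidfile() {
    pidfile="$1"
    [ -f "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "$pidfile does not contain a PID: '$pid'" >&2; return 1 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid" || return 1
    fi
    rm -f "$pidfile"
}

# Stand-alone demo with a constructed config that forgets SSL:
#   sh this_script.sh demo   -> "config rejected"
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'USER=sslh\nPID=/var/run/sslh.pid\nLISTEN=0.0.0.0:443\nSSH=localhost:22\n' > "$tmp"
    if check_sslh_config "$tmp"; then echo "config OK"; else echo "config rejected"; fi
    rm -f "$tmp"
fi
```

In the init script, call check_sslh_config /etc/sslh/sslh before start() and stop_by_pidfile "$PID" in stop(); both only rely on POSIX sh, find and kill, so they fit the IPFire base system.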

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 12th, 2014, 1:18 pm

Was there any reply in this case by slilie or anyone else?

I'd love to have a modern SSLH on my ipfire to use Tunnelier with. This way I would be able to ditch my WinSSHD running on a box behind ipfire, but I have far too little knowledge of Unix-like systems to get this stuff running in the form it currently is.

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » June 12th, 2014, 2:50 pm

No !!!
slilie wrote:Is there any developer available that could run the compile? I will certainly do the testing and report back and even write a Wiki page for it but I don't have the time to jump through all the hoops to get a development system set up.

I did the requested job (it's only my time) but there was no response :(.

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 12th, 2014, 8:30 pm

A real pity, but thanks for your response nonetheless. :)

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » June 13th, 2014, 4:46 pm

You're welcome.
As a sideline, stunnel --> http://wiki.ipfire.org/en/addons/stunnel/start is meanwhile also available on IPFire.

UE

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 13th, 2014, 5:12 pm

stunnel sounds good, but I'm really unsure whether it would be able to handle what I need.

The current situation is: my Windows box at home runs Bitvise WinSSHD on port 443, and I have a destination NAT configured on the ipfire box.

The (Windows) client is behind an HTTP proxy and uses Bitvise Tunnelier to connect to the WinSSHD through the proxy. The proxy is the only way for me to reach the internet; that's why I have to use port 443. I then tunnel stuff like VNC through that to be able to reach my box at home from behind the proxy server.

Would that be possible with stunnel?

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » June 15th, 2014, 10:43 am

It's now OT, but take a look into this --> http://www.symantec.com/connect/article ... -microsoft ; you need to check by yourself whether it fits your needs.

Otherwise, an sslh-1.15 binary for IPFire is linked in this thread; I think it also isn't that hard to install (all is described above) and to make a fast test of how it works.

UE

penne
Posts: 682
Joined: September 21st, 2011, 12:48 pm

Re: sslh version 1.8+

Post by penne » June 15th, 2014, 10:51 am

With SSH you can set up a tunnel too... I guess there's no need to install additional software.

http://netz10.de/2011/01/10/ssh-tunnel/

greets

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: sslh version 1.8+

Post by ummeegge » June 15th, 2014, 1:01 pm

It depends on the kind of proxy filtering, I think (SSH uses its own protocol), but possibly it is also o.k.

UE

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 15th, 2014, 1:04 pm

As the WinSSHD also uses SSH, maybe it would be fine... I'd have to test that.

But how can I change the port SSH listens on to 443? 22 or 222 won't work from behind the proxy. I guess a simple PAT rule in the ipchains/firewall rules wouldn't work for a local service, right?

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 16th, 2014, 11:16 am

Found it: I just added port 80 in /etc/ssh/sshd_config as a test and allowed external access to that port. Works like a charm!

Very cool, I always thought I'd need additional software to do that...

Only remaining question: when I press the "Save" button in the SSH config GUI, it changes the config file as well. After that there are two lines "Port 22" and my port 80 is gone.

Will that only happen when I change the config, or would that also happen when I install an update?

But nonetheless, thanks to everyone in this Thread. :)

penne
Posts: 682
Joined: September 21st, 2011, 12:48 pm

Re: sslh version 1.8+

Post by penne » June 16th, 2014, 11:43 am

Hoi,

There's no need to change the internal SSH port... you can make an external port forwarding from 443 to internal 22...

greets

Duglum
Posts: 21
Joined: October 7th, 2009, 7:47 pm

Re: sslh version 1.8+

Post by Duglum » June 16th, 2014, 3:20 pm

Just tried that... it works!

Aaaand there goes the WinSSHD. Thank you very much. :)

cmisch
Posts: 8
Joined: June 2nd, 2012, 9:39 pm
Location: Germany

Re: sslh version 1.8+

Post by cmisch » April 1st, 2019, 1:31 pm

Hi

(Yes, I know it's an old topic.)
I am searching for an sslh version to run a webserver in the DMZ and openvpn on port 443,
as the openvpn port-share option changes the source IP in the apache logfile.
The IPFire-included sslh v1.7a does not support the --openvpn option.
Unfortunately your provided link to version 1.15 in this thread is gone.

Not so easy to get it running:
From the sslh description I need the --transparent option, which needs libcap, or sslh has to run as root.
I managed to compile sslh-v1.20 with libconfig and libcap!
Maybe IPFire does not support libcap? Found in log/_build.base.log: libcap support: no
but


setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh-fork
works and the log shows
turning into sslh
capabilities: = cap_net_admin+ep
Now I am failing at the firewall rules needed for the transparent proxy.
The needed rules from the sslh description are:


iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
My log shows
connecting to 192.168.x.x:https family 2 len 16
forward to tls failed:connect: Connection timed out
sslh-fork.c:110:connect: Connection timed out
forward to tls failed:connect: Connection timed out
sslh-fork.c:110:connect: Connection timed out
and there is no incoming packet on my webserver.

Can someone help me to adapt the rules to ipfire?
I think I need to apply the rules to POSTROUTING?
Is it possible at all?

Thanks for any answer
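An added example, not from the sslh project or from IPFire, that applies the four rules quoted above idempotently and checks the prerequisites the post mentions before touching anything. Two points worth seeing in code: the rules act only in the OUTPUT chains, i.e. on packets this host itself generates, and the `local 0.0.0.0/0` route in table 100 hands every marked packet to the local stack; that is the sslh README's setup for backends on the same host as sslh, whereas a backend on another host needs its replies routed back through the sslh host, which these rules alone do not arrange. The script therefore warns for every backend address that is not local. Assumed names: the user `sslh`, the binary `/usr/sbin/sslh-fork` with the capabilities set as in the post, and a BACKENDS list you fill in; `hostname -I` is used to learn this host's addresses.

```shell
#!/bin/sh
# Added example (not sslh's or IPFire's code): idempotent setup and checks for
# the transparent-proxy rules quoted in the post. Assumptions: sslh runs as
# user "sslh", the binary is /usr/sbin/sslh-fork, BACKENDS lists the hosts
# sslh forwards to. Applying the rules needs root.

SSLH_USER="sslh"
SSLH_BIN="/usr/sbin/sslh-fork"
MARK_TABLE=100
BACKENDS="127.0.0.1"   # constructed default; put your real --ssl/--ssh/--openvpn targets here

# backend_is_local ADDR LOCAL_ADDRS
# Returns 0 when ADDR is loopback or one of the space-separated LOCAL_ADDRS
# (this host's own IPv4 addresses), 1 otherwise. The quoted rule set only
# covers backends for which this returns 0.
backend_is_local() {
    addr="$1"; locals="$2"
    case "$addr" in
        localhost|127.*) return 0 ;;
    esac
    for l in $locals; do
        [ "$l" = "$addr" ] && return 0
    done
    return 1
}

# warn_remote_backends LOCAL_ADDRS: print a warning per non-local backend;
# returns the number of such backends (0 = the quoted rules suffice).
warn_remote_backends() {
    n=0
    for b in $BACKENDS; do
        if ! backend_is_local "$b" "$1"; then
            echo "backend $b is not on this host: replies from it must be routed back" \
                 "through this host and marked in PREROUTING; the OUTPUT rules below do not do that" >&2
            n=$((n + 1))
        fi
    done
    return $n
}

# ensure_rule TABLE CHAIN RULE...: append only if an identical rule is absent
# (iptables -C), so re-running (e.g. from a firewall reload hook) adds no duplicates.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# check_prereqs: the unprivileged user exists and the binary carries cap_net_admin,
# which --transparent needs when sslh is not running as root.
check_prereqs() {
    id "$SSLH_USER" >/dev/null 2>&1 || { echo "user $SSLH_USER missing" >&2; return 1; }
    [ -x "$SSLH_BIN" ] || { echo "$SSLH_BIN not executable" >&2; return 1; }
    getcap "$SSLH_BIN" 2>/dev/null | grep -q cap_net_admin ||
        { echo "$SSLH_BIN lacks cap_net_admin (setcap as in the post)" >&2; return 1; }
}

apply_transparent_rules() {
    check_prereqs || return 1
    warn_remote_backends "$(hostname -I 2>/dev/null)" || true
    # Mark new connections opened by the sslh user (first SYN only).
    ensure_rule nat OUTPUT -m owner --uid-owner "$SSLH_USER" -p tcp \
        --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
    # Copy that connection mark onto packets of those connections that would
    # leave on a non-loopback interface.
    ensure_rule mangle OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f \
        -j CONNMARK --restore-mark --mask 0x0f
    # Policy routing: marked packets use table 100, whose only route delivers
    # everything to the local stack. "ip route replace" is idempotent.
    ip rule show | grep -q "fwmark 0x1 lookup $MARK_TABLE" ||
        ip rule add fwmark 0x1 lookup "$MARK_TABLE"
    ip route replace local 0.0.0.0/0 dev lo table "$MARK_TABLE"
}

case "${1:-}" in
    apply) apply_transparent_rules ;;
    check) warn_remote_backends "$(hostname -I 2>/dev/null)" && echo "all backends are local" ;;
esac
```

Run `sh sslh-transparent.sh check` first; only when it reports all backends as local do the quoted rules describe the complete packet path, and `apply` can then be put into a firewall reload hook without accumulating duplicate rules.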
