TMBTC Post

Setting up sslh as a protocol demultiplexer


SSH SSLH SSL

Setting up sslh as a protocol demultiplexer

2017-10-05
setting-up-sslh-as-a-protocol-demultiplexer
I've recently run into a situation where I couldn't access my servers from within a client's network. They severely limited outgoing ports and, unfortunately, ssh was one of those blocked. After a bit of searching I came across sslh.

sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client. By default, probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are already implemented, and any other protocol that can be tested using a regular expression, can be implemented.

According to the sslh website, its already packaged for Debian, Gentoo, and FreeBSD and a few other systems. The steps below will be based off one of my Unbuntu machines. Lets get started.
Install it via normal method.
sudo apt-get install sslh
During the install process, you might get asked if you want to install sslh as a service or stand alone. I chose service because I'm running this on a server. For desktop and development / testing standalone might work better for you.


The process is disabled by default so you don't have to worry about your web server breaking just yet. There is a rough quickstart guide here (but the man page is a bit easier to follow when looking for details):
/usr/share/doc/sslh/README.Debian

Apache2

Because sslh will be listening to port 443, you will need to configure your web server to listen to 443 on your loopback interface (127.0.0.1). The following pertains to Apache; however, I'm sure with a little googling you can probably find a guide on how to change the listening interface for your chosen web server.

On Apache change the /etc/apache2/ports.conf file updating all of the Listen directives from this:
Listen 443
to this:
Listen 127.0.0.1:443
If you’re using Virutalhosts in Apache, make sure to update all of the SSL configurations changing the virtualhost listening interface:port info from this:
virtualhost *:443
to this:
virtualhost 127.0.0.1:443
Restart Apache and validate its listening to the correct interface.
$ sudo netstat -plunt | grep apache | grep 443
The result should look something like this:
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      14923/apache2
You can see apache is now listening to port 443 on the loopback interface (127.0.0.1).

sslh

Now it's time to configure sslh. The configuration can be found here /etc/default/sslh.
sudo vi /etc/default/sslh
We need to change two things, first set it so sslh will start, so change
RUN=no
to yes
RUN=yes
We now need to change the IP that sslh will be listening to for https :443 and ssh :22 connections, so we’ll change this line
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
To another use another IP, I used the systems local IP (yours will be different)
DAEMON_OPTS="--user sslh --listen 10.10.0.110:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
Start sslh
sudo /etc/init.d/sslh start
Check to see if sslh is listening to port 443 on your local IP (in the example above 10.10.0.110).
sudo netstat -plunt | grep 443
The result should look something like this:
tcp        0      0 10.10.0.110:443        0.0.0.0:*               LISTEN      15150/sslh
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      14923/apache2
You can see sslh is listening on 10.10.0.110 and apache2 is listening on 127.0.0.1.
Test your connection from a remote host, pointing to your IP or Domain using port 443
ssh -p 443 user@domainname.com
If you ran into any issues, try running ssh and adding the -v switch to help debug the issue. The sslh service writes it's logs /var/log/syslog so be sure to check that too.
Hope you found this useful. Happy ssh'ing.

You might also like
simple-bash-script-to-email-server-status

Simple Bash Script To Email Server Status

2012-08-22

I didn't want to constantly have to log into my servers in order to check on key performance indicators so I decided to write a simple script that would do the checking for me. After collecting results, the script emails them to me. There are a few tools called within the script you might need to install. I also convert any tabs into spaces in order to make sure things line up nicely inside my email. #!/bin/bash SERVER="myserver001" TOEMAIL="admin@myservers.com" FROMEMAIL="myserver001@myserverscom" # Who is logged in and what are they up to WHO=`w` #


Read More...

how-to-fix-pagehandlerfactory-integrated-has-a-bad-module-when-setting-up-asp-net

How to fix: “PageHandlerFactory-Integrated” has a bad module when setting up ASP.NET

2012-08-22

I was recently setting up IIS 7.5 on Windows 2008 R2 for an ASP.NET site and came across the following 500 error: Handler "PageHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list. After a bit of searching, it turns out ASP.NET was not completely installed with IIS even though I checked that box in the "Add Feature" dialog. I found a number of suggestions but found this command. It fixed my issues and got rid of the error. %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i For a 32 bit system, use the


Read More...