Sharing one port between SSL, SSH and OpenVPN

As I’m running many different Linux servers I’m always looking for new features.

Just today I found an article about SSLH. It allows you to run different services on one port by identifying the protocol from the first bytes the client sends.

This is a technique I'm already using on my Java server, where I run an HTTP server and my own protocols on one port, because each of them identifies itself by a different but constant header.

It also looks to me like a very simple way to mask that SSH or OpenVPN is actually running on the server.
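To show what "identifying the protocol from the first bytes" means in practice, here is a small demultiplexer written for this post as an illustration; it is not sslh's own code. It sniffs the start of each TCP connection, classifies it as TLS, SSH or OpenVPN, and forwards it to the matching backend. The backend addresses mirror the OPTIONS line used later in the post, and the detection rules, the 2-second probe timeout and the fallback to SSH when the client stays silent are assumptions chosen for the example (sslh's real probes and defaults differ in detail).

```python
"""Minimal sslh-style protocol demultiplexer (added example, not sslh's code).

Reads the first bytes of a TCP connection, decides which backend the client
is talking to, replays those bytes to the backend and then pipes both ways.
"""
import asyncio
import struct

# Assumed backends: same split as the OPTIONS line in the post.
BACKENDS = {
    "ssl":     ("127.0.0.1", 443),
    "ssh":     ("127.0.0.1", 22),
    "openvpn": ("127.0.0.1", 8080),
}
PROBE_TIMEOUT = 2.0   # assumed: seconds to wait for the client's first bytes
ON_TIMEOUT = "ssh"    # assumed fallback when the client sends nothing first


def classify(data: bytes):
    """Classify the first bytes of a connection.

    Returns a backend name, None if more bytes are needed to decide,
    or "unknown" if nothing matches (the caller should drop it).
    """
    if not data:
        return None
    # SSH: the client sends its identification string "SSH-2.0-..." first.
    if b"SSH-".startswith(data[:4]) and len(data) < 4:
        return None
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) < 3:
        return None
    # TLS record header: content type 0x16 (handshake), version major 3.
    if data[0] == 0x16 and data[1] == 0x03:
        return "ssl"
    # OpenVPN over TCP: 2-byte big-endian packet length, then an opcode byte
    # whose high 5 bits are 7 (P_CONTROL_HARD_RESET_CLIENT_V2) or 10 (the V3
    # variant). A plain client reset is at least 14 bytes long.
    length = struct.unpack("!H", data[:2])[0]
    if (data[2] >> 3) in (7, 10) and 14 <= length <= 1500:
        return "openvpn"
    return "unknown"


async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the writing side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader, client_writer):
    buf = b""
    target = None
    try:
        while target is None:
            chunk = await asyncio.wait_for(client_reader.read(4096), PROBE_TIMEOUT)
            if not chunk:                 # client hung up before saying anything
                client_writer.close()
                return
            buf += chunk
            target = classify(buf)
    except asyncio.TimeoutError:
        target = ON_TIMEOUT               # silent client: assume server-speaks-first protocol
    if target == "unknown":
        client_writer.close()             # drop unrecognised traffic (log it in practice)
        return
    host, port = BACKENDS[target]
    backend_reader, backend_writer = await asyncio.open_connection(host, port)
    backend_writer.write(buf)             # replay the bytes consumed while probing
    await backend_writer.drain()
    await asyncio.gather(pipe(client_reader, backend_writer),
                         pipe(backend_reader, client_writer))


async def main(listen_host="0.0.0.0", listen_port=443):
    server = await asyncio.start_server(handle, listen_host, listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The timeout branch is the part worth understanding: a client that expects the server to speak first never sends a byte, so the demultiplexer can only guess after the timeout expires. Anything that relies on the fallback therefore pays that full delay on every connection.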

I'm using CentOS 6 on my servers, and the usual command:

yum install sslh

didn't find the package.

Fortunately the code is hosted on GitHub, so I just downloaded it:

mkdir /home/install/sslh
cd /home/install
git clone https://github.com/yrutschle/sslh
cd sslh

and then compiled the code with

make install

The installation itself has to be done manually, by copying the binaries:

cp sslh-fork /usr/sbin
cp sslh-select /usr/sbin

You don't have to copy both binaries. I found in the documentation that sslh-fork is the older method, tested and proven to work, but each connection starts its own process. sslh-select is a single process where each connection takes just 16 bytes, but it's less tested.

For my purpose I chose sslh-fork.

Then you need to copy the init script and config. As I'm using CentOS I used etc.rc.d.init.d.sslh.centos:

cp scripts/etc.rc.d.init.d.sslh.centos /etc/init.d/sslh
cp scripts/etc.default.sslh /etc/sslh

Now I started the server, but I got an error:

Starting sslh: /bin/bash: line 1: 27702 Segmentation fault      (core dumped) /usr/sbin/sslh-select -F /etc/sslh.cfg

I found this article, and to fix it I edited /etc/init.d/sslh.

First I commented out the CONFIG line and added an OPTIONS line:

PROGNAME=sslh
SSLH=${SSLH:-/usr/sbin/sslh-fork}
SSLH_LANG=${SSLH_LANG:-C}
#CONFIG=${CONFIG:-/etc/sslh.cfg}
PIDFILE=${PIDFILE:-/var/run/sslh/sslh.pid}
LOCKFILE=${LOCKFILE:-/var/lock/subsys/sslh}
STOP_TIMEOUT=${STOP_TIMEOUT:-10}
OPTIONS="--user nobody -p x.x.x.x:443 --ssl localhost:443 --ssh localhost:22 --openvpn localhost:8080"
RETVAL=0

The changed lines are the commented-out CONFIG line and the new OPTIONS line; x.x.x.x has to be replaced with your external IP.

Then you need to create the directory /var/run/sslh/

mkdir /var/run/sslh/

and link the script so it is started as part of the system boot:

ln -s /etc/init.d/sslh /etc/rc3.d/S91sslh

The last step is to set up the HTTP server so it no longer listens on the external interface but only on localhost. That's the Listen 443 line in /etc/httpd/conf.d/ssl.conf.

I just changed it to:

Listen 127.0.0.1:443
Listen 10.0.0.1:443

because I also have an intranet with the IP range 10.0.0.0/24.

Restart Apache and then simply start sslh with

/etc/init.d/sslh start

It worked on the first try.

HTTPS responds without any problem; SSH and OpenVPN have a little bit of delay, but they are usable.
