SSLH: Hiding SSH/HTTPS/OpenVPN/Telegram behind a single port 443

CarderPlanet

Professional
SSH, HTTPS, OpenVPN and Telegram, all on the same port?! What?!
- Yes!
  • Do you want to hide the fact that certain services exist on your server?
  • Does a public Wi-Fi network block everything except port 443 (HTTPS)?
  • Have you set up a Telegram Proxy or OpenVPN and don't want it to stand out?
  • Do you need an SSH connection to your server from a country that censors traffic?

There is one answer to all of these questions: multiplexing connections on the TLS port with sslh (the SSL/SSH multiplexer).

In this post we will look at how to hide a number of services behind one port with a single command.

Why?
With the recent release of Telegram Proxy, whose traffic looks almost exactly like SSL/TLS traffic, an interesting question appeared in the comments:

After a quick look at what sslh can do, it seemed to me that it would not "take off", but I was very interested in this application and, as it turned out, you can still cross a snake with a hedgehog.

How?
sslh is a protocol multiplexer: it accepts a connection, inspects the first bytes the client sends (a small piece of DPI in its own right) and, depending on which protocol those bytes look like, hands the connection to the matching local backend, for example port 8443, 999, 991 or any other port you choose.

This lets us, for once, put DPI technology to good use.

Task
For an example of using SSLH, let's set the task:

The following applications are installed on the server: Telegram Proxy, Apache and SSH, and we want all of them to be reachable from the outside through port 443.

The server in our example runs Ubuntu 16.04.4 LTS with Apache2 + LetsEncrypt, SSH, and Telegram Proxy in Docker.

At the moment port 443 is, as expected, occupied by Apache.

Installation & Configuration
Install SSLH:
Code:
sudo apt-get install --no-install-recommends sslh

During installation you will be asked about the usage mode; there are two of them:
  • stable, but more resource-intensive
  • fast, but every connection is lost if the process crashes

(Independently of that choice, the package ships two implementations, sslh-fork and sslh-select; the commands below use sslh-select.)

I am in favor of the second option; you can of course choose the other one.

Let's check that our miracle works, first in the foreground (-f) so we can watch it and stop it with Ctrl-C:
Code:
sudo sslh-select -f --listen IP:8443 --tls 127.0.0.1:443  --ssh 127.0.0.1:22 --anyprot 127.0.0.1:9443

IP - the external IP of the server
8443 - the port our multiplexer listens on for this test (Apache stays on 443 for now)
443 - where Apache lives
22 - where SSH lives
Pay attention to the anyprot option: this is where our Telegram Proxy lives. In other words, if the first bytes of a connection do not match any other probe, the connection is sent there. Because anyprot matches everything, keep it last in the option list; anything listed after it would never be reached. Note what this implies: sslh is not recognising the Telegram traffic, it simply fails to match it as TLS or SSH, so it lands on the catch-all. If a future proxy version were to pass sslh's TLS probe, it would be handed to Apache instead.

Attention! If your setup doesn't include Telegram or SSH, remove the corresponding options from the command.
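To make the probing concrete, here is an added example that re-creates in shell the decision sslh makes on every new connection; it is written for this post and is not sslh's own code (sslh is written in C and knows more protocols). It reads the first bytes a client sends (from stdin here, from the accepted socket in sslh) and names the backend the command above would get: a "SSH-" identification string goes to --ssh, a TLS handshake record to --tls, anything else to --anyprot. An HTTP method is also recognised, because the protocol list further down includes --http; the command above does not use it, so on that server a plain-HTTP client would land on --anyprot. Empty input stands for a client that stays silent past sslh's timeout (2 seconds by default), which sslh by default treats as SSH, since some SSH clients wait for the server banner before speaking. The 8-byte window and the exact byte patterns are this example's simplification.

```shell
#!/bin/sh
# Constructed illustration of sslh's probe logic, written for this post; not sslh's code.
# Reads the first bytes a client sends (stdin here, the socket in sslh) and prints
# the backend name that the post's sslh-select command line would pick.

sslh_probe() {
    # First 8 bytes as lowercase hex, e.g. "5353482d322e302d" for "SSH-2.0-".
    hex=$(head -c 8 | od -An -tx1 | tr -d ' \n')

    case "$hex" in
        '')            echo ssh ;;       # client sent nothing before the timeout: default is SSH
        5353482d*)     echo ssh ;;       # "SSH-" identification string (RFC 4253)
        16030[0-3]*)   echo tls ;;       # TLS record: type 0x16 (handshake), version 0x0300..0x0303
        474554*|504f5354*|48454144*|505554*|4f5054494f4e53*|44454c455445*)
                       echo http ;;      # GET / POST / HEAD / PUT / OPTIONS / DELETE
        *)             echo anyprot ;;   # nothing matched: catch-all, where Telegram Proxy lives
    esac
}

# Backend map copied from the post's test command (ports are the post's, not defaults).
sslh_backend() {
    case "$(sslh_probe)" in
        tls)     echo 127.0.0.1:443 ;;   # Apache
        ssh)     echo 127.0.0.1:22 ;;    # sshd
        *)       echo 127.0.0.1:9443 ;;  # --anyprot: the post's command has no --http, so HTTP ends here too
    esac
}
```

Try it with `printf 'SSH-2.0-test' | sslh_probe`. Two consequences of this design matter in practice: only the client's opening bytes are ever examined, so a protocol where the server speaks first can only reach a backend through the timeout default; and the probes are tried in the order you list the options, so --anyprot must stay last.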

Let's test it.
Open https://your-server-address:8443 in a browser: you should get the page served by Apache (a certificate warning is expected if you connect by IP rather than by the name on the certificate). Then connect with your SSH client to port 8443 of the server, and point the Telegram client at port 8443 of the proxy.

Migrating Apache to another port
To move Apache off its standard port (443) to another one, such as 7443, change the Listen directive for 443 and the <VirtualHost *:443> line in the following files:
Code:
sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

In this example Apache with HTTPS was set up by LetsEncrypt; with a different certificate setup the configuration files may live in other paths and the vhost file will have a different name. Restart Apache afterwards and confirm that nothing is listening on 443 any more before starting sslh there, otherwise sslh will fail to bind.

Autostart
It's time to set up autostart.

Edit the file:
Code:
sudo nano /etc/default/sslh

In the DAEMON_OPTS= line put the same options you gave sslh-select in the test above, but now with --listen on port 443 and --tls pointing at Apache's new port, and set RUN=yes.

Let's launch it:
Code:
sudo systemctl start sslh

Let's make sure that everything is fine:
Code:
sudo systemctl status sslh
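The whole move to port 443, as an added helper script written for this post (not the post's own commands and not part of the sslh project): it rewrites the Apache port, writes /etc/default/sslh and restarts both services in the order that avoids a bind conflict. It follows the paths and ports used in this post (Ubuntu 16.04, /etc/apache2, the LetsEncrypt vhost, 7443 for Apache, 9443 for the Telegram Proxy); the server's external IP is given as an argument, and the APACHE_DIR and SSLH_DEFAULTS overrides exist only so the functions can be tried on a copy of the configuration first. Which --user the package runs sslh as is also an assumption; check the DAEMON_OPTS line the package installed.

```shell
#!/bin/sh
# Constructed helper for this post: Apache 443 -> 7443, sslh on 443 in front of
# Apache, sshd and the Telegram Proxy. Assumptions: Ubuntu/Debian layout, GNU
# userland, ports 7443 and 9443 as in the post, an "sslh" system user to drop to.
set -e

APACHE_DIR=${APACHE_DIR:-/etc/apache2}
SSLH_DEFAULTS=${SSLH_DEFAULTS:-/etc/default/sslh}

# Apply a sed expression to a file, writing through symlinks: sites-enabled/*.conf
# are links into sites-available, and "sed -i" would replace the link with a copy.
edit_in_place() {    # edit_in_place <file> <sed-expression>
    t=$(mktemp)
    sed "$2" "$1" > "$t"
    cat "$t" > "$1"
    rm -f "$t"
}

# Move "Listen <old>" in ports.conf and "*:<old>>" in every enabled vhost to <new>.
# Whole-port matches only, so 8443 or 4430 are left alone.
apache_move_port() { # apache_move_port <apache-dir> <old-port> <new-port>
    dir=$1; old=$2; new=$3
    edit_in_place "$dir/ports.conf" \
        "s/^\([[:space:]]*Listen[[:space:]][[:space:]]*\)${old}\$/\1${new}/"
    for f in "$dir"/sites-enabled/*.conf; do
        [ -f "$f" ] || continue
        edit_in_place "$f" "s/\*:${old}>/*:${new}>/g"
    done
}

# Write the defaults file the init script/unit reads. --anyprot stays last because
# it matches everything; --user drops root after binding 443.
write_sslh_defaults() { # write_sslh_defaults <file> <listen-addr> <tls-backend> <ssh-backend> <anyprot-backend>
    cat > "$1" <<EOF
# generated for the sslh-on-443 setup
RUN=yes
DAEMON_OPTS="--user sslh --listen $2 --tls $3 --ssh $4 --anyprot $5"
EOF
}

# Usage on the server, as root:  ./mux443.sh 203.0.113.10
# With no argument nothing is changed, so the file can be sourced to test the functions.
if [ $# -ge 1 ]; then
    apache_move_port "$APACHE_DIR" 443 7443
    apache2ctl configtest                      # refuse to continue on a broken vhost
    write_sslh_defaults "$SSLH_DEFAULTS" "$1:443" 127.0.0.1:7443 127.0.0.1:22 127.0.0.1:9443
    systemctl restart apache2                  # frees 443 first...
    systemctl restart sslh                     # ...so sslh can bind it
    ss -ltnp | grep -E ':(443|7443|22|9443) '  # expect all four listeners
fi
```

One side effect to plan for: every connection now reaches Apache, sshd and the proxy from 127.0.0.1, so their logs and any IP-based rules no longer see the real client address. sslh has a transparent mode that preserves it, but it needs additional routing rules on the host; see the sslh README before enabling it.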

What is the result?
After completing this tutorial you have a server on which several services of your choice are reachable through a single port.

What about OpenVPN? Which other protocols can sslh handle?
At the time of writing, sslh can detect and multiplex the following protocols:
[--ssh <addr>]
[--openvpn <addr>]
[--tinc <addr>]
[--xmpp <addr>]
[--http <addr>]
[--ssl <addr>]
[--tls <addr>]
[--anyprot <addr>]

Before relying on this list, check which protocols your version supports (newer versions add probes) with:
Code:
sslh-select -h

Links
SSLH development takes place on github, here in this repository: github.com/yrutschle/sslh

Docker
I didn't manage to build a working version of sslh in Docker together with all the other services; in my opinion a docker-compose file that brings up the following on port 443 would be interesting:
  • Apache + LetsEncrypt
  • Telegram Proxy
  • OpenVPN (optional)
  • Local SSH

If someone succeeds, write in the comments and we will add it to the article; in my opinion it will be useful.