Connecting to remote SSH-server from within company firewalled network

Problem 1: Company firewalls/web proxies often only allow outgoing traffic to the HTTP and HTTPS ports, but you would also like to connect to a remote SSH server.

A trick is to run the remote SSH server on the port that is normally reserved for HTTPS traffic (443). In most cases you can then connect to your SSH server from within the office network. Whether it works also depends on how intelligent the firewall/proxy is: you may have to enter a proxy username/password, some external hosts may be blocked, or the traffic may even be analysed to check whether it really is HTTPS. Think of deep packet inspection (DPI), where not only the header but also the payload is inspected.

Problem 2

So problem 1 is solved... but now I would also like to run a real HTTPS server on the HTTPS port on the same box where SSH is running... and that port is already in use.

SSLH – SSL/SSH multiplexer

For this problem I found a nice tool called SSLH, an SSL/SSH multiplexer. There are two versions, a Perl and a C implementation; I'm using the latter.

SSL (Secure Sockets Layer) is the cryptographic protocol used to secure HTTP traffic (HTTPS).

Discard the previous SSH setup; we need a new one.

Configure SSH

Stop the SSH server again (but not remotely, otherwise you lock yourself out 🙂 ). Configure the SSH server so it listens on the normal SSH port (22) again.

Configure HTTPS-server

Now configure your HTTPS server (Apache?) so it listens for HTTPS/SSL connections on a free port. I used 8080, which is reserved for alternative HTTP traffic, but this is an arbitrary choice.

Wrap things up – configure SSLH

The next step is to configure SSLH. Depending on the behaviour of the client connecting to port 443, SSLH can determine where to route the traffic: either to the SSH server or to the HTTPS/SSL server:

How can this proxy find out what kind of protocol is using a TCP connection to port 443, without being connected (yet) to the server? We actually rely on a slight difference between the SSL and SSH protocols (found thanks to ethereal):

SSH

Once the TCP connection is established, the server speaks first, presenting itself by saying something like:

SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-1

SSL

With SSL, it’s always the client that speaks first.

Source: CPAN – Perl Net-Proxy -> SSLH

To configure SSLH we have to specify where to route the SSL and SSH traffic. On Ubuntu 10.04.2 LTS the configuration file is /etc/default/sslh:

DAEMON_OPTS="-u sslh -p 0.0.0.0:443 -s 127.0.0.1:22 -l 127.0.0.1:8080 -P /var/run/sslh.pid"

Explanation

  • -p 0.0.0.0:443 Listening address – SSLH listens on port 443 on all available interfaces.
  • -s 127.0.0.1:22 Target address for SSH – route SSH traffic to port 22 on localhost.
  • -l 127.0.0.1:8080 Target address for SSL – route HTTPS/SSL traffic to port 8080 on localhost.
  • -u sslh User – after binding the privileged port 443, SSLH drops its privileges to this user.
  • -P /var/run/sslh.pid PID file – where SSLH writes its process id.
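The detection rule quoted above, as an added example (this is not sslh's own code): a minimal Python multiplexer that peeks at whatever the client sends within a short timeout, routes a silent client to the SSH server (it is waiting for the SSH banner) and everything that speaks first to the web server. The addresses match the DAEMON_OPTS above; the timeout value, the classify/pipe/handle/serve names and the "anything unknown goes to the web server" default are assumptions.

```python
import contextlib
import socket
import threading

# Addresses from the post's DAEMON_OPTS: listen on 443, SSH on 22, HTTPS on 8080.
LISTEN = ("0.0.0.0", 443)
SSH_TARGET = ("127.0.0.1", 22)
SSL_TARGET = ("127.0.0.1", 8080)
CLIENT_SILENCE_TIMEOUT = 2.0  # assumed value: how long to wait for the client to speak

def classify(first_bytes):
    """Classify a connection from what the client sent before the server said anything.

    Silence means the client waits for a server banner, so SSH; a client that sends an
    "SSH-" banner itself is SSH too; a TLS record header (0x16 handshake, 0x03 version
    3.x) is TLS; anything else (plain HTTP, probes) is 'other' and goes to the web server.
    """
    if not first_bytes or first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "other"

def pipe(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client):
    client.settimeout(CLIENT_SILENCE_TIMEOUT)
    try:
        first = client.recv(4096, socket.MSG_PEEK)  # peek: bytes stay queued for the backend
    except socket.timeout:
        first = b""  # client said nothing: it expects us (the SSH server) to speak first
    client.settimeout(None)
    upstream = socket.create_connection(SSH_TARGET if classify(first) == "ssh" else SSL_TARGET)
    threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
    pipe(upstream, client)

def serve():
    with socket.create_server(LISTEN) as srv:  # binding port 443 requires root
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Note that the timeout is the weak spot of this heuristic: an SSH client behind a slow link that stays silent longer than the backend needs is fine, but a non-SSH client that sends nothing also ends up at the SSH server, which is why sslh additionally matches on the bytes it does see.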

Interesting TCP/IP ports

Description        Port
SSH                  22
HTTP                 80
alternative HTTP   8080
HTTPS               443
