Tunneling SSH through HTTPS

I stumbled upon an article describing how to use an nginx web server to tunnel SSH traffic through HTTPS:
https://iyzico.engineering/proxy-ssh-using-tls-sni-and-nginx-8a18f93f709

The reason this sounds really interesting to me is that it would enable:

  • Using SNI to route SSH traffic to different systems through just one exposed port, based on the DNS name. This is not possible with pure SSH over TCP, as discussed here: Routing SSH traffic with Traefik v2
  • Potentially more secure setups where no SSH port 22/TCP is exposed at all (it is often targeted by brute-force authentication attempts).
  • Making systems reachable by SSH even where only HTTPS traffic is allowed (strictly configured corporate firewalls).

I wonder if a comparable setup would be possible with Traefik instead of nginx.

Yes, likely it is; it is encapsulating SSH in TLS. The ProxyCommand in .ssh/config is the magic.
On the Traefik side this is a TLS-enabled TCP router.
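The SNI routing the reply above relies on is what a Traefik TCP router with a HostSNI rule does: the proxy reads the server_name out of the ClientHello before any decryption and picks a backend by that name. The following is an added Python example, not code from this thread, from Traefik or from the linked article. It builds a genuine ClientHello offline with the standard library's ssl module, parses the SNI out of it the way a router must (bounds-checked, since this runs before any authentication), and looks the name up in a constructed routing table; the hostnames and backend addresses are assumptions.

```python
import ssl
import struct

# Constructed routing table (assumption): SNI name -> backend behind the proxy.
BACKENDS = {
    "ssh.example.com": ("10.0.0.5", 22),
    "git.example.com": ("10.0.0.6", 22),
    "www.example.com": ("10.0.0.7", 8080),
}


def build_client_hello(sni: str) -> bytes:
    """Produce a real TLS ClientHello for `sni` offline with the stdlib.

    There is no peer, so do_handshake() stalls after the first flight; the
    bytes left in the outgoing BIO are the ClientHello record a proxy sees.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Every length is bounds-checked: a malformed first packet from an
    unauthenticated client must not crash the router.
    """
    if len(data) < 9 or data[0] != 0x16:            # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                    # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # legacy_session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # compression_methods
    if len(hello) < pos + 2:                        # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(ext) >= 5:         # server_name extension
            name_type, name_len = ext[2], struct.unpack("!H", ext[3:5])[0]
            if name_type == 0 and len(ext) >= 5 + name_len:   # host_name
                return ext[5:5 + name_len].decode("ascii", "replace")
    return None


def route(first_packet: bytes, table=BACKENDS):
    """What a HostSNI-style router does: pick the backend by name, or refuse
    the connection when there is no SNI or no matching rule."""
    name = extract_sni(first_packet)
    return table.get(name) if name else None


if __name__ == "__main__":
    for host in ("ssh.example.com", "git.example.com", "nope.example.com"):
        print(host, "->", route(build_client_hello(host)))
```

Two points this makes concrete for the Traefik setup: the router must terminate TLS (a router with tls set, not passthrough), because sshd behind it speaks plain SSH, and the client has to send SNI, which is why the usual ~/.ssh/config shape is ProxyCommand openssl s_client -quiet -connect proxy.example.com:443 -servername %h, with %h expanding to the host you typed.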

Marginally. People who probe 22 are going to probe 443. It would remove you from the low-hanging-fruit category.

Really, don't put SSH on the public internet. Put it behind a VPN or just-in-time access control.

Places that enforce this usually have policies under which circumventing it results in disciplinary action.

This just seems like SSH with extra steps.

Like cakiwi said, you are just removing yourself from the low-hanging fruit. Which is not necessarily a bad thing. Don't get me wrong. One less zombie VPS host on the internet, great.

Nobody is denying the "cool" factor. But don't do it "in the name of security".

Brute forcers don't want a challenge; that's why they are running scripts in the first place. fail2ban, PermitRootLogin no, and key-based authentication only are sufficiently "just as secure". They try root three times, get fail2banned, and move on.

Better yet, implement blacklists. China, India, Poland, Turkey, Iran, Vietnam, any country you know DAMN well you aren't going to SSH from, can knock your fail2ban bans down 90%.

You are not going to be hidden from wiser eyes.
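What fail2ban's sshd jail actually does with the auth log, as an added Python example (not fail2ban's code and not from any post in this thread): a per-source sliding window over failed logins, with maxretry and findtime like the jail settings. The log excerpt is constructed; the [preauth] lines show what a key-only sshd logs when a bot cannot even offer a password, which is why the filter must match more than "Failed password".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 vps sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:09 vps sshd[1204]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Mar  3 10:00:40 vps sshd[1205]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Mar  3 10:02:00 vps sshd[1206]: Connection closed by authenticating user root 203.0.113.9 port 60001 [preauth]
Mar  3 10:02:01 vps sshd[1207]: Connection closed by authenticating user root 203.0.113.9 port 60002 [preauth]
Mar  3 10:02:02 vps sshd[1208]: Connection closed by invalid user oracle 203.0.113.9 port 60003 [preauth]
Mar  3 11:30:00 vps sshd[1209]: Failed password for alice from 198.51.100.2 port 40003 ssh2
Mar  3 11:30:02 vps sshd[1210]: Failed password for alice from 198.51.100.2 port 40004 ssh2
"""

# Matches password failures and the pre-auth disconnects a key-only sshd logs.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?:"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip1>\S+)"
    r"|Connection closed by (?:invalid|authenticating) user \S+ (?P<ip2>\S+) port \d+ \[preauth\])"
)


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """Syslog stamps carry no year; assume one so the window arithmetic works."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 3, findtime=timedelta(minutes=10)) -> dict:
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside findtime.

    Successful logins are ignored, old failures age out of the window, and a
    source that is already banned is not counted again.
    """
    recent = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                        # "Accepted publickey" and other noise
        ip = m.group("ip1") or m.group("ip2")
        if ip in bans:
            continue
        ts = parse_ts(m.group("ts"))
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

In the sample both scanner addresses are banned on their third attempt, while alice's three failures are spread over 90 minutes and never fall inside one 10-minute window, which is the findtime behaviour that keeps a fat-fingered legitimate user out of the ban list.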

Hi, network admin here.

Here's what I'll see.

  • You have one site you REALLY like to visit that's NOT normal (Google, Reddit, Spotify). Enough to warrant an investigation when I get bored. (Orange Flag)
  • The IP address reverses to a VPS. But what are you streaming over HTTPS all day? (Red Flag)
  • You have connections opening and closing all day to the same place (or long running connections). Are you funneling out company secrets slowly? Are you installing something malicious? (Very Red Flag)

Now, that's if I'm lazy.

If I did my job right, you'd already have the company SSL proxy certificate on your machine (it is a corporate machine on the corporate network, after all). That certificate permits the firewall to be the SSL terminator, so you are not making a connection to your server; you are making it to my proxy. And I'm fully aware you are tunneling SSH traffic.

I'd have my write-up done in an hour or two and on my boss's desk.
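The three heuristics in the post above, plus the giveaway once the proxy terminates TLS, as detection logic run over constructed connection records. This is an added Python example, not from any post here or from any proxy product; the allowlist of "normal" sites, the VPS name hints and the thresholds are assumptions you would tune to your own traffic. The banner check works because SSH announces itself in cleartext with "SSH-2.0-..." as the first bytes of the stream, which a TLS-terminating proxy sees as soon as it has decrypted the connection.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed allowlist of destinations the admin treats as normal browsing.
POPULAR = {"www.google.com", "www.reddit.com", "api.spotify.com"}
# Substrings that suggest the reverse DNS points at a rented VPS (assumption).
VPS_HINTS = ("vps", "cloud", "hetzner", "digitalocean", "linode", "vultr")


@dataclass
class Flow:
    """One connection as a TLS-terminating proxy would log it (constructed fields)."""
    user: str
    sni: str
    rdns: str                    # what the destination IP reverses to
    duration_s: int
    first_payload: bytes = b""   # first decrypted bytes; only present when the proxy terminates TLS


def assess(flows, min_connections=20, long_session_s=3600):
    """Return {(user, sni): [flags]} for user/destination pairs that stand out.

    Flags follow the post: orange for an unusual site visited a lot, red for a
    VPS destination, very red for long-running sessions, and a confirmation
    when the decrypted stream opens with the SSH banner.
    """
    grouped = defaultdict(list)
    for f in flows:
        grouped[(f.user, f.sni)].append(f)
    findings = {}
    for (user, sni), fl in grouped.items():
        flags = []
        if sni not in POPULAR and len(fl) >= min_connections:
            flags.append("orange: unusual site, many connections")
        if any(h in f.rdns.lower() for f in fl for h in VPS_HINTS):
            flags.append("red: destination reverses to a VPS")
        if any(f.duration_s >= long_session_s for f in fl):
            flags.append("very red: long-running session")
        if any(f.first_payload.startswith(b"SSH-") for f in fl):
            flags.append("confirmed: SSH banner inside decrypted TLS")
        if flags:
            findings[(user, sni)] = flags
    return findings


def sample_flows():
    """Constructed day of traffic: alice browses, bob tunnels SSH to a VPS."""
    flows = [Flow("alice", "www.google.com", "lga34s12.1e100.net", 20) for _ in range(25)]
    flows += [Flow("bob", "ssh-gw.example.net", "vps-12.cloudhost.example", 45) for _ in range(30)]
    flows.append(Flow("bob", "ssh-gw.example.net", "vps-12.cloudhost.example", 4 * 3600,
                      first_payload=b"SSH-2.0-OpenSSH_9.2\r\n"))
    return flows


if __name__ == "__main__":
    for (user, sni), flags in assess(sample_flows()).items():
        print(user, sni)
        for flag in flags:
            print("  ", flag)
```

Without TLS termination only the first three heuristics are available, and they are exactly the ones that tunnelling over 443 does nothing to hide; with termination the banner check turns a suspicion into a finding.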


Heh - this is why some people employ stunnel and route that over HTTPS, so that an outer tunnel can be stripped but the inner one is less likely to be. Or a certificate checker that detects the corporate cert instead of the expected client cert. But PuTTY was/is always good for standalone operation and connecting to local ports (i.e. double-wrapped stunnel endpoints).

However, you've got to be fairly determined for that, and (as mentioned) it's going to raise question marks :slight_smile:

Forcepoint (formerly WebSense) can detect and nobble SSH over HTTPS fairly easily, and also breaks (at least single wrapped) stunnel connections.

Easier ways to get SSH with Traefik are:

a) Install Guacamole & guacd, and set Guacamole up to SSH to your box. You then just access Guacamole.

The connection TO Guacamole is pure HTTPS (which may be decrypted), although the onward Guacamole/guacd connection (on your LAN) can remain encrypted. Put Guacamole behind OAuth and ideally enable 2FA (on OAuth and/or Guacamole).

b) Install kasmweb-chrome (and hide that behind OAuth, as it has only rudimentary security) and use that as a jump box to stuff - or for remote browsing.

Each of the above looks like HTTPS and not SSH, because it is.

I have WireGuard behind Traefik, so I am "on LAN" wherever I am, but if WireGuard fails, I can access Guacamole securely and get onto my boxes. Guacamole keeps sessions open as well, so you can close your tabs as necessary and just resume at leisure.

For the other option, set up knockd on your router so that port 22 (or 443, or another) only opens for 30 seconds after a successful knock, then closes down. It stops fingerprinting (as much as it can), although it doesn't explain the connections.

My use case? Accessing home CCTV and my home iLO remotely, in as secure a way as I can concoct :slight_smile:
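How the knockd option above behaves on the wire, as an added Python simulation (not knockd's code and not from any post in this thread): a per-source state machine over constructed SYN events. The knock sequence, the time allowed to complete it and the 30-second open window are assumptions mirroring knockd's sequence, seq_timeout and the post's "30 seconds". The last source in the sample simply replays a sequence it could have sniffed and gets the port opened as well, which is the weakness the fwknop reply further down is about.

```python
# Assumed knock configuration, in the spirit of knockd's sequence/seq_timeout.
SEQUENCE = (7000, 8000, 9000)   # ports that must be hit, in this order
SEQ_TIMEOUT = 5                 # seconds allowed to finish the sequence
OPEN_FOR = 30                   # seconds the protected port stays open afterwards

# Constructed TCP SYN events as a router would see them: (time, source, dst_port).
SAMPLE_EVENTS = [
    (0, "10.0.0.2", 7000), (1, "10.0.0.2", 8000), (2, "10.0.0.2", 9000),
    (3, "10.0.0.2", 22),                  # inside the window: accepted
    (40, "10.0.0.2", 22),                 # window expired: dropped
    (50, "198.51.100.9", 22),             # scanner with no knock: dropped
    (60, "198.51.100.9", 7000), (61, "198.51.100.9", 9000),   # wrong order: reset
    (70, "198.51.100.9", 7000), (80, "198.51.100.9", 8000), (81, "198.51.100.9", 9000),  # too slow
    (100, "203.0.113.5", 7000), (101, "203.0.113.5", 8000), (102, "203.0.113.5", 9000),
    (103, "203.0.113.5", 22),             # replayed knock from a sniffer: accepted too
]


def process_knocks(events, protected_port=22):
    """Run time-ordered SYN events through the knock state machine.

    Returns (opened, accepted, rejected): per-source open windows, and the
    protected-port connection attempts that were let through or dropped.
    """
    progress = {}        # source -> (index of next expected knock, time of first knock)
    opened = {}          # source -> (open_from, open_until)
    accepted, rejected = [], []
    for t, src, port in events:
        if port == protected_port:
            window = opened.get(src)
            hit = window is not None and window[0] <= t <= window[1]
            (accepted if hit else rejected).append((t, src))
            continue
        idx, start = progress.get(src, (0, t))
        if idx and t - start > SEQ_TIMEOUT:      # took too long: start over
            idx, start = 0, t
        if port == SEQUENCE[idx]:
            idx += 1
            if idx == len(SEQUENCE):
                opened[src] = (t, t + OPEN_FOR)  # knockd would insert the firewall rule here
                progress.pop(src, None)
            else:
                progress[src] = (idx, start)
        else:
            progress.pop(src, None)              # any wrong port resets the sequence
    return opened, accepted, rejected


if __name__ == "__main__":
    opened, accepted, rejected = process_knocks(SAMPLE_EVENTS)
    print("opened:", opened)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note that nothing in the state machine ties the knock to the client: anyone who captured the three SYNs can repeat them, which is why a single authenticated, non-replayable packet (the fwknop approach) is the stronger form of the same idea.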

Nice. I remember reading about this once. weekend_projects.push('apache guacamole')

Another product to love.

A slight improvement on this is fwknopd, which requires just one packet and prevents replay attacks.


A "gotcha" for Guacamole is that (depending on your chosen container/builds) you may encounter:

a) Lack of guacamole <-> guacd encryption
b) Finding that ed25519 SSH keys won't work (you need libssh2 1.9, which is not (yet) in any of the containers I've seen...), and it may have had to be there when guacd got built/compiled. Debian Buster only has 1.8 (so far).

I can recommend :
oznu/guacamole:1.1.0-amd64 (1.2.0 has prompt-related issues)
guacamole/guacd:latest

I will check into fwknopd :slight_smile: