A method for allowing SSH login into a restricted network
Reprinted with attribution: this article is from the osnosn blog, written 2020-03-06.
Keywords:
- SSH over HTTPS
- iptables recent
- sslh
- haproxy
- proxy tunnel
- webssh
Related approaches (reference links):
- Use ping to temporarily open the SSH port (22): secure remote management as simple as an SSH login, Link 1, Link 2
- Temporarily opening the remote ssh port on command; a remote "secret command" that temporarily opens the ssh port
- SSLH – an SSL/SSH multiplexer, sslh (GitHub)
- Using SSH over an HTTP proxy to get through a firewall
- Tunneling SSH over HTTP(S)
- Let one port do two things at once: http/https and ssh
- Using HAProxy to make SSH and SSL available on the same port
- SSH over HTTPS with proxytunnel and nginx
- How to use ssh over http or https?
- webssh
- Corkscrew - ssh over https
- nginx > 1.15.2: using nginx to serve https and ssh on the same common port, a way around firewall restrictions on ssh login
- Sharing one port between SSH and HTTPS on Linux: sslh
My approach
- Write a C program (call it rdr_port). Given a source IP as a parameter, it inserts a port-redirection rule for that source IP into the firewall, waits ten seconds, and then deletes the rule.
- For example, with source IP = 1.2.3.4:
- The corresponding iptables rule:
iptables -t nat -A PREROUTING -s 1.2.3.4 -p tcp --dport 443 -j REDIRECT --to 22
- For nftables:
nft -ea add rule ip nat PREROUTING ip saddr 1.2.3.4 tcp dport 443 redirect to 22
- The program then waits 10 seconds and deletes this port-redirection rule.
- The corresponding iptables command:
iptables -t nat -D PREROUTING -s 1.2.3.4 -p tcp --dport 443 -j REDIRECT --to 22
- For nftables, deletion has to be done by the rule's handle value (the -ea flags on the add command above make nft echo the new rule together with its handle):
nft delete rule ip nat PREROUTING handle 12
- The program is compiled into an executable and given the SUID bit,
chmod 4555 rdr_port
because modifying firewall rules requires root privileges.
- Write a dynamic page in PHP, Java, Python, or another language: a form in which the user enters a password; on success the page calls rdr_port. This temporarily redirects port 443 (or 80, or another port) to 22, and during that window you can log in over ssh. When the firewall rule is deleted afterwards, the ssh connection that was already established is not affected.
- I have finished the iptables version of the C program (rdr_port); the nft version has not been adapted yet.
- The program runs as follows:
- Start, read the parameter, and check that it is valid.
- Write the firewall rule.
- Become a daemon, so that main exits and the call from the web page script returns. (Perhaps a simple fork() is enough: the parent exits and the child continues, without becoming a full daemon.)
- Set up a timer, or wait.
- When the time is up, delete the firewall rule.
- Exit.
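The program flow above, as an added C example; this is not the author's rdr_port, whose source the post does not include. It assumes iptables at /sbin/iptables, the fixed 443-to-22 rule from the post and a 10-second window. Because the binary runs SUID root, the source IP is validated with inet_pton and handed to iptables as an argv vector, never through a shell.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define OPEN_SECONDS 10   /* how long the redirect stays open (assumed) */

/* Accept only a well-formed IPv4 address: the binary is SUID root, so
 * nothing else may reach the firewall command line. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Fill argv for: iptables -t nat <-A|-D> PREROUTING -s IP -p tcp --dport 443 -j REDIRECT --to 22
 * An argv vector, not a shell string, so no quoting or injection concern.
 * Returns the argument count (excluding the NULL), or -1 if it does not fit. */
int build_rule_argv(const char *ip, const char *action, const char **argv, int max) {
    const char *tmpl[] = {"/sbin/iptables", "-t", "nat", action, "PREROUTING",
                          "-s", ip, "-p", "tcp", "--dport", "443",
                          "-j", "REDIRECT", "--to", "22", NULL};
    int n = (int)(sizeof tmpl / sizeof tmpl[0]);
    if (n > max) return -1;
    for (int i = 0; i < n; i++) argv[i] = tmpl[i];
    return n - 1;
}

/* Run argv[0] as a child process and return its exit status (-1 on failure). */
static int run(const char **argv) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], (char *const *)argv); _exit(127); }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2 || !valid_ipv4(argv[1])) { fprintf(stderr, "usage: rdr_port <source-ipv4>\n"); return 2; }
    if (setuid(0) != 0) return 1;          /* SUID binary: make the real uid root too */
    const char *add[16], *del[16];
    build_rule_argv(argv[1], "-A", add, 16);
    build_rule_argv(argv[1], "-D", del, 16);
    if (run(add) != 0) return 1;           /* step 2: insert the rule */
    pid_t child = fork();                  /* step 3: parent exits so the web call returns */
    if (child != 0) return child < 0 ? 1 : 0;
    setsid();
    sleep(OPEN_SECONDS);                   /* step 4: hold the window open */
    return run(del) == 0 ? 0 : 1;          /* step 5: delete the rule, then exit */
}
```

The web page passes only the client's address it observed (e.g. REMOTE_ADDR) as the single argument; anything that is not a plain dotted quad is rejected before any privileged action happens.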