Connecting via SSH over https – sslh.

Using sslh on Ubuntu Linux.

For the concept behind sslh and its use on CentOS, see the earlier post https://blog.boxcorea.com/wp/archives/1689.

Environment: Ubuntu 22.04, with nginx (https, port 443) already in use.

1. Installing sslh
On Ubuntu Linux, sslh can be installed simply with the apt command.
During installation you are asked whether sslh should be controlled by inetd or run as a standalone server; here it was set to run standalone.

admin@wolf:~$ sudo apt install sslh
[sudo] password for admin:
Reading package lists... Done
...
Setting up sslh (1.20-1) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
sslh configuration
------------------

sslh can be run either as a service from inetd, or as a standalone server. Each choice has its own benefits. With only a few
connection per day, it is probably better to run sslh from inetd in order to save resources.

On the other hand, with many connections, sslh should run as a standalone server to avoid spawning a new process for each
incoming connection.

  1. from inetd  2. standalone

Run sslh: 2

Adding system-user for sslh daemon
Created symlink /etc/systemd/system/multi-user.target.wants/sslh.service → /lib/systemd/system/sslh.service.
...
No VM guests are running outdated hypervisor (qemu) binaries on this host.

2. Configuring sslh.

The sslh configuration file is /etc/default/sslh. Set the options you need in DAEMON_OPTS there.

The original looks like this.

admin@wolf:~$ sudo vi /etc/default/sslh

DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen :443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfi

Change it as follows.
Since the existing web server (https) is already running on port 443, the port the web server uses must be changed to a different one. Here it was changed to 8443. In practice the apache2 configuration has to be changed and the server restarted; that step is omitted here.
If you do not change it, sslh will not start, because the web server is already bound to port 443.

DAEMON=/usr/sbin/sslh

#DAEMON_OPTS="--user sslh --listen :443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:8443 --pidfile /var/run/sslh/sslh.pid"

If you are not running a web server, configure it as follows instead.

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

3. Starting the sslh service

Start the sslh service with the systemctl command.

admin@wolf:~$ sudo systemctl start sslh

If the service is running correctly, you will see output similar to the following.

admin@wolf:~$ sudo systemctl status sslh
● sslh.service - SSL/SSH multiplexer
     Loaded: loaded (/lib/systemd/system/sslh.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-01-13 15:57:22 KST; 3min 3s ago
       Docs: man:sslh(8)
   Main PID: 97779 (sslh)
      Tasks: 2 (limit: 4575)
     Memory: 756.0K
        CPU: 1.391s
     CGroup: /system.slice/sslh.service
             ├─97779 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 8443 --pi>
             └─97780 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 8443 --pi>

Jan 13 15:57:25 admin sslh[97782]: tls:connection from 172.30.192.121:63972 to wolf:https forwarded from localhost:50062 >
Jan 13 15:57:25 admin sslh[97783]: tls:connection from 172.30.192.121:63974 to wolf:https forwarded from localhost:50068 >
Jan 13 15:57:26 admin sslh[97786]: tls:connection from 172.30.192.121:63975 to wolf:https forwarded from localhost:50082 >
Jan 13 15:57:26 admin sslh[97785]: tls:connection from 172.30.192.121:63976 to wolf:https forwarded from localhost:50092 >
Jan 13 15:57:26 admin sslh[97787]: tls:connection from 172.30.192.121:63977 to wolf:https forwarded from localhost:50108 >
Jan 13 15:57:26 admin sslh[97788]: tls:connection from 172.30.192.121:63978 to wolf:https forwarded from localhost:50120 >
Jan 13 15:57:26 admin sslh[97789]: tls:connection from 172.30.192.121:63979 to wolf:https forwarded from localhost:50134 >
Jan 13 15:57:26 admin sslh[97790]: tls:connection from 172.30.192.121:63980 to wolf:https forwarded from localhost:50136 >
Jan 13 15:57:26 admin sslh[97791]: tls:connection from 172.30.192.121:63981 to wolf:https forwarded from localhost:50148 >
Jan 13 15:57:26 admin sslh[97792]: tls:connection from 172.30.192.121:63982 to wolf:https forwarded from localhost:50164 >

4. Verifying access to the sslh server from another server or terminal.
In the examples below, the IP address 172.16.100.123 is the server on which sslh is configured.

Checking the ssh connection.

$ ssh fox@172.16.100.123 -p 443
fox@172.16.100.123's password: 

Checking the web server connection. Because this is not a valid request, you can see that the web server responds with 400 Bad Request.

$ telnet 172.16.100.123 443
Trying 172.16.100.123...
Connected to 172.16.100.123.
Escape character is '^]'.
GET
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 13 Jan 2023 07:04:29 GMT
Content-Type: text/html
Content-Length: 166
Connection: close


400 Bad Request

400 Bad Request


nginx/1.18.0 (Ubuntu)
Connection closed by foreign host.
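To make clear what sslh is doing behind the DAEMON_OPTS of section 2 and why the bare "GET" over telnet above still reached nginx, here is an added example (written for this post, not sslh's own source code): a small asyncio demultiplexer that peeks at the first bytes a client sends on one port and forwards the connection to either the SSH daemon or the TLS web server. The backend addresses mirror the post's DAEMON_OPTS (127.0.0.1:22 and 127.0.0.1:8443); the listen port 4443, the 2-second peek timeout and the routing policy for timed-out or unrecognised connections are assumptions made for the demo.

```python
"""Added example (not the post's code, not sslh's source): a tiny protocol
demultiplexer that does what sslh does on port 443. It peeks at the first
bytes a client sends and forwards the connection to the SSH daemon or the
TLS web server. Backend addresses follow the post's DAEMON_OPTS; the listen
port, timeout and fallback policy are assumptions for this demo."""
import asyncio

LISTEN = ("127.0.0.1", 4443)       # assumption: unprivileged port for a local test
SSH_BACKEND = ("127.0.0.1", 22)    # --ssh 127.0.0.1:22 in the post
TLS_BACKEND = ("127.0.0.1", 8443)  # --ssl 127.0.0.1:8443 in the post
PEEK_TIMEOUT = 2.0                 # assumption: seconds to wait for the client's first bytes


def classify(first_bytes: bytes) -> str:
    """Classify a client's first bytes as 'ssh', 'tls' or 'unknown'.

    An SSH client opens with its identification string "SSH-2.0-..." (RFC 4253).
    A TLS client opens with a ClientHello record: content type 0x16 (handshake)
    followed by a record version of 0x03 0x00..0x04 (SSL 3.0 .. TLS 1.3 wire format).
    Anything else, e.g. a plain "GET" typed into telnet, is unknown.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"


def pick_backend(kind: str, timed_out: bool = False) -> tuple:
    """Choose the backend for a classified connection.

    Policy (an assumption for this demo, chosen to match what the post shows):
    - no bytes within the timeout -> SSH, since some SSH clients wait for the
      server banner, whereas a TLS client always sends its ClientHello first;
    - unrecognised bytes -> the TLS backend, which is why the post's "GET" over
      telnet reached nginx and got a 400 Bad Request.
    """
    if timed_out:
        return SSH_BACKEND
    return SSH_BACKEND if kind == "ssh" else TLS_BACKEND


async def _pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes from src to dst until EOF, then close dst."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Peek at the client's first bytes, pick a backend, then relay both ways."""
    peer = writer.get_extra_info("peername")
    timed_out = False
    try:
        first = await asyncio.wait_for(reader.read(16), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        first, timed_out = b"", True
    kind = classify(first)
    host, port = pick_backend(kind, timed_out)
    # Same shape as the sslh log lines in the systemctl status output above.
    print(f"{kind}: connection from {peer} forwarded to {host}:{port}")
    try:
        b_reader, b_writer = await asyncio.open_connection(host, port)
    except OSError as exc:
        print(f"backend {host}:{port} unreachable: {exc}")
        writer.close()
        return
    b_writer.write(first)  # replay the peeked bytes so the backend sees a full stream
    await b_writer.drain()
    await asyncio.gather(_pipe(reader, b_writer), _pipe(b_reader, writer))


async def main() -> None:
    server = await asyncio.start_server(handle, *LISTEN)
    print(f"listening on {LISTEN[0]}:{LISTEN[1]}")
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Run it on the sslh host (with sshd on 22 and the web server on 8443) and `ssh -p 4443 user@host` or `curl -k https://host:4443/` goes to the right backend, while a bare `GET` typed into `telnet host 4443` lands on the web server exactly as in the telnet session above. The classification step is the whole trick: sslh never decrypts anything, it only reads the unencrypted record header or SSH banner, which is also why the peeked bytes must be replayed to the backend.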
