I am currently working at a client were they have locked down the network, except for ports 80 and 443. I need to connect to our server using SSH, but the same server also runs our website. We do not want to invest in a new server or place a second network card.
我目前在客户端工作,他们已经锁定了网络,除了端口80和443.我需要使用SSH连接到我们的服务器,但同一台服务器也运行我们的网站。我们不想投资新服务器或放置第二张网卡。
I have been searching the internet for away to setup our linux server (running CentOS 5), so that there is a daemon listening on port 443 that depending on the client protocol forwards the request to the correct internal port (SSH 22 or HTTPS moved to a differentport_.
我一直在网上搜索设置我们的linux服务器(运行CentOS 5),以便有一个守护进程监听端口443,根据客户端协议将请求转发到正确的内部端口(SSH 22或HTTPS移动到一个不同的港口。
There are a lot of people on internet looking for this kind solution, but no clear instructions how to do this.
互联网上有很多人正在寻找这种解决方案,但没有明确说明如何做到这一点。
Anyone have ideas/clear instructions how to do this?
任何人都有想法/明确说明如何做到这一点?
Regards, nidkil
5 个解决方案
#1
sslh : http://www.rutschle.net/tech/sslh.shtml
sslh:http://www.rutschle.net/tech/sslh.shtml
I'm using 1.5; I haven't tried 1.6b yet, and 1.3 has a problem with leaving zombies around.
我用的是1.5;我还没有尝试过1.6b,并且1.3在离开僵尸时遇到了问题。
Run it on port 443; if no data is sent with 2 seconds (the default), it forwards to ssh. Otherwise, it forwards to your web server.
在端口443上运行它;如果没有数据以2秒(默认值)发送,则转发到ssh。否则,它会转发到您的Web服务器。
I'm running it on my website (http://mikeage.net) -- you can netcat in if you want to see both login banners.
我在我的网站(http://mikeage.net)上运行它 - 如果你想看到两个登录横幅,你可以netcat。
In my case, it also has another purpose. We have an even more restrictive setup than you: all ports are blocked, but 80 and 443 can be reached via proxy. I can have SSH use a program like corkscrew (or putty natively) to proxy my SSH connection via the company proxy to my server:443, where after a brief delay, my SSH server responds with it's login banner. I can also serve webpages over the standard HTTPS (and do, in fact).
就我而言,它还有另一个目的。我们的设置比您更具限制性:所有端口都被阻止,但可以通过代理访问80和443。我可以让SSH使用像corkscrew(或putty本地)这样的程序来通过公司代理将我的SSH连接代理到我的服务器:443,在短暂的延迟之后,我的SSH服务器用它的登录横幅进行响应。我还可以通过标准HTTPS提供网页(实际上也可以)。
#2
An easy solution to your problem might be to assign multiple IP addresses to your box and bind your SSH to port 443 on a separate IP; you can usually assign multiple IP addresses to a single adapter, no need to add a second network card. Otherwise I don't know of any out of the box solutions for what you want to do. You would probably have to create a custom daemon for that, which would be a little tricky but doable.
解决问题的一个简单方法可能是为您的盒子分配多个IP地址,并将SSH绑定到另一个IP上的端口443;您通常可以为单个适配器分配多个IP地址,而无需添加第二个网卡。否则,我不知道你想做什么的任何开箱即用的解决方案。你可能不得不为它创建一个自定义守护进程,这有点棘手但可行。
#3
The firewall restrictions are in place for a reason. They may not be good ones, but they make sense to the person who implemented it or caused it to be implemented. I wouldn't attempt to violate the company policy on external connections.
出于某种原因,防火墙限制到位。它们可能不是好的,但它们对实施它或使其实现的人有意义。我不会试图违反有关外部连接的公司政策。
If your need is legitimate, I would request that the port, or an alternate, be opened to the addresses you require. If that doesn't work then perhaps a VPN solution would be acceptable.
如果您的需要是合法的,我会要求将端口或备用端口打开到您需要的地址。如果这不起作用,那么VPN解决方案可能是可以接受的。
In the case where the network folks are just insanely protective, unwilling to respond to reason, or plain incompetent, I'd want to make sure I had sign-off from a manager who's willing to go to bat for me WHEN it becomes an issue before I implemented a work-around. Anything else could reasonably end up with your employment being terminated. After all, you are talking about violating a company security policy.
如果网络人员只是疯狂地保护,不愿意回应理性,或者根本不称职,我想确保我已经从一位愿意为我殴打的经理签字,当它变成一个问题时在我实施解决方案之前。任何其他事情都可能合理地结束你的工作被终止。毕竟,您正在谈论违反公司安全政策。
#4
You could build a small web application listening on port 443 that enables a reverse SSH shell towards the IP of the incoming connection, using public key authentication. Say:
您可以构建一个侦听端口443的小型Web应用程序,该应用程序使用公钥身份验证为反向SSH shell启用传入连接的IP。说:
- You authenticate on the web application; the web application retrieves your IP
- The application starts a SSH tunnel from its IP to your IP (at port 22)
- The SSH server on your machine ends the tunnel and listens at localhost:8080
- Then, you start a SSH session with localhost:8080. The commands in the following interactive session are redirected to the remote host.
您在Web应用程序上进行身份验证; Web应用程序检索您的IP
应用程序启动从其IP到您的IP的SSH隧道(在端口22)
计算机上的SSH服务器结束隧道并侦听localhost:8080
然后,使用localhost:8080启动SSH会话。以下交互式会话中的命令将重定向到远程主机。
#5
If you have apache on our centos box, you can use mod_proxy to redirect requests from one port to another. I use this to redirect requests to http://webmin.myserver.com to http://myserver.com:10000 (webmin running on an inaccessible port)
如果你的centos框上有apache,你可以使用mod_proxy将请求从一个端口重定向到另一个端口。我使用它将请求重定向到http://webmin.myserver.com到http://myserver.com:10000(webmin在无法访问的端口上运行)
ServerName webmin.myserver.co.uk
SSLProxyEngine On
ProxyRequests Off
ProxyPass / https://myserver.co.uk:10000/
ProxyPassReverse / https://myserver.co.uk:10000/
Place the above in your virtual server directive, and you're good to go. This may not work with Putty, but if you install webmin it has a SSH module you can access via a browser.
将上面的内容放在虚拟服务器指令中,你就可以了。这可能不适用于Putty,但如果您安装webmin,它有一个SSH模块,您可以通过浏览器访问。
#1
sslh : http://www.rutschle.net/tech/sslh.shtml
sslh:http://www.rutschle.net/tech/sslh.shtml
I'm using 1.5; I haven't tried 1.6b yet, and 1.3 has a problem with leaving zombies around.
我用的是1.5;我还没有尝试过1.6b,并且1.3在离开僵尸时遇到了问题。
Run it on port 443; if no data is sent with 2 seconds (the default), it forwards to ssh. Otherwise, it forwards to your web server.
在端口443上运行它;如果没有数据以2秒(默认值)发送,则转发到ssh。否则,它会转发到您的Web服务器。
I'm running it on my website (http://mikeage.net) -- you can netcat in if you want to see both login banners.
我在我的网站(http://mikeage.net)上运行它 - 如果你想看到两个登录横幅,你可以netcat。
In my case, it also has another purpose. We have an even more restrictive setup than you: all ports are blocked, but 80 and 443 can be reached via proxy. I can have SSH use a program like corkscrew (or putty natively) to proxy my SSH connection via the company proxy to my server:443, where after a brief delay, my SSH server responds with it's login banner. I can also serve webpages over the standard HTTPS (and do, in fact).
就我而言,它还有另一个目的。我们的设置比您更具限制性:所有端口都被阻止,但可以通过代理访问80和443。我可以让SSH使用像corkscrew(或putty本地)这样的程序来通过公司代理将我的SSH连接代理到我的服务器:443,在短暂的延迟之后,我的SSH服务器用它的登录横幅进行响应。我还可以通过标准HTTPS提供网页(实际上也可以)。
#2
An easy solution to your problem might be to assign multiple IP addresses to your box and bind your SSH to port 443 on a separate IP; you can usually assign multiple IP addresses to a single adapter, no need to add a second network card. Otherwise I don't know of any out of the box solutions for what you want to do. You would probably have to create a custom daemon for that, which would be a little tricky but doable.
解决问题的一个简单方法可能是为您的盒子分配多个IP地址,并将SSH绑定到另一个IP上的端口443;您通常可以为单个适配器分配多个IP地址,而无需添加第二个网卡。否则,我不知道你想做什么的任何开箱即用的解决方案。你可能不得不为它创建一个自定义守护进程,这有点棘手但可行。
#3
The firewall restrictions are in place for a reason. They may not be good ones, but they make sense to the person who implemented it or caused it to be implemented. I wouldn't attempt to violate the company policy on external connections.
出于某种原因,防火墙限制到位。它们可能不是好的,但它们对实施它或使其实现的人有意义。我不会试图违反有关外部连接的公司政策。
If your need is legitimate, I would request that the port, or an alternate, be opened to the addresses you require. If that doesn't work then perhaps a VPN solution would be acceptable.
如果您的需要是合法的,我会要求将端口或备用端口打开到您需要的地址。如果这不起作用,那么VPN解决方案可能是可以接受的。
In the case where the network folks are just insanely protective, unwilling to respond to reason, or plain incompetent, I'd want to make sure I had sign-off from a manager who's willing to go to bat for me WHEN it becomes an issue before I implemented a work-around. Anything else could reasonably end up with your employment being terminated. After all, you are talking about violating a company security policy.
如果网络人员只是疯狂地保护,不愿意回应理性,或者根本不称职,我想确保我已经从一位愿意为我殴打的经理签字,当它变成一个问题时在我实施解决方案之前。任何其他事情都可能合理地结束你的工作被终止。毕竟,您正在谈论违反公司安全政策。
#4
You could build a small web application listening on port 443 that enables a reverse SSH shell towards the IP of the incoming connection, using public key authentication. Say:
您可以构建一个侦听端口443的小型Web应用程序,该应用程序使用公钥身份验证为反向SSH shell启用传入连接的IP。说:
- You authenticate on the web application; the web application retrieves your IP
- The application starts a SSH tunnel from its IP to your IP (at port 22)
- The SSH server on your machine ends the tunnel and listens at localhost:8080
- Then, you start a SSH session with localhost:8080. The commands in the following interactive session are redirected to the remote host.
您在Web应用程序上进行身份验证; Web应用程序检索您的IP
应用程序启动从其IP到您的IP的SSH隧道(在端口22)
计算机上的SSH服务器结束隧道并侦听localhost:8080
然后,使用localhost:8080启动SSH会话。以下交互式会话中的命令将重定向到远程主机。
#5
If you have apache on our centos box, you can use mod_proxy to redirect requests from one port to another. I use this to redirect requests to http://webmin.myserver.com to http://myserver.com:10000 (webmin running on an inaccessible port)
如果你的centos框上有apache,你可以使用mod_proxy将请求从一个端口重定向到另一个端口。我使用它将请求重定向到http://webmin.myserver.com到http://myserver.com:10000(webmin在无法访问的端口上运行)
ServerName webmin.myserver.co.uk
SSLProxyEngine On
ProxyRequests Off
ProxyPass / https://myserver.co.uk:10000/
ProxyPassReverse / https://myserver.co.uk:10000/
Place the above in your virtual server directive, and you're good to go. This may not work with Putty, but if you install webmin it has a SSH module you can access via a browser.
将上面的内容放在虚拟服务器指令中,你就可以了。这可能不适用于Putty,但如果您安装webmin,它有一个SSH模块,您可以通过浏览器访问。