| Linode Forum https://forum.linode.com/ |
|
| How to access my linode behind a firewall that locks port 22? https://forum.linode.com/viewtopic.php?f=19&t=10275 |
Page 3 of 4 |
| Author: | sblantipodi [ Thu Jul 25, 2013 3:05 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
vonskippy wrote:
> Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time. //just saying//

I don't manage my hobby; I need to use an email client.
|
| Author: | Piki [ Thu Jul 25, 2013 4:00 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
vonskippy wrote:
> Maybe his employer's IT Dept puts those port blocks on their outbound network because they, you know, expect their workers to . . . . work, and not manage their hobbies on company time. //just saying//

If you're replying to my post, note that I did not mention anything about ports, but instead the listening address. Unless the OP's Linode starts spamming his employer's network, I doubt they'll block his Linode's IP address. Hence my suggestion to not use a listening address still stands, although this suggestion is entirely safe to ignore.
|
| Author: | sblantipodi [ Thu Jul 25, 2013 4:06 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Piki wrote:
> use a listening address still stands, although this suggestion is entirely safe to ignore

It seems that you know what ListenAddress is; what is this parameter exactly?
|
| Author: | Piki [ Thu Jul 25, 2013 4:21 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
sblantipodi wrote:
> Piki wrote:
> > use a listening address still stands, although this suggestion is entirely safe to ignore
>
> It seems that you know what ListenAddress is; what is this parameter exactly?

It's to tell sshd what IP addresses to listen for connections on. For instance, if you decide to set up your Linode as a shared host, you could purchase a separate IP address for each individual customer. If you don't want those customers to have ssh access, you could have one additional IP address just for yourself (one your customers aren't allowed to use) and make sshd listen only on that reserved address. This is just an example; there's nothing really stopping those customers from attempting to ssh to your reserved address (or using it for a domain). ListenAddress is probably best used on an internal network, however reasons for using it will vary.
|
| Author: | kangaby [ Sun Aug 04, 2013 3:08 am ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
You could bind ssh to port 443 on your IPv6 address and hope the corporate network passes IPv6 traffic. Purchase a 2nd IPv4 address and bind ssh to port 443 on that new IP address. Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.
|
| Author: | sblantipodi [ Sun Aug 04, 2013 5:40 am ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
kangaby wrote:
> You could bind ssh to port 443 on your IPv6 address and hope the corporate network passes IPv6 traffic. Purchase a 2nd IPv4 address and bind ssh to port 443 on that new IP address. Even if you go down this path, and your corporate network admins are worth their salt, they'll be doing some form of content inspection that will tell them your ssh traffic on port 443 just isn't https traffic, and they'll kill it anyway.

They inspect traffic, they have some other ports open, and they kill the connection if they don't see HTTPS traffic. 443 is open without any control, and I solved it using the multiplexer on that port.
|
| Author: | sblantipodi [ Tue Oct 01, 2013 6:47 am ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
I found a huge problem with this approach. SSLH is a multiplexer that redirects all the incoming traffic on 443 to the correct port. The huge problem with this approach is that all people who access my HTTPS site are redirected to 8443 (the port where SSL is listening) but with the 127.0.0.1 address.

My logs are full of different people using the HTTPS service, but the only IP address I find in the log now is 127.0.0.1. This is clear because people connect to the HTTPS standard port (443) and the multiplexer redirects from localhost to 8443. In this way the logs mean nothing, I cannot trace any IP address, and this is not good at all; fail2ban obviously stopped working too.

Is there a possible solution to this problem? Any idea?
|
| Author: | hoopycat [ Tue Oct 01, 2013 6:54 am ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Use a network connection that doesn't block port 22? |
|
| Author: | sblantipodi [ Tue Oct 01, 2013 7:04 am ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
hoopycat wrote:
> Use a network connection that doesn't block port 22?

Come on, be serious! It's never that easy.
|
| Author: | Ox- [ Tue Oct 01, 2013 4:50 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Normal web reverse proxies like HAProxy and nginx have the capability of passing along the real IP address in HTTP headers. sslh does it a little differently, though. From the README:

==== Transparent proxy support ====
|
| Author: | sblantipodi [ Tue Oct 01, 2013 6:04 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Thanks for the reply!!! I'm reading the README too, but I don't understand how to enable this "transparent mode"... Have you understood it?
|
| Author: | sblantipodi [ Wed Oct 02, 2013 2:50 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
I'm starting sslh with the --transparent option, but when I go to an HTTPS site I get this error:

setsockopt: Operation not permitted

If I remove --transparent it works like a charm. I also ran setcap cap_net_bind_service,cap_net_admin+pe sslh as a try, but same problem. Any idea?
|
| Author: | Ox- [ Sat Oct 05, 2013 2:21 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Can you try running it as root and see if it works? If it works as root, that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.
|
| Author: | sblantipodi [ Sat Oct 05, 2013 2:27 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
Ox- wrote:
> Can you try running it as root and see if it works? If it works as root, that means the sslh README was probably incomplete and you need more permissions than cap_net_admin.

If I set

ListenAddress MYLINODEIP

in /etc/ssh/sshd_config and I run it as root with these settings in /etc/rc.d/init.d/sslh:

OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:22"

it works like a charm, but in this way it is using root.
|
| Author: | sblantipodi [ Sat Oct 05, 2013 2:56 pm ] |
| Post subject: | Re: How to access my linode behind a firewall that locks port |
It must be a problem of permissions, because it says:

setsockopt: Operation not permitted

if I run as a normal user. No problem as root.
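A small diagnostic for the "setsockopt: Operation not permitted" error in the last few posts, added here as an example; it is not code from the thread or from the sslh project. It assumes Linux: it reads the effective capability set of the current process from /proc/self/status and then tries to set IP_TRANSPARENT on a throwaway TCP socket, which is the socket option sslh's --transparent mode needs. Per ip(7), setting IP_TRANSPARENT requires CAP_NET_ADMIN in the effective set, and a daemon that switches to an unprivileged user after starting loses its capabilities unless it explicitly arranges to keep them, so the check is most informative when run as the user the daemon actually drops to. The capability bit numbers are those of the Linux kernel; the status text passed to read_effective_caps in the test is constructed.

```python
"""Diagnose why IP_TRANSPARENT (as used by sslh --transparent) fails with EPERM.

Added example, not code from the thread or from the sslh project.
Assumes Linux with a readable /proc/self/status.
"""
import errno
import platform
import socket

# Linux capability bit numbers (see <linux/capability.h>); only the ones a
# network daemon's privilege setup usually involves are named here.
CAP_BITS = {
    0: "CAP_CHOWN",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    21: "CAP_SYS_ADMIN",
}

# Linux value of IP_TRANSPARENT; Python exposes it as socket.IP_TRANSPARENT on Linux.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def decode_caps(hexmask: str) -> set:
    """Turn a CapEff/CapPrm hex mask from /proc/<pid>/status into capability names.

    Bits with no entry in CAP_BITS are reported as CAP_<bitnumber>.
    """
    mask = int(hexmask, 16)
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_BITS.get(bit, f"CAP_{bit}"))
        mask >>= 1
        bit += 1
    return names


def read_effective_caps(status_text: str = None) -> set:
    """Effective capability set of this process, or of a supplied status text."""
    if status_text is None:
        if platform.system() != "Linux":
            return set()
        with open("/proc/self/status") as f:
            status_text = f.read()
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(line.split(":", 1)[1].strip())
    return set()


def try_ip_transparent():
    """Attempt to set IP_TRANSPARENT on a throwaway TCP socket.

    Returns (True, None) on success or (False, errno_value) on failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        return True, None
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


def report() -> str:
    """Human-readable summary combining the capability set and the setsockopt probe."""
    caps = read_effective_caps()
    ok, err = try_ip_transparent()
    lines = [f"effective caps: {sorted(caps) or 'none'}"]
    if ok:
        lines.append("IP_TRANSPARENT: OK (transparent proxying can work from this context)")
    else:
        lines.append(f"IP_TRANSPARENT: failed, errno {err} ({errno.errorcode.get(err, '?')})")
        if err == errno.EPERM and "CAP_NET_ADMIN" not in caps:
            lines.append("CAP_NET_ADMIN is not in the effective set; ip(7) requires it for IP_TRANSPARENT")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it once as root and once as the daemon's unprivileged user: if the capability line differs between the two, the privilege drop (not the setcap on the binary) is where CAP_NET_ADMIN is being lost.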
|
| All times are UTC-04:00 |