stuck behind a firewall that allows only http/https connections? offer ssh over a TLS tunnel!
- configure haproxy to accept TLS connections with ALPN ssh/2.0
- configure the ssh client to open TLS connections with ALPN ssh/2.0 via ProxyCommand

tired of constant attacks against sshd? require port knocking!
- configure an nftables ruleset that permits connections to sshd only after the correct port knocks
- configure the ssh client to issue the port knocks via ProxyCommand
While sslh allows multiplexing of ssh and https connections on the same port, it does not wrap ssh in TLS, so a firewall that inspects traffic can still recognise and block the ssh connection. With ALPN, haproxy routes each TLS connection by the protocol name negotiated in the handshake, without resorting to payload inspection.
fwknopd offers secure port knocking and knockd offers simple port knocking. Both are user-land daemons that require root privileges to observe packets and to update firewall rules, so nftables (kernel-land) is used instead. Additionally, the objective is to reduce the attack surface of sshd, not to add another authentication layer such as the one fwknopd provides.
The haproxy TLS settings and the apache2 headers achieve A+ ratings with Qualys and Mozilla Observatory.
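As an added illustration of the ALPN routing described above (example configuration written for this page, not the project's own files), here is a minimal haproxy fragment that terminates TLS on port 443 and picks the backend from the negotiated ALPN value; the certificate path, the sshd and apache2 addresses, and the hostname in the client snippet are assumptions:

```haproxy
# Added example, not the project's own config. Assumed: certificate at
# /etc/haproxy/certs/example.pem, sshd on 127.0.0.1:22, apache2 on 127.0.0.1:80.
global
    # refuse pre-TLS1.2 clients; the full hardening set for an A+ rating is out of scope here
    ssl-default-bind-options ssl-min-ver TLSv1.2

frontend tls-in
    mode tcp
    # advertise ssh/2.0 next to http/1.1 (h2 is deliberately left out of this minimal example)
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn ssh/2.0,http/1.1
    # ssl_fc_alpn is the protocol the client negotiated in the TLS handshake,
    # so routing needs no look at the ssh banner or the HTTP request
    use_backend sshd if { ssl_fc_alpn -i ssh/2.0 }
    default_backend apache2

backend sshd
    mode tcp
    # haproxy has already stripped TLS; sshd sees a plain ssh session
    server sshd 127.0.0.1:22

backend apache2
    # a TCP frontend may switch to an HTTP backend; tell apache2 the client used TLS
    mode http
    http-request set-header X-Forwarded-Proto https
    server apache2 127.0.0.1:80

# Client side (~/.ssh/config), also an assumption; example.com is a placeholder host:
#   Host example.com
#     ProxyCommand openssl s_client -quiet -verify_return_error -alpn ssh/2.0 -servername %h -connect %h:443
```

Without `-verify_return_error`, `openssl s_client` continues after a failed certificate check, so the ssh host key remains the only thing authenticating the server; with it, a bad certificate aborts the tunnel before ssh starts.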
This solution requires the following packages:
- apache2
- dehydrated
- dehydrated-apache2
- haproxy
- openssh-server
- nftables