LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-10-2017, 04:47 AM   #1
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Rep: Reputation: 57
All ports blocked except 80 - can secure VPN connections still be done?


Hypothetical situation where all ports are blocked except the HTTP port 80. Can secure connections still be done for VPN purposes?
 
Old 04-10-2017, 05:09 AM   #2
r3sistance
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Rep: Reputation: 217
Hypothetically, you could set up a server outside that listens for ssh on port 80 and establish an ssh tunnel to that port. Hypothetically, if someone were discovered doing that at work, it could potentially be considered gross misconduct and thus open oneself to being fired, or banned from whatever network it is that you are looking to work around.
 
Old 04-10-2017, 05:34 AM   #3
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
So much for the r3sistance name. Anyway would that oddly configured ssh tunnel interfere with other people's use of the HTTP port?
 
Old 04-10-2017, 05:41 AM   #4
r3sistance
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
Rep: Reputation: 217
There are multiple ways to get a working browser locally: you could set up a proxy to the ssh box on an alternative port using the ssh tunnel, or you could set up a VNC server on the proxy box and put a VNC connection across the ssh tunnel to use a remote session on that box.

Is there something you are specifically trying to allow or deny here?
 
Old 04-10-2017, 06:01 AM   #5
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
What I have is ultrasurf, a free non-standard VPN-like thing whose client you normally install on a Windows machine, where it listens on port 80 as a local HTTP proxy, except I install it under wine in a Linux VM. This VM is set up as a gateway to allow other VMs to connect to the internet through the ultrasurf link, intercepting their HTTP requests. Why ultrasurf instead of any other VPN? Because it is free, Chinese, and hard to block as nothing is standard about it; it even opens decoy connections.

But its security is abysmal, non-existent for the end user, so your ssh-over-port-80 scheme might do the trick, except I need to find a public ssh server first and probably pay for it. Any free alternatives?

Last edited by Ulysses_; 04-10-2017 at 06:05 AM.
 
Old 04-10-2017, 08:51 AM   #6
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
Rep: Reputation: 3187
There's absolutely nothing "hypothetical" about this! This, in my opinion, is how you should always configure your external connections.

Never expose a non-public service (specifically including ssh) directly to the outside world. And, never make it possible to use a pre-shared-key (PSK) password, of any sort, to reach them.

You can use OpenVPN to create a secure portal that cannot be detected, much less attacked.

Ordinarily, OpenVPN uses UDP port #1182. (Other VPN solutions customarily also use other UDP ports.) UDP is a conversationless datagram protocol, using only the "IP" layer of "TCP/IP." Therefore, there are no "sockets," and a "port scan" (which is really a "TCP/IP socket scan") will detect nothing.

Therefore, establish a port-forwarding rule for UDP/1192 (or whatever UDP port-number you agree on), and use this to allow the (Open)VPN machines to communicate with one another. (Port forwarding causes incoming packets to be delivered to a particular machine on your internal network. These will be the encrypted packets.)

Aside from the HTTP(S) TCP/IP ports, you need have no other open ports or sockets on any of your servers. The fact that you are port-forwarding is undetectable.

If you now use the tls-auth feature of OpenVPN, as you certainly should, the presence of an OpenVPN server becomes undetectable, because the server will only reply to a supplicant that evidences possession of the proper certificate. All other packets will be silently dropped.

So, in order to connect, a client must possess two digital certificates: one to use with tls-auth (to cause the server to even reply to a connection request), and a second one, which is one-of-a-kind, to gain entry. The second certificate must not have been revoked. (So, if someone's laptop is stolen in the men's room, that certificate can "drop dead" in a matter of minutes without affecting any of the others.)

Authorized users pass through the gantlet, seemingly without impediment, and the remote subnet is "simply there." But, unauthorized L33T H4X0RZ ... can't even detect that the secret passage exists.

All services, including ssh, are only accessible through a successful OpenVPN connection. (Firewall rules are used to make damn-sure that they cannot directly reach, or be reached by, the outside world.)

"Number of failed login attempts?" Zero.

Last edited by sundialsvcs; 04-10-2017 at 09:13 AM.
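The "silently dropped" behaviour described in the post above comes from OpenVPN's tls-auth feature, which prepends an HMAC (keyed with the pre-shared ta.key) and a packet-id to every control-channel packet, so the server never answers a packet that does not carry a valid tag. The following is an added toy model of that gate, written for this thread; it is not OpenVPN's code or wire format. The 8-byte packet-id field, HMAC-SHA256, the 64-byte key and the message names are assumptions chosen for the illustration.

```python
"""Toy model of the tls-auth "silent drop" gate (added example, not OpenVPN code).

The receiver answers only packets whose HMAC verifies under the shared key and
whose packet-id is strictly increasing; everything else is dropped without a
reply, which is why an unkeyed scanner gets no response at all.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length (model assumption)
PID_LEN = 8   # constructed big-endian packet-id counter (model assumption)


class TlsAuthGate:
    """Stateful receiver: verifies the HMAC, rejects replays, stays silent on failure."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_pid = 0
        self.dropped = 0

    def accept(self, packet: bytes):
        """Return the authenticated payload, or None for a silent drop."""
        if len(packet) < TAG_LEN + PID_LEN:
            self.dropped += 1
            return None
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            self.dropped += 1
            return None
        (pid,) = struct.unpack(">Q", body[:PID_LEN])
        if pid <= self.highest_pid:  # counter must strictly increase: replay
            self.dropped += 1
            return None
        self.highest_pid = pid
        return body[PID_LEN:]


def wrap(key: bytes, pid: int, payload: bytes) -> bytes:
    """Sender side: prepend the packet-id, then HMAC over id plus payload."""
    body = struct.pack(">Q", pid) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


def demo() -> dict:
    """Run four constructed packets through the gate and report what happened."""
    key = os.urandom(64)  # stands in for the shared ta.key (constructed)
    gate = TlsAuthGate(key)
    results = {}
    hello = wrap(key, 1, b"P_CONTROL_HARD_RESET_CLIENT")  # constructed control message
    results["valid"] = gate.accept(hello)                 # answered
    results["replay"] = gate.accept(hello)                # same packet again: dropped
    results["unkeyed_probe"] = gate.accept(b"\x38" + os.urandom(40))  # scanner noise: dropped
    forged = bytearray(wrap(key, 2, b"P_CONTROL_HARD_RESET_CLIENT"))
    forged[-1] ^= 0x01                                    # flip one payload bit
    results["tampered"] = gate.accept(bytes(forged))      # HMAC mismatch: dropped
    results["dropped"] = gate.dropped
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the first packet is answered; the replay, the unkeyed probe and the tampered packet all fall through without any response, which is the property the post relies on. The real feature additionally ties the packet-id to a session and offers tls-crypt, which also encrypts the control channel.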
 
Old 04-10-2017, 09:47 AM   #7
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
That sounds cool and is worth further research. But what if there is no path from the OpenVPN client to the OpenVPN server simply because a rule somewhere along the way disposes of all UDP and TCP packets except TCP marked as port 80?
 
Old 04-10-2017, 01:20 PM   #8
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
Rep: Reputation: 3187
You obviously have to make sure that the traffic does get through somehow.

All intervening firewalls must permit both TCP/IP port-80 and whatever UDP port-number you select (default: 1182) to send and to receive traffic.

But, they should allow nothing else. All of the traffic that is "flowing through the tunnel" appears only as encrypted UDP traffic.

In fact, you should specifically prohibit all other protocols or ports from getting in or out. Even if a mis-configured sshd is inadvertently listening on a public-facing port, it should never be able to receive or send traffic. The OpenVPN tunnel must be the only thing that it listens to, and the only way by which it will ever hear or say anything.

This arrangement is very secure and, once you get the hang of it, very easy to set up. (OpenVPN is much easier to deal with than ipsec, because the engine is a user-mode process that relies on a very simple virtual-device interface merely to get traffic into and out of that user-mode process. "OpenVPN is talking to another copy of itself," and the operating system has very little to do with it.)

Last edited by sundialsvcs; 04-10-2017 at 01:29 PM.
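The post above warns about an sshd that is "inadvertently listening on a public-facing port". Firewall rules are the enforcement, but a quick audit of what is actually bound where catches the misconfiguration before it matters. The script below is an added example written for this thread, not the poster's: it parses the output of `ss -Hlntu` (the sample is constructed) and reports every listener reachable outside the tunnel that is not on the allow-list. The tunnel address 10.8.0.1, the allowed pair TCP/80 plus UDP/1194, and the sample sockets are assumptions for the illustration.

```python
"""Audit listening sockets against a "port 80 plus VPN endpoint only" policy.

Added example, not from the thread. Feed it `ss -Hlntu` output; anything bound
to a wildcard or public address that is not on PUBLIC_ALLOW is reported.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample of `ss -Hlntu` (no header line).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128         10.8.0.1:22         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1194       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Policy (assumed): only these may face the public side ...
PUBLIC_ALLOW = {("tcp", 80), ("udp", 1194)}
# ... everything else must bind to loopback or the VPN tunnel address(es).
TUNNEL_ADDRS = {ipaddress.ip_address("10.8.0.1")}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_ss(text: str) -> List[Listener]:
    """Turn `ss -Hlntu` lines into Listener records (IPv6 brackets stripped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        addr = addr.strip("[]")
        if addr in ("*", ""):          # ss prints "*" for some wildcard binds
            addr = "0.0.0.0"
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposure(lst: Listener) -> str:
    """Classify where a listener can be reached from: loopback, tunnel or public."""
    ip = ipaddress.ip_address(lst.addr)
    if ip.is_loopback:
        return "loopback"
    if ip in TUNNEL_ADDRS:
        return "tunnel"
    # Wildcard binds (0.0.0.0, ::) and any other address count as public.
    return "public"


def audit(text: str) -> List[Tuple[str, str, int]]:
    """Return the listeners that violate the policy as (proto, addr, port) tuples."""
    violations = []
    for lst in parse_ss(text):
        if exposure(lst) == "public" and (lst.proto, lst.port) not in PUBLIC_ALLOW:
            violations.append((lst.proto, lst.addr, lst.port))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_SS):
        print("EXPOSED outside the tunnel: %s %s:%d" % v)
```

Against the sample, the sshd bound to 10.8.0.1 (the tunnel side) and the database on loopback pass, while the two wildcard sshd binds (IPv4 and IPv6) are flagged. On a real host, pipe `ss -Hlntu` into `audit()` and run it from cron; a non-empty result means the firewall is the only thing standing between that service and the Internet.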
 
Old 04-10-2017, 02:37 PM   #9
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
Quote: Originally Posted by sundialsvcs
    All intervening firewalls must permit both TCP/IP port-80 and whatever UDP port-number you select (default: 1182) to send and to receive traffic.

If you pay attention to a post of mine above, which is about a local proxy I want all my VMs to go through (the local HTTP proxy provided by ultrasurf), you will see that a situation where UDP is completely unavailable is very real, and the question is:

How do you tunnel your own secure connection through a route that only allows HTTP packets associated with port 80? And do it for free. Am I asking for too much?
 
Old 04-10-2017, 03:31 PM   #10
jefro
Moderator
Registered: Mar 2008
Posts: 20,677
Rep: Reputation: 3333
Doesn't ultrasurf connect via port 80? I might not understand the issue. Only if you are running a server on port 80 would it matter. A connection to the outside can be made on almost any port. See the issues that firewall sites have for trying to block ultrasurf.

However, part of your question involves a secure connection. I'd think that if you wanted some point-to-point VPN or other ipsec you could use a single port.
 
Old 04-10-2017, 03:49 PM   #11
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
Rep: Reputation: 3187
I have so-far interpreted the question to mean, e.g., "this machine hosts a public-facing HTTP-only web server." Therefore, there is an operational requirement to expose TCP/IP port #80 to the general public.

"But, not anything else."

My recommended solution is to use OpenVPN ... which, like most VPNs, typically uses a UDP (not TCP/IP) port for communication. (A UDP port, since it is not a "socket," cannot be "scanned.")

Now, the target server can be reached in exactly two ways: through TCP/IP port #80, which can be detected, and through a UDP port, which cannot. However, once the (Open)VPN "tunnel" has been established, other services on this computer become accessible. (These services "listen" only to [virtual ...] IP-addresses which represent "the tunnel," and are blocked by firewalls from even-accidentally connecting to anything else.)

For authorized users, connecting to these services is "as easy as pie." But, for the hacker-infested "Internet at large," it is impossible. They can't even detect anything, much less attempt to break into it.

Although OpenVPN is not the only "secure VPN solution" available, and although there might be a few "big-corporate" edge cases which would (perhaps ...) contraindicate it, I consider it to be by-far the easiest one to deal with as a human being.

And ... "VPN versus anything else, such as ssh?" ... (chuckle, snicker, guffaw, ROTFLCMAO) ... "not only no, but™ ... (etc.)"

Last edited by sundialsvcs; 04-10-2017 at 03:57 PM.
 
Old 04-10-2017, 03:51 PM   #12
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
When you use a browser, the destination port is 80 (that's the port apache is listening on at internet web sites), but the source port can be anything; it's chosen by the browser. If the destination port is not 80 (or 81), packets sent from the browser through the ultrasurf tunnel are thrown away.

It's a little more complicated, but let's keep things simple: what would be the ADDITIONAL tunneling software (I want to keep using ultrasurf) that would encapsulate all sorts of packets (even ftp, p2p) so they look like they are going to port 80 at some remote web site, which is in fact not a web site but a server for the tunnel? Just as a workaround for ultrasurf's limitations.

R3sistance has the solution: it is ssh configured to listen on port 80. Except its hosting is not free. Or do you know a hoster that does it for free? Perhaps with an alternative tunneling technology other than ssh?

Last edited by Ulysses_; 04-10-2017 at 04:05 PM.
 
Old 04-11-2017, 08:45 AM   #13
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
Rep: Reputation: 3187
You can run more than one tunneling technology at the same time, so long as the IP-address ranges are distinct. In each case you will observe that route rules are in place which direct the traffic into certain virtual network interface devices, which constitute "the tunnel."

I'm not familiar with Ultrasurf so I don't know what sort of traffic-filtering it might do. (But it does not surprise me that they might. Also, it's probably configurable.)

Nevertheless, if the technology is ultimately based on ssh, I wouldn't prefer to use it, because it uses a TCP/IP socket, which can be "scanned" from a distance. Furthermore, depending on exactly how the tunneling is done, it might be possible for some traffic to be sent "in the clear" when you believed that it was passing through the encrypted tunnel.

With ssh you have to "do everything right" to get security. Whereas, with VPN technologies, "it's just there." When you talk to any of the IP-addresses covered by the VPN tunnel, or when they talk to you, "it's encrypted ... period." (VPNs function as a secure router, implemented – usually – in software.)

Last edited by sundialsvcs; 04-11-2017 at 08:54 AM.
 
Old 04-11-2017, 10:19 AM   #14
Ulysses_
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Rep: Reputation: 57
I think both HTTP ports (80 and 81) are allowed. Can OpenVPN be configured to generate TCP traffic using ports 80 and 81 only?
 
Old 04-11-2017, 03:45 PM   #15
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
Rep: Reputation: 3187
As I said, OpenVPN normally uses UDP, not TCP/IP. You can't bind to TCP/IP ports 80/81 if someone else already has them.

And, you have no need to send OpenVPN's encrypted traffic through anyone else's "tunnel."

What you should simply do here is to adjust the firewalls up and down the line so that the UDP-port traffic is allowed to pass, and is port-forwarded to your OpenVPN server. This has nothing to do with UltraSurf.

Last edited by sundialsvcs; 04-11-2017 at 03:46 PM.
 
All times are GMT -5. The time now is 02:34 AM.