Add optional port multiplexer role

Author: blackandred

.templates/inventory/group_vars/all.yaml

@@ -162,3 +162,9 @@ default_role_fail2ban:
 default_role_system_settings:
     timezone: Europe/Rome
     locale: "en_GB.UTF-8"
+
+
+default_role_port_multiplexer:
+    sslh_route_to_ssh_port: 22
+    sslh_route_to_http_port: 80
+    sslh_route_to_tls_port: 4443

playbooks/prepare-machine.yml

@@ -29,77 +29,94 @@
       # ===================================
       - name: Set system settings
         when: role_system_settings is defined
+        tags: system_settings
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_system_settings | combine(role_system_settings | default({}), recursive=True) }}"
 
           - include_role: name=system-settings
-            tags: system_settings
 
       # ==========
       # Multi User
       # ==========
       - name: Users management role
         when: role_users is defined
+        tags: users
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_users | combine(role_users | default({}), recursive=True) }}"
 
           - include_role: name=blackandred.server_multi_user
-            tags: users
 
       # ==============
       # Basic Software
       # ==============
       - name: Basic Software role
         when: role_basic_software is defined
+        tags: basic_software
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_basic_software | combine(role_basic_software | default({}), recursive=True) }}"
 
           - include_role: name=blackandred.server_basic_software
-            tags: basic_software
 
       # ========
       # Tweaking
       # ========
       - name: Tweaking role
         when: role_tune is defined
+        tags: tune
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_tune | combine(role_tune | default({}), recursive=True) }}"
 
           - include_role: name=infrastructure-ansible-tweak-os
-            tags: tune
 
       # ====
       # Logs
       # ====
       - name: Logs role
         when: role_logs is defined
+        tags: logs
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_logs | combine(role_logs | default({}), recursive=True) }}"
 
           - include_role: name=infrastructure-ansible-logs
-            tags: logs
 
+      # =========================
+      # Security - IPS - Fail2Ban
+      # =========================
       - name: Fail2ban role
         when: role_fail2ban is defined
+        tags: fail2ban
         block:
           - name: Include required vars
             set_fact:
             args: "{{ default_role_fail2ban | combine(role_fail2ban | default({}), recursive=True) }}"
 
           - name: Touch /var/log/auth.log
             become: yes
-            path: /var/log/auth.log
-            state: touch
+            file:
+                path: /var/log/auth.log
+                state: touch
 
           - include_role: name=oefenweb.fail2ban
-            tags: fail2ban
+
+      # ==========================================
+      # Security - optional ports to mask SSH port
+      # ==========================================
+      - name: Multiplexer role
+        when: role_port_multiplexer is defined
+        tags: port-multiplexer
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_port_multiplexer | combine(role_port_multiplexer | default({}), recursive=True) }}"
+
+          - include_role: name=port-multiplexer

roles/port-multiplexer/README.md

@@ -0,0 +1,21 @@
+Port multiplexer
+================
+
+Sets up multiple protocols like VPN, SSH, HTTPS on single port.
+
+- Additional layer of security by hiding services behind regular 443 port, no one would expect it
+- Misleads the eavesdropping by mixing different services on one port (privacy)
+- Proxies transparently, so the source IP address is preserved and fail2ban can be still used together to provide maximum security
+
+**Before using this role make sure that nothing is listening on 443 port on 0.0.0.0 (does not collide with 127.0.0.1:443)**
+
+
+Read more:
+https://confluence.jaytaala.com/display/TKB/Transparent+SSLH%3A+using+a+single+port+to+transparently+route+incoming+traffic+for+Apache%2C+OpenVPN%2C+and+SSH
+
+
+
+Alternative solutions
+---------------------
+
+- Port knocking

roles/port-multiplexer/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+
+- tags: port-multiplexer
+  block:
+    - name: Install sslh
+      become: yes
+      package:
+          name: sslh
+          state: present
+
+    - name: Detect gateway interface
+      become: yes
+      shell: "ip route | head -n 1 | awk '/default/ { print $3 }'"
+      register: gw_interface_out
+
+    - name: Set gateway interface
+      set_fact:
+          gateway_interface: "{{ gw_interface_out.stdout }}"
+
+    - name: Create iptables script for transparent proxying
+      become: yes
+      template:
+          src: "{{ item.path }}"
+          dest: "/{{ item.path }}"
+          mode: u+rwx,g+rx,o+rx
+      with_items:
+          - { path: usr/local/bin/sslh-transparent, mode: u+rwx,g+rx,o+rx }
+          - { path: etc/default/sslh, mode: u+rwx,g+r,o+r }
+          - { path: etc/systemd/system/sslh-transparent.service, mode: u+rw,g+r,o+r }
+          - { path: etc/sslh.cfg, mode: u+rw,g+r,o+r }
+
+    - name: Enable services
+      become: yes
+      systemd:
+          name: "{{ item }}"
+          state: started
+      with_items:
+          - sslh
+          - sslh-transparent

roles/port-multiplexer/templates/etc/default/sslh

@@ -0,0 +1,3 @@
+RUN=no
+DAEMON=/usr/sbin/sslh
+DAEMON_OPTS="--user sslh -F /etc/sslh.cfg --pidfile /var/run/sslh/sslh.pid"

roles/port-multiplexer/templates/etc/sslh.cfg

@@ -0,0 +1,21 @@
+verbose: 0;
+foreground: true;
+inetd: false;
+numeric: false;
+transparent: true;
+timeout: 2;
+user: "nobody";
+chroot: "/tmp";
+syslog_facility: "auth";
+
+listen:
+(
+    { host: "0.0.0.0"; port: "443"; }
+);
+
+protocols:
+(
+     { name: "ssh"; service: "ssh"; host: "127.0.0.1"; port: "{{ sslh_route_to_ssh_port | default('22') }}"; keepalive: true; fork: true; tfo_ok: true },
+     { name: "http"; host: "127.0.0.1"; port: "{{ sslh_route_to_http_port | default('80') }}"; },
+     { name: "tls"; host: "127.0.0.1"; port: "{{ sslh_route_to_tls_port | default('443') }}"; tfo_ok: true }
+);

roles/port-multiplexer/templates/etc/systemd/system/sslh-transparent.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=sslh transparent (see /usr/local/sbin/ssl-transparent)
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/sbin/sslh-transparent
+
+[Install]
+WantedBy=multi-user.target

roles/port-multiplexer/templates/usr/local/bin/sslh-transparent

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+sysctl -w net.ipv4.conf.default.route_localnet=1
+sysctl -w net.ipv4.conf.all.route_localnet=1
+
+# DROP martian packets as they would have been if route_localnet was zero
+# Note: packets not leaving the server aren't affected by this, thus sslh will still work
+iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+
+# Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
+iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+
+# Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
+iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+
+ip rule add fwmark 0x1 lookup 100
+ip route add local 0.0.0.0/0 dev lo table 100