spipe-ssh.md 的修订

1

+

# Protecting sshd with spiped

2

+

3

+

This repository shows how to place **spiped** in front of your SSH daemon (`sshd`) in order to add an extra layer of symmetric-key protection and drastically reduce your exposed attack surface.

4

+

5

+

---

6

+

7

+

## What is spiped?

8

+

9

+

`spiped` is a lightweight daemon designed to create symmetrically encrypted and authenticated “pipes” between socket addresses. It binds a local TCP port and forwards traffic to another socket—typically on the same machine—**while encrypting and verifying** all data in transit.

10

+

11

+

It resembles the port-forwarding feature of SSH (`ssh -L`), but uses a pre-shared symmetric key rather than SSH’s full session model, making it simpler and more focused on **secure tunneling**.

12

+

13

+

---

14

+

15

+

## Why protect your SSH daemon with spiped?

16

+

17

+

Running `sshd` behind a `spiped` tunnel adds a strong additional security layer that prevents nearly all unauthorized SSH access attempts before they even reach your server.

18

+

19

+

Because `spiped` only accepts connections encrypted with a pre-shared key, any unauthenticated traffic is dropped immediately—long before it can trigger password guessing, exploit attempts, or even banner visibility.

20

+

21

+

### Key advantages

22

+

23

+

- **Eliminates SSH port scanning & brute-force noise**

24

+

Scanners and bots see nothing: your SSH port becomes completely inaccessible unless the client first establishes a valid `spiped` session.

25

+

26

+

- **Adds symmetric-key access control before SSH**

27

+

Only clients that already possess the shared `spiped` key can even *reach* `sshd`. SSH authentication remains in place, but protected by an extra security layer.

28

+

29

+

- **Prevents protocol fingerprinting**

30

+

Attackers cannot detect that SSH is running at all, reducing exposure to targeted SSH vulnerabilities.

31

+

32

+

- **Simple, low-overhead protection**

33

+

`spiped` uses fast symmetric cryptography and introduces minimal latency.

34

+

35

+

- **Defense in depth**

36

+

Attackers must bypass both the spiped key AND SSH authentication.

37

+

38

+

---

39

+

40

+

## How it works

41

+

42

+

`spiped` runs as a secure encrypted conduit between a *source address* (a public port) and a *target address* (typically `127.0.0.1:22`). All traffic is encrypted, authenticated, and verified before reaching `sshd`.

43

+

44

+

### Flow:

45

+

46

+

1. **Client initiates a spiped session** using the shared key.

47

+

2. **Key exchange** occurs (Diffie-Hellman + HMAC-SHA256).

48

+

3. **Traffic is encrypted** with AES-256-CTR + HMAC-SHA256.

49

+

4. **Verified traffic** is forwarded to `sshd`.

50

+

5. SSH authentication happens normally afterward.

51

+

52

+

### ASCII Diagram

53

+

54

+

```text

55

+

┌────────────────────────────────────────┐

56

+

│ CLIENT │

57

+

│ │

58

+

│ ssh → spiped (client-side) │

59

+

└───────────────┬────────────────────────┘

60

+

│

61

+

│ Encrypted + Authenticated

62

+

│ (AES-256-CTR + HMAC-SHA256)

63

+

▼

64

+

┌────────────────────┐

65

+

│ NETWORK / WAN │

66

+

└───────────┬────────┘

67

+

│

68

+

▼

69

+

┌────────────────────────────────────────┐

70

+

│ SERVER │

71

+

│ │

72

+

│ spiped (server-side) → sshd │

73

+

│ │ decrypt + verify │ │

74

+

│ └──────────────────────┘ │

75

+

└────────────────────────────────────────┘

76

+

```

77

+

78

+

---

79

+

80

+

## Installation & setup (systemd)

81

+

82

+

This example uses:

83

+

84

+

- spiped listening on **0.0.0.0:8022**

85

+

- sshd listening on **127.0.0.1:22**

86

+

- key stored at **/etc/ssh/spiped-secret**

87

+

88

+

### 1. Generate the shared key

89

+

90

+

```bash

91

+

sudo dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped-secret

92

+

sudo chmod 600 /etc/ssh/spiped-secret

93

+

sudo chown root:root /etc/ssh/spiped-secret

94

+

```

95

+

96

+

### 2. Create the systemd service

97

+

98

+

Place this at: `/etc/systemd/system/spiped-ssh.service`

99

+

100

+

```ini

101

+

[Unit]

102

+

Description=Spiped for SSH

103

+

After=network.target

104

+

105

+

[Service]

106

+

Type=simple

107

+

ExecStart=/usr/bin/spiped -F -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped-secret

108

+

Restart=always

109

+

110

+

[Install]

111

+

WantedBy=multi-user.target

112

+

```

113

+

114

+

Reload systemd:

115

+

116

+

```bash

117

+

sudo systemctl daemon-reload

118

+

```

119

+

120

+

### 3. Enable at boot

121

+

122

+

```bash

123

+

sudo systemctl enable spiped-ssh.service

124

+

```

125

+

126

+

### 4. Start the service

127

+

128

+

```bash

129

+

sudo systemctl start spiped-ssh.service

130

+

```

131

+

132

+

### 5. Stop / restart / disable

133

+

134

+

```bash

135

+

sudo systemctl stop spiped-ssh.service

136

+

sudo systemctl restart spiped-ssh.service

137

+

sudo systemctl disable spiped-ssh.service

138

+

```

139

+

140

+

---

141

+

142

+

## Connecting to a spiped-protected SSH server (client setup via ProxyCommand)

143

+

144

+

You can configure SSH to automatically launch `spiped` using the `ProxyCommand` directive. SSH starts spiped when connecting, pipes traffic through it, and closes it afterward.

145

+

146

+

### 1. Install spiped on the client

147

+

148

+

```bash

149

+

# Debian/Ubuntu

150

+

sudo apt install spiped

151

+

152

+

# Fedora/RHEL

153

+

sudo dnf install spiped

154

+

155

+

# macOS

156

+

brew install spiped

157

+

```

158

+

159

+

### 2. Copy the shared key to the client

160

+

161

+

Store it safely:

162

+

163

+

```

164

+

~/.config/spiped/ssh-secret

165

+

```

166

+

167

+

Fix permissions:

168

+

169

+

```bash

170

+

chmod 600 ~/.config/spiped/ssh-secret

171

+

```

172

+

173

+

### 3. Add SSH config entry

174

+

175

+

Edit `~/.ssh/config`:

176

+

177

+

```

178

+

Host my-spiped-server

179

+

HostName 127.0.0.1

180

+

User USERNAME

181

+

Port 22

182

+

ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null

183

+

```

184

+

185

+

### What this does

186

+

187

+

- SSH launches spiped automatically.

188

+

- spiped connects to the server’s encrypted spiped listener.

189

+

- SSH traffic flows through the secure tunnel.

190

+

- spiped terminates when the SSH session closes.

191

+

192

+

### 4. Connect normally

193

+

194

+

```bash

195

+

ssh my-spiped-server

196

+

```

197

+

198

+

### Optional: shorter alias

199

+

200

+

```

201

+

Host prod

202

+

HostName 127.0.0.1

203

+

User USERNAME

204

+

ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null

205

+

```

206

+

207

+

Then:

208

+

209

+

```bash

210

+

ssh prod

211

+

```

212

+

213

+

---

214

+

215

+

With this setup, your SSH daemon is fully shielded behind spiped, dramatically reducing exposure while preserving your normal SSH workflow.

scusi / spipe-ssh.md

scusi 修订了这个 Gist 1 month ago. 转到此修订

		@@ -0,0 +1,215 @@
1	+	# Protecting sshd with spiped
2	+
3	+	This repository shows how to place spiped in front of your SSH daemon (`sshd`) in order to add an extra layer of symmetric-key protection and drastically reduce your exposed attack surface.
4	+
5	+	---
6	+
7	+	## What is spiped?
8	+
9	+	`spiped` is a lightweight daemon designed to create symmetrically encrypted and authenticated “pipes” between socket addresses. It binds a local TCP port and forwards traffic to another socket—typically on the same machine—while encrypting and verifying all data in transit.
10	+
11	+	It resembles the port-forwarding feature of SSH (`ssh -L`), but uses a pre-shared symmetric key rather than SSH’s full session model, making it simpler and more focused on secure tunneling.
12	+
13	+	---
14	+
15	+	## Why protect your SSH daemon with spiped?
16	+
17	+	Running `sshd` behind a `spiped` tunnel adds a strong additional security layer that prevents nearly all unauthorized SSH access attempts before they even reach your server.
18	+
19	+	Because `spiped` only accepts connections encrypted with a pre-shared key, any unauthenticated traffic is dropped immediately—long before it can trigger password guessing, exploit attempts, or even banner visibility.
20	+
21	+	### Key advantages
22	+
23	+	- Eliminates SSH port scanning & brute-force noise
24	+	Scanners and bots see nothing: your SSH port becomes completely inaccessible unless the client first establishes a valid `spiped` session.
25	+
26	+	- Adds symmetric-key access control before SSH
27	+	Only clients that already possess the shared `spiped` key can even reach `sshd`. SSH authentication remains in place, but protected by an extra security layer.
28	+
29	+	- Prevents protocol fingerprinting
30	+	Attackers cannot detect that SSH is running at all, reducing exposure to targeted SSH vulnerabilities.
31	+
32	+	- Simple, low-overhead protection
33	+	`spiped` uses fast symmetric cryptography and introduces minimal latency.
34	+
35	+	- Defense in depth
36	+	Attackers must bypass both the spiped key AND SSH authentication.
37	+
38	+	---
39	+
40	+	## How it works
41	+
42	+	`spiped` runs as a secure encrypted conduit between a source address (a public port) and a target address (typically `127.0.0.1:22`). All traffic is encrypted, authenticated, and verified before reaching `sshd`.
43	+
44	+	### Flow:
45	+
46	+	1. Client initiates a spiped session using the shared key.
47	+	2. Key exchange occurs (Diffie-Hellman + HMAC-SHA256).
48	+	3. Traffic is encrypted with AES-256-CTR + HMAC-SHA256.
49	+	4. Verified traffic is forwarded to `sshd`.
50	+	5. SSH authentication happens normally afterward.
51	+
52	+	### ASCII Diagram
53	+
54	+	```text
55	+	┌────────────────────────────────────────┐
56	+	│ CLIENT │
57	+	│ │
58	+	│ ssh → spiped (client-side) │
59	+	└───────────────┬────────────────────────┘
60	+	│
61	+	│ Encrypted + Authenticated
62	+	│ (AES-256-CTR + HMAC-SHA256)
63	+	▼
64	+	┌────────────────────┐
65	+	│ NETWORK / WAN │
66	+	└───────────┬────────┘
67	+	│
68	+	▼
69	+	┌────────────────────────────────────────┐
70	+	│ SERVER │
71	+	│ │
72	+	│ spiped (server-side) → sshd │
73	+	│ │ decrypt + verify │ │
74	+	│ └──────────────────────┘ │
75	+	└────────────────────────────────────────┘
76	+	```
77	+
78	+	---
79	+
80	+	## Installation & setup (systemd)
81	+
82	+	This example uses:
83	+
84	+	- spiped listening on 0.0.0.0:8022
85	+	- sshd listening on 127.0.0.1:22
86	+	- key stored at /etc/ssh/spiped-secret
87	+
88	+	### 1. Generate the shared key
89	+
90	+	```bash
91	+	sudo dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped-secret
92	+	sudo chmod 600 /etc/ssh/spiped-secret
93	+	sudo chown root:root /etc/ssh/spiped-secret
94	+	```
95	+
96	+	### 2. Create the systemd service
97	+
98	+	Place this at: `/etc/systemd/system/spiped-ssh.service`
99	+
100	+	```ini
101	+	[Unit]
102	+	Description=Spiped for SSH
103	+	After=network.target
104	+
105	+	[Service]
106	+	Type=simple
107	+	ExecStart=/usr/bin/spiped -F -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped-secret
108	+	Restart=always
109	+
110	+	[Install]
111	+	WantedBy=multi-user.target
112	+	```
113	+
114	+	Reload systemd:
115	+
116	+	```bash
117	+	sudo systemctl daemon-reload
118	+	```
119	+
120	+	### 3. Enable at boot
121	+
122	+	```bash
123	+	sudo systemctl enable spiped-ssh.service
124	+	```
125	+
126	+	### 4. Start the service
127	+
128	+	```bash
129	+	sudo systemctl start spiped-ssh.service
130	+	```
131	+
132	+	### 5. Stop / restart / disable
133	+
134	+	```bash
135	+	sudo systemctl stop spiped-ssh.service
136	+	sudo systemctl restart spiped-ssh.service
137	+	sudo systemctl disable spiped-ssh.service
138	+	```
139	+
140	+	---
141	+
142	+	## Connecting to a spiped-protected SSH server (client setup via ProxyCommand)
143	+
144	+	You can configure SSH to automatically launch `spiped` using the `ProxyCommand` directive. SSH starts spiped when connecting, pipes traffic through it, and closes it afterward.
145	+
146	+	### 1. Install spiped on the client
147	+
148	+	```bash
149	+	# Debian/Ubuntu
150	+	sudo apt install spiped
151	+
152	+	# Fedora/RHEL
153	+	sudo dnf install spiped
154	+
155	+	# macOS
156	+	brew install spiped
157	+	```
158	+
159	+	### 2. Copy the shared key to the client
160	+
161	+	Store it safely:
162	+
163	+	```
164	+	~/.config/spiped/ssh-secret
165	+	```
166	+
167	+	Fix permissions:
168	+
169	+	```bash
170	+	chmod 600 ~/.config/spiped/ssh-secret
171	+	```
172	+
173	+	### 3. Add SSH config entry
174	+
175	+	Edit `~/.ssh/config`:
176	+
177	+	```
178	+	Host my-spiped-server
179	+	HostName 127.0.0.1
180	+	User USERNAME
181	+	Port 22
182	+	ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null
183	+	```
184	+
185	+	### What this does
186	+
187	+	- SSH launches spiped automatically.
188	+	- spiped connects to the server’s encrypted spiped listener.
189	+	- SSH traffic flows through the secure tunnel.
190	+	- spiped terminates when the SSH session closes.
191	+
192	+	### 4. Connect normally
193	+
194	+	```bash
195	+	ssh my-spiped-server
196	+	```
197	+
198	+	### Optional: shorter alias
199	+
200	+	```
201	+	Host prod
202	+	HostName 127.0.0.1
203	+	User USERNAME
204	+	ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null
205	+	```
206	+
207	+	Then:
208	+
209	+	```bash
210	+	ssh prod
211	+	```
212	+
213	+	---
214	+
215	+	With this setup, your SSH daemon is fully shielded behind spiped, dramatically reducing exposure while preserving your normal SSH workflow.