Baixar ZIP

spipe-ssh.md · 6.6 KiB · Markdown Bruto

# Protecting sshd with spiped This repository shows how to place **spiped** in front of your SSH daemon (`sshd`) in order to add an extra layer of symmetric-key protection and drastically reduce your exposed attack surface. --- ## What is spiped? `spiped` is a lightweight daemon designed to create symmetrically encrypted and authenticated “pipes” between socket addresses. It binds a local TCP port and forwards traffic to another socket—typically on the same machine—**while encrypting and verifying** all data in transit. It resembles the port-forwarding feature of SSH (`ssh -L`), but uses a pre-shared symmetric key rather than SSH’s full session model, making it simpler and more focused on **secure tunneling**. --- ## Why protect your SSH daemon with spiped? Running `sshd` behind a `spiped` tunnel adds a strong additional security layer that prevents nearly all unauthorized SSH access attempts before they even reach your server. Because `spiped` only accepts connections encrypted with a pre-shared key, any unauthenticated traffic is dropped immediately—long before it can trigger password guessing, exploit attempts, or even banner visibility. ### Key advantages - **Eliminates SSH port scanning & brute-force noise** Scanners and bots see nothing: your SSH port becomes completely inaccessible unless the client first establishes a valid `spiped` session. - **Adds symmetric-key access control before SSH** Only clients that already possess the shared `spiped` key can even *reach* `sshd`. SSH authentication remains in place, but protected by an extra security layer. - **Prevents protocol fingerprinting** Attackers cannot detect that SSH is running at all, reducing exposure to targeted SSH vulnerabilities. - **Simple, low-overhead protection** `spiped` uses fast symmetric cryptography and introduces minimal latency. - **Defense in depth** Attackers must bypass both the spiped key AND SSH authentication. --- ## How it works `spiped` runs as a secure encrypted conduit between a *source address* (a public port) and a *target address* (typically `127.0.0.1:22`). All traffic is encrypted, authenticated, and verified before reaching `sshd`. ### Flow: 1. **Client initiates a spiped session** using the shared key. 2. **Key exchange** occurs (Diffie-Hellman + HMAC-SHA256). 3. **Traffic is encrypted** with AES-256-CTR + HMAC-SHA256. 4. **Verified traffic** is forwarded to `sshd`. 5. SSH authentication happens normally afterward. ### ASCII Diagram ```text ┌────────────────────────────────────────┐ │ CLIENT │ │ │ │ ssh → spiped (client-side) │ └───────────────┬────────────────────────┘ │ │ Encrypted + Authenticated │ (AES-256-CTR + HMAC-SHA256) ▼ ┌────────────────────┐ │ NETWORK / WAN │ └───────────┬────────┘ │ ▼ ┌────────────────────────────────────────┐ │ SERVER │ │ │ │ spiped (server-side) → sshd │ │ │ decrypt + verify │ │ │ └──────────────────────┘ │ └────────────────────────────────────────┘ ``` --- ## Installation & setup (systemd) This example uses: - spiped listening on **0.0.0.0:8022** - sshd listening on **127.0.0.1:22** - key stored at **/etc/ssh/spiped-secret** ### 1. Generate the shared key ```bash sudo dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped-secret sudo chmod 600 /etc/ssh/spiped-secret sudo chown root:root /etc/ssh/spiped-secret ``` ### 2. Create the systemd service Place this at: `/etc/systemd/system/spiped-ssh.service` ```ini [Unit] Description=Spiped for SSH After=network.target [Service] Type=simple ExecStart=/usr/bin/spiped -F -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped-secret Restart=always [Install] WantedBy=multi-user.target ``` Reload systemd: ```bash sudo systemctl daemon-reload ``` ### 3. Enable at boot ```bash sudo systemctl enable spiped-ssh.service ``` ### 4. Start the service ```bash sudo systemctl start spiped-ssh.service ``` ### 5. Stop / restart / disable ```bash sudo systemctl stop spiped-ssh.service sudo systemctl restart spiped-ssh.service sudo systemctl disable spiped-ssh.service ``` --- ## Connecting to a spiped-protected SSH server (client setup via ProxyCommand) You can configure SSH to automatically launch `spiped` using the `ProxyCommand` directive. SSH starts spiped when connecting, pipes traffic through it, and closes it afterward. ### 1. Install spiped on the client ```bash # Debian/Ubuntu sudo apt install spiped # Fedora/RHEL sudo dnf install spiped # macOS brew install spiped ``` ### 2. Copy the shared key to the client Store it safely: ``` ~/.config/spiped/ssh-secret ``` Fix permissions: ```bash chmod 600 ~/.config/spiped/ssh-secret ``` ### 3. Add SSH config entry Edit `~/.ssh/config`: ``` Host my-spiped-server HostName 127.0.0.1 User USERNAME Port 22 ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null ``` ### What this does - SSH launches spiped automatically. - spiped connects to the server’s encrypted spiped listener. - SSH traffic flows through the secure tunnel. - spiped terminates when the SSH session closes. ### 4. Connect normally ```bash ssh my-spiped-server ``` ### Optional: shorter alias ``` Host prod HostName 127.0.0.1 User USERNAME ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null ``` Then: ```bash ssh prod ``` --- With this setup, your SSH daemon is fully shielded behind spiped, dramatically reducing exposure while preserving your normal SSH workflow.

Protecting sshd with spiped

This repository shows how to place spiped in front of your SSH daemon (sshd) in order to add an extra layer of symmetric-key protection and drastically reduce your exposed attack surface.

What is spiped?

spiped is a lightweight daemon designed to create symmetrically encrypted and authenticated “pipes” between socket addresses. It binds a local TCP port and forwards traffic to another socket—typically on the same machine—while encrypting and verifying all data in transit.

It resembles the port-forwarding feature of SSH (ssh -L), but uses a pre-shared symmetric key rather than SSH’s full session model, making it simpler and more focused on secure tunneling.

Why protect your SSH daemon with spiped?

Running sshd behind a spiped tunnel adds a strong additional security layer that prevents nearly all unauthorized SSH access attempts before they even reach your server.

Because spiped only accepts connections encrypted with a pre-shared key, any unauthenticated traffic is dropped immediately—long before it can trigger password guessing, exploit attempts, or even banner visibility.

Key advantages

Eliminates SSH port scanning & brute-force noise
Scanners and bots see nothing: your SSH port becomes completely inaccessible unless the client first establishes a valid spiped session.
Adds symmetric-key access control before SSH
Only clients that already possess the shared spiped key can even reach sshd. SSH authentication remains in place, but protected by an extra security layer.
Prevents protocol fingerprinting
Attackers cannot detect that SSH is running at all, reducing exposure to targeted SSH vulnerabilities.
Simple, low-overhead protection
spiped uses fast symmetric cryptography and introduces minimal latency.
Defense in depth
Attackers must bypass both the spiped key AND SSH authentication.

How it works

spiped runs as a secure encrypted conduit between a source address (a public port) and a target address (typically 127.0.0.1:22). All traffic is encrypted, authenticated, and verified before reaching sshd.

Flow:

Client initiates a spiped session using the shared key.
Key exchange occurs (Diffie-Hellman + HMAC-SHA256).
Traffic is encrypted with AES-256-CTR + HMAC-SHA256.
Verified traffic is forwarded to sshd.
SSH authentication happens normally afterward.

ASCII Diagram

                ┌────────────────────────────────────────┐
                │               CLIENT                   │
                │                                        │
                │   ssh → spiped (client-side)           │
                └───────────────┬────────────────────────┘
                                │
                                │  Encrypted + Authenticated
                                │  (AES-256-CTR + HMAC-SHA256)
                                ▼
                     ┌────────────────────┐
                     │   NETWORK / WAN    │
                     └───────────┬────────┘
                                 │
                                 ▼
                ┌────────────────────────────────────────┐
                │               SERVER                   │
                │                                        │
                │  spiped (server-side)  →  sshd         │
                │     │ decrypt + verify     │           │
                │     └──────────────────────┘           │
                └────────────────────────────────────────┘

Installation & setup (systemd)

This example uses:

spiped listening on 0.0.0.0:8022
sshd listening on 127.0.0.1:22
key stored at /etc/ssh/spiped-secret

1. Generate the shared key

sudo dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped-secret
sudo chmod 600 /etc/ssh/spiped-secret
sudo chown root:root /etc/ssh/spiped-secret

2. Create the systemd service

Place this at: /etc/systemd/system/spiped-ssh.service

[Unit]
Description=Spiped for SSH
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/spiped -F -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped-secret
Restart=always

[Install]
WantedBy=multi-user.target

Reload systemd:

sudo systemctl daemon-reload

3. Enable at boot

sudo systemctl enable spiped-ssh.service

4. Start the service

sudo systemctl start spiped-ssh.service

5. Stop / restart / disable

sudo systemctl stop spiped-ssh.service
sudo systemctl restart spiped-ssh.service
sudo systemctl disable spiped-ssh.service

Connecting to a spiped-protected SSH server (client setup via ProxyCommand)

You can configure SSH to automatically launch spiped using the ProxyCommand directive. SSH starts spiped when connecting, pipes traffic through it, and closes it afterward.

1. Install spiped on the client

# Debian/Ubuntu
sudo apt install spiped

# Fedora/RHEL
sudo dnf install spiped

# macOS
brew install spiped

2. Copy the shared key to the client

Store it safely:

~/.config/spiped/ssh-secret

Fix permissions:

chmod 600 ~/.config/spiped/ssh-secret

3. Add SSH config entry

Edit ~/.ssh/config:

Host my-spiped-server
    HostName 127.0.0.1
    User USERNAME
    Port 22
    ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null

What this does

SSH launches spiped automatically.
spiped connects to the server’s encrypted spiped listener.
SSH traffic flows through the secure tunnel.
spiped terminates when the SSH session closes.

4. Connect normally

ssh my-spiped-server

Optional: shorter alias

Host prod
    HostName 127.0.0.1
    User USERNAME
    ProxyCommand spiped -e -t '[SERVER_PUBLIC_IP]:8022' -k ~/.config/spiped/ssh-secret -F -o 2>/dev/null

Then:

ssh prod

With this setup, your SSH daemon is fully shielded behind spiped, dramatically reducing exposure while preserving your normal SSH workflow.