https://Hazegard.github.io/Goauld-doc/03-server/Recent content in Server features on GoauldHugoenhttps://Hazegard.github.io/Goauld-doc/03-server/01-services/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/01-services/<p>To allow agents to tunnel SSH connection over different transports, the server must expose the corresponding service, then decapsulate the traffic and forward it to the SSHD server.</p> <div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>For all listeners, the listen address flag has the following format: <code>[IP]:[PORT]</code></p> <p>If no IP address is provided, the service will listen on all interfaces. However, the <code>:</code> is still required before the port</p> </div> </div> <h2 id="ssh">SSH<a class="td-heading-self-link" href="#ssh" aria-label="Heading self-link"></a></h2> <p>No encapsulation, directly exposed.</p>https://Hazegard.github.io/Goauld-doc/03-server/02-deployment/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/02-deployment/<div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>Goauld is currently not designed to run behind a reverse proxy. In particular, the whitelisting feature will not work behind a reverse proxy.</p> </div> </div> <h2 id="docker-compose-example">Docker compose example<a class="td-heading-self-link" href="#docker-compose-example" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">goauld_server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span><span class="l">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">COMPRESS=1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># platform: linux/amd64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">goauld_server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:53:53/tcp&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:53:53/udp&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:80:80&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:443:443&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;X.X.X.X:22222:22222&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./certmagic:/root/.local/share/certmagic</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./Goauld.db:/app/Goauld.db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./server_config.yaml:/app/server_config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./binaries:/app/binaries</span><span class="w"> </span></span></span></code></pre></div><h2 id="configuration-file-example">configuration file example<a class="td-heading-self-link" href="#configuration-file-example" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c">#Age private key used by the server.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">age-privkey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve HTTP and WebSocket traffic.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">www.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domains used to serve raw TLS traffic (SSH over TLS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-domain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">app.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain</span><span class="p">:</span><span class="w"> </span><span class="l">t.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Domain used to serve DNS-based traffic (SSH over DNS-ALT).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-domain-alt</span><span class="p">:</span><span class="w"> </span><span class="l">s.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTP connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">http-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for HTTPS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">https-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for SSH connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">ssh-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">2222</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for DNS connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Address and port to bind for QUIC connections (port 0 = random).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic-listen-addr</span><span class="p">:</span><span class="w"> </span><span class="p">:</span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable TLS support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS private key file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path to the TLS certificate file.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">tls-cert</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Email used when generating Let&#39;s Encrypt certificates.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">letsencrypt-mail</span><span class="p">:</span><span class="w"> </span><span class="l">mail@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable QUIC protocol support.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">quic</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Enable DNS server for SSH-over-DNS connections.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">dns</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Disable database usage.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Path or filename of the database to use.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">db-file-name</span><span class="p">:</span><span class="w"> </span><span class="l">Goauld.db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># List of IP addresses allowed to access the /manage/ endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">allowed-ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="m">127.0.0.1</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="m">0.0.0.0</span><span class="l">/32</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Access token required for the /manage/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">access-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">TODO_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Admin token required for the /admin/ API endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">admin-token</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="l">TODO_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># HTTP Basic Auth credentials required to access the binaries endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-basic-auth</span><span class="p">:</span><span class="w"> </span><span class="l">username:password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Filesystem path where agent binaries are stored.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-path-location</span><span class="p">:</span><span class="w"> </span><span class="l">./binaries</span><span class="w"> </span></span></span></code></pre></div><h2 id="dns-configuration">DNS configuration<a class="td-heading-self-link" href="#dns-configuration" aria-label="Heading self-link"></a></h2> <p>Three DNS records are required:</p>https://Hazegard.github.io/Goauld-doc/03-server/03-access_control/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/03-access_control/<p>Certain components should be accessible only by authorized users.</p> <ul> <li>Admin endpoints</li> <li>Management endpoints</li> <li>SSH access from the client</li> </ul> <h2 id="ip-allowlisting">IP allowlisting<a class="td-heading-self-link" href="#ip-allowlisting" aria-label="Heading self-link"></a></h2> <p>The server accepts a list of authorized IPs to restrict the access of</p> <ul> <li>The <code>/admin/</code> endpoints</li> <li>The <code>/manage/</code> endpoints</li> <li>SSH access from the client (using password authentication)</li> </ul> <div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>IF the server runs in a docker environment, the deployment should ensure that the remote IP address is correctly forwarded to the server</p>https://Hazegard.github.io/Goauld-doc/03-server/04-healthcheck/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/04-healthcheck/<p>To ensure tunnels are functioning correctly, some healthcheck scripts/tools are provided.</p> <div class="td-alert td-alert--md alert alert-warning" role="alert"><div class="td-alert-heading alert-heading" role="heading">Warning</div> <div class="td-alert-body"> <p>The provided healthchecks only verify that the SSHD server is reachable through the tunnel by checking the SSHD banner.</p> </div> </div> <h2 id="ssh-over-tls">SSH over TLS<a class="td-heading-self-link" href="#ssh-over-tls" aria-label="Heading self-link"></a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;00000000000000000000000000000000\n&#34;</span> <span class="p">|</span> timeout <span class="m">1</span> openssl s_client -quiet -connect <span class="nv">$TLS_DOMAIN</span>$:<span class="nv">$TLS_PORT</span>$ 2&gt;/dev/null <span class="p">|</span> grep -q <span class="s2">&#34;SSH-2.0-&#34;</span> </span></span></code></pre></div><h2 id="ssh-over-websocket">SSH over WebSocket<a class="td-heading-self-link" href="#ssh-over-websocket" aria-label="Heading self-link"></a></h2> <h3 id="building">Building<a class="td-heading-self-link" href="#building" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go build -o ws-healthcheck ./healthcheck/websocket </span></span></code></pre></div><h3 id="running">Running<a class="td-heading-self-link" href="#running" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">{</span> <span class="nb">echo</span> <span class="s2">&#34;&#34;</span> <span class="p">;</span> sleep 1<span class="p">;</span> <span class="o">}</span> <span class="p">|</span> ws-healthcheck <span class="s2">&#34;wss://</span><span class="nv">$WS_DOMAIN</span><span class="s2">/wssh/00000000000000000000000000000000&#34;</span> 2&gt;/dev/null </span></span></code></pre></div><h2 id="ssh-over-dns">SSH over DNS<a class="td-heading-self-link" href="#ssh-over-dns" aria-label="Heading self-link"></a></h2> <h3 id="building-1">Building<a class="td-heading-self-link" href="#building-1" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go build -o dns-healthcheck ./healthcheck/dns/dnstt-client </span></span></code></pre></div><h3 id="running-1">Running<a class="td-heading-self-link" href="#running-1" aria-label="Heading self-link"></a></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">{</span> <span class="nb">echo</span> <span class="s2">&#34;00000000000000000000000000000000S&#34;</span> <span class="p">;</span> sleep 1<span class="p">;</span> <span class="o">}</span> <span class="p">|</span> dns-healthcheck -udp <span class="s2">&#34;</span><span class="nv">$DNS_SERVER</span><span class="s2">:</span><span class="nv">$DNS_SERVER_PORT</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$DNS_DOMAIN</span><span class="s2">&#34;</span> 2&gt;/dev/null <span class="p">|</span> grep -q <span class="s2">&#34;SSH-2.0-&#34;</span> </span></span></code></pre></div><div class="td-alert td-alert--md alert alert-note" role="alert"><div class="td-alert-heading alert-heading" role="heading">Note</div> <div class="td-alert-body"> <p>The &ldquo;S&rdquo; is required at the end of the echo</p>https://Hazegard.github.io/Goauld-doc/03-server/05-agent_downloading/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/05-agent_downloading/<p>In order to drop precompiled agents, a basicauth protected dirlisting is available through https://[SERVER]/binaries/.</p> <p>To access this dirlisting, a custom password should be configured.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># HTTP Basic Auth credentials required to access the binaries endpoint.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">binaries-basic-auth</span><span class="p">:</span><span class="w"> </span><span class="l">user:password</span><span class="w"> </span></span></span></code></pre></div>https://Hazegard.github.io/Goauld-doc/03-server/06-database/Mon, 01 Jan 0001 00:00:00 +0000https://Hazegard.github.io/Goauld-doc/03-server/06-database/<p>The server uses an SQLite database to store information regarding previously connected agents.</p> <p>Given that agents perform a full connection flow at each start, the data stored in the database isn&rsquo;t required.</p> <h2 id="flag">Flag:<a class="td-heading-self-link" href="#flag" aria-label="Heading self-link"></a></h2> <ul> <li><code>--no-db</code> Disable the database on disk.</li> <li><code>--db-file-name</code> Path or filename of the SQLite file .</li> </ul>