Can check ssh connection failed in frps log?

[MikoyChinese]

Hi,

These days I found a lot of ssh connection in my frp client, but I just obtain 127.0.0.1 connection log in my ssh log file, and I check my frp server which only can show the real ip connect but no checking it failed or not.

Here is frp server log:

[ssh] get a user connection [138.197.161.253:33026]

Can I check if this ip try to brute-force attack my client, and use the fail2ban tool to forbiden it? If you can add the failed message in the frps log file, or show the real ip in the client log file, I think it will work well.

Thanks.

[fatedier]

frp do not parse traffic content between your ssh server and client. So it can't judge if the connection is failed or normal closed.

[MikoyChinese]

Or can add a flag to tell server or client, if use this module it will send the real ip for proxy, and it will show in the ssh client log, not show from 127.0.0.1, port xxx.

[fatedier]

https://github.com/fatedier/frp#proxy-protocol

[MikoyChinese]

For ssh, Does that mean I should add proxy_protocol_version = v2 for obtaining the real ip from frp service?

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 10001
# This is for real ip?
proxy_protocol_version = v2

[fatedier]

Yes, you should write your own service before ssh server to parse Proxy Protocol to get real ip.

[MikoyChinese]

Ok, I will try nginx or python to analyzethe Proxy Protocol.

[MikoyChinese]

Hi, bro

I found the Proxy Protocol in sshd log file such like 1xx.6.xx.xx 10.0.12.11 40398 32255, what is the meaning?
And I found nginx document have some variables $proxy_protocol_addr, $proxy_protocol_port, $remote_addr, $remote_port.

So,
1xx.6.xx.xx ==> remote_addr
40398 ==> remote_port
32255 ==> proxy_protocol_port
10.0.12.11 ==> proxy_protocol_addr
, am I right?

[MikoyChinese]

I try to use nginx or other python proxy-protocol to handle the tcp connect from server to ssh client. But I only can send data to ssh port which will occur the error msg: client sent invalid protocol identifier. For nginx it will show client sent invalid protocol identifier "PROXY TCP4 127.0.0.1 127.0.0.1 59632 10001, for proxy-protocol, it will show client sent invalid protocol identifier "".

So how can I send tcp data to sshd? Can you show me some tips, I am going crazy.

[MikoyChinese]

Hi, @fatedier

I have found the solution to obtain the real ip from frp by using Proxy Protocol and go-mmproxy. It's now working for linux and I have no other OS system to try.

Here are steps:

1. Frpc with proxy protocol:

In this step, you can add proxy_protocol_version to turn on Proxy Protocol, and prepare a local port which using in go-mmproxy, not your real forward port.
For example, I want to proxy my ssh 22 port with frp with proxy protocol, you need a other port such as 54000, so:

FRPC config:

[common]
server_addr = x.x.x.x
server_port = 12345
authentication_method = token
token = xxxxxx

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 54000
remote_port = 30000
proxy_protocol_version = v2

2. Set up for go-mmproxy:

You can build it from go-mmproxy github main page or download the x86_64 binary which I build on my Ubuntu 20.04 with go version go1.16.5 linux/amd64 from the following url: go-mmproxy.zip, and move it to somepath where you want. For me, I move it to /usr/local/bin.

3. Start frp and mmproxy from systemd service:

You need to create two service file to start frp and go-mmproxy from systemd control service.

go-mmproxy.service: note: /usr/local/bin/go-mmproxy is the path of go-mmproxy, you can change it to yours, -4 127.0.0.1:22 is the ipv4 address and port you want to real forward, now it's ssh common port. -l 0.0.0.0:54000 is the frpc port.

[Unit]
Description=go-mmproxy
After=network.target

[Service]
Type=simple
LimitNOFILE=65535
ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
ExecStart=/usr/local/bin/go-mmproxy -4 127.0.0.1:22 -l 0.0.0.0:54000
ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target

frpc.service

[Unit]
Description=Frp Server Daemon with go-mmproxy
Requires=go-mmproxy.service
After=syslog.target network.target go-mmproxy.service
Wants=network.target

[Service]
type=simple
ExecStart=/usr/local/bin/frp/frpc -c /usr/local/bin/frp/frpc.ini
ExecStop=/bin/kill $MAINPID
RestartSec=1min
KillMode=control-group
Restart=always

[Install]
WantedBy=multi-user.target

4. Start service:

# First enable start service when boot:
sudo systemctl enable frpc.service

# Now start frpc service
sudo service frpc start

Now try you own real ip frp proxy!

ssh -p 30000 [email protected]

# See the log:
cat /var/log/auth.log

[github-actions]

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

[whosphp]

@MikoyChinese Thank you, it work for me.