RaspberryPi/Old Reverse SSH Stunnel: Difference between revisions
From charlesreid1
| (13 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
See also [[RaspberryPi/Reverse SSH]] | See also [[RaspberryPi/Reverse SSH]] | ||
Our stunnel setup will be as follows | Our stunnel setup will be as follows | ||
| Line 15: | Line 13: | ||
The stunnel client will be our command and control server. | The stunnel client will be our command and control server. | ||
=Stunnel on Raspberry Pi Client= | |||
==Installing== | |||
First, install stunnel | First, install stunnel | ||
| Line 31: | Line 23: | ||
</pre> | </pre> | ||
==Edit Configuration File== | |||
On the Raspberry Pi, edit the stunnel configuration file: | On the Raspberry Pi, edit the stunnel configuration file: | ||
| Line 57: | Line 49: | ||
Note that it is pointing to a certificate file in <code>/etc/stunnel/stunnel.pem</code>, so our next step will be to create this certificate file. | Note that it is pointing to a certificate file in <code>/etc/stunnel/stunnel.pem</code>, so our next step will be to create this certificate file. | ||
==Generate Private Keys/Certificates for SSL== | |||
Now you need to generate private keys, so that stunnel has private keys to use when encrypting using SSL. | Now you need to generate private keys, so that stunnel has private keys to use when encrypting using SSL. | ||
| Line 67: | Line 59: | ||
</pre> | </pre> | ||
===Generate Private Key=== | |||
Use the openssl library to generate a 2048-bit private RSA key: | Use the openssl library to generate a 2048-bit private RSA key: | ||
| Line 80: | Line 72: | ||
</pre> | </pre> | ||
===Generate a Self-Signed Certificate=== | |||
To do SSL, an stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate, and use our own key to sign it. Do this by running the following: | To do SSL, an stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate, and use our own key to sign it. Do this by running the following: | ||
| Line 104: | Line 96: | ||
</pre> | </pre> | ||
===Key and Certificate=== | |||
Now you have your private key in <code>key.pem</code> and your server's certificate in <code>cert.pem</code>. | Now you have your private key in <code>key.pem</code> and your server's certificate in <code>cert.pem</code>. | ||
| Line 122: | Line 114: | ||
</pre> | </pre> | ||
==Configure stunnel to Start on Boot== | |||
Now configure stunnel by editing the default stunnel file: | Now configure stunnel by editing the default stunnel file: | ||
| Line 132: | Line 124: | ||
change <code>enable = 0</code> to <code>enable = 1</code> | change <code>enable = 0</code> to <code>enable = 1</code> | ||
==Restart stunnel== | |||
you can restart the stunnel service now, | you can restart the stunnel service now, | ||
| Line 146: | Line 138: | ||
===Configure Stunnel=== | ===Configure Stunnel=== | ||
We will re-edit the <code>/etc/stunnel/stunnel.conf</code> to add more information. The file should now look like this: | |||
<pre> | <pre> | ||
$ cat /etc/stunnel/stunnel.conf | |||
output = /var/log/stunnel4/stunnel.log | |||
cert = /etc/stunnel/stunnel.pem | |||
key = /etc/stunnel/stunnel.pem | |||
sslVersion = all | |||
options = NO_SSLv2 | |||
pid = /var/run/stunnel4/stunnel.pid | |||
[squid] | [squid] | ||
accept = 8888 | client = no | ||
accept = 8888 | |||
connect = 127.0.0.1:3128 | connect = 127.0.0.1:3128 | ||
[openvpn] | |||
client = no | |||
accept = 993 | |||
connect = 34567 | |||
</pre> | </pre> | ||
===Open Firewall=== | ===Open Firewall=== | ||
Now add | Now add a firewall setting on the Raspbery Pi to allow SSL packets through the firewal by creating a simple firewall script <code>firewall.sh</code>: | ||
<pre> | <pre> | ||
iptables -A INPUT -p tcp --dport | #!/bin/sh | ||
iptables -A INPUT -p tcp --dport 443 -j ACCEPT | |||
</pre> | </pre> | ||
===Install Squid=== | ===Install Squid=== | ||
| Line 187: | Line 183: | ||
<pre> | <pre> | ||
$ /etc/init.d/stunnel4 restart | $ /etc/init.d/stunnel4 restart | ||
Restarting SSL tunnels: | |||
[Started: /etc/stunnel/stunnel.conf] stunnel. | |||
</pre> | |||
=Stunnel on Command and Control Server= | |||
Now we can install an stunnel client on our command and control server. | |||
http://www.bsdnow.tv/tutorials/stunnel | |||
They pose the scenario that you're on an untrusted network and you want to tunnel all your traffic through a secure shell to your trusted server. But the only ports that are open are ports 80 and 443, and there is deep packet inspection to check what kind of traffic is going through. | |||
In this case, you'd need to wrap your SSH traffic in an SSL layer to get past the firewall that is in place. | |||
==Install== | |||
Install stunnel on our command and control server in the usual manner, and install squid, too: | |||
stunnel | |||
<pre> | |||
$ apt-get install -y stunnel4 | |||
</pre> | </pre> | ||
==Private Key== | |||
Next, we'll copy the private key <code>stunnel.pem</code>, which is the security certificate we created on the Raspberry Pi and will be using to encrypt the SSL traffic, onto our command and control server. This file is IMPORTANT! Without it, you can't decrypt stunnel traffic. | |||
<pre> | <pre> | ||
scp root@10.0.0.243:/etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem | |||
stunnel.pem 100% 2774 2.7KB/s 00:00 | |||
/ | |||
</pre> | </pre> | ||
== | ==Edit Configuration== | ||
=Alt Setup= | |||
via comments section of https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu | |||
(on the server) | |||
<pre> | |||
openssl genrsa -out server.key 2048 | |||
openssl req -new -x509 -nodes -days 365 -key server.key -out server.crt | |||
</pre> | |||
(on the client) | |||
<pre> | <pre> | ||
openssl genrsa -out client.key 2048 | |||
openssl req -new -x509 -nodes -days 365 -key client.key -out client.crt | |||
</pre> | </pre> | ||
= | From there I copy the public cert from the client to the server and vice versa. Then I set verify = 3, which causes both the client and server to validate against one another. | ||
Example Server config: | |||
=== | <pre> | ||
client = no | |||
pid = /var/run/stunnel.pid | |||
[squid] | |||
accept = 8888 | |||
connect = 127.0.0.1:3128 | |||
cert = /etc/stunnel/server.crt | |||
key = /etc/stunnel/server.key | |||
CAfile = /etc/stunnel/client.crt | |||
verify = 3 | |||
</pre> | |||
Example Client config: | |||
<pre> | |||
client = yes | |||
pid = /var/run/stunnel.pid | |||
[squid] | |||
accept = 127.0.0.1:8080 | |||
connect = [server ip]:8888 | |||
cert = /etc/stunnel/client.crt | |||
key = /etc/stunnel/client.key | |||
CAfile = /etc/stunnel/server.crt | |||
verify = 3 | |||
</pre> | |||
Latest revision as of 06:18, 25 August 2016
What is stunnel
Nominally, stunnel provides SSL encryption and decryption, which provides services not capable of SSL to communicate securely using SSL. (Example: if a mail server listens for unencrypted mail traffic on port 25, and clients send encrypted mail traffic on port 465, stunnel listens on port 465, passes traffic through stunnel to decrypt it, and then passes it to local port 25.
But this can also be used to wrap arbitrary traffic in SSL. In the case of reverse SSH, this provides a way to "wrap" SSH connections in an SSL layer, to make it through the firewall and past intrusion detection systems.
See also RaspberryPi/Reverse SSH
Our stunnel setup will be as follows
The stunnel server will be our Raspberry Pi.
The stunnel client will be our command and control server.
Stunnel on Raspberry Pi Client
Installing
First, install stunnel
apt-get install -y stunnel4
Edit Configuration File
On the Raspberry Pi, edit the stunnel configuration file:
$ vim /etc/stunnel/stunnel.conf
Add the following information, which will point stunnel to your private key stunnel.pem (we'll cover how to create this next).
More information on this process is here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
/etc/stunnel/stunnel.conf
client = no [squid] accept = 8888 connect = 127.0.0.1:3128 cert = /etc/stunnel/stunnel.pem
Basically, this accepts incoming connections on port 8888. This then reroutes those incoming connections to 127.0.0.1 (localhost) and port 3128, which is where squid runs by default (localhost:3128). So, we're forwarding everything from port 8888 to port 3128.
Note that it is pointing to a certificate file in /etc/stunnel/stunnel.pem, so our next step will be to create this certificate file.
Generate Private Keys/Certificates for SSL
Now you need to generate private keys, so that stunnel has private keys to use when encrypting using SSL.
First, go to the directory where stunnel keeps all of its files:
$ cd /etc/stunnel/
Generate Private Key
Use the openssl library to generate a 2048-bit private RSA key:
$ openssl genrsa -out key.pem 2048 Generating RSA private key, 2048 bit long modulus .....+++ ..+++ e is 65537 (0x10001)
Generate a Self-Signed Certificate
To do SSL, an stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate, and use our own key to sign it. Do this by running the following:
$ openssl req -new -x509 -key key.pem -out cert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []: 10.0.0.243 Email Address []:.
Key and Certificate
Now you have your private key in key.pem and your server's certificate in cert.pem.
$ ls -lh total 16K -rw-r--r-- 1 root root 615 Apr 22 2013 README -rw-r--r-- 1 root root 1.7K Aug 4 18:06 key.pem -rw-r--r-- 1 root root 964 Aug 4 18:08 cert.pem
put those both into the certificate file that we pointed to above, with our Squid proxy:
$ cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
Configure stunnel to Start on Boot
Now configure stunnel by editing the default stunnel file:
$ vim /etc/default/stunnel4
change enable = 0 to enable = 1
Restart stunnel
you can restart the stunnel service now,
$ /etc/init.d/stunnel4 restart
Squid + Stunnel on Raspberry Pi
Now that we've got stunnel set up, let's get it working with Squid, the proxy server that we referenced earlier in the configuration file.
Configure Stunnel
We will re-edit the /etc/stunnel/stunnel.conf to add more information. The file should now look like this:
$ cat /etc/stunnel/stunnel.conf output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.pem key = /etc/stunnel/stunnel.pem sslVersion = all options = NO_SSLv2 pid = /var/run/stunnel4/stunnel.pid [squid] client = no accept = 8888 connect = 127.0.0.1:3128 [openvpn] client = no accept = 993 connect = 34567
Open Firewall
Now add a firewall setting on the Raspbery Pi to allow SSL packets through the firewal by creating a simple firewall script firewall.sh:
#!/bin/sh iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Install Squid
Install the Squid proxy server on the Raspberry Pi:
apt-get install -y squid3
Restart Stunnel
Restart the stunnel services:
$ /etc/init.d/stunnel4 restart Restarting SSL tunnels: [Started: /etc/stunnel/stunnel.conf] stunnel.
Stunnel on Command and Control Server
Now we can install an stunnel client on our command and control server.
http://www.bsdnow.tv/tutorials/stunnel
They pose the scenario that you're on an untrusted network and you want to tunnel all your traffic through a secure shell to your trusted server. But the only ports that are open are ports 80 and 443, and there is deep packet inspection to check what kind of traffic is going through.
In this case, you'd need to wrap your SSH traffic in an SSL layer to get past the firewall that is in place.
Install
Install stunnel on our command and control server in the usual manner, and install squid, too:
$ apt-get install -y stunnel4
Private Key
Next, we'll copy the private key stunnel.pem, which is the security certificate we created on the Raspberry Pi and will be using to encrypt the SSL traffic, onto our command and control server. This file is IMPORTANT! Without it, you can't decrypt stunnel traffic.
scp root@10.0.0.243:/etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem stunnel.pem 100% 2774 2.7KB/s 00:00
Edit Configuration
Alt Setup
via comments section of https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
(on the server)
openssl genrsa -out server.key 2048 openssl req -new -x509 -nodes -days 365 -key server.key -out server.crt
(on the client)
openssl genrsa -out client.key 2048 openssl req -new -x509 -nodes -days 365 -key client.key -out client.crt
From there I copy the public cert from the client to the server and vice versa. Then I set verify = 3, which causes both the client and server to validate against one another.
Example Server config:
client = no pid = /var/run/stunnel.pid [squid] accept = 8888 connect = 127.0.0.1:3128 cert = /etc/stunnel/server.crt key = /etc/stunnel/server.key CAfile = /etc/stunnel/client.crt verify = 3
Example Client config:
client = yes pid = /var/run/stunnel.pid [squid] accept = 127.0.0.1:8080 connect = [server ip]:8888 cert = /etc/stunnel/client.crt key = /etc/stunnel/client.key CAfile = /etc/stunnel/server.crt verify = 3