RaspberryPi/Old Reverse SSH Stunnel

From charlesreid1

What is stunnel

Nominally, stunnel provides SSL encryption and decryption, which provides services not capable of SSL to communicate securely using SSL. (Example: if a mail server listens for unencrypted mail traffic on port 25, and clients send encrypted mail traffic on port 465, stunnel listens on port 465, passes traffic through stunnel to decrypt it, and then passes it to local port 25.

But this can also be used to wrap arbitrary traffic in SSL. In the case of reverse SSH, this provides a way to "wrap" SSH connections in an SSL layer, to make it through the firewall and past intrusion detection systems.

See also RaspberryPi/Reverse SSH

The Setup

Our stunnel setup will be as follows

The stunnel server will be our Raspberry Pi.

The stunnel client will be our command and control server.




Stunnel on Raspberry Pi

Installing

First, install stunnel 

apt-get install -y stunnel4

Edit Configuration File

On the Raspberry Pi, edit the stunnel configuration file: 

$ vim /etc/stunnel/stunnel.conf

Add the following information, which will point stunnel to your private key stunnel.pem (we'll cover how to create this next).

More information on this process is here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu

/etc/stunnel/stunnel.conf 

client = no
[squid]
accept = 8888
connect = 127.0.0.1:3128
cert = /etc/stunnel/stunnel.pem

Basically, this accepts incoming connections on port 8888. This then reroutes those incoming connections to 127.0.0.1 (localhost) and port 3128, which is where squid runs by default (localhost:3128). So, we're forwarding everything from port 8888 to port 3128.

Note that it is pointing to a certificate file in /etc/stunnel/stunnel.pem, so our next step will be to create this certificate file.

Generate Private Keys/Certificates for SSL

Now you need to generate private keys, so that stunnel has private keys to use when encrypting using SSL.

First, go to the directory where stunnel keeps all of its files: 

$ cd /etc/stunnel/

Generate Private Key

Use the openssl library to generate a 2048-bit private RSA key: 

$ openssl genrsa -out key.pem 2048

Generating RSA private key, 2048 bit long modulus
.....+++
..+++
e is 65537 (0x10001)

Generate a Self-Signed Certificate

To do SSL, an stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate, and use our own key to sign it. Do this by running the following: 

$ openssl req -new -x509 -key key.pem -out cert.pem -days 365

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []: 10.0.0.243
Email Address []:.

Key and Certificate

Now you have your private key in key.pem and your server's certificate in cert.pem. 

$ ls -lh
total 16K
-rw-r--r-- 1 root root  615 Apr 22  2013 README
-rw-r--r-- 1 root root 1.7K Aug  4 18:06 key.pem
-rw-r--r-- 1 root root  964 Aug  4 18:08 cert.pem

put those both into the certificate file that we pointed to above, with our Squid proxy: 

$ cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Configure stunnel to Start on Boot

Now configure stunnel by editing the default stunnel file: 

$ vim /etc/default/stunnel4

change enable = 0 to enable = 1

Restart stunnel

you can restart the stunnel service now, 

$ /etc/init.d/stunnel4 restart

Squid + Stunnel on Raspberry Pi

Now that we've got stunnel set up, let's get it working with Squid, the proxy server that we referenced earlier in the configuration file.

Configure Stunnel

Now open /etc/stunnel/stunnel.conf and add the following configuration: 

sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
[openvpn]
client = no
accept = 993
connect = 34567

I dunno. No idea.

Open Firewall

Now add a firewall a firewall setting on the Raspbery Pi by creating a file firewall.sh: 

iptables -A INPUT -p tcp --dport 993 -j ACCEPT


Install Squid

Install the Squid proxy server on the Raspberry Pi: 

apt-get install -y squid3


Restart Stunnel

Restart the stunnel services: 

$ /etc/init.d/stunnel4 restart

Restarting SSL tunnels: 
Clients allowed=500
stunnel 4.53 on arm-unknown-linux-gnueabi platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from file /etc/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Line 10: "pid = /var/run/stunnel.pid": Specified option name is not valid here
str_stats: 8 block(s), 836 data byte(s), 336 control byte(s)
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file

uh.... ok. Try entering squid: 

/etc/init.d/stunnel4 restart
Restarting SSL tunnels: squid
Clients allowed=500
stunnel 4.53 on arm-unknown-linux-gnueabi platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from file /etc/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service section [squid]
Insecure file permissions on /etc/stunnel/stunnel.pem
Certificate: /etc/stunnel/stunnel.pem
Certificate loaded
Key file: /etc/stunnel/stunnel.pem
Private key loaded
Could not load DH parameters from /etc/stunnel/stunnel.pem
Using hardcoded DH parameters
DH initialized with 2048-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Initializing service section [openvpn]
/etc/stunnel/server.pem: No such file or directory (2)
str_stats: 14 block(s), 1620 data byte(s), 588 control byte(s)
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file

Stunnel on Command and Control Server

Now we can install an stunnel client on our command and control server.

Install

Install stunnel on our command and control server in the usual manner: 

apt-get install -y stunnel4

Private Key

Next, we'll copy the file stunnel.pem, which is the security certificate we created on the Raspberry Pi and will be using to encrypt the SSL traffic, onto our command and control server. This file is IMPORTANT! Without it, you can't decrypt stunnel traffic.

Edit Configuration

Retrieved from "https://charlesreid1.com/w/index.php?title=RaspberryPi/Old_Reverse_SSH_Stunnel&oldid=7653"