openVPN or an IPSEC solution like strongswan) might work better.

You can absolutely use SSH, with the -R switch:

Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the given host and port, or Unix socket, on the local side. This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or local_socket, from the local machine.

You would just need something on your Pi to initiate the connection, and re-start it if it fails. The NAT here is irrelevant, because the tunnel would be directly between your public host and Pi: on your host, you would in effect have a listener (e.g. 127.0.0.1:9999), and would configure your webserver to use that listener as an upstream. Most likely, you would want to have a dedicated user to create this forwarding (since your Pi would need to be able to authenticate to your server, which almost certainly means you would need a passwordless private key). You would also need to create one forwarded connection per port, if you ever needed more than one. I suspect a VPN would be easier to make work reliably, and would require less scripting, essentially.

Nominally, stunnel provides SSL encryption and decryption, which lets services that are not capable of SSL communicate securely over SSL. (Example: if a mail server listens for unencrypted mail traffic on port 25, and clients send encrypted mail traffic on port 465, stunnel listens on port 465, decrypts the traffic, and then passes it to local port 25.) But this can also be used to wrap arbitrary traffic in SSL. In the case of reverse SSH, this provides a way to "wrap" SSH connections in an SSL layer, to make it through the firewall and past intrusion detection systems.

The stunnel client will be our Raspberry Pi. The stunnel server will be our command and control server.

Installing

stunnel Server: Command and Control Server

Generate Private Keys and Certificates for SSL

First, go to the directory where stunnel keeps all of its files:

$ cd /etc/stunnel

Now you need to generate a private key, so that stunnel has a key to use when encrypting with SSL. Use the openssl tool to generate a 2048-bit RSA private key:

$ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus

Generate a Self-Signed Certificate

To do SSL, a stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate and use our own key to sign it:

$ openssl req -new -x509 -key key.pem -out cert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Now you have your private key in key.pem and your server's certificate in cert.pem. Put both into the certificate file that we will point to in our stunnel configuration file (next section):

$ cat key.pem cert.pem > /etc/stunnel/stunnel.pem
$ ls -l stunnel.pem
rw- 1 root root 2.8K Aug 4 12:32 stunnel.pem

This file holds the private key as well as the certificate, so it should be readable by root only.

Now edit the stunnel configuration file on the command and control server, /etc/stunnel/stunnel.conf, where 10.0.0.19 is the IP of the command and control server. This will allow incoming SSL connections to the command and control server on port 443, and will route them to localhost port 22.

Assuming SSH over SSL connections will be coming in through port 443, we should open this on the firewall of our command and control server:

$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Then start stunnel:

$ /etc/init.d/stunnel4 start

stunnel Client: Raspberry Pi

The client also needs a key and certificate to present. One option, if you want to hack it (this is an insecure option: whoever holds the Pi also holds the server's private key), is to copy the private key from your command and control server to your Raspberry Pi. A better way would be to generate private keys on both the server and the client, and use level 3 verification in stunnel (verify = 3), whereby client and server each check the other's identity against a locally installed certificate. But we're just testing this out.

From the Raspberry Pi, we copy the stunnel private key and certificate from the command and control server at 10.0.0.19:

$ scp 10.0.0.19:/etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem

Now edit your stunnel configuration file to resemble the following. (That means we have to run the ssh command like ssh -p 443, against the local stunnel listener.)
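The page leaves both stunnel configuration files out and only mentions the mutual (verify = 3) setup in passing. The script below is an added example, not code from the page, that carries that setup through: it generates a separate key and self-signed certificate for each end with the same openssl commands used above, bundles them into the single PEM file stunnel expects, and writes a server and a client configuration that pin each other's certificate instead of sharing one private key. The output directory, the common names c2 and pi, the local listener 127.0.0.1:443 on the Pi and the server address 10.0.0.19 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): separate key pair on each end
# plus stunnel "verify = 3", so each side accepts only the other's pinned
# certificate. Directory, common names and addresses are assumptions.
set -e

# Generate a 2048-bit RSA key and a self-signed certificate for one end,
# then bundle them into the PEM file that stunnel's "cert =" option reads.
gen_identity() {            # gen_identity DIR NAME COMMON_NAME
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.crt" \
        -days 365 -subj "/CN=$cn"
    cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
    chmod 600 "$dir/$name.key" "$dir/$name.pem"   # private key: root only
}

# Server side (command and control host): accept TLS on 443, hand the
# plaintext to the local sshd, and require the client's pinned certificate.
write_server_conf() {       # write_server_conf DIR
    cat > "$1/server.conf" <<EOF
cert = $1/server.pem
CAfile = $1/client.crt
verify = 3

[ssh]
accept = 443
connect = 127.0.0.1:22
EOF
}

# Client side (Raspberry Pi): listen on localhost:443, wrap whatever connects
# there in TLS towards the server, and pin the server's certificate.
write_client_conf() {       # write_client_conf DIR SERVER_IP
    cat > "$1/client.conf" <<EOF
client = yes
cert = $1/client.pem
CAfile = $1/server.crt
verify = 3

[ssh]
accept = 127.0.0.1:443
connect = $2:443
EOF
}

# Sanity-check a bundle the way stunnel will read it: it must contain a
# private key and a certificate, and the certificate must parse.
check_bundle() {            # check_bundle FILE
    grep -q 'BEGIN .*PRIVATE KEY' "$1" &&
    grep -q 'BEGIN CERTIFICATE' "$1" &&
    openssl x509 -in "$1" -noout -subject >/dev/null
}

# Usage: sh stunnel-setup.sh /tmp/stunnel-demo 10.0.0.19
# Only the .crt files need to cross to the other host; each private key
# stays where it was generated.
if [ "${1-}" ]; then
    mkdir -p "$1"
    gen_identity "$1" server c2
    gen_identity "$1" client pi
    write_server_conf "$1"
    write_client_conf "$1" "${2:-10.0.0.19}"
    check_bundle "$1/server.pem" && check_bundle "$1/client.pem" && echo "ok: $1"
fi
```

With these files in place, the reverse tunnel on the Pi is opened against the local stunnel listener rather than the server directly, for example ssh -p 443 -R 2222:127.0.0.1:22 user@127.0.0.1 (the user name and the remote port 2222 are assumed); the command and control host then reaches the Pi with ssh -p 2222 against its own 127.0.0.1:2222. On Debian-derived systems the stunnel4 init script used above additionally needs ENABLED=1 in /etc/default/stunnel4 before it will start anything.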