Difference between revisions of "User:Regid/stunnel"

From ArchWiki
(editing, saving frequently ...)
(keep edit and save)
Line 1: Line 1:
:[https://www.stunnel.org stunnel] (“Secure Tunnel”) is a multi-platform application used to provide a universal TLS/SSL tunneling service.
+
:[https://www.stunnel.org stunnel] (“Secure Tunnel”) is a multi-platform application used to provide a universal TLS/SSL tunneling service. It is sort of proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. It is designed for security, portability, and scalability (including load-balancing), making it suitable for large deployments. It uses [[openssl]], and distributed under GNU GPL version 2 or later with OpenSSL exception.
https://www.stunnel.org Stunnel is a multi-platform proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. It is designed for security, portability, and scalability (including load-balancing), making it suitable for large deployments. It uses [[openssl]], and distributed under GNU GPL version 2 or later with OpenSSL exception.
+
Can tunnel only TCP packets. Its [https://www.stunnel.org/faq.html FAQ] has some work around for UDP.
Can tunnel only TCP packets. [https://www.stunnel.org/faq.html FAQ] has some work arounds.
+
 
 
Authentication can be used by the server to allow access only to approved clients.
 
Authentication can be used by the server to allow access only to approved clients.
is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
 
 
{{Warning|Invoking network scan techniques on systems, hosts or network ranges other than those under the own responsibility is illegal in quite a few jurisdictions. Double-check you scan your own hosts only (see [[#List scan]]), or re-confirm the approval of the respective owner, before executing a scan!}}
 
 
 
== Installation ==
 
== Installation ==
  
[[Install]] {{Pkg|nmap}} from [[official repositories]].
+
[[Install]] {{Pkg|stunnel}} from [[official repositories]].
 
 
Nmap package comes with a GUI called {{ic|zenmap}}, but this article will cover only command-line usage.
 
 
 
== Usage ==
 
 
 
See {{man|1|nmap}}.
 
 
 
=== Specifying the target ===
 
 
 
{{Tip|To print every packet that Nmap sends and receives, use the {{ic|--packet-trace}} option.}}
 
 
 
There are a number of ways to tell Nmap the list of IP addresses to scan.  The simplest form is to just pass the address or domain name:
 
 
 
$ nmap scanme.nmap.org
 
$ nmap 74.207.244.221
 
 
 
==== Specifying multiple targets ====
 
 
 
Using [[wikipedia:CIDR|CIDR]] notation, for example to scan all 256 addresses beginning with {{ic|10.1.1}}:
 
 
 
$ nmap 10.1.1.0/24
 
 
 
{{Note|The ending {{ic|0}} in the above example does not have an effect: {{ic|nmap 10.1.1.0/24}} and for example {{ic|nmap 10.1.1.134/24}} commands are the same.}}
 
 
 
Using the dash, for example to scan {{ic|10.1.50.1}}, {{ic|10.1.51.1}} and {{ic|10.1.52.1}}:
 
 
 
$ nmap 10.1.50-52.1
 
 
 
Using commas (does what you expect):
 
 
 
$ nmap 10.1.50,51,52,57,59.1
 
 
 
All combined:
 
 
 
$ nmap 10.1,2.50-52.1/30 10.1.1.1 10.1.1.2
 
 
 
=== List scan ===
 
 
 
The list scan option ({{ic|-sL}}) is useful for making sure that correct addresses are specified before doing the real scan:
 
 
 
$ nmap -sL 10.1,2.50-52.1/30 10.1.1.1 10.1.1.2
 
 
 
List scan simply prints the specified addresses without sending a single packet to the target.
 
 
 
=== Default options ===
 
 
 
If you specify only an IP address or domain name and no other options:
 
 
 
$ nmap 74.207.244.221
 
 
 
Nmap will do the following:
 
 
 
# The IP address is reverse-DNS resolved to domain name, or vice-versa in case a domain name is specified (to disable, pass {{ic|-n}})
 
# Ping scanning using TCP ACK:80 and ICMP.  This is equivalent to {{ic|-PA -PE}} (to disable, pass {{ic|-PN}})
 
# Scans the host(s)'s top 1000 most popular ports.  When running as root, SYN stealth scan is used.  When running as user, connect scan is used.
 
 
 
== Ping scan ==
 
 
 
Ping scanning (host discovery) is a technique for determining whether the specified computers are up and running.  Nmap performs ping scan by default before port scan to avoid wasting time on hosts that are not even connected.  To instruct Nmap to '''only''' perform ping scan:
 
 
 
$ nmap -sn 10.1.1.1/8
 
 
 
This will cause Nmap to ping every one of the specified addresses and then report the list of hosts which did respond to the ping.
 
 
 
Nmap uses different kinds of ping packets when run with user or root privileges and when scanning the same or different subnets:
 
 
 
{| class="wikitable"
 
!
 
! External IP
 
! Local IP
 
|-
 
! User privileges
 
| TCP SYN at ports 80 & 443
 
| TCP SYN at ports 80 & 443 and ARP
 
|-
 
! Root privileges
 
| TCP SYN at ports 80 & 443 and IGMP
 
| ARP
 
|}
 
 
 
=== Ping scan types ===
 
 
 
{| class="wikitable"
 
! Option    || Ping scan type
 
|-
 
| {{ic|-Pn}} || Disable ping scan entirely
 
|-
 
| {{ic|-PS}} || TCP '''S'''YN (default at port 80)
 
|-
 
| {{ic|-PA}} || TCP '''A'''CK (default at port 80)
 
|-
 
| {{ic|-PU}} || '''U'''DP
 
|-
 
| {{ic|-PY}} || SCTP INIT
 
|-
 
| {{ic|-PE}} || ICMP '''E'''cho
 
|-
 
| {{ic|-PP}} || ICMP timestam'''p'''
 
|-
 
| {{ic|-PM}} || ICMP address '''m'''ask
 
|-
 
| {{ic|-PO}} || '''O'''ther IP protocol
 
|-
 
| {{ic|-PR}} || [[Wikipedia:Address Resolution Protocol|ARP]] scan
 
|}
 
 
 
{{ic|-Pn}} is useful when the machine is heavily firewalled, TCP 80 and 443 ports and IGMP requests are blocked, but the IP address might still have a machine listening on other less common ports.
 
 
 
== Port scan ==
 
 
 
There are 3 main states a port can be in:
 
 
 
* {{ic|open}} - there is a program listening and responding to requests on this port
 
* {{ic|closed}} - the host replies with an "error: no program listening on this port" reply to requests to this port
 
* {{ic|filtered}} - the host doesn't reply at all.  This can be due to restrictive firewall rules, which "drop" a packet without sending a reply
 
 
 
In addition to these there are 3 more states that Nmap can classify a port.  These are used when Nmap cannot reliably determine the state but suspects two of the three possible states:
 
 
 
* {{ic|open<nowiki>|</nowiki>closed}} ({{ic|unfiltered}}) - the port is either open or closed
 
* {{ic|closed<nowiki>|</nowiki>filtered}} - the port is either closed or filtered
 
* {{ic|open<nowiki>|</nowiki>filtered}} - the port is either open or filtered
 
 
 
By default Nmap scans the 1000 most popular ports found in {{ic|/etc/nmap/nmap-services}}.  To specify a different number of common ports:
 
 
 
$ nmap --top-ports 10.1.1.1
 
 
 
To specify custom port numbers, use {{ic|-p}}:
 
 
 
$ nmap -p -25,135-137 10.1.1.1
 
 
 
Dashes and commas work just like in [[#Specifying the target]]. In addition, it is possible to specify all ports before/after given one by skipping the starting/ending port when using a dash.  For example to scan all possible 65535 ports (except [[#Scan port number 0|port number 0]]):
 
  
$ nmap -p -
+
Depending on your usage, you might also [[Systemd#Editing_provided_units]] to better [[Systemd#Handling_dependencies]]. In order for the stunnel to start up automatically at system boot you must [[enable]] it.
  
=== Scan types ===
+
== setup ==
 +
The main configuration file is read from /etc/stunnel/stunnel.conf.
  
{| class="wikitable"
+
A client is one to accept non TLS encrypted data. It TLS encrypts the data and connects to the server. The server accepts TLS encrypted data and extracts it. It then connects to where the data should be send to.
! Option    || Port scan type
 
|-
 
| {{ic|-sP}} || [[#Ping scan|Ping scan]] only
 
|-
 
| {{ic|-sS}} || TCP SYN (stealth) (Default as root)
 
|-
 
| {{ic|-sT}} || TCP connect (Default as user)
 
|-
 
| {{ic|-sA}} || TCP ACK
 
|-
 
| {{ic|-sF}} || TCP FIN
 
|-
 
| {{ic|-sX}} || TCP FIN, SYN, ACK
 
|-
 
| {{ic|-sW}} || TCP window
 
|-
 
| {{ic|-sM}} || TCP Miamon
 
|-
 
| {{ic|-sU}} || UDP scan
 
|-
 
| {{ic|-sI}} || Idle scan
 
|-
 
| {{ic|-b}}  || FTP bounce scan
 
|-
 
| {{ic|-sO}} || Other IP protocol
 
|}
 
  
== Anti-scanning techniques ==
+
=== Byte order mark (BOM) ===
  
=== iptables PSD module ===
+
The configuration file expects a UTF-8 [https://en.wikipedia.org/wiki/Byte_order_mark byte order mark (BOM)], at the beginning of the file. A BOM is the unicode character U+FEFF. Its UTF-8 representation is the (hexadecimal) byte sequence 0xEF,0xBB,0xBF. Inserting those bytes into the beginning of a file can be done by
  
[http://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_psd.c PSD] is an extension module of [[iptables]]. It is used on some linux-based commercial routers as well.
+
# echo -e '\xEF\xBB\xBF' > /etc/stunnel/stunnel.conf
  
It has 4 parameters:
+
To test if those bytes appear, one can use
  
* {{ic|--psd-weight-threshold ''threshold''}}, default value: {{ic|21}}
+
# od –-address-radix=n -–format=x1c --read-bytes=4 /etc/stunnel/stunnel.conf
: Total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence.
+
  ef  bb    bf  0a
* {{ic|--psd-delay-threshold ''delay''}}, default value: {{ic|300}} (3 seconds)
+
357 273 277    \n
: Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence.
 
* {{ic|--psd-lo-ports-weight ''weight''}}, default value: {{ic|3}}
 
: Weight of the packet with privileged (<=1024) destination port.
 
* {{ic|--psd-hi-ports-weight ''weight''}}, default value: {{ic|1}}
 
: Weight of the packet with non-priviliged (>1024) destination port.
 
  
The principle behind PSD is simple. If requests from a single IP have gained a value more than ''threshold'' in ''delay'' seconds, then the IP is classified as a port scanner. In a math expression:
+
Note that when printing the file to the screen, such as with cat, or when [[edit]]ing the file with a text editor, the BOM bytes are usually  not displayed. They should be there, though. Which is why you might want to verify that they are still there after editing is completed with the above OD, or similar, command.
  
''lo_ports_weight'' * '''REQUESTS_LOW''' + ''hi_ports_weight'' * '''REQUESTS_HIGH''' >= ''threshold''
+
=== Authentication ===
  
where
+
At least one of the client and the server, and optionally both, should be authenticated. Either a pre-shared secret, or a key and certificate pair, can be used for authentication. A pre-shared secret has to be transfred to all the involved machines apriory by other means, such as [[scp]]. When such transfer is acceptable, pre-shared key is the fastest method. Its speed might help defending attacks. A simple configuration for a server with a single client that are using a pre-shared secret is:
 +
client:/etc/stunnel/stunnel.conf
 +
server:/etc/stunnel/stunnel.conf
  
'''REQUESTS_LOW''' = number of requests to priviliged (0 to 1024) ports within last ''delay'' seconds
+
where /etc/stunnel/psk could be created on one machine by
'''REQUESTS_HI''' = number of requests to privileged (1024 to 65535) ports within last ''delay'' seconds
 
  
Here are some examples:
+
# openssl rand -base64 -out /etc/stunnel/psk 40
  
* With default parameters, if at least 7 priviliged ports are hit within 3 seconds, it is classified as a port scan.
+
and copied to the other machine by secure means before starting stunnel. The files [[permissions]] for each psk file should be set appropriately.
* With default parameters, if at least 21 non-privilged ports are hit withing 3 seconds, it is classified as a port scan.
 
* With default parameters, if 4 privileged ports and 9 non-priviliged ports are hit within 3 seconds, it is classified as a port scan, because {{ic|1=4*3 + 9*1 >= 21}}.
 
 
 
=== Avoiding detection ===
 
 
 
One of the simplest ways to avoid PSD is to simply [[#Limiting scan speed|scan slowly]]. For default values this parameter would suffice:
 
 
 
$ nmap --scan-delay 3.1 192.168.56.1
 
 
 
Another interesing fact about PSD is that it does not detect a request as a port scan when the {{ic|ack}} or {{ic|rst}} flags are set (See the function {{ic|is_portscan}} in [http://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_psd.c xt_psd.c])
 
 
 
Also, if you are port scanning a host and the latter has an HTTP(S) service running on it, nmap will use {{ic|Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)}} as default user agent. Your action will thus be easily detected, especially if an administrator or a robot are taking measures if such an user agent appears in the logs. Hopefully, nmap allows us to change that string easily: just pass {{ic|1=-script-args http.useragent="''user agent you want''"}}. [http://www.kroosec.com/2012/02/making-nmap-scripting-engine-stealthier.html Source]
 
  
 
== Tips and Tricks ==
 
== Tips and Tricks ==
  
=== Limiting scan speed ===
+
=== DNS over TLS ===
 
 
Nmap scans are ''fast''. While this is often a desirable feature, it can be counter-productive as well. For example when you want to test your system's firewall without disabling any activated flood detection rules, or when you want to run a long-term test for a specific port/service. The following options specify how fast Nmap sends packets.
 
 
 
To send a packet at most every 3.333 seconds:
 
 
 
$ nmap --max-rate 0.3 192.168.56.1
 
 
 
Alternatively, to send a packet every 3.1 seconds:
 
 
 
$ nmap --scan-delay 3.1 192.168.56.1
 
 
 
For other timing and parallelization options, see {{man|1|nmap}}.
 
 
 
=== Specify targets input from a list file ===
 
 
 
Often it is necessary to scan a large number of non-adjacent addresses.  Passing them on the command line is usually not convenient.  For this reason Nmap supports '''i'''nput from a '''l'''ist file ({{ic|-iL}}):
 
 
 
{{hc|addresses.txt|
 
10.1.1.1 10.1.1.2 10.1.1-10.3
 
10.3.1.3 10.3.1.50 10.3.2.55
 
10.1.1.100
 
...
 
}}
 
 
 
$ nmap -iL addresses.txt
 
 
 
Addresses in the file must be separated with a whitespace.
 
 
 
Alternatively, Nmap can read the list from standard input (the {{ic|-}} means standard input in many command-line programs):
 
 
 
$ echo "10.1.1.1 10.1.1.2 10.1.1-10.3" | nmap -iL -
 
 
 
=== Specify targets to exclude from scan ===
 
 
 
$ nmap 10.1.1.1-10 --exclude 10.1.1.5,7
 
 
 
The same from a file:
 
 
 
$ nmap 10.1.1.1-10 --excludefile excludeaddr.txt
 
 
 
=== Spoofing ===
 
 
 
To spoof source IP:
 
 
 
$ nmap -S 192.168.56.35 -e vboxnet0 192.168.56.11
 
 
 
To spoof the source MAC address:
 
 
 
$ nmap --spoof-mac 192.168.56.11
 
 
 
To spoof source port:
 
 
 
$ nmap --source-port 22 192.168.56.11
 
 
 
=== Speeding up the scan ===
 
 
 
By default, Nmap performs DNS/reverse-DNS resolution on targets.  To tell Nmap '''n'''ever do any DNS resolution, pass the {{ic|-n}} option:
 
 
 
$ nmap -n 192.168.56.0/24
 
 
 
This will speed the scan about 2 times.
 
 
 
=== Scan port number 0 ===
 
 
 
By default port 0 is skipped from scans, even if {{ic|-p -}} is specified.  To scan it, it must be explicitly specified.  For example to scan every possible port:
 
 
 
$ nmap -p 0-65535
 
 
 
Remember that this port number is invalid in RFC standards.  However it can be used by malware and the like to avoid more naive port scanners.
 
 
 
=== File output formats ===
 
 
 
Nmap has built-in support for for file output alongside with terminal output:
 
 
 
* {{ic|-oN ''filename''}}
 
: Normal output, same as the terminal output
 
* {{ic|-oX ''filename''}}
 
: XML output, contains very detailed information about the scan, easy to parse with software
 
* {{ic|-oG ''filename''}}
 
: Grepable output, deprecated
 
* {{ic|-oA}}
 
: All of the above combined. Creates files called {{ic|''sitename''.nmap}}, {{ic|''sitename''.xml}} and {{ic|''sitename''.gnmap}} if no filename is specified
 
  
For example to output to the terminal, to file and to XML file:
+
[[bind]] does not offer builtin facilities for encryption of queries and answers. Bind knowledge base suggests using stunnel. See https://kb.isc.org/docs/aa-01386. The link mentions [[unbound]] at the bottom of the page. A user that have only shell accounts on both the client and the server can still tunnel only his DNS traffic even when both the resolver and the NS support DNS over TLS.
  
$ nmap -oN output.txt -oX output.xml scanme.nmap.org
+
=== Encrypting NFSv4 with Stunnel TLS ===
 +
See [https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls Encrypting NFSv4 with Stunnel TLS]
  
 
== See also ==
 
== See also ==
  
* [[Wikipedia:Nmap]]
+
* [[Wikipedia:stunnel]]
* [http://nmap.org/ Official website]
+
* [https://wiki.debian.org/Pan?highlight=%28stunnel%29#SSL_encryption SSL encryption for Pan]
* [http://nmap.org/book/ Nmap Network Scanning book]
+
* [https://www.linuxjournal.com/article/7628 Paranoid Penguin - Rehabilitating Clear-Text Network Applications with Stunnel]
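Review bot: The od invocation in the new Byte order mark section mixes en-dashes into its long options (`# od –-address-radix=n -–format=x1c --read-bytes=4 /etc/stunnel/stunnel.conf`), so the command as committed fails with an unrecognised option; it should read `od --address-radix=n --format=x1c --read-bytes=4 /etc/stunnel/stunnel.conf`. Two smaller points in the same region: the Authentication section announces a client and a server /etc/stunnel/stunnel.conf but both bodies are empty, and the `# echo -e '\xEF\xBB\xBF' > /etc/stunnel/stunnel.conf` line truncates an existing file and appends the newline that shows up as `0a` in the od output, which deserves a sentence next to it.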

Revision as of 21:00, 19 June 2019

stunnel (“Secure Tunnel”) is a multi-platform application used to provide a universal TLS/SSL tunneling service. It is a kind of proxy designed to add TLS encryption to existing clients and servers without any changes to the programs' code. It is designed for security, portability and scalability (including load balancing), making it suitable for large deployments. It uses openssl and is distributed under the GNU GPL version 2 or later with the OpenSSL exception.

It can only tunnel TCP; its FAQ describes some workarounds for UDP.

Authentication can be used by the server to allow access only to approved clients.

Installation

Install stunnel from official repositories.

Depending on your usage, you might also want to edit the provided systemd unit (see Systemd#Editing_provided_units) to better handle its dependencies (see Systemd#Handling_dependencies). For stunnel to start automatically at system boot, enable its unit.

Setup

The main configuration file is read from /etc/stunnel/stunnel.conf.

In client mode stunnel accepts data that is not TLS-encrypted, encrypts it with TLS and connects to the server. In server mode it accepts TLS-encrypted data, decrypts it and then connects to wherever the data should be sent.

Byte order mark (BOM)

The configuration file expects a UTF-8 byte order mark (BOM) at the beginning of the file. The BOM is the Unicode character U+FEFF; its UTF-8 representation is the byte sequence 0xEF, 0xBB, 0xBF (hexadecimal). Those bytes can be written to the beginning of a file with the following command (note that it creates or truncates the file, so run it before adding the rest of the configuration):

# echo -e '\xEF\xBB\xBF' > /etc/stunnel/stunnel.conf

To test if those bytes appear, one can use

# od --address-radix=n --format=x1c --read-bytes=4 /etc/stunnel/stunnel.conf
  ef   bb    bf   0a
 357  273   277   \n

Note that the BOM bytes are usually not displayed when the file is printed to the screen, such as with cat, or opened in a text editor. They should still be present, though, which is why you might want to verify with the od command above, or a similar one, that they are still there after you finish editing.

Authentication

At least one of the client and the server, and optionally both, should be authenticated. Either a pre-shared secret or a key and certificate pair can be used for authentication. A pre-shared secret has to be transferred to all the involved machines beforehand by other means, such as scp. When such a transfer is acceptable, a pre-shared key is the fastest method, and its speed might help in withstanding attacks. A simple configuration for a server with a single client, both using a pre-shared secret, is:

client:/etc/stunnel/stunnel.conf

server:/etc/stunnel/stunnel.conf

where /etc/stunnel/psk could be created on one machine by

# openssl rand -base64 -out /etc/stunnel/psk 40

and copied to the other machine by secure means before starting stunnel. The permissions of each psk file should be set so that only the user stunnel runs as can read it.
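As an added example that is not part of the wiki page or the stunnel project, the following POSIX shell script ties together the setup, BOM and authentication sections above (and the DNS over TLS tip further down): it writes a pre-shared-key secrets file in the IDENTITY:KEY line format read by stunnel's PSKsecrets option, generates a BOM-prefixed client and server stunnel.conf for a dns service, and checks the BOM without clobbering an existing file. The service name, the hosts and ports, the identity client1 and the scratch paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page or the stunnel project: build a
# PSK-authenticated client/server stunnel.conf pair that starts with the UTF-8
# BOM, and check the BOM afterwards. Assumptions: the service name "dns", the
# hosts/ports, the identity "client1" and the scratch paths are illustrative.
set -eu
# Succeeds when FILE begins with the UTF-8 BOM bytes EF BB BF.
has_bom() {
    [ "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" = "efbbbf" ]
}

# Prepend the BOM only when it is missing. Unlike `echo -e '\xEF\xBB\xBF' > FILE`
# this keeps the file's existing content and adds no trailing newline.
ensure_bom() {
    if ! has_bom "$1"; then
        { printf '\357\273\277'; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Write a secrets file in the IDENTITY:KEY line format read by stunnel's
# PSKsecrets option; a 32-byte random hex key clears the 16-byte minimum.
# (The page's `openssl rand -base64 -out psk 40` yields only the key part.)
write_psk() { # write_psk FILE IDENTITY
    key=$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')
    ( umask 077; printf '%s:%s\n' "$2" "$key" > "$1" )
}

# Client side: accept plaintext locally, wrap it in TLS, send it to the server.
write_client_conf() { # write_client_conf FILE SERVER_HOST PSK_FILE IDENTITY
    printf '\357\273\277' > "$1"   # BOM first, then the configuration body
    cat >> "$1" <<EOF
[dns]
client = yes
accept = 127.0.0.1:53
connect = $2:853
PSKidentity = $4
PSKsecrets = $3
EOF
}

# Server side: accept TLS from clients, unwrap it, hand it to the local service.
write_server_conf() { # write_server_conf FILE PSK_FILE
    printf '\357\273\277' > "$1"
    cat >> "$1" <<EOF
[dns]
accept = 853
connect = 127.0.0.1:53
PSKsecrets = $2
EOF
}

# Scratch-directory demonstration; returns 0 when every file checks out.
demo() {
    dir=$(mktemp -d)
    write_psk "$dir/psk" client1
    write_client_conf "$dir/client.conf" 192.0.2.10 "$dir/psk" client1
    write_server_conf "$dir/server.conf" "$dir/psk"
    printf 'foreground = yes\n' > "$dir/nobom.conf"   # saved by an editor without BOM
    ensure_bom "$dir/nobom.conf"
    has_bom "$dir/client.conf" && has_bom "$dir/server.conf" &&
        has_bom "$dir/nobom.conf" && grep -q '^client1:[0-9a-f]\{64\}$' "$dir/psk"
}
demo   # writes the files into a fresh mktemp directory; exits non-zero on failure
```

The generated files are left in the mktemp directory so they can be inspected with the od command from the BOM section before being copied into /etc/stunnel.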

Tips and Tricks

DNS over TLS

bind does not offer built-in facilities for encrypting queries and answers; the BIND knowledge base suggests using stunnel, see https://kb.isc.org/docs/aa-01386 (the article also mentions unbound at the bottom of the page). A user who has only shell accounts on both the client and the server can still tunnel just their own DNS traffic, even when both the resolver and the name server support DNS over TLS.

Encrypting NFSv4 with Stunnel TLS

See Encrypting NFSv4 with Stunnel TLS (https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls).

See also