
Transport channel encryption Stunnel configuration

2025-01-20 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--


Let's continue with the OSSIM encrypted transmission channel from the previous section. Here we choose the open source tool Stunnel, a general-purpose TLS/SSL tunnelling service. The key configuration is as follows:

acl safe_port port 443 # https

Access to port 443 of the original server is handled by stunnel4, which establishes an SSL channel for encrypted transmission. In the default OSSIM 4.3 system, stunnel is turned off. Once stunnel is configured, email clients such as Foxmail or Outlook can use the encrypted channel to access the mailbox.

Note: OSSIM versions after 4.15 no longer ship the stunnel package.

The implementation idea: Stunnel encrypts the Squid channel, and only local access is allowed to traditional services such as POP3, SMTP, Samba and Syslog. These are unencrypted protocols, so their transmission is not secure on its own. Through Stunnel, the traffic to these services is carried inside an encrypted tunnel, which is more secure.

Figure: encryption process using Stunnel

1. Enable Stunnel

# vi /etc/default/stunnel4

Change enabled=0 to enabled=1

Then save and exit.

2. Configure SSL

# cd /etc/ssl

# openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem

# cp stunnel.pem /etc/ssl/certs/

# /etc/init.d/stunnel4 start

The Stunnel service mode requires a certificate file. Create a server certificate with the OpenSSL command-line tool (openssl.exe on Windows).

This creates a certificate that you sign yourself. The meaning of the parameters:

-days 365 makes this certificate valid for one year, after which it will no longer be usable.

-new creates a new certificate

-x509 create an X509 certificate (self-signed)

-nodes this certificate does not have a password

-config openssl.cnf the configuration file used by OpenSSL (the [CA_default] and [req_distinguished_name] sections may need to be modified)

-out stunnel.pem where to write the SSL certificate

-keyout stunnel.pem where to write the SSL private key (here the same file as the certificate). The command will ask the following questions:

Country Name: PL, UK, US, CA

State or Province Name: Illinois, Ontario

Locality: Chicago, Toronto

Organization Name: Bill's Meats, Acme Anvils

Organizational Unit Name: Ecommerce Division

Common Name (FQDN): www.example.com

Note: the Common Name (FQDN) should be the hostname of the machine running stunnel. If the machine is accessed through a different hostname, some SSL clients will warn that there is a problem with the host's certificate, so it is best to match it to the hostname the users actually connect to.

# openssl gendh 512 >> stunnel.pem

This generates the Diffie-Hellman parameters and appends them to the pem file. It is only required if you configure stunnel to use DH; DH is not used by default.
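The article gives the enable step and the certificate commands but not the stunnel4 service configuration itself. The following shell script is an added example (not from the article or the OSSIM project) that builds that configuration for the plaintext services named above (POP3, SMTP, syslog), each bound to the loopback address and exposed only through a TLS listener, and runs a few sanity checks on the result. The listener ports 995, 465 and 6514, the file paths, and the `make_cert` helper (which answers the interactive prompts with `-subj` and writes the key and certificate to separate files before concatenating them, rather than relying on the same-file form used above) are assumptions. The `gendh 512` step is intentionally not reproduced: 512-bit DH parameters are far too weak for current use, and DH is not enabled by default anyway.

```shell
#!/bin/sh
# Added example: generate a stunnel4 server-mode configuration that wraps local
# plaintext daemons in TLS. Paths and ports below are assumptions.

CERT_FILE="${CERT_FILE:-/etc/ssl/certs/stunnel.pem}"

# make_cert FQDN: non-interactive equivalent of the openssl req command in the
# article. Key and certificate go to separate files and are then joined into one
# PEM, which is what stunnel4 reads when only cert= is given.
make_cert() {
    fqdn="$1"
    openssl req -new -x509 -days 365 -nodes \
        -subj "/C=US/ST=Illinois/L=Chicago/O=Acme Anvils/CN=$fqdn" \
        -keyout stunnel.key -out stunnel.crt || return 1
    cat stunnel.key stunnel.crt > stunnel.pem
    chmod 600 stunnel.pem stunnel.key
}

# stunnel_service NAME ACCEPT CONNECT: print one [service] section. stunnel
# listens on ACCEPT (TLS) and forwards decrypted traffic to CONNECT, the
# plaintext daemon that must be bound to 127.0.0.1 only.
stunnel_service() {
    printf '[%s]\naccept = %s\nconnect = %s\n\n' "$1" "$2" "$3"
}

# stunnel_conf: print a complete server-mode stunnel4 configuration.
stunnel_conf() {
    cat <<EOF
; Global options (assumed layout; adjust to your system)
cert = $CERT_FILE
pid = /var/run/stunnel4.pid
; Server mode: terminate TLS here and hand plaintext to local daemons only.
client = no
; Drop privileges after binding the listening ports.
setuid = stunnel4
setgid = stunnel4
; Refuse legacy protocol versions.
options = NO_SSLv2
options = NO_SSLv3

EOF
    stunnel_service pop3s 995 127.0.0.1:110
    stunnel_service smtps 465 127.0.0.1:25
    stunnel_service syslog-tls 6514 127.0.0.1:514
}

# check_conf CONF_TEXT: checks worth running before restarting stunnel4.
# Fails if cert= is missing, if any connect target is not loopback (decrypted
# traffic would then leave the host in clear text), or if a section lacks
# accept/connect lines. Returns 0 when all checks pass.
check_conf() {
    conf="$1"
    if ! printf '%s\n' "$conf" | grep -q '^cert = '; then
        echo "check_conf: no cert= line" >&2
        return 1
    fi
    if printf '%s\n' "$conf" | grep '^connect = ' | grep -v -q '^connect = 127\.0\.0\.1:'; then
        echo "check_conf: a connect target is not loopback" >&2
        return 1
    fi
    n_sections=$(printf '%s\n' "$conf" | grep -c '^\[' || true)
    n_accept=$(printf '%s\n' "$conf" | grep -c '^accept = ' || true)
    n_connect=$(printf '%s\n' "$conf" | grep -c '^connect = ' || true)
    if [ "$n_sections" -ne "$n_accept" ] || [ "$n_sections" -ne "$n_connect" ]; then
        echo "check_conf: section/accept/connect counts differ" >&2
        return 1
    fi
    return 0
}

# Typical use: generate, check, then install as /etc/stunnel/stunnel.conf.
#   conf="$(stunnel_conf)" && check_conf "$conf" && printf '%s\n' "$conf" > /etc/stunnel/stunnel.conf
```

The loopback check is the one that matters most: stunnel only adds protection if the plaintext daemons are not reachable from the network, which is the "only allow local access" point made above; if POP3 or SMTP is still listening on all interfaces, the tunnel is merely an optional second door.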

In addition to using stunnel encryption, you can also use rsyslog-gnutls to encrypt syslog connections.

# apt-get install rsyslog-gnutls

For the specific settings, refer to the rsyslog documentation on encrypting syslog traffic with TLS. If you want to learn more about the complete OSSIM technology, please continue to follow the book "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices" published in November 2015, which reveals more of the underlying OSSIM technology that has never appeared in my blog.
