2025-04-05 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/01 Report--
This article shows how to use stunnel to protect a telnet connection. The content is straightforward and clearly laid out, and should help clear up any doubts; let the editor lead you through "how to use stunnel to protect telnet connection".
Telnet is a client-server protocol that connects to a remote server over TCP port 23. Telnet does not encrypt data, so it is considered insecure: everything is sent in clear text, and passwords are easily sniffed. However, there are still old systems that need to use it. This is where stunnel comes in.
Stunnel is designed to add SSL/TLS encryption to programs that use insecure connection protocols.
Server installation
Use sudo to install the stunnel and telnet server and client packages:
sudo dnf -y install stunnel telnet-server telnet
Add firewall rules and enter your password when prompted:
firewall-cmd --add-service=telnet --perm
firewall-cmd --reload
Next, generate the RSA private key and SSL certificate:
openssl genrsa 2048 > stunnel.key
openssl req -new -key stunnel.key -x509 -days 90 -out stunnel.crt
The system will prompt you for the following information, one item at a time. When asked for the Common Name, you must enter the correct host name or IP address; you can press Enter to skip everything else.
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Merge the RSA key and SSL certificate into a single .pem file and copy it to the SSL certificate directory:
cat stunnel.crt stunnel.key > stunnel.pem
sudo cp stunnel.pem /etc/pki/tls/certs/
You can now define the service and the port used for encrypted connections. Choose a port that is not yet in use; this example uses port 450 to tunnel telnet. Edit or create /etc/stunnel/telnet.conf:
cert = /etc/pki/tls/certs/stunnel.pem
; TLSv1 pins the tunnel to TLS 1.0 only; current stunnel and OpenSSL builds treat that version as deprecated
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[telnet]
accept = 450
connect = 23
The accept option is the port on which stunnel listens for incoming telnet requests. The connect option is the local port on which the telnet server itself is listening.
Next, create a copy of the systemd unit file that overrides the packaged version:
sudo cp /usr/lib/systemd/system/stunnel.service /etc/systemd/system
Edit /etc/systemd/system/stunnel.service and add two lines. These lines create a chroot jail for the service at startup.
[Unit]
Description=TLS tunnel for network daemons
After=syslog.target network.target

[Service]
ExecStart=/usr/bin/stunnel
Type=forking
PrivateTmp=true
ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/stunnel

[Install]
WantedBy=multi-user.target
Next, configure SELinux to allow telnet on the new port you just specified:
sudo semanage port -a -t telnetd_port_t -p tcp 450
Then add the new firewall rules:
firewall-cmd --add-port=450/tcp --perm
firewall-cmd --reload
Now you can enable and start telnet and stunnel.
systemctl enable telnet.socket stunnel@telnet.service --now
Note that the systemctl command is ordered. The systemd and stunnel packages provide an additional template unit file by default. This template lets you keep multiple stunnel configuration files in /etc/stunnel and start a service by file name. For example, if you have a foobar.conf file, you can start that stunnel instance with systemctl start stunnel@foobar.service without writing any unit file yourself.
If desired, you can set this stunnel template service to start at boot:
systemctl enable stunnel@telnet.service
Client installation
This part of the article assumes that you are logged in to the client system as a normal user with sudo privileges. Install the stunnel and telnet clients:
sudo dnf -y install stunnel telnet
Copy stunnel.pem from the remote server to the client's /etc/pki/tls/certs directory. In this example, the IP address of the remote telnet server is 192.168.1.143.
sudo scp myuser@192.168.1.143:/etc/pki/tls/certs/stunnel.pem /etc/pki/tls/certs/
Create /etc/stunnel/telnet.conf:
cert = /etc/pki/tls/certs/stunnel.pem
client = yes

[telnet]
accept = 450
connect = 192.168.1.143:450
The accept option is the local port used for telnet sessions. The connect option is the IP address of your remote server and the port stunnel is listening on there.
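As an added check that is not part of the original article: the client file above copies stunnel.pem but sets neither verify nor CAfile, and stunnel's verify option defaults to no verification, so the session is encrypted without confirming which server answered; the server file likewise pins sslVersion = TLSv1. This POSIX sh audit, run against each /etc/stunnel/telnet.conf (the file paths are assumptions), reports both conditions and exits non-zero when it finds one.

```sh
# Audit an stunnel config in the "key = value" / [service] format used above.
# Findings: client mode without verify+CAfile (server cert never checked), and
# sslVersion = TLSv1 (tunnel pinned to TLS 1.0). Added example, not the
# article's own code; sample files below are constructed for illustration.

TAB=$(printf '\t')

trim() {  # strip leading/trailing spaces and tabs from $1 (stunnel allows "client= yes")
    t=$1
    while :; do
        case $t in
            ' '*|"$TAB"*) t=${t#?} ;;
            *' '|*"$TAB") t=${t%?} ;;
            *) break ;;
        esac
    done
    printf '%s' "$t"
}

stunnel_pairs() {  # $1 = config file; prints normalized key=value lines, all sections
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|\;*|\#*|\[*) continue ;;   # blank, comment, or [service] header
            *=*) printf '%s=%s\n' "$(trim "${line%%=*}")" "$(trim "${line#*=}")" ;;
        esac
    done < "$1"
}

# Exit 0 when the file has no finding, 1 otherwise; findings go to stdout.
audit_stunnel_conf() {  # $1 = config file
    pairs=$(stunnel_pairs "$1")
    rc=0
    if printf '%s\n' "$pairs" | grep -qx 'client=yes'; then
        # A peer check needs verify >= 2 (or verifyChain/verifyPeer) plus a trust store.
        if ! printf '%s\n' "$pairs" | grep -qxE 'verify=[234]|verify(Chain|Peer)=yes' ||
           ! printf '%s\n' "$pairs" | grep -qE '^CA(file|path)=.'; then
            echo "WARN $1: client mode without 'verify = 2' and 'CAfile': server certificate is not checked"
            rc=1
        fi
    fi
    if printf '%s\n' "$pairs" | grep -qx 'sslVersion=TLSv1'; then
        echo "WARN $1: sslVersion = TLSv1 pins the tunnel to TLS 1.0; use TLSv1.2 or newer"
        rc=1
    fi
    return $rc
}
```

For CAfile the client only needs the certificate half (stunnel.crt); the private key inside stunnel.pem does not have to leave the server.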
Next, enable and start stunnel:
systemctl enable stunnel@telnet.service --now
Test your connection. Because the tunnel is already established to the server, you telnet to localhost rather than to the hostname or IP address of the remote telnet server.
[user@client ~]$ telnet localhost 450
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Kernel 5.0.9-301.fc30.x86_64 on an x86_64 (0)
server login: myuser
Password: XXXXXXX
Last login: Sun May 5 14:28:22 from localhost
[myuser@server ~]$
That is all the content of this article, "how to use stunnel to protect telnet connections". Thank you for reading!