Securing unencrypted traffic with stunnel

aip — Wed, 14 Oct 2009 20:54:44 +0000

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. In this tutorial we'll secure Samba connection but you could use this for other services like SMTP, IMAP, POP3 etc.

If you are securing a service where the client supports encrypting like SMTP, IMAP and POP3 you can skip the client step.

Server

1. Install stunnel

apt-get install stunnel

2. Configure Samba to only listen on localhost only (pico /etc/samba/smb.conf)

interfaces = 127.0.0.0/8 bind interfaces only = yes

3. Restart Samba

/etc/init.d/samba restart

4. Create SSL certificate and a key

openssl req -new -nodes -x509 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

5. Configure stunnel to listen for secure connections on port 8139 and forward to port 139 on localhost (pico /etc/stunnel/stunnel.conf)

cert = /etc/stunnel/stunnel.pem [smb] accept = 8139 connect = 139

6. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

7. Start stunnel

/etc/init.d/stunnel4 restart

Client

1. Install stunnel and smbclient

apt-get install smbclient stunnel

2. Configure stunnel to listen for connections on localhost:139 and forward to the server on port 8139 using a secure connection (pico /etc/stunnel/stunnel.conf)

client = yes [smb] accept = localhost:139 connect = {ip}:8139

Replace {ip} with the IP address of your server previously configured

3. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

4. Start stunnel

/etc/init.d/stunnel4 restart

5. Test the connection using smbclient

smbclient -U user1 //localhost/sambashare

Debian Tutorials » ssl

Securing unencrypted traffic with stunnel