Debian Tutorials

Debian Tutorials


Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

September 2021
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
27282930  

Categories


Securing unencrypted traffic with stunnel

Ástþór IPÁstþór IP

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. In this tutorial we’ll secure Samba connection but you could use this for other services like SMTP, IMAP, POP3 etc.

If you are securing a service where the client supports encrypting like SMTP, IMAP and POP3 you can skip the client step.

Server

1. Install stunnel

apt-get install stunnel

2. Configure Samba to only listen on localhost only (pico /etc/samba/smb.conf)

interfaces = 127.0.0.0/8
bind interfaces only = yes

3. Restart Samba

/etc/init.d/samba restart

4. Create SSL certificate and a key

openssl req -new -nodes -x509 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

5. Configure stunnel to listen for secure connections on port 8139 and forward to port 139 on localhost (pico /etc/stunnel/stunnel.conf)

cert = /etc/stunnel/stunnel.pem
 
[smb]
accept = 8139
connect = 139

6. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

7. Start stunnel

/etc/init.d/stunnel4 restart

Client

1. Install stunnel and smbclient

apt-get install smbclient stunnel

2. Configure stunnel to listen for connections on localhost:139 and forward to the server on port 8139 using a secure connection (pico /etc/stunnel/stunnel.conf)

client = yes
 
[smb]
accept = localhost:139
connect = {ip}:8139

Replace {ip} with the IP address of your server previously configured

3. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1

4. Start stunnel

/etc/init.d/stunnel4 restart

5. Test the connection using smbclient

smbclient -U user1 //localhost/sambashare

Comments 2
  • Jimothy
    Posted on

    Jimothy Jimothy

    Author

    Is the keyout parameter correct (it has the same value as -out), or should it be -keyout /etc/stunnel/stunnel.key?


  • aip
    Posted on

    aip aip

    Author

    @Jimothy: The parameters need to be the same filename. The certificate and private key will be combined into a single .pem file.