Telnet is a client-server protocol used to connect to a remote server over TCP port 23. Telnet does not encrypt data, so it is considered unsafe: everything, including the password, is sent in clear text and can easily be sniffed. However, there are still legacy systems that need to use it. This is where stunnel comes in.
stunnel is a program that adds SSL encryption on top of protocols that use an unencrypted connection. This article uses telnet as an example to describe how to use it.
Server installation
Use sudo to install the stunnel package and the telnet server and client:
sudo dnf -y install stunnel telnet-server telnet
Add firewall rules, enter your password when prompted:
firewall-cmd --add-service=telnet --perm
firewall-cmd --reload
Next, generate an RSA private key and SSL certificate:
openssl genrsa 2048 > stunnel.key
openssl req -new -key stunnel.key -x509 -days 90 -out stunnel.crt
The system will first prompt you to enter the following information. When asked for the Common Name, you must enter the correct host name or IP address, but you can press Enter to skip everything else.
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []
Combine the RSA key and the SSL certificate into a single .pem file, and copy it to the SSL certificate directory:
cat stunnel.crt stunnel.key > stunnel.pem
sudo cp stunnel.pem /etc/pki/tls/certs/
You can now define the service and ports for the encrypted connection. Select a port that is not in use. This example uses port 450 for the tunneled telnet. Edit or create /etc/stunnel/telnet.conf:
cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[telnet]
accept = 450
connect = 23
The accept option is the port the server will listen on for incoming telnet requests. The connect option is the internal port the telnet server listens on.
Next, create a copy of the systemd unit file so that it overrides the original:
sudo cp /usr/lib/systemd/system/stunnel.service /etc/systemd/system
Edit /etc/systemd/system/stunnel.service and add two lines (the ExecStartPre lines below). These lines create the chroot jail for the service at startup.
[Unit]
Description=TLS tunnel for network daemons
After=syslog.target network.target
[Service]
ExecStart=/usr/bin/stunnel
Type=forking
PrivateTmp=true
ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/stunnel
[Install]
WantedBy=multi-user.target
Next, configure SELinux to allow telnet to listen on the new port you just specified:
sudo semanage port -a -t telnetd_port_t -p tcp 450
Finally, add a new firewall rule:
firewall-cmd --add-port=450/tcp --perm
firewall-cmd --reload
Now you can enable and start telnet and stunnel:
systemctl enable telnet.socket stunnel@telnet.service --now
Note the form of the systemctl command here. The stunnel package provides an additional template unit file for systemd. This template lets you keep multiple stunnel configuration files in /etc/stunnel, and use the file name to start the corresponding service. For example, if you have a foobar.conf file, you can start that stunnel instance with systemctl start stunnel@foobar.service, without writing any unit files yourself.
If necessary, you can also set this stunnel template service to start at boot time:
systemctl enable stunnel@telnet.service
Client Installation
This part of the article assumes that you are logged in to the client system as a normal user with sudo privileges. Install stunnel and the telnet client:
sudo dnf -y install stunnel telnet
Copy stunnel.pem from the remote server to the client's /etc/pki/tls/certs directory. In this example, the IP address of the remote telnet server is 192.168.1.143.
sudo scp myuser@192.168.1.143:/etc/pki/tls/certs/stunnel.pem /etc/pki/tls/certs/
Create /etc/stunnel/telnet.conf:
cert = /etc/pki/tls/certs/stunnel.pem
client=yes
[telnet]
accept=450
connect=192.168.1.143:450
The accept option is the local port for the telnet session. The connect option is the IP address of your server and the remote port it is listening on.
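To review both configuration files above (the server's and the client's) with one tool, here is an added Python example that is not part of the original article or of stunnel itself. It parses stunnel's ini-style format (global options first, then [service] sections) and flags the deprecated sslVersion = TLSv1 pin and the client config's missing certificate verification (stunnel's verifyPeer/verifyChain plus CAfile options, which the article does not set, so the client accepts whatever certificate the far end presents).

```python
# Added example (not from the article or the stunnel project): lint the two
# stunnel.conf files shown in this article for settings worth reviewing.
DEPRECATED_TLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); values are lists since keys like socket repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):  # [service] section header
            current = line[1:-1].strip()
            services[current] = {}
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_opts if current is None else services[current]
        target.setdefault(key.lower(), []).append(value)
    return global_opts, services

def lint_stunnel_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    g, services = parse_stunnel_conf(text)
    findings = []
    version = g.get("sslversion", [""])[0]
    if version.lower() in DEPRECATED_TLS:
        findings.append(f"sslVersion={version}: deprecated protocol, allow only TLS 1.2 or newer")
    is_client = g.get("client", ["no"])[0].lower() == "yes"
    # verify options may sit in the global section or inside a [service] section
    verified = any(k in o for o in [g, *services.values()] for k in ("verify", "verifypeer", "verifychain"))
    if is_client and not verified:
        findings.append("client mode without verifyPeer/CAfile: server certificate never checked")
    for name, opts in services.items():  # every tunnel needs both ends defined
        findings += [f"[{name}] missing {k}" for k in ("accept", "connect") if k not in opts]
    return findings

# Constructed copies of the article's config files, so the example runs stand-alone.
SERVER_CONF = """cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[telnet]
accept = 450
connect = 23
"""
CLIENT_CONF = "cert = /etc/pki/tls/certs/stunnel.pem\nclient=yes\n[telnet]\naccept=450\nconnect=192.168.1.143:450\n"
```

Running lint_stunnel_conf on each file prints one finding per config; adding verifyPeer = yes and CAfile = /etc/pki/tls/certs/stunnel.pem to the client's [telnet] section clears the client finding.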
Next, enable and start stunnel:
systemctl enable stunnel@telnet.service --now
Test your connection. Because the tunnel carries the connection, you telnet to localhost instead of the remote telnet server's host name or IP address.
[user@client ~]$ telnet localhost 450
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Kernel 5.0.9-301.fc30.x86_64 on an x86_64 (0)
server login: myuser
Password: XXXXXXX
Last login: Sun May 5 14:28:22 from localhost
[myuser@server ~]$
via: https://fedoramagazine.org/securing-telnet-connections-with-stunnel/
Author: Curt Warfield Topic selection: lujun9972 Translator: geekpi Proofreading: wxy
This article was originally translated by LCTT and is proudly presented by Linux China.