Telnet connection using stunnel protection | Linux China

stunnel is a program that adds SSL encryption to programs that use insecure connection protocols. This article shows how to use it, with telnet as the example. - Curt Warfield

Telnet is a client-server protocol for connecting to a remote server over TCP port 23. Telnet does not encrypt data, so it is considered insecure: everything is sent in clear text, and passwords can easily be sniffed. However, some legacy systems still need to use it. This is where stunnel comes in.

stunnel is a program that adds SSL encryption to programs that use insecure connection protocols. This article shows how to use it, with telnet as the example.

Server installation

Use sudo to install stunnel together with the telnet server and client:

  sudo dnf -y install stunnel telnet-server telnet

Add the firewall rules, entering your password when prompted:

  firewall-cmd --add-service=telnet --perm
  firewall-cmd --reload

Next, generate an RSA private key and SSL certificate:

  openssl genrsa 2048 > stunnel.key
  openssl req -new -key stunnel.key -x509 -days 90 -out stunnel.crt

You will be prompted for the following information. When asked for the Common Name, you must enter the correct host name or IP address; you can press Enter to skip everything else.

  You are about to be asked to enter information that will be
  incorporated into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:
  State or Province Name (full name) []:
  Locality Name (eg, city) [Default City]:
  Organization Name (eg, company) [Default Company Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:
  Email Address []

Combine the RSA key and SSL certificate into a single .pem file and copy it to the SSL certificate directory:

  cat stunnel.crt stunnel.key > stunnel.pem
  sudo cp stunnel.pem /etc/pki/tls/certs/

You can now define the service and port for the encrypted connection. Choose an unused port; this example uses port 450 for the tunneled telnet. Edit or create /etc/stunnel/telnet.conf:

  cert = /etc/pki/tls/certs/stunnel.pem
  sslVersion = TLSv1
  chroot = /var/run/stunnel
  setuid = nobody
  setgid = nobody
  pid = /stunnel.pid
  socket = l:TCP_NODELAY=1
  socket = r:TCP_NODELAY=1
  [telnet]
  accept = 450
  connect = 23

The accept option is the port on which the server will listen for incoming telnet requests. The connect option is the internal port on which the telnet server itself listens.

Next, make a copy of the systemd unit file to override the original version:

  sudo cp /usr/lib/systemd/system/stunnel.service /etc/systemd/system

Edit /etc/systemd/system/stunnel.service to add two lines. These lines create a chroot jail for the service at startup.

  [Unit]
  Description=TLS tunnel for network daemons
  After=syslog.target network.target
  [Service]
  ExecStart=/usr/bin/stunnel
  Type=forking
  PrivateTmp=true
  ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
  ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/stunnel
  [Install]
  WantedBy=multi-user.target

Next, configure SELinux so that telnet may listen on the new port you just specified:

  sudo semanage port -a -t telnetd_port_t -p tcp 450

Finally, add a new firewall rule:

  firewall-cmd --add-port=450/tcp --perm
  firewall-cmd --reload

Now you can enable and start telnet and stunnel:

  systemctl enable telnet.socket stunnel@telnet.service --now

A note on the systemctl command is in order. systemd and the stunnel package provide an additional template unit file by default. The template lets you drop multiple stunnel configuration files into /etc/stunnel and use the file name to start the service. For example, if you have a foobar.conf file, you can start that instance of stunnel with systemctl start stunnel@foobar.service, without writing any unit files yourself.

If you want, set this stunnel template service to start at boot time:

  systemctl enable stunnel@telnet.service

Client Installation

This part of the article assumes you are logged in to the client system as a normal user with sudo privileges. Install stunnel and the telnet client:

  dnf -y install stunnel telnet

Copy stunnel.pem from the remote server to the client's /etc/pki/tls/certs directory. In this example, the IP address of the remote telnet server is 192.168.1.143.

  sudo scp myuser@192.168.1.143:/etc/pki/tls/certs/stunnel.pem /etc/pki/tls/certs/

Create /etc/stunnel/telnet.conf:

  cert = /etc/pki/tls/certs/stunnel.pem
  client=yes
  [telnet]
  accept=450
  connect=192.168.1.143:450

The accept option is the local port to use for the telnet session. The connect option is the IP address of your server and the remote port it is listening on.
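As an added check (example code, not from the article or the stunnel project), here is a small parser for the stunnel.conf format used by both the server config above and this client config, with an audit that flags two settings a defender would want to revisit: sslVersion = TLSv1 pins the deprecated TLS 1.0, and a client config with no verify, verifyChain or verifyPeer option accepts any server certificate, because stunnel does not verify the peer by default. The input strings are constructed from the article's two configs; the verify* option names are stunnel's documented options.

```python
# Added example (not stunnel's own code); inputs are the two configs from the article.
SERVER_CONF = """\
cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[telnet]
accept = 450
connect = 23
"""
CLIENT_CONF = """\
cert = /etc/pki/tls/certs/stunnel.pem
client=yes
[telnet]
accept=450
connect=192.168.1.143:450
"""
def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); a repeated key keeps its last value."""
    global_opts, services = {}, {}
    current = global_opts                      # options before any [section] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line[0] == "[" and line[-1] == "]": # start of a [service] section
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:                                # lines without '=' are ignored
            current[key.strip()] = value.strip()
    return global_opts, services

def audit_stunnel_conf(text):
    """Return the findings a defender would want flagged before deploying."""
    g, services = parse_stunnel_conf(text)
    client = g.get("client", "no").lower() == "yes"
    findings = []
    if g.get("sslVersion") == "TLSv1":
        findings.append("sslVersion = TLSv1 pins deprecated TLS 1.0")
    if client and not any(k in g for k in ("verify", "verifyChain", "verifyPeer")):
        findings.append("client mode without verify*: server certificate not checked")
    for name, opts in services.items():
        if "accept" not in opts or "connect" not in opts:
            findings.append("[%s] needs both accept and connect" % name)
    return findings
```

Adding CAfile = /etc/pki/tls/certs/stunnel.pem and verifyChain = yes (or verify = 2 on older stunnel) to the client's global options clears the second finding, since the copied stunnel.pem then serves as the trust anchor for the server's self-signed certificate.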

Next, enable and start stunnel:

  systemctl enable stunnel@telnet.service --now

Test your connection. Since the tunnel is already established, you telnet to localhost instead of the host name or IP address of the remote telnet server:

  [user@client ~]$ telnet localhost 450
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  Kernel 5.0.9-301.fc30.x86_64 on an x86_64 (0)
  server login: myuser
  Password: XXXXXXX
  Last login: Sun May 5 14:28:22 from localhost
  [myuser@server ~]$

via: https://fedoramagazine.org/securing-telnet-connections-with-stunnel/

Author: Curt Warfield | Topic selection: lujun9972 | Translator: geekpi | Proofreader: wxy

This article was originally translated by LCTT and is proudly presented by Linux China.


Origin: blog.csdn.net/F8qG7f9YD02Pe/article/details/91079399