BY ADAM THORNTON A Thumbnail Guide to System Security for Linux: Part III — SSL-Wrapping Services: A Working Example ith the aid of a little Linux wizardry, the author demonstrates how to convert a useful but Winsecure service to an equally useful, but far more secure service. By simply inserting a transparent SSL proxy into the data stream of the connection, you can encrypt a service without requiring any modification to the application providing that service. month, I examined in general terms how to harden multiple folders and allows users to create their own sub- LAST a Linux server; most of folders. Its current revision level is my advice came down to two basic IMAP4rev1. precepts: Do not run services you do POP and IMAP are two Most mail client programs can use not need and avoid protocols (where common mail access either POP or IMAP; traditionally possible) that exchange authentication IMAP is more convenient for the user, information in cleartext. I also briefly services. Each service takes because of its greater flexibility. addressed how to tighten file permis- a set of mail messages and However, due to its complexity, IMAP sions with SuSE’s permissions tool has been regarded as less secure, and controlled from /etc/rc.config. presents that set to a user’s an IMAP server will require more This month, I will examine two mail client program. The resources than a POP server. common Web-based services, IMAP However, in their basic forms, both and POP3, as well as illustrate how to Post Office Protocol (POP) POP and IMAP transmit passwords in use a wrapper program to enable was designed to download cleartext. Although this may be these services to perform their trans- acceptable for use on a trusted LAN, actions over a Secure Sockets Layer mail from a central server it is clearly inappropriate for remote (SSL) channel. to a client machine; the users or in an environment where you cannot know the trustworthiness of all POP AND IMAP revision currently in use is machines on the network (i.e., some known as POP3. university settings where students can POP and IMAP are two common attach their own computers to the mail access services. Each service The Internet Message campus network). takes a set of mail messages and Access Protocol (IMAP) presents that set to a user’s mail client SSL program. The Post Office Protocol is somewhat more (POP) was designed to download mail sophisticated, and really Enter SSL. SSL provides a mecha- from a central server to a client nism for transport-layer encryption. machine; POP3 is the revision cur- represents a protocol for That is, a connection negotiates a key rently in use. The Internet Message working with remote files. exchange, and then all further traffic Access Protocol (IMAP) is somewhat over that connection is encrypted and more sophisticated, and really repre- thus protected from snooping. SSL is sents a protocol for working with remote files: It supports designed to be a drop-in replacement for traditional network TECHNICAL SUPPORT • MARCH 2002 ©2002 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. FIGURE 1: DIAGRAM OF SSL PROXY PORT SETUP FIGURE 2: UNPACKING THE STUNNEL SOURCE PACKAGE cd /usr/local/src tar xvfz ~/stunnel-3.22.tar.gz cd stunnel-3.22 FIGURE 3: COMMANDS TO COMPILE AND INSTALL STUNNEL ./configure make make install There are two commonly available tools under Linux to do this, although, sadly enough, neither tool is available as a base package under SuSE 7.0 GA. This means that you will have to grab one or the other of them and build it from source. The two packages are called stunnel and sslwrap. Of the two, stunnel is a better choice for new installations, as it is actively maintained. It also supports SMTP STARTTLS as a special case, which is a nice bonus. You can download the file from www.stunnel.org/download/ source.html; as of this writing, the current release is 3.22. Please note that it requires an installed OpenSSL library to compile; how- ever, you should have already downloaded the OpenSSL and OpenSSH RPM archives from suse.com. (If you have not downloaded these, you really have not been paying attention to the previous arti- cles in the series, and you should download and install those packages immediately.) connections; that is, you can tunnel any protocol over SSL without Unpack the file into an appropriate directory and change to that changing the protocol’s definition. directory. I use /usr/local/src, and I downloaded the file into root’s This has a huge advantage, as non-SSL-aware applications do not home directory, so the command looks similar to what appears in need to be made SSL-aware, as long as an SSL stage can be placed Figure 2. Next, perform the familiar compilation and installation in front of them. ritual using the commands shown in Figure 3. This presumes that Some protocols provide built-in support for other authentication /usr/local is a reasonable place for the stunnel stuff to reside on mechanisms. For this reason, it can be difficult to use SSL to your system; if not, you can use /configure -prefix=wherever-you- tunnel them. For instance, SMTP supports STARTTLS extensions, want-stunnel-to-go. which allow it to choose whether or not to use SSL encryption in Note that one of the stunnel steps actually creates an x.509 cer- its communication. If you were to attempt to simply put an SSL tificate for the service (see Part I, Technical Support, January tunnel wrapper around SMTP, you would either have to pick a 2002 for more about x.509 certificates). You will be asked ques- non-standard port to do it on, or put a wrapper around port 25. In tions about your site. It is important for you to correctly answer the the former case, unless you set up the mail transport system your- Fully-Qualified Domain Name of your host (FQDN). This is just self, it would not know how to talk to you (thus, precluding anyone what it sounds like: Assuming that your server is correctly config- else’s mail system from sending you mail), and in the latter, no ured, you should enter the output of the “hostname -f” command. unencrypted mail could use your SMTP service. If your site already has a certificate signed by a recognized SSL-wrapping works best when there are defined, distinct ports Certificate Authority (CA), you will want to use that certificate to for the cleartext and encrypted protocols. Therefore, POP and sign stunnel’s certificate. Otherwise, your users will get warning IMAP are good choices: POP3 listens on port 110 and IMAP on messages that the certificate they are using does not have a chain 143, but POP3S and IMAPS, the secure versions, listen on ports of trust terminating in a known CA. What this means is that no rec- 995 and 993, respectively. ognized CA has signed your encryption certificate; therefore, any- one trusting your service is doing so purely on your affirmation INSTALLING AN SSL PROXY that it is what it purports to be. The theory behind CAs is that they will exercise due diligence so that you can be reasonably confident You will need to define a listener to a particular port that provides that a key signed by a recognized CA belongs to the organization the SSL encryption and decryption functions, and then internally that claims to own it. forwards the decrypted stream to the cleartext service. Since the cleartext stream never leaves the machine, it is much safer from SYSTEM CONFIGURATION prying eyes than a simple cleartext service would be. Therefore, your SSL wrapper has to function as a proxy server, whose only job Now you must make a decision about the configuration. It is pos- is to remove encryption on incoming streams and add it on outgo- sible to start stunnel from inetd, but this is not recommended, as ing streams. See Figure 1. you will have to initialize SSL with every connection, and there is ©2002 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. TECHNICAL SUPPORT • MARCH 2002 no saved session state. Thus, it is generally FIGURE 4: COMMANDS LINES TO START STUNNEL IN DAEMON MODE better to start stunnel as a daemon on its own. You will want to do this at boot time stunnel -N imaps -d imaps 993 -l /usr/sbin/imapd imapd stunnel -N pop3s -d pop3s -l /usr/sbin/popper — popper -s by adding the lines in Figure 4 to /etc/rc.d/boot.local. These two lines start FIGURE 5: /ETC/INETD.CONF ENTRIES FOR POP AND IMAP stunnel in daemon mode and connect the local endpoint to the appropriate daemon. pop3 stream tcp nowait root /usr/sbin/tcpd /u sr/sbin/popper -s The -N option allows you to explicitly specify imap stream tcp nowait root /usr/sbin/tcpd imapd a service name, and you can use that feature to differentiate between the cleartext proto- FIGURE 6: ENTRIES IN /ETC/HOSTS.ALLOW TO RESTRICT ACCESS cols and the encrypted protocols in TO UNENCRYPTED POP AND IMAP TO LOCAL NETWORK /etc/hosts.allow. For the -d option to work with service names, rather than port num- ALL: [email protected]/255.0.0.0 popper : [email protected]/255.255.0.0 bers, IMAPS and POP3S must be present in imapd: [email protected]/255.255.0.0 /etc/services, which they are under SuSE pop3s: ALL@ALL 7.0 GA.