Wednesday, September 12, 2007

Safeguard your streams

If you wish to secure a connection from 1 service to another, what would you use?
a.) Why would I want to do that?
b.) Set up VPN.
c.) SSH tunneling.
d.) Stunnel.

a.) There is no such thing as being too paranoid.
b.) Ever heard the phrase "using a nuke to kill an ant"?
c.) Same as above by replace nuke with high explosive.
d.) BINGO!!

Stunnel is an application which wraps your normal connection over SSL/TLS to make sure no one can eavesdrop on your connection. This is particularly useful when you wish to secure your mail (SMTP, POP3) or securing your SVN server (heh, its what I am using it for:P). Its main benefits is that its extremely easy to set up (within 5 minutes) and it
only establishes a connection when needed, and not
maintain its secure tunnel perpetually, which eats up
your bandwidth unnecessarily.

This is my instruction on setting it up (for Ubuntu) on the server (svn as an example). Feel free to change the location and/or configuration to suit your needs.

  • sudo apt-get install stunnel
  • mkdir -p /home/shinning/secure_services/pid
  • mkdir -p /home/shinning/secure_services/service
  • cd /home/shinning/secure_services/
  • [create server cert] - openssl req -new -days 365 -nodes -out newreq.pem -keyout stunnel.pem
  • vi /home/shinning/secure_services/service/
  • stunnel -P /home/shinning/secure -p /home/shinning/secure_services/stunnel.pem -d 4000 -r localhost:3690

And that it. Your SVN server is now running securely on top of SSL/TLS making it hard for anyone to sniff your traffic. You can also make your client authenticate itself against your server if you want to by following this guide. There are also tonnes of other examples here. Happy securing ;)


kesmit said...

I was wondering about how to set up svn with stunnel and I found your article about it. I already knew how to set up the tunnel, I'm just not sure how to get svn to use the SSL tunnel rather than the standard unencrypted svnserver port. How are you doing that?

Lightstar said...

Hi kesmit,
You have to install stunnel on both the server and client side.

This is how I run my server
stunnel -P /var/run/svn -p "/var/cert/svn.pem" -d 9360 -r

For the client, make sure your /etc/stunnel.conf contains client=yes. Then you can add a rule like this
accept = 3690
connect = [svn server ip]:9360

Start stunnel on the client side and now everytime you run a svn command, it will automatically connect to the standard port (3690) and forward it the server securely.

Hope it answers your question :)