Title: How To Secure VNC with stunnel
Objective: Protect VNC traffic with strong encryption over an untrusted network
Test platforms:
Server: Dell Precision T3400n, Fedora 8
Clients: Dell Precision 360, Red Hat Linux 9
Dell Inspiron E1705, Fedora 7
Dell Precision 370, Windows 2000 SP2
Notes:
1. If you need file transfers, stunnel is not what you want. Instead, try port forwarding with ssh:
Code:
ssh -2 -L 15900:localhost:5900 user@192.168.1.100
-or- if you only want individual X apps rather than the whole X display, use X11 forwarding:
Code:
ssh -2Y user@192.168.1.100
2. I assume you already have vnc (viewer), vnc-server, and vnc-libs or Windows equivalent packages installed along with their dependencies. VNC configuration is beyond the scope of this topic. I'll write a HowTo for that if there's interest.
3. This stunnel configuration is based on protecting VNC services configured to run from xinetd (2 geometries) and the remote native (:0.0) display (1 geometry), so 3 ports altogether.
The following are entries I've added to /etc/services for the vnc services run from xinetd. I put them here only as a reference since we use these port numbers in the stunnel config. The remote native display automatically uses port 5900 for display ":0.0".
Code:
vnc1024x768x24 5972/tcp # VNC Service 1024x768, 24-bit color depth
vnc1280x1024x24 5973/tcp # VNC Service 1280x1024, 24-bit color depth
4. Installation and configuration below must be done as "root" or using "sudo" except the actual testing of stunnel with vncviewer.
5. Please correct me if any of this seems wrong or I've omitted anything.
Install stunnel on Fedora 7: stunnel-4.20-2 (Fedora 7 Repo)
Fedora 8: stunnel-4.20-4 (Fedora 8 Repo)
Code:
yum install stunnel stunnel-debuginfo
Edit the appropriate sample config file at the end of this HowTo and save to:
Code:
/etc/stunnel/stunnel.conf
Create the sample startup script provided at the end of this HowTo, edit it, and copy it to "/etc/init.d/". Then make it executable.
(no startup script comes with the Fedora packages)
Code:
vi /etc/init.d/stunnel
chmod 755 /etc/init.d/stunnel
Configure the machine (instructions below), then set up and start the service:
Code:
chkconfig stunnel on
service stunnel start
Notes:
1. Linux packages may require some additional dependencies, depending on your system. Yum should resolve and offer to install these, though. If you build rpms from source you may have to locate, download, and install any dependencies.
2. No startup script comes with the Fedora packages
3. You'll need to change the chroot paths in the samples to match your system.
Install stunnel on RHL9: stunnel-4.22-1 (built from stunnel.org source)
From wherever you downloaded the source tar-ball, as root:
Code:
cp stunnel-4.22.tar.gz /usr/src/redhat/SOURCES/
cd /usr/src/redhat
rpmbuild -ta SOURCES/stunnel-4.22.tar.gz
-------------------------------------------
Wrote: /usr/src/redhat/SRPMS/stunnel-4.22-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/stunnel-4.22-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/stunnel-debuginfo-4.22-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.60189
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd stunnel-4.22
+ /bin/rm -rf /var/tmp/stunnel-4.22-root
+ exit 0
-------------------------------------------
rpm -Uv RPMS/i386/stunnel-*
Edit the appropriate sample config file at the end of this HowTo and save to:
Code:
/etc/stunnel/stunnel.conf
Create the sample startup script provided at the end of this HowTo, edit it, and copy it to "/etc/init.d/". Then make it executable.
(the startup script shipped in the source tar-ball has wrong paths and does not work with chkconfig; see the notes below)
Code:
vi /etc/init.d/stunnel
chmod 755 /etc/init.d/stunnel
Configure the machine (instructions below), then set up and start the service:
Code:
chkconfig stunnel on
service stunnel start
Notes:
1. The source tar-ball comes with a basic startup script, but its paths are wrong. It also does not follow the init-script conventions, which makes it unusable with "chkconfig".
2. You'll need to change the chroot paths of this sample to match your system.
Install stunnel on Windows: stunnel-4.22-1 (downloaded from stunnel.org)
While logged into an account with "administrator" access rights:
1. Double-click the executable "stunnel-4.22-installer.exe".
2. Follow prompts and take default options.
3. Open a new file in Notepad and copy this exact text into it:
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]
"AllowLoopback"=dword:00000001
4. Save the file as "StunnelRealVNC.reg".
5. Double-click the file and accept the pop-up confirmation.
6. Edit the appropriate sample stunnel.conf file using the example at the end of this HowTo and save to:
Code:
C:\Program Files\stunnel\stunnel.conf
7. Select menu item:
[Start]->[Programs]->[stunnel]->[Service Install]
(example is Win2K, XP and others may be different)
Server (F8) Configuration:
Generate and stage the stunnel server certificate:
Code:
cd /etc/pki/tls/certs
make stunnel.pem
cp -p stunnel.pem /etc/stunnel/
cp -p stunnel.pem /etc/stunnel/stunnel.crt
Set up the chroot environment:
Code:
mkdir -p /chroot/{bin,certs,crls,dev,etc,lib,lib64,sbin,usr,var}
mkdir /chroot/var/{log,run}
cd /chroot/usr
ln -s ../lib64 lib64
ln -s ../lib lib
ln -s ../sbin sbin
ldd /usr/sbin/stunnel
Sample ldd output
linux-vdso.so.1 => (0x00007fff64bfd000)
libz.so.1 => /lib64/libz.so.1 (0x00002aaaaaee9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab0fd000)
libutil.so.1 => /lib64/libutil.so.1 (0x00002aaaab301000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aaaab505000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaab720000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaab969000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002aaaabcb2000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaaabebb000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaccd000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaac212000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaac441000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaac6d3000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaac8d5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002aaaacafb000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaacd13000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaacf1b000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaad11e000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaad333000)
Notes:
1. The last command above gives you the list of dependent libraries. Copy these libraries to the chroot lib directories and set ownership, permissions, and SELinux context for them as I've done below. Your list may be different.
2. If your machine is not 64-bit, ignore the "lib64" lines.
3. Your chroot directory may be in a different location. Mine is at /chroot because we had previously installed "rssh" with this chroot dir. Fedora packages suggest "/var/run/stunnel", while those built from source suggest "/usr/var/lib/stunnel". Take your pick. As long as stunnel can live there and the SELinux context, ownership, and permissions are set right, you can put it anywhere. If your system has multiple filesystems, it's better, in terms of general security, to put the chroot jail in a separate filesystem from system binaries.
4. You may not need all these directories and files. I did this because it's what you usually do to set up a chroot jail: copy the binary and its dependent libraries. When I used "find /chroot -anewer reference_file.txt" it only came up with "/chroot/var/run/stunnel.pid". This would seem to indicate that this is all we need in the chroot jail. You may need more if you're using login keys, but we don't use them.
Copy and edit the output of "ldd":
Code:
cp /lib64/libz.so.1 \
/lib64/libdl.so.2 \
/lib64/libutil.so.1 \
/lib64/libpthread.so.0 \
/lib64/libssl.so.6 \
/lib64/libcrypto.so.6 \
/lib64/libwrap.so.0 \
/lib64/libc.so.6 \
/lib64/ld-linux-x86-64.so.2 \
/lib64/libcom_err.so.2 \
/lib64/libnsl.so.1 \
/lib64/libkeyutils.so.1 \
/lib64/libresolv.so.2 \
/lib64/libselinux.so.1 \
/chroot/lib64/
cp /usr/lib64/libgssapi_krb5.so.2 \
/usr/lib64/libkrb5.so.3 \
/usr/lib64/libk5crypto.so.3 \
/usr/lib64/libkrb5support.so.0 \
/chroot/usr/lib64/
Copy stunnel binaries:
Code:
cp /usr/sbin/stunnel* /chroot/usr/sbin/
Change SELinux context of binaries and libraries in chroot dir:
Code:
chcon --reference=/usr/sbin/stunnel /chroot/usr/sbin/stunnel
chcon --reference=/usr/sbin/stunnel3 /chroot/usr/sbin/stunnel3
chcon --reference=/lib64/libpthread.so.0 /chroot/lib64/*
Change group and permissions of /chroot/var/run
(stunnel raises errors without this)
Code:
chgrp nobody /chroot/var/run
chmod g+w /chroot/var/run
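The hand-edited "ldd" copy step above can be automated. This is an added example, not part of the original HowTo: it parses ldd output (a constructed sample in the same shape as the listing above), skips the vDSO, keeps the dynamic loader line, and copies each library into the jail under its original directory (/lib64 vs /usr/lib64), applying the same chcon as the HowTo. It assumes POSIX sh/awk and GNU coreutils; the /chroot path is the HowTo's.

```shell
#!/bin/sh
# Added example, not the HowTo author's code: automate "ldd -> copy into chroot".
# Assumes POSIX sh and awk plus GNU coreutils (cp -p, mkdir -p).

# Constructed ldd output in the shape of the HowTo's listing (not a real run).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff64bfd000)
    libz.so.1 => /lib64/libz.so.1 (0x00002aaaaaee9000)
    libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaab720000)
    /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaccd000)
    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaac441000)'

# Read ldd output on stdin, print one absolute library path per line.
# The vDSO has no file on disk and is skipped; the dynamic loader line has
# no "=>" but must still be staged or nothing in the jail will run.
ldd_libs() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }  # name => /path (addr)
        $1 ~ /^\// { print $1 }                        # /lib64/ld-linux... (addr)
    '
}

# Read library paths on stdin and copy each into the jail rooted at $1,
# recreating its directory so the loader finds it where it expects to.
# The SELinux context is copied as in the HowTo's chcon step; the call is
# silently skipped on systems without SELinux.
stage_libs() {
    jail=$1
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "skipping missing library: $lib" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
        chcon --reference="$lib" "$jail$lib" 2>/dev/null || :
    done
}

# Number of libraries the constructed sample would stage (4; vDSO skipped).
sample_lib_count() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs | wc -l | tr -d ' '
}

# Real use on the server, as root:
#   ldd /usr/sbin/stunnel | ldd_libs | stage_libs /chroot
```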
Add firewall rules to /etc/sysconfig/iptables just before the "REJECT" rule:
Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17700 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17772 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17773 -j ACCEPT
Notes:
1. Clients are coming in on eth0 ports 17700, 17772, and 17773.
2. Do not add iptables rules on the fly! They will be added after the "catch all" REJECT rule and will NOT work.
3. "--dport" matches the "accept" port(s) in stunnel.conf.
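A quick way to catch the pitfall in note 2 before restarting the firewall. This is an added example, not from the original HowTo: it reads an /etc/sysconfig/iptables style file (a constructed sample, not the author's file) and reports any ACCEPT rule in the chain that sits after the chain's catch-all REJECT and therefore never matches. It assumes POSIX sh and awk; the chain name and ports are the HowTo's.

```shell
#!/bin/sh
# Added example, not the HowTo author's code: find ACCEPT rules placed after
# the chain's REJECT in a saved iptables rules file. Assumes POSIX sh/awk.

# Constructed rules file (not the author's). The 17773 rule was appended
# after the REJECT, as happens when rules are added on the fly.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17700 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17772 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 17773 -j ACCEPT
COMMIT'

# Read a rules file on stdin; print the --dport of every ACCEPT rule in
# chain $1 that appears after that chain's first REJECT (dead rules).
dead_accepts() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j REJECT/ { rejected = 1; next }
        $1 == "-A" && $2 == chain && rejected && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }
    '
}

# check_ports CHAIN PORT... : read the rules file on stdin and return 0 when
# every listed port is accepted before the REJECT, 1 (with a message) otherwise.
check_ports() {
    chain=$1; shift
    dead=$(dead_accepts "$chain" | tr '\n' ' ')
    for port in "$@"; do
        case " $dead " in
            *" $port "*) echo "port $port is accepted after REJECT" >&2; return 1 ;;
        esac
    done
    return 0
}

# Real use on the server:
#   check_ports RH-Firewall-1-INPUT 17700 17772 17773 < /etc/sysconfig/iptables
```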
Due to the 10000 character limit, this HowTo is continued in the next post.