Hello list.
After a few tries, my stunnel configuration is working well. I am using it to tunnel my vnc connections to my winXP box.
Now I have a question about how the software is working.
In the past, when I was using VNC at port 5900 and I did a telnet to that box with port 5900, VNC was answering with something like 003005 which was the VNC protocol version the server was able to communicate.
Now because of the tunneling effect, my vnc server still listens at 127.0.0.1:5900 but is expecting ssled connections at xxx.xxx.xxx.xxx:9999.
When I do a telnet at xxx.xxx.xxx.xxx at port 9999 my box is answering something like: Connected to xxx.xxx.xxx.xxx Escape character is ...
Now if enter something like "test" the telnet window shows me that the connection is closed by foreign host (means: my xp box).
Lets assume, someone is trying to hack my computer and doing a port scan. She/he will find out for sure, that my port 9999 is opened. Usually the server listening behind the port is sending something the attacker could use to point to the software running behind the port. In this case, as far as I can see nothing is sent to give a hint that stunnel is waiting there to route my connection attempt to 127.0.0.1:5900.
Is it right, that this is the magic - for sure besides encryption and all the algorithms necessary to do the port forwarding - stunnel provides? I mean as long as an attacker doesnt know what is hiding behind the port he/she also doesnt know how to attack or how to get through. Is that conclusion right?
Please tell me, if my conclusions are wrong or if I got something wrong.
Stefan
Hello,
If I remember correctly the VNC server will listen for connections on _all_ available interfaces on the server. You might want to make sure that port 5900 is not accessible from the internet, and maybe use the "Loopback Only" connections options on the VNC server to ensure that no connections are going directly without the tunnel.
You might want to take a look at this document for the nmap documentation http://insecure.org/nmap/vscan/vscan-post-processors.html It describes how nmap tries to identify services that use SSL as well.
Other user metioned before of the use of certificates for client-server authentication... You should consider this option. Basically, the server and client will check if the connection should be allowed based on the certificate presented by each peer. In this way, the only way people can connect is to have an authorized certificate.
:)
--- fuzzy_4711 fuzzy_4711@gmx.de wrote:
Hello list.
After a few tries, my stunnel configuration is working well. I am using it to tunnel my vnc connections to my winXP box.
Now I have a question about how the software is working.
In the past, when I was using VNC at port 5900 and I did a telnet to that box with port 5900, VNC was answering with something like 003005 which was the VNC protocol version the server was able to communicate.
Now because of the tunneling effect, my vnc server still listens at 127.0.0.1:5900 but is expecting ssled connections at xxx.xxx.xxx.xxx:9999.
When I do a telnet at xxx.xxx.xxx.xxx at port 9999 my box is answering something like: Connected to xxx.xxx.xxx.xxx Escape character is ...
Now if enter something like "test" the telnet window shows me that the connection is closed by foreign host (means: my xp box).
Lets assume, someone is trying to hack my computer and doing a port scan. She/he will find out for sure, that my port 9999 is opened. Usually the server listening behind the port is sending something the attacker could use to point to the software running behind the port. In this case, as far as I can see nothing is sent to give a hint that stunnel is waiting there to route my connection attempt to 127.0.0.1:5900.
Is it right, that this is the magic - for sure besides encryption and all the algorithms necessary to do the port forwarding - stunnel provides? I mean as long as an attacker doesnt know what is hiding behind the port he/she also doesnt know how to attack or how to get through. Is that conclusion right?
Please tell me, if my conclusions are wrong or if I got something wrong.
Stefan
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Algol has explained it quite nicely for you.
I would like to add that Stunnel will hide the service running behind the stunnel port if you use the certificate for authentication in the verify 3 mode (verify = 3) as stunnel verifies the certificate before allowing the remote host to connect. If the certificate is invalid, stunnel will drop the connection before any further information is revealed.
So if you want the connection as secure as possible, use mode 3.
From the manual:
verify = level verify peer certificate
level 1 - verify peer certificate if present level 2 - verify peer certificate level 3 - verify peer with locally installed certificate default - no verify
My 2 ped :)
Cheers
Craig
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users- bounces@mirt.net] On Behalf Of Algol Tradent Sent: 06 November 2007 04:29 AM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] How is it working?
Hello,
If I remember correctly the VNC server will listen for connections on _all_ available interfaces on the server. You might want to make sure that port 5900 is not accessible from the internet, and maybe use the "Loopback Only" connections options on the VNC server to ensure that no connections are going directly without the tunnel.
You might want to take a look at this document for the nmap documentation http://insecure.org/nmap/vscan/vscan-post-processors.html It describes how nmap tries to identify services that use SSL as well.
Other user metioned before of the use of certificates for client-server authentication... You should consider this option. Basically, the server and client will check if the connection should be allowed based on the certificate presented by each peer. In this way, the only way people can connect is to have an authorized certificate.
:)
--- fuzzy_4711 fuzzy_4711@gmx.de wrote:
Hello list.
After a few tries, my stunnel configuration is working well. I am using it to tunnel my vnc connections to my winXP box.
Now I have a question about how the software is working.
In the past, when I was using VNC at port 5900 and I did a telnet to that box with port 5900, VNC was answering with something like 003005 which was the VNC protocol version the server was able to communicate.
Now because of the tunneling effect, my vnc server still listens at 127.0.0.1:5900 but is expecting ssled connections at xxx.xxx.xxx.xxx:9999.
When I do a telnet at xxx.xxx.xxx.xxx at port 9999 my box is answering something like: Connected to xxx.xxx.xxx.xxx Escape character is ...
Now if enter something like "test" the telnet window shows me that the connection is closed by foreign host (means: my xp box).
Lets assume, someone is trying to hack my computer and doing a port scan. She/he will find out for sure, that my port 9999 is opened. Usually the server listening behind the port is sending something the attacker could use to point to the software running behind the port. In this case, as far as I can see nothing is sent to give a hint that stunnel is waiting there to route my connection attempt to 127.0.0.1:5900.
Is it right, that this is the magic - for sure besides encryption and all the algorithms necessary to do the port forwarding - stunnel provides? I mean as long as an attacker doesnt know what is hiding behind the port he/she also doesnt know how to attack or how to get through. Is that conclusion right?
Please tell me, if my conclusions are wrong or if I got something wrong.
Stefan
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-
Algol Tradent -
Craig Retief -
fuzzy_4711