Open source software security

Using Secure Protocols - How to set up SSH and POP3s (or SSL wrapped POP)

Updated: 5/25/05
Securing your Linux server should *always* include replacing the standard clear-text protocols with encrypted ones, so that the machine is resistant to sniffing attacks. Sniffing is hard to defend against because the threat is not on your own host: any machine on the same network segment that you do not control, or an upstream router or server at the ISP, can be compromised and used to capture your traffic, and you will never see it happen. Every telnet or ftp login sends a password in the clear; POP3 is worse, because mail clients reconnect and re-authenticate every few minutes, so the same password crosses the wire all day long.

To minimize the risk of these attacks, use encrypted protocols in place of the clear-text ones. SSH (Secure Shell) and SSL (Secure Sockets Layer) give you a wide range of secure configurations for data transfer. This article outlines the steps I used to secure my Mandriva server and implement secure protocols. Because Mandriva's layout and packaging tools (rpm, urpmi) differ from other distributions, these steps are only a rough guideline for anyone running something other than Mandriva (or Red Hat, which shares the rpm format).

The first step in implementing any new daemon service is to find out whether it is offered through the classic inetd super-server. On Mandrake 8.0 and later it is not: those releases ship xinetd, a replacement for inetd whose configuration bears little resemblance to inetd.conf. For more information see xinetd.org or the appropriate section on Mandriva Club. xinetd is controlled through the /etc/xinetd.d directory, with its basic configuration in /etc/xinetd.conf. On a default installation this file contains very little:
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
}

includedir /etc/xinetd.d

Note the 'includedir' line, however. It points to /etc/xinetd.d, which holds one configuration file per service started through xinetd. This will be very important later for SSL wrapping of POP3.

The easiest encrypted protocol to get going on Mandrake is SSH; in fact, your server may already have it up and running. Check with:
# ps aux | grep sshd

If you see an 'sshd' process you're set. If it isn't running, check whether the packages are installed (Mandrake splits the daemon out into openssh-server):
# rpm -q openssh openssh-server

If a package isn't installed, rpm tells you so. Install it with the Package Manager on your desktop, or from an RPM file with:
# rpm -ivh openssh-server-versionnumber.rpm

where versionnumber is whatever .rpm version you have. Or, if you'd like to let urpmi fetch the package and its dependencies for you:
# urpmi openssh-server

Once this is done there is no need to reboot: start the daemon with the native init script. As root:
# /etc/rc.d/init.d/sshd restart

SSH should go without a hitch; use chkconfig to make sure sshd is also started at boot. For more information see the SSH website, where you can also download Windows clients so that you can connect to your server over secure shell from a Windows machine. Once sshd is working, disable the telnet and ftp services in /etc/xinetd.d (set 'disable = yes' in each file) so that the clear-text path no longer exists.

SECURING POP3

Securing POP3 can be a much more involved process (read: *it was a bitch for me*) but is by no means impossible. With older versions of Mandrake you may need stunnel to wrap connections on port 995 (pop3s). With this method, incoming connections on port 995 go through stunnel, which uses the OpenSSL libraries to handle the SSL encryption and decryption, and the decrypted plain POP3 session is handed to your regular POP3 server, ipop3d (in the setup below stunnel starts ipop3d itself rather than connecting to port 110). This is a rather roundabout method, but I haven't found an easier way to do it.

The first step in securing POP3 is to check that SSL is installed. I recommend OpenSSL. Use:
# rpm -q openssl

to check whether it is installed. If not, grab the RPMs from the 'Core System' CD and install them, or use the GUI package manager. Once you've located the package on your installation CDs or from an online source (like rpmfind.net) you can install it with:
# rpm -ivh openssl-versionnumber

Or with:
# urpmi openssl

You'll probably want to build your own POP3s certificate. In newer versions of Mandriva this certificate lives in /etc/ssl/imap/ipop3sd.pem, a single file holding both the private key and the self-signed certificate. Build a new one to replace the default with:
# openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/imap/ipop3sd.pem -keyout /etc/ssl/imap/ipop3sd.pem

When prompted for the Common Name, enter the host name your clients will connect to. The -nodes option leaves the private key unencrypted so the daemon can read it unattended, so make sure the file is owned by root with mode 0600. Because the certificate is self-signed, mail clients will warn about it the first time they connect.

If you are going to build stunnel from source (the older route described further down), you must also install the openssl-devel package. It contains the headers and libraries stunnel's build needs to link against OpenSSL; without it the compile fails. A prebuilt stunnel RPM only needs the openssl package itself. Check whether openssl-devel is installed using the same method as before, install it if needed, and you're set for the next step.

Before trying the stunnel wrapper, check whether the packages already installed can do the job. On later versions of Mandriva this is quite simple. First check whether you have the imap package installed (the UW IMAP package, which provides the ipop3d and ipop3sd daemons for POP3 and POP3s):
# rpm -q imap

If imap is already installed you can enable POP3s in xinetd. Check the pop3s file in /etc/xinetd.d/. The file (/etc/xinetd.d/pop3s) should look something like:
# default: off
# description: The POP3S service allows remote users to access their mail \
#              using a POP3 client with SSL support such as fetchmail.
service pop3s
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3sd
        log_on_success          += USERID
        log_on_failure          += USERID
}

If the file contains a line that reads "disable", set it to "disable = no" (the '# default: off' comment means the service ships disabled). Once you've updated the file, restart xinetd with:
# /etc/rc.d/init.d/xinetd restart

If everything works you should test the connection. Connect to the POP3 server over SSL with:
# openssl s_client -connect localhost:995

You should see the certificate details followed by the server's '+OK' POP3 greeting; type QUIT to close the session. A plain telnet to port 995 will not show the greeting, because the server expects an SSL handshake first.

Be sure you've allowed port 995 through whatever local firewall you have enabled (shorewall is the usual one on Mandriva, configured via /etc/shorewall/rules; note that after modifying this file you have to restart shorewall by issuing '/etc/rc.d/init.d/shorewall restart' as root).

If you're on an older installation, or prefer to have stunnel handle the POP3s connections, read on.

Once OpenSSL and openssl-devel are installed you need to install stunnel. You can probably find an RPM for stunnel on rpmfind.net. If there is none for your distribution you'll have to build it from source the old-fashioned way. Download the latest stable version from stunnel.org (and check the tarball against the signature published there before building it). Once downloaded, unpack and install it with:
	gzip -dc stunnel-VERSION.tar.gz | tar -xvf -
	cd stunnel-VERSION
	./configure
	make
	make install

At this point (if you didn't encounter any errors) stunnel is installed. The next step is to make a certificate and the key that goes with it. With stunnel 3.x simply type:
# make cert

(stunnel 4 instead generates its stunnel.pem during 'make install', and it replaced the -p and -l command-line flags used below with a configuration file; check the man page for the version you installed.)

Answer the questions and take note of where the 'stunnel.pem' file is written (it should be your current directory). Write this path down, as it is needed in the next step. Because the file contains the private key, make it readable only by root. Now stunnel is all set up.

The only step that remains is to modify xinetd so that pop3s connections are passed by stunnel to ipop3d, your POP3 server. Go to /etc/xinetd.d and type:
# ls -l

If you don't see a pop3s entry in the directory go ahead and create one using:
# touch pop3s

Type ls -l again to make sure the file was created. Once created (or if it already exists) edit the file with your favourite editor; I use:
# vi pop3s 

Once the file is open edit it to look like this:
# default: off
# description: The POP3S service allows remote users to access their mail \
#              using a POP3 client with SSL support such as fetchmail.
service pop3s
{
        disable                 = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/local/sbin/stunnel
        server_args             = -p /usr/local/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d
        log_on_success          += USERID
        log_on_failure          += USERID
}

The server_args line is the important one and may differ on your machine. It gives the flags xinetd passes to stunnel when it launches /usr/local/sbin/stunnel. The -p flag gives the location of the stunnel.pem file (the path you wrote down a moment ago). Change it so that it reflects the location of your stunnel.pem (for instance, if your .pem is in /home/joe change it to read '-p /home/joe/stunnel.pem'). Since xinetd runs this service as root, the .pem can and should be owned by root with mode 0600; nothing else needs to read it. Leave the -l flag and everything after it exactly as shown: -l tells stunnel to run /usr/sbin/ipop3d itself and feed it the decrypted session, and the text after -- is the argument vector ipop3d sees. Make sure 'disable =' is set to 'no' so the service is active, and keep server_args on a single line with no line breaks. Once you're done, save the file.

Now xinetd must re-read its configuration. You can restart it with the init script as in the previous section, or send it SIGUSR1, which makes it reload its configuration without restarting. For the latter you first need the pid (process id) of xinetd:
# ps aux | grep xinetd

Note the pid (it varies from boot to boot). Then issue:
# kill -USR1 pid

where pid is the process id of xinetd. You should be done at this point. The quickest check is to connect to port 995 on localhost:
# telnet 127.0.0.1 995

If the connection is accepted and then hangs, stunnel is listening; telnet cannot complete the SSL handshake, so you will not see a POP3 greeting (use openssl s_client as in the previous section to see it). Check your log files in /var/log/daemons, especially /var/log/daemons/errors, to make sure there are no errors. If the connection is refused, check whether any firewall rules (ipchains, iptables, Bastille) are dropping it, and edit them so that port 995 is allowed through.
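To make the checks in this section repeatable, here is an added example script (not part of the original article, and not from the stunnel or xinetd projects) that inspects an xinetd service file like the one above and the stunnel.pem it points at. It assumes the stunnel 3.x '-p pemfile' argument form shown in the server_args line and that the pem is owned by root with mode 0600; the optional OWNER argument exists only so the checks can be run against a scratch copy as an unprivileged user, and the optional PEM argument covers the ipop3sd variant from the previous section, whose certificate path is not on the command line. The same script lists which xinetd services are still enabled, which is the quick way to confirm that telnet and the plain pop3 service are off once SSH and POP3s are working. The last function is the only one that talks to the network and needs a live server.

```sh
#!/bin/sh
# Added example: sanity checks for the xinetd + stunnel POP3s setup above.
# Not from the article, stunnel or xinetd; the layout assumed is the one shown
# on this page (stunnel 3.x "-p pemfile" in server_args, ipop3d run via -l).

# xinetd_enabled FILE -> 0 unless the service file says "disable = yes"
xinetd_enabled() {
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# xinetd_enabled_services DIR -> prints the names of the enabled services in DIR
# (run it on /etc/xinetd.d to confirm telnet, ftp and plain pop3 are gone)
xinetd_enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        xinetd_enabled "$f" && basename "$f"
    done
    return 0
}

# xinetd_server FILE -> prints the "server =" value
xinetd_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# xinetd_server_args FILE -> prints the "server_args =" value (first line only)
xinetd_server_args() {
    sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# xinetd_pem FILE -> prints the path following stunnel's -p flag in server_args
xinetd_pem() {
    xinetd_server_args "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-p") { print $(i + 1); exit } }'
}

# pem_private FILE [OWNER] -> 0 if FILE holds both a private key and a
# certificate, belongs to OWNER (default root) and is unreadable by group/other
pem_private() {
    pem=$1; owner=${2:-root}
    [ -f "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$pem" || { echo "$pem: no private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: no certificate" >&2; return 1; }
    # GNU stat first, BSD stat as the fallback
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    who=$(stat -c '%U' "$pem" 2>/dev/null || stat -f '%Su' "$pem")
    [ "$who" = "$owner" ] || { echo "$pem: owned by $who, expected $owner" >&2; return 1; }
    case $mode in
        400|600) return 0 ;;
        *) echo "$pem: mode $mode lets group/other read the private key" >&2; return 1 ;;
    esac
}

# check_pop3s FILE [OWNER] [PEM] -> runs every check on one service file; PEM
# overrides the path taken from server_args (needed for the ipop3sd variant)
check_pop3s() {
    f=$1; owner=${2:-root}; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    xinetd_enabled "$f" || { echo "$f: disable = yes, service is off" >&2; rc=1; }
    srv=$(xinetd_server "$f")
    [ -x "$srv" ] || { echo "$f: server '$srv' is not executable" >&2; rc=1; }
    # the article warns that server_args must stay on one line
    n=$(grep -c '^[[:space:]]*server_args' "$f" || true)
    [ "$n" -le 1 ] || { echo "$f: $n server_args lines, expected at most one" >&2; rc=1; }
    pem=${3:-$(xinetd_pem "$f")}
    if [ -n "$pem" ]; then
        pem_private "$pem" "$owner" || rc=1
    fi
    return $rc
}

# pop3s_greeting HOST PORT -> 0 if a TLS connection to HOST:PORT answers with a
# POP3 "+OK" greeting. The only function here that needs a running server.
pop3s_greeting() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -quiet 2>/dev/null |
        head -n 1 | grep -q '^+OK'
}
```

On the real server run 'check_pop3s /etc/xinetd.d/pop3s' as root after editing the file, 'xinetd_enabled_services /etc/xinetd.d' to confirm that only the services you mean to offer are enabled, and 'pop3s_greeting localhost 995' once xinetd has reloaded; the mode check is deliberately strict, because a group- or world-readable stunnel.pem hands out the private key that every POP3s session depends on.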

Once POP3s is set up, Outlook clients connect by going to Tools -> Accounts, selecting the appropriate account, hitting the 'Properties' button and, on the 'Advanced' tab, making sure the 'secure connection (SSL)' checkbox for the incoming server is checked (the port should change to 995). The client will warn about the self-signed certificate the first time; compare the fingerprint it shows with the one on the server before accepting it. Once every client has moved over, disable the plain pop3 service on port 110 in /etc/xinetd.d so that clear-text logins are no longer possible.