
stunnel to the rescue

stunnel is an application that provides SSL/TLS-based tunnels and lets us specify which traffic should be carried over them. This is the perfect solution for our needs. stunnel has to be set up on both sides to work, so let me show you how to configure both ends of the tunnel.

Setting up stunnel can be a little complicated the first time you go through it because of the mix of ports and IPs. You may need to diagram it out just to make sure that you have the correct ports and IPs in the right places. Let me start with the C&C server, which will be our stunnel server. I am assuming stunnel is already installed, just not configured.

  1. First, I need to set up the certificates for the encryption between the client and server. We will use openssl to generate the certificates and then combine them into a single .PEM file:
  2. Next, we will make sure that we enable stunnel:
  3. Configuring the stunnel configuration file is probably the hardest task in this entire step. There is not a lot of configuration to add, but a few settings are required.
  4. Within the configuration file, I need to make sure that stunnel knows this is the server and not the client. This is accomplished with the following parameter:
     client = no
  5. I also need to let stunnel know where the certificate resides, using the cert parameter:
     cert = /PATH/TO/CERT
  6. Telling stunnel which IP address and port to listen on is very important. This is set using the Accept parameter. In my case, this will be port 443 and the IP address of the interface we plan to use:
     Accept = 192.168.33.27:443
  7. Finally, the Connect parameter tells stunnel where to send the traffic:
     Connect = 127.0.0.1:22

That is all the configuration that needs to be performed on the server side. Once the client side is set up, we can test the whole process. Make sure that you restart the stunnel service on the C&C server so that it picks up the new settings:

service stunnel4 restart

If you are running firewall software on either the C&C server or the Raspberry Pi, you will need to make sure that the correct ports are open for stunnel and the reverse SSH tunnel.
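
The following is an added example, not part of the original text: a small shell check that a server-side stunnel configuration file carries the four settings from the steps above and that the combined .PEM holds both a key and a certificate, so mistakes are caught before the service is restarted. The function names are hypothetical, and the check ignores any [service] section headers in the file.

```shell
#!/bin/sh
# Added example: sanity-check a stunnel *server* config (function names are hypothetical).
# conf_get FILE KEY -> prints the last value assigned to KEY (key match is case-insensitive)
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*[;#]/ { next }                      # skip comment lines
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == tolower(k)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val); out = val
            }
        }
        END { print out }' "$1"
}

check_stunnel_server_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    [ "$(conf_get "$conf" client)" = "no" ] ||
        { echo "client must be 'no' on the server side" >&2; rc=1; }

    cert=$(conf_get "$conf" cert)
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "cert file missing or unreadable: '$cert'" >&2; rc=1
    else
        # The combined .PEM must carry both the private key and the certificate.
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert" ||
            { echo "no private key block in $cert" >&2; rc=1; }
        grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
            { echo "no certificate block in $cert" >&2; rc=1; }
    fi

    for key in accept connect; do
        # Expect host:port with a port in the range 1..65535.
        port=$(conf_get "$conf" "$key" | sed -n 's/^.*:\([0-9][0-9]*\)$/\1/p')
        if [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "$key must be host:port with a valid port" >&2; rc=1
        fi
    done
    return $rc
}

# When run as a script, check the config file given as the first argument.
if [ "$#" -gt 0 ]; then check_stunnel_server_conf "$1"; fi
```

Run it with the path of your stunnel configuration file as the only argument; a non-zero exit status means at least one of the settings needs attention.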