Using Secure Protocols - How to setup SSL wrapped POP
By: madirish
Securing your Linux server should *always* include substituting encrypted protocols for the standard clear-text ones in order to make your machine more resistant to sniffing attacks. Sniffing attacks are the most difficult to prevent and are usually the most damaging attacks against a server. The essential problem with line sniffing is that servers on your network for which you are not responsible could be used to compromise your security. Upstream servers (at the ISP level) are also susceptible to compromise and could be used to sniff your traffic. If users are transmitting data over telnet or ftp, your security is in jeopardy every time they connect; with POP3, where connections occur much more frequently, the risk is even greater.
To minimize the risk of these attacks, using encrypted protocols in place of the clear-text ones is your best option. SSH (Secure Shell) and SSL (Secure Sockets Layer) provide you with a wide array of possible secure configurations for data transfer. This article will attempt to outline the steps I used to secure my Mandrake 8.0 server and implement secure protocols. Because of Mandrake's particular architecture and packaging format (rpm), these steps may only serve as a rough guideline for anyone using another distribution.
The first step in implementing any new daemon service is to figure out whether it is offered through the standard inetd. With Mandrake 8.0 this is not the case: Mandrake 8.0 uses the newer xinetd super-server, which bears little resemblance to inetd. For more information check out xinetd.org or the appropriate section on Mandrake User. Xinetd is configured through the /etc/xinetd.d directory. You can check out its basic configuration in the file /etc/xinetd.conf. On a default installation this file contains very little:
---begin snip---
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
}
includedir /etc/xinetd.d
---end snip---
Notice the 'includedir' line, however. It points to the /etc/xinetd.d directory, which contains the configuration files for the services started through xinetd. This will be very important later for SSL wrapping POP3.
The easiest step in implementing encrypted protocols on Mandrake is installing SSH. In fact, your server may already have SSH up and running. Check whether you've got it by running:
ps -aux|grep ssh
If you see a process 'sshd' running then you're set. If it's not running, check whether it's installed using:
rpm -q openssh
If the package isn't installed, rpm will say so. You can install it with the Package Manager on your desktop or simply use:
rpm --install openssh-VERSION.rpm
where VERSION is whatever .rpm version you have. Once this is done you'll need to reboot and start the daemon in server mode (I already had SSH installed so I'm not sure if you need extra steps to set up the server to listen for connections on port 22).
SSH should go without a hitch. For more info see the SSH website. You can also download Windows clients for SSH from there, so you can use a Windows machine and secure shell to connect to your server.
SECURING POP3
Securing POP3 is a much more involved process (read *it was a bitch for me*) but is by no means impossible. To protect POP3 you need to use stunnel to wrap connections to port 995 (pop3s). With this method incoming connections on port 995 are passed through stunnel (which uses the SSL encryption libraries to encrypt and decrypt the traffic) and on to port 110 and your regular POP3 server. This is a rather roundabout method, but I haven't found any easier way to do it.
The first step in securing your POP3 is to check that SSL is installed. I recommend OpenSSL. Use:
rpm -q openssl
to check whether it's installed. If not, you'll have to grab the rpms from the 'Core System' CD and install them, or use the GUI package manager.
Next, it is important that you install the openssl-devel package! This package contains the static libraries that stunnel needs in order to encrypt your connections with SSL. If you don't install this package your stunnel installation won't work. You may first want to check whether the package is installed, using the same method as before. Install openssl-devel and you're set for the next step.
Once openssl and openssl-devel are installed you need to install stunnel. Unfortunately there aren't any recent rpms available for stunnel, so you'll have to download the source and compile it the old-fashioned way. Download the latest stable version from stunnel.org. Once it is downloaded, unpack and install it using:
gzip -dc stunnel-VERSION.tar.gz | tar -xvf -
cd stunnel-VERSION
./configure
make
make install
At this point (if you don't encounter any errors) stunnel is installed. The next step is to make a certificate (which creates the keys used for encryption). Simply type:
make cert
answer the questions and take note of where the 'stunnel.pem' file is written (it should be your current directory). Write this directory down, as we're going to need it in the next step. Now stunnel is all set up.
The only step that remains is to modify xinetd so that it will pass pop3s connections through stunnel to ipop3d, your POP3 server. Go to /etc/xinetd.d and type:
ls -l
If you don't see a pop3s entry in the directory go ahead and create one using:
touch pop3s
Type ls -l again to make sure the file was created. Once it exists (or if it was already there) edit the file with your favorite editor. I use:
pico pop3s
but pico isn't installed on Mandrake 8.0 by default (it is part of the pine rpm if you want to install it), so you may be using another editor. Once the file is open, edit it to look like this:
# default: off
# description: The POP3S service allows remote users to access their mail
# using a POP3 client with SSL support such as fetchmail.
service pop3s
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/stunnel
server_args = -p /usr/local/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d
log_on_success += USERID
log_on_failure += USERID
}
The server_args line is the important one and may differ on your machine. It specifies the flags passed to stunnel when xinetd launches it from /usr/local/sbin/stunnel. The -p flag gives the location of the stunnel.pem file (the one you wrote down a moment ago). Change this part of the line so that it reflects the location of your stunnel.pem file (for instance, if your .pem is in /home/joe, change it to read '-p /home/joe/stunnel.pem'). Leave the -l flag and everything after it exactly as it appears. Make sure 'disable =' is set to 'no' so that the service is enabled. Also make sure there are no stray line breaks in your file (pico will sometimes insert them). Once you're done, save the file.
Now you need to restart xinetd. To do this you must first find the pid (process id) of xinetd. Issue:
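As an added example (not part of the original article), here is a small Python checker for a stanza like the one above: it parses the xinetd service file, reports any bare fragment inside the braces (the stray line break pico can insert), confirms 'disable = no', and pulls the pem path out of the -p argument so you can compare it with the directory you wrote down. The sample stanza is constructed from this article, with /home/joe as the assumed pem location and a deliberately wrapped server_args line.

```python
import re

# Constructed sample: the article's pop3s stanza, with server_args wrapped
# by the editor onto a second line (the breakage the text warns about).
SAMPLE = """\
service pop3s
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /usr/local/sbin/stunnel
    server_args = -p /home/joe/stunnel.pem -l /usr/sbin/ipop3d --
ipop3d
    log_on_success += USERID
    log_on_failure += USERID
}
"""

ATTR_RE = re.compile(r"^([A-Za-z_]+)\s*(\+=|=)\s*(.*)$")

def parse_service(text):
    """Return (name, attrs, problems) for the first service stanza in text."""
    name, attrs, problems, inside = None, {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if not inside:  # header: 'service NAME' followed by '{'
            m = re.match(r"^service\s+(\S+)$", line)
            name = m.group(1) if m else name
            inside = line == "{"
            continue
        if line == "}":
            break
        m = ATTR_RE.match(line)
        if not m:  # bare text inside the braces is usually an editor wrap
            problems.append("line %d: stray text %r" % (lineno, line))
            continue
        key, op, val = m.groups()
        attrs[key] = (attrs.get(key, "") + " " + val).strip() if op == "+=" else val
    return name, attrs, problems

def check_pop3s(text):
    # Check the settings the article stresses; return (pem_path, problems).
    name, attrs, problems = parse_service(text)
    if name != "pop3s" or attrs.get("disable", "yes").lower() != "no":
        problems.append("service pop3s missing or disabled")
    args = attrs.get("server_args", "").split()  # no quoting in this stanza
    pem = args[args.index("-p") + 1] if "-p" in args[:-1] else None
    return pem, problems
```

Run it against your own /etc/xinetd.d/pop3s with open(path).read() in place of SAMPLE; an empty problems list and the expected pem path mean the file is ready for the xinetd restart.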
ps -aux|grep xinetd
Write down or remember the pid (it's probably 1027). Then issue:
kill -USR1 PID
where PID is the process number of xinetd. You should be done at this point. The easiest way I know to check whether your connection works is to telnet to localhost on port 995 using:
telnet 127.0.0.1 995
If your connection is accepted and then just hangs, you should be ok. Check your log files in /var/log/daemons, especially /var/log/daemons/errors, to make sure there are no errors. If your connection is refused, check whether you have any firewall rules (ipchains, iptables, Bastille) running that might be killing your connection. Edit these so that they allow port 995 through.
Once pop3s is set up, Outlook clients can connect by going to Tools -> Accounts, selecting the appropriate account, hitting the 'Properties' button and then the 'Advanced' tab, and making sure the 'Use secure connection (SSL)' checkbox is checked.
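Telnet only shows that something accepts the connection; it hangs because stunnel is waiting for an SSL handshake that telnet never sends. The following added Python probe (not part of the original article) completes the handshake, captures the certificate stunnel presents and checks that the greeting behind it is a real POP3 '+OK'. Host, port and timeout are assumptions; it does not verify the certificate chain because 'make cert' produces a self-signed stunnel.pem.

```python
import socket
import ssl

def probe_pop3s(host="127.0.0.1", port=995, timeout=5.0):
    """Open a TLS session to the stunnel-wrapped port and return
    (greeting, server_cert_pem). Raises on connect or handshake failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # 'make cert' produces a self-signed stunnel.pem, so there is no CA to
    # verify against; we still fetch the certificate so the operator can
    # confirm the server is presenting the stunnel.pem they generated.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            greeting = tls.recv(512).decode("ascii", "replace").strip()
            tls.sendall(b"QUIT\r\n")  # be polite to ipop3d
    return greeting, ssl.DER_cert_to_PEM_cert(der)

def parse_pop3_status(line):
    """POP3 replies start with '+OK' or '-ERR'; anything else (an empty read,
    a banner from some other daemon) means the tunnel is not reaching POP3."""
    word = line.split(None, 1)[0] if line else ""
    if word == "+OK":
        return "ok"
    if word == "-ERR":
        return "err"
    return "not-pop3"

if __name__ == "__main__":
    banner, cert_pem = probe_pop3s()
    print(parse_pop3_status(banner), banner)
    print(cert_pem)
```

A 2001-era stunnel speaks SSLv3/TLS 1.0 only, which a current OpenSSL build may refuse by default; if the handshake fails for that reason, lower ctx.minimum_version for the test and treat it as one more reason to update the tunnel.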