I’ve finished securing all open TCP ports on my servers with SSL today. While inspecting some servers’ logs, however, I spotted interesting behaviors. It looked like a few applications are still trying to play tricks by doing UPnP and forwarding random ports to the local server.
The best tools for the job
I did some research and it seemed there are currently many programs that can “add SSL/TLS to TCP connections”, i.e. by reverse proxying.
Out of them, I picked nginx and stunnel.
Stunnel is preferred when
you are simply adding SSL without doing anything else, which is very handy when your program doesn’t support SSL at all. The tricky part is that the certificate file you hand to stunnel (cert = in stunnel.conf) must contain your server certificate followed by the intermediate certificate(s); if you serve the leaf alone, clients that do not fetch missing intermediates themselves (Chrome for Android, for example) cannot build the chain and will refuse to trust your certificate.
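As an added example (mine, not code from the original post), the following shell script shows why the chain file matters: it builds a throwaway root, intermediate and leaf PKI with openssl, then validates a PEM file the way a client that does not fetch missing intermediates would, using only the root store plus whatever the file itself carries. The hostname example.test and the file names are assumptions for the demo; neither stunnel nor nginx is needed to run it.

```shell
#!/bin/sh
# Added example, not code from the original post: show that a server
# certificate served without its intermediate fails validation for any
# client that does not fetch missing intermediates itself, and that the
# concatenated file (leaf first, then intermediate) passes.
# Assumptions: hostname example.test, throwaway keys, 1-day validity.
set -eu

# make_test_pki DIR: write root.pem, intermediate.pem, leaf.pem/leaf.key
# and fullchain.pem (leaf followed by intermediate) into DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' >"$dir/leaf.ext"

    # Root CA: a CSR, then self-signed with explicit CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/intermediate.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" 2>/dev/null

    # Server certificate, signed by the intermediate. This mirrors what a
    # public CA hands you: the leaf, with the intermediate supplied separately.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

    # The file stunnel's "cert =" (and nginx's ssl_certificate) should point at.
    cat "$dir/leaf.pem" "$dir/intermediate.pem" >"$dir/fullchain.pem"
}

# chain_verifies ROOT PEMFILE: validate the first certificate in PEMFILE
# for example.test using only ROOT as trust anchor and the remaining
# certificates in PEMFILE as the untrusted pool. That is exactly the
# material a client receives in the handshake, so a leaf-only file fails
# here the same way it fails on Chrome for Android.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" \
        -verify_hostname example.test "$2" >/dev/null 2>&1
}

# Demo run: leaf alone vs. full chain.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    if chain_verifies "$work/root.pem" "$work/leaf.pem"; then
        echo "leaf.pem alone: trusted (unexpected)"
    else
        echo "leaf.pem alone: NOT trusted (issuer not found)"
    fi
    if chain_verifies "$work/root.pem" "$work/fullchain.pem"; then
        echo "fullchain.pem: trusted"
    else
        echo "fullchain.pem: NOT trusted (unexpected)"
    fi
    rm -rf "$work"
}

demo
```

The same check works against a real deployment: pipe the output of openssl s_client -showcerts for your host into a file and run chain_verifies with your system CA bundle as the root; if it fails while a desktop browser still shows a padlock, the browser is quietly fetching the intermediate for you and stunnel's cert file is incomplete.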
Nginx is preferred when
you’re adding SSL to HTTP services, for example sites powered by Node.js. Since Nginx can do caching, HTTP header forwarding and a few other tricks, it is really handy in this case; besides, when you renew your SSL certificate you only update the one place where TLS is terminated instead of every site, which can otherwise be a nightmare.
Notice: the default Nginx cipher suite may be outdated, so put your own in the config, for example:
The recommended cipher suite for backwards compatibility (IE6/WinXP):
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
The 3DES entries (the ...DES-CBC3-SHA suites) and the static RSA key exchange entries (AES256-SHA, AES128-GCM-SHA256 and friends, which give no forward secrecy) are only there for those legacy clients; drop them if you do not have to support IE6/WinXP. Set ssl_prefer_server_ciphers on alongside the list, otherwise the client's preference order decides which suite is used.
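An added example (mine, not code from the post or from the nginx project), covering both the Nginx reverse proxy setup and the cipher list above: a shell helper that renders the nginx server block for a TLS-terminating proxy in front of a plain-HTTP backend, and an audit that expands an ssl_ciphers string with the local OpenSSL to count what it really enables. The Node.js upstream on 127.0.0.1:3000, the /etc/nginx/ssl paths and the hostname example.test are assumptions. The hardened variant appends !kRSA:!3DES to the page's list and limits ssl_protocols to TLSv1.2 and TLSv1.3, which is only valid when no IE6/WinXP client has to be served; for those you must keep the 3DES suites and allow TLSv1.

```shell
#!/bin/sh
# Added example, not code from the original post or from nginx.
# render_site   : print a server block that terminates TLS in nginx and
#                 proxies plain HTTP to an upstream (a Node.js app on
#                 127.0.0.1:3000 is the assumed upstream; paths are assumed).
# audit_ciphers : expand an ssl_ciphers string with the local OpenSSL and
#                 count what it actually enables, so you know whether the
#                 compatibility-only entries are still in play.
set -eu

# The page's backwards-compatibility list, verbatim.
PAGE_CIPHERS='EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# The same list with the legacy-only entries removed: no static RSA key
# exchange (no forward secrecy) and no 3DES. Assumed hardening, only
# appropriate if no IE6/WinXP client has to be served.
HARDENED_CIPHERS="$PAGE_CIPHERS:!kRSA:!3DES"

# render_site DOMAIN UPSTREAM_URL PROTOCOLS CIPHERS: print the server block.
render_site() {
    domain=$1 upstream=$2 protocols=$3 ciphers=$4
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    # leaf certificate followed by the intermediate(s), never the leaf alone
    ssl_certificate     /etc/nginx/ssl/$domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/$domain/privkey.pem;
    ssl_protocols       $protocols;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "$ciphers";

    location / {
        proxy_pass $upstream;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# expand_ciphers STRING: suites the local OpenSSL enables for STRING, one
# per line in "openssl ciphers -v" format (name proto Kx= Au= Enc= Mac=).
expand_ciphers() {
    openssl ciphers -v "$1"
}

# count_suites STRING REGEX: how many of those lines match REGEX.
count_suites() {
    expand_ciphers "$1" | grep -Ec "$2" || true
}

# audit_ciphers STRING: one-line summary of the points that matter.
audit_ciphers() {
    printf 'suites=%s no_forward_secrecy(kRSA)=%s 3des=%s anonymous=%s\n' \
        "$(count_suites "$1" '.')" \
        "$(count_suites "$1" 'Kx=RSA[[:space:]]')" \
        "$(count_suites "$1" 'Enc=3DES')" \
        "$(count_suites "$1" 'Au=None')"
}

echo "page list:     $(audit_ciphers "$PAGE_CIPHERS")"
echo "hardened list: $(audit_ciphers "$HARDENED_CIPHERS")"
# Renders the modern variant; for XP-era clients pass 'TLSv1 TLSv1.1 TLSv1.2'
# together with PAGE_CIPHERS instead.
render_site example.test http://127.0.0.1:3000 'TLSv1.2 TLSv1.3' "$HARDENED_CIPHERS"
```

The audit is worth rerunning after every OpenSSL upgrade: nginx passes the string through to the library it was built against, so the set of suites a given ssl_ciphers line enables changes with the OpenSSL version, not with your config.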
Both can
handle many concurrent connections (stunnel with threads, nginx with its event-driven worker processes) and proxy multiple services at the same time. They both support SNI, which allows you to serve different domains on the same port with different certificates.
Fully encrypted networking still has a long way to go
I noticed one of the third party applications on my server implemented a raw socket connection just to talk to its server in plain text; the TCP port it uses cannot be easily secured, as the client does not support SSL. It is possible such applications exist on your computer, tablet or phone as well.
Things can still go wrong
Even though connections are fully encrypted, what if your service provider carelessly leaks its login database, allowing anyone, including those with malicious intentions, to log in to your social network? That has happened before, and it may happen again, over and over, in the future.
Protect yourself
There is an interesting tale: if you go exploring the jungle with your friend and unfortunately run into hungry wild animals, you don’t necessarily need to run faster than them.
You just need to run faster than your friend.
Don’t make yourself look like a sitting duck; protect yourself with the best measures you can think of.