Zebedee - Encrypted tunneling made simple
Pete Fritchman
There are many protocols that were not designed with security in mind, thus they communicate potentially private data in clear text. This is a very Bad Thing(tm) - this data can be sniffed. Using a tunnel, you can encrypt the data sent to a remote server that would normally be in plain text.
The FreeBSD Ports Collection (see http://www.FreeBSD.org/ports/) includes
zebedee in /usr/ports/security/zebedee. To install, simply type:
# cd /usr/ports/security/zebedee
# make install
(Note - at the time of writing this article an older version of zebedee is in ports -- make sure you have at least version 2.2.0. If you do not, apply the patch located at http://hex.databits.net/~petef/diffs/zebedee.diff).
From now on, all the commands you type should be as a regular user for two reasons: (1) zebedee does not need to use any privileged (<1024) ports, and (2) if there ever is some sort of security problem in zebedee, you'd rather not have your root account compromised - this is the reason why most daemons (named, httpd, etc) do not run as root.
Zebedee implements a fairly simple idea of a tunnel (you may be familiar with the `datapipe' program - same idea). Except that instead of a tunnel that just forwards data, the client-side zebedee process encrypts and compresses the data, and the server-side zebedee process decrypts and decompresses the data.
Now for some sample server-side and client-side configuration files. I usually put these configuration files in ~/etc. You'll obviously have to change 'MY.SERVER' to the hostname or IP address of your server :)
--- start client-side config file named client.zdb --
# zebedee sample configuration (client)
# Pete Fritchman <petef@databits.net>
#
# we are a client, not a server.
server false

# only allow connections from the local machine to access the
# forwarded port
localsource true

# handle multiple connection requests & establish a new tunnel
# for each one.
multiuse true

# set the hostname of the server
serverhost MY.SERVER

# tunnel telnet to localhost port 5523
tunnel 5523:MY.SERVER:23

# tunnel web to localhost port 5580
tunnel 5580:MY.SERVER:80

# tunnel pop3 to localhost port 55110
tunnel 55110:MY.SERVER:110

# highest compression
compression zlib:9

# highest encryption strength
keygenlevel 2

# send the zebedee process into the background
detached true

# specify the server port
serverport 5555
--- end config file --
--- start server-side config file named server.zdb --
# zebedee sample configuration (server)
# Pete Fritchman <petef@databits.net>
#
# we are the server
server true

# we'll only tunnel these specific ports
redirect 23    # telnet
redirect 80    # web
redirect 110   # pop3

# highest compression
compression zlib:9

# highest encryption strength
keygenlevel 2

# send the zebedee process into the background
detached true

# specify the server port; make sure this isn't in use.
serverport 5555
--- end config file --
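As an added example that is not part of this article or of zebedee itself, here is a small Python script that reads a client.zdb and a server.zdb and reports mismatches before you start the tunnels: a client tunnel whose remote port the server does not `redirect`, a `serverport` that differs between the two sides, or a client missing `localsource true`. It understands only the `key value [# comment]` subset of zebedee's syntax used in the sample files above (single ports, `localport:host:remoteport` tunnels), not the full grammar.

```python
# Added example (not from the article or the zebedee project): cross-check a
# client.zdb against a server.zdb before starting the tunnels. Handles only the
# "key value [# comment]" subset of zebedee syntax used above, not the full grammar.
import re

def parse_zdb(text):
    """Return (key, value) pairs with comments and blank lines stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key.lower(), value.strip()))
    return pairs

def check_tunnels(client_text, server_text):
    """Return a list of problems; an empty list means the two configs agree."""
    client, server = parse_zdb(client_text), parse_zdb(server_text)
    cmap, smap = dict(client), dict(server)
    allowed = {int(v) for k, v in server if k == "redirect"}
    problems = []
    if cmap.get("serverport") != smap.get("serverport"):
        problems.append(f"serverport mismatch: client {cmap.get('serverport')} vs server {smap.get('serverport')}")
    if cmap.get("localsource") != "true":
        problems.append("localsource is not true: forwarded ports accept remote clients")
    for key, spec in client:
        if key != "tunnel":
            continue
        m = re.fullmatch(r"(\d+):([^:]+):(\d+)", spec)  # localport:host:remoteport
        if not m:
            problems.append(f"unsupported tunnel spec: {spec}")
        elif int(m.group(3)) not in allowed:
            problems.append(f"tunnel {spec}: server does not redirect port {m.group(3)}")
    return problems

# Constructed sample configs based on the article's, plus one extra client
# tunnel (to port 22) that the server's redirect list does not allow.
CLIENT = """server false
localsource true
tunnel 5523:MY.SERVER:23
tunnel 55110:MY.SERVER:110
tunnel 5522:MY.SERVER:22
serverport 5555
"""
SERVER = """server true
redirect 23 # telnet
redirect 110 # pop3
serverport 5555
"""
```

Running `check_tunnels(CLIENT, SERVER)` flags the port-22 tunnel, which zebedee on the server would refuse because 22 is not in its redirect list.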
Now to actually create the tunnels, you'll need to run zebedee with the "-f" option, pointing to your config file (obviously, the server-side config file when you run zebedee on the server, and the client-side config file when you run zebedee on the client). You need to start the server zebedee process first, otherwise the client will not be able to connect.
user@myserver% zebedee -f ~/etc/server.zdb
user@myserver%

You can check to make sure the zebedee process started ok:

user@myserver% ps x | grep zebedee
37601  ??  Is     0:00.00 zebedee -f etc/server.zbd
user@myserver%

Now, start the client:

user@client% zebedee -f ~/etc/client.zdb
zebedee(792/0): Listening on local port 5523
zebedee(792/0): Listening on local port 5580
zebedee(792/0): Listening on local port 55110
user@client%
Once the zebedee server and client processes are running, you can start making connections:
To establish a POP3 connection, you would set your mail server to "localhost", and set the port to 55110 (in this example).
To establish a telnet connection:
user@client% telnet localhost 5523
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
FreeBSD/i386 (hex.databits.net) (ttyp3)
login:
(note that hex.databits.net is the remote host running zebedee, it is *not* localhost - you are essentially telnetting to zebedee, which is creating an encrypted and compressed pipe to the remote server).
And because we've specified `multiuse true', you can open as many connections to localhost:5523 as you want (notice that a separate zebedee process is spawned on the server and client to handle each tunnel).
There's really no need to use ssh, since zebedee handles the encryption and compression aspect for you.
There are plenty of other options with zebedee, this document is merely a quick start guide. You should read the man page for zebedee, and visit the official website, http://www.winton.org.uk/zebedee/ .
Pete Fritchman