Haha! So happy! snort+acid is finally working!
2005.8.9. Using Stunnel to add a MySQL tunnel that encrypts the plaintext session
SSL (the Secure Sockets Layer protocol) is an encrypted communication protocol designed to make up for the security weaknesses of widely used plaintext protocols (such as WWW). It uses the server's certificate to encrypt the traffic so that an attacker cannot eavesdrop on the session in transit.
Encryption software: Stunnel
Official site: www.stunnel.org
Official description:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code. The Stunnel source code is not a complete product -- you still require a functioning SSL library such as OpenSSL or SSLeay in order to compile stunnel. This means that stunnel can support whatever (and only) that which your SSL library can, without making any changes in the Stunnel code.
Software: ① stunnel-4.10.tar.gz
http://www.stunnel.org/download/stunnel/src/stunnel-4.10.tar.gz
# cp stunnel*.* /usr/local/src/
# tar zxvf stunnel-4.10.tar.gz
# cd stunnel-4.10
# ./configure --prefix=/usr/local/stunnel
# make
# make install (this step generates the certificate; see the screenshot)
# cd /usr/local/stunnel/etc/stunnel
# cp stunnel.conf-sample stunnel.conf
# vi stunnel.conf
cert = /usr/local/stunnel/etc/stunnel/mail.pem
Change the path to /usr/local/stunnel/etc/stunnel/stunnel.pem and remove the leading # so the line is active.
Then add a service section for MySQL:
[mysql]
accept = 3307
connect = 127.0.0.1:3306
Save and quit.
# groupadd stunnel
# useradd stunnel -d /home/stunnel -g stunnel -s /bin/nologin
# chown stunnel:stunnel /usr/local/stunnel/etc/stunnel/stunnel.pem
# mkdir /var/tmp/stunnel
# chown stunnel:stunnel /var/tmp/stunnel
Client machine settings
[mysql]
accept = 127.0.0.1:3306
connect = 服务器IP:3307
Start stunnel on both the server and the client; a client connection to port 3307 is automatically forwarded to port 3306 on the server.
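As an added example (not part of the original post), the script below parses stunnel 4.x-style config files like the two fragments above and flags the settings that matter for this tunnel: a server config whose cert line is still commented out, and a client config that does not verify the server certificate. The sample configs are constructed from the post; 192.0.2.10 is a placeholder for the server IP, `client = yes`, `verify` and `CAfile` are standard stunnel options, and server-cert.pem is an assumed copy of the server certificate on the client.

```python
def parse_stunnel_conf(text):
    """Return (global_options, {service: options}); '#' and ';' start comments."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (global_opts if current is None else services[current])[key.lower()] = value
    return global_opts, services

def audit(text):
    """Return findings for one stunnel.conf; an empty list means nothing was flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    is_client = global_opts.get("client", "no").lower() == "yes"
    if not is_client and "cert" not in global_opts:
        findings.append("server mode without an uncommented 'cert =' line")
    # Without verify = 2 plus a CAfile the client accepts any certificate on port 3307.
    if is_client and (int(global_opts.get("verify", "0")) < 2 or "cafile" not in global_opts):
        findings.append("client mode without 'verify = 2' and 'CAfile': server identity unchecked")
    for name, opts in services.items():
        if is_client and not opts.get("accept", "").startswith("127.0.0.1:"):
            findings.append(f"[{name}] plaintext listener not bound to loopback")
    return findings

# Sample configs constructed from the post; 192.0.2.10 is a placeholder for the server IP.
SERVER_CONF = """cert = /usr/local/stunnel/etc/stunnel/stunnel.pem
[mysql]
accept = 3307
connect = 127.0.0.1:3306
"""
# Client side as posted, plus 'client = yes', which the client-side stunnel needs.
CLIENT_CONF_AS_POSTED = """client = yes
[mysql]
accept = 127.0.0.1:3306
connect = 192.0.2.10:3307
"""
# Hardened: pin the server certificate (assumed copied to the client as server-cert.pem).
CLIENT_CONF_HARDENED = """client = yes
verify = 2
CAfile = /usr/local/stunnel/etc/stunnel/server-cert.pem
[mysql]
accept = 127.0.0.1:3306
connect = 192.0.2.10:3307
"""
```

Running `audit()` over each config returns an empty list for the server and hardened client configs and one finding for the client config as posted.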