rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: bmartino1 on November 17, 2013, 07:47:51 PM

Title: stunnel and HFS (securing your hfs)
Post by: bmartino1 on November 17, 2013, 07:47:51 PM

Hello there, I've been using HFS for about 5-9 years and when I started I didn't read any of the docs. I was fascinated with the potential and ease of this program and its web capabilities.

Which is why I'm posting my information on setting up HFS with stunnel.

Most information for doing this has already been done and set up, many thanks to these people, but (for me) even following their instructions I ran into problems. It is my hope that these issues can be fixed in this topic, either by helping each other or sharing our findings.

The link is here: http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server
(this page is the base of my setup)
Although, I had to edit my stunnel config a bit more to make it work the way I wanted...

Following this (the link provided and the instructions here later) will most likely get you HTTPS access, as it is pretty much straightforward.

Although, in my setup I ran into FIPS errors and other setup issues, so I will be posting my finds here shortly (along with zip files of stunnel and openssh). You will have to recreate your security keys, and the keys uploaded are no longer available for access to my server, for security purposes...

So first let us get our tools:
For this tutorial I assume you will have a folder in the root of C:

path: C:/webroot/Hfs.exe
You will need to create a folder in that path and call it stunnel (this will be your install path for the program)
You will need to create a folder in that path and call it openssh (this will be your install path for the program)


You will need:
HFS -  latest stable version 2.2f info http://www.rejetto.com/hfs/?f=dl ( http://www.rejetto.com/hfs/download )
Openssh - info http://slproweb.com/products/Win32OpenSSL.html ( http://slproweb.com/download/Win32OpenSSL-1_0_1g.exe )
Stunnel -  ( ftp://stunnel.mirt.net/stunnel/stunnel-4.56-installer.exe )
CCleaner - info/download ( http://www.filehippo.com/download_ccleaner/ )
---------------------------------------------
You will need to install openssh first!
See the info page, as openssh requires other "updates" to be installed, such as Visual C++ 2008 Redistributables...
Once it is installed, go to the directory, zip it into a compressed zip folder and put it somewhere safe like the desktop! We will be using it later.

Now install stunnel
You will be prompted to create security keys from a batch. That is fine, put whatever you like, but your computer name must be in the very last line asked:
"commonName = Common Name (FQDN of your server) "
Once it is installed, go to the directory, zip it into a compressed zip folder and put it somewhere safe like the desktop! We will be using it later.

-----------------------------------
You should now have 2 compressed zip files, one openssh and the other stunnel... Make sure you have them ready, as we will need them for the portable versions...

Now open CCleaner and uninstall stunnel and openssh (only do this if you are making it portable).
If you uninstalled the programs,
run CCleaner's registry cleaner (we do this to remove the stunnel and openssh registry files to prevent issues later down the road...); otherwise you can skip this.
Then restart the machine.

The point of these installs is getting particular files and eventually making it portable: once we get the files, you will need to uninstall openssh and stunnel, as the zip files house the portable executables...

---------ignore this if you don't want the portable version, as you will have to edit the stunnel config to work with HFS...----------
Open your web path: c:/webroot/hfs.exe
(delete the stunnel and openssh folders, as they may still be left from the install)

Create a folder called stunnel and put the zipped files in this folder.

To clarify, you should have your path: c:/webroot
Inside this folder should be hfs.exe and another folder, stunnel.
Inside stunnel should be the 2 zip folders created earlier.
We will now extract the files, so you should have a structure like this,
using the cmd dir command (these are the files you should have extracted; the zips contain more, but this is all that we will need):

create_pem.bat (which will be created later by us)

OpenSSL-Win32.zip
stunnel.zip

libeay32.dll
libssl32.dll
openssl.exe
pem.conf
stunnel.conf
stunnel.exe
stunnel.html
stunnel.log
stunnel.pem
zlib1.dll

-----
If you want to take the easy way out, I have made a zip file of my webroot with stunnel and its configs...
----
----------------------
Create a batch file named create_pem.bat (in Save As, use "all file types"...)
The batch contains:
openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem

-------------------------
Run the batch file; this will change your key by asking the same questions you had when you installed stunnel
(this is how stunnel generates your certificate...)

Congrats, all we have left to do is edit the stunnel config:

Open the stunnel config, delete everything in it and replace it with this:
-----------

; Lines preceded with a ";" are comments
; Empty lines are ignored
; For more options and details: see the manual (stunnel.html)

; I had issues with FIPS mode and my keys; to make it work I needed to disable FIPS
;https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation
fips = no

; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem

; Log level (1=minimal, 5=recommended, 7=all) and log file
; Precede with a ";" to disable logging
debug = 5
output = stunnel.log

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Data compression algorithm: zlib or rle
compression = zlib

; SSL bug options / no SSLv2 (SSLv3 and TLSv1 are enabled)
options = ALL
options = NO_SSLv2

; Service-level configuration
; Stunnel listens on port 443 (HTTPS) on any IP (443 needs to be port forwarded)
; and connects to port 4430 (HFS) on the machine's IP address (which should be static)
[https]
accept = 0.0.0.0:443
connect = 192.168.1.254:4430
TIMEOUTclose = 0


-------
That's it. With a little fudging, HFS should be available through HTTPS.

Here is the download:
Google has deleted it from my drive??? Unknown why - can't seem to find it... it just isn't there...
I would have you go to Silent plz post to get the file and/or use that version of HFS with stunnel!...
http://www.rejetto.com/forum/hfs-~-http-file-server/for-testing-purpose-hfs-beta-279-including-ssl-tools/
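
A small reader for the stunnel.conf layout used in the post above, added here as an example and not part of the original post or of stunnel itself. It parses the global options and service sections, then lists points worth checking on this setup; `parse_stunnel_conf`, `review` and the sample text are names and data made up for the illustration.

```python
import ipaddress

# Constructed sample: the option lines of the stunnel.conf posted above.
SAMPLE_CONF = """\
fips = no
cert = stunnel.pem
key = stunnel.pem
options = ALL
options = NO_SSLv2
[https]
accept = 0.0.0.0:443
connect = 192.168.1.254:4430
TIMEOUTclose = 0
"""

def parse_stunnel_conf(text):
    """Return {section: {option: [values]}}; lines before any [section] go under 'global'."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            # options= and socket= repeat, so keep every value
            # (configparser's default strict mode rejects duplicates).
            conf[section].setdefault(key.strip().lower(), []).append(value.strip())
    return conf

def review(conf):
    """Notes a reviewer would raise about this layout (hypothetical helper)."""
    notes, g = [], conf["global"]
    if g.get("cert") and g.get("cert") == g.get("key"):
        notes.append(f"{g['cert'][-1]} holds the certificate and the private key: restrict read access to it")
    if "no" in g.get("fips", []):
        notes.append("fips = no: FIPS mode is off")
    for name, svc in conf.items():
        for target in svc.get("connect", []):
            host = target.rpartition(":")[0] or "localhost"  # a bare port means localhost
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = host.lower() == "localhost"
            if not loopback:
                notes.append(f"[{name}] connect = {target}: backend is on a non-loopback address, clients that reach it directly skip TLS")
    return notes
```
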
Title: Re: stunnel and HFS (securing your hfs)
Post by: rejetto on November 17, 2013, 11:38:07 PM
welcome, and thank you for sharing
Title: Re: stunnel and HFS (securing your hfs)
Post by: bmartino1 on May 01, 2014, 02:34:34 AM
IMPORTANT   There is a security flaw with OpenSSL 1.0.1 a - f.

Do not use OpenSSL versions 1.0.1a-f (I have updated my posts with links to the protected version)!

Sorry for the inconvenience.

-------------
The complete download link contained openssh version 1.0.1e and was vulnerable to attack!
I have fixed this; I have reuploaded the files!
* I have reuploaded the files and the version of openssl is 1.0.1g

----------
Need to know how to tell what version of hfs you are running?
Double-click openssl.exe; in the DOS batch window type version.
If it says 1.0.1#
(# could be any of these: a,b,c,d,e,f) it is vulnerable to the Heartbleed virus going around!

I understand that this is an issue and I don't claim responsibility for those using it (as this is a tutorial on how to set it up, not to give you the files!). The new version is 1.0.1g or 1.0.2-beta2...
https://www.openssl.org/
Title: Re: stunnel and HFS (securing your hfs)
Post by: bmartino1 on May 01, 2014, 03:30:44 AM
Instead of fixing the link, if you choose to do so, go here to download the patched version:
http://opendec.wordpress.com/tag/openssl/
download: http://indy.fulgan.com/SSL/openssl-1.0.1g-i386-win32.zip

copy the 2 dll files and the openssl.exe file to the place where openssl is located and tada, you are no longer vulnerable...
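
A way to confirm the replacement described in the last two posts, added here as an example and not part of the original thread: running openssl.exe reports only that one file, so this scans every .exe and .dll in the stunnel folder for the embedded OpenSSL version banner and flags any left in the Heartbleed range. The function names are made up for the illustration, and the checks for unlettered 1.0.1 and for 1.0.2-beta1 go beyond the a-f list given in the post.

```python
import pathlib
import re
import sys

# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in the binaries.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?")

def heartbleed_status(base, letter, beta):
    """Classify one parsed version against the Heartbleed range."""
    if base == "1.0.1" and not beta:
        # Post: 1.0.1a-f are affected, 1.0.1g is fixed. The unlettered 1.0.1 is
        # included here as well (an addition to the post's list).
        return "VULNERABLE" if letter < "g" else "fixed"
    if base == "1.0.2" and beta == "beta1":
        return "VULNERABLE"  # addition: the post names 1.0.2-beta2 as the new version
    return "outside the ranges checked"

def scan_bytes(data):
    """Return sorted [(version, status)] for every distinct banner found in data."""
    found = set()
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        version = base + letter + ("-" + beta if beta else "")
        found.add((version, heartbleed_status(base, letter, beta)))
    return sorted(found)

def scan_folder(folder):
    """Map each .exe/.dll in folder to the OpenSSL versions embedded in it."""
    report = {}
    for path in sorted(pathlib.Path(folder).iterdir()):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            hits = scan_bytes(path.read_bytes())
            if hits:
                report[path.name] = hits
    return report

if __name__ == "__main__":
    # Usage: python scan_openssl.py C:\webroot\stunnel   (folder from the tutorial)
    for name, hits in scan_folder(sys.argv[1]).items():
        for version, status in hits:
            print(f"{name}: OpenSSL {version} -> {status}")
```

A hit in stunnel.exe may only reflect the OpenSSL it was built against; the libeay32.dll and libssl32.dll results show what is actually loaded at run time.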