Quick 'n Dirty SOCKS Server
1. Introduction
1.1 Installing Dante
1.2 Configuring Dante
1.3 Creating the SSH Tunnel
1.4 Log Rotation
Introduction
Some organisations have very restrictive firewall policies which prevent me from accessing IM, IRC and e-mail, therefore I run a Dante SOCKS server to ensure I can access what I require when I require it :-) I access this SOCKS server via an SSH tunnel, so the communications between myself and my server are encrypted and SSH can be used as the authentication mechanism. Therefore the rules I have defined for Dante below are not secure if you were to expose the SOCKS server publicly! An added benefit of not requiring authentication at the SOCKS server is that some applications, Firefox and Thunderbird for example, do not support a SOCKS username and password.
Installing Dante
sudo apt-get install dante-server
Configuring Dante
sudo vi /etc/danted.conf
Make the changes shown below...
# the server will log to /var/log/dante.log (the stock sample config also
# shows syslog and stdout as alternatives)
logoutput: /var/log/dante.log
# The server binds to the loopback address, port 1080, and will only
# accept connections arriving on that address, i.e. from the local host
# (and therefore from the SSH tunnel described below).
# Alternatively, the interface name can be used instead of the address.
internal: 127.0.0.1 port = 1080
# all outgoing connections from the server will use the address of eth0
external: eth0
# list of acceptable methods, in order of preference.
# A method not set here will never be selected.
#
# If the method field is not set in a rule, the global
# method is filled in for that rule.
#
# methods for socks-rules.
method: username none
# methods for client-rules.
clientmethod: none
#
# An important section, pay attention.
#
# when doing something that can require privilege, it will use the
# userid:
#user.privileged: proxy
# when running as usual, it will use the unprivileged userid of:
user.notprivileged: nobody
# If you compiled with libwrap support, what userid should it use
# when executing your libwrap commands? "libwrap".
user.libwrap: nobody
#
# some options to help clients with compatibility:
#
# when a client connection comes in, the socks server will try to use
# the same port as the client is using when the socks server
# goes out on the client's behalf (external: IP address).
# If this option is set, Dante will try to do it for reserved ports as well.
# This will usually require user.privileged to be set to "root".
#compatibility: sameport
# If you are using the bind extension and have trouble running servers
# via the server, you might try setting this. The consequences of it
# are unknown.
#compatibility: reuseaddr
#
# The Dante server supports some extensions to the socks protocol.
# These require that the socks client implements the same extension and
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
#extension: bind
#
# misc options.
#
# how many seconds can pass from when a client connects until it has
# sent us its request? Adjust according to your network performance
# and methods supported.
connecttimeout: 30 # on a lan, this should be enough if method is "none".
# how many seconds can the client and its peer idle without sending
# any data before we dump it? Unless you disable tcp keep-alive for
# some reason, 0 ("forever") is usually fine; 86400 drops sessions
# that have been idle for a day.
iotimeout: 86400 # a day
# do you want to accept connections from addresses without
# dns info? what about addresses having a mismatch in dnsinfo?
#srchost: nounknown nomismatch
# client-rule: who may connect to the socks server at all. 0.0.0.0/0 is
# only acceptable here because 'internal' above limits listening to loopback.
client pass {
from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
log: connect error
}
# socks-rule: what those clients may ask the server to do. No
# authentication is required, so the SSH login is the only gate.
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
protocol: udp tcp
log: connect error
method: none
}
That's it, Dante is ready for action. Just run...
/etc/init.d/dante restart
...to bring it up. Dante will also start at boot time automatically from now on.
Creating the SSH Tunnel
Using OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick.
ssh -L 1080:localhost:1080 username@yourserver
If you do not have Dante listening on 127.0.0.1, you will need to replace 'localhost' with the address or hostname that it is listening on. The last argument (yourserver) is the actual machine running OpenSSH that you're connecting to. It need not be the machine running Dante, but it likely will be.
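To confirm that the tunnel really reaches Dante and that the 'none' method is what the server offers, the following added example (not part of the original page) speaks plain RFC 1928 SOCKS5 to 127.0.0.1:1080, the local end of the ssh -L command above; the target host and port passed to socks_connect are whatever you want to test and are assumptions of the example.

```python
"""Minimal SOCKS5 client-side handshake for checking a Dante server
reached through 'ssh -L 1080:localhost:1080'. Added example; assumes the
tunnel's local end is 127.0.0.1:1080 and that the server allows method
'none' (SOCKS5 method 0x00), as the danted.conf on this page does."""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_DOMAIN = 0x01, 0x03

def build_greeting(methods=(NO_AUTH,)):
    # VER | NMETHODS | METHODS...  offering only "no auth" gives b'\x05\x01\x00'
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_select(reply):
    # Server answers VER | METHOD. 0xFF means none of our methods was
    # acceptable, which is what a client that cannot send a username
    # (Firefox, Thunderbird) gets if only 'username' is configured.
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method-select reply: %r" % reply)
    if reply[1] == NO_ACCEPTABLE:
        raise ValueError("server rejected every offered method")
    return reply[1]

def build_connect(host, port):
    # VER | CMD | RSV | ATYP=3 | LEN | DOMAIN | PORT (big-endian). Sending
    # the domain form lets the proxy resolve names, so DNS lookups also
    # leave via the server rather than the restricted client network.
    name = host.encode("idna")
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
    return head + name + struct.pack("!H", port)

def parse_connect_reply(reply):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; REP 0 means succeeded.
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply: %r" % reply)
    return reply[1]

def socks_connect(host, port, proxy=("127.0.0.1", 1080), timeout=10):
    """Return a socket tunnelled to host:port via the proxy, or raise."""
    s = socket.create_connection(proxy, timeout)
    s.sendall(build_greeting())
    parse_method_select(s.recv(2))
    s.sendall(build_connect(host, port))
    rep = parse_connect_reply(s.recv(262))  # longest reply: domain form
    if rep != 0:
        s.close()
        raise OSError("SOCKS CONNECT failed, REP=%d" % rep)
    return s
```

With the tunnel up, socks_connect("example.org", 80) returns a connected socket; a ValueError from parse_method_select instead tells you the server is not offering method 'none'.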
Log Rotation
To rotate the Dante logs and help prevent '/var' from filling, do the following...
sudo vi /etc/logrotate.d/dante
Sample configuration:
/var/log/dante.log {
rotate 14
daily
compress
missingok
postrotate
/etc/init.d/danted restart > /dev/null
endscript
}
$Id: QuicknDirtySOCKSServer,v 1.4 2008/01/07 12:06:01 martin Exp $