ubuntu | Kilvalrikan's Blog

What should be done:

Install Dante server and PAM library
Edit Dante configuration file “/etc/danted.conf”
Add PAM configuration file
Create user accounts
Start the server and check settings
Troubleshoot

1. Install Dante server and PAM library

I wanted to restrict access to my SOCKS server but didn’t want to add local users and authenticate against them. Also IP based restriction was out of the question as our users IP is dynamic. A PAM (Pluggable Authentication Module) library would be ideal for that regard. To install, run the following command:

1	sudo apt–getinstall dante–server libpam–pwdfile

2. Edit Dante configuration file

Back up the original configuration file

1	sudo mv/etc/danted.conf/etc/danted.conf.bak

Open vim or your favorite text editor

1	sudo vim/etc/danted.conf

Copy and paste following lines. Its very simple configuration that allows every client with an account to access the server so you may want to edit this so it fits your needs.

## general configuration

internal:eth0 port=443

external:eth0

method:pam

user.privileged:root

user.notprivileged:nobody

user.libwrap:nobody

logoutput:stderr

## client access rules

clientpass{from:0.0.0.0/0to:0.0.0.0/0}

## server operation access rules

# allow the rest

pass{

from:0.0.0.0/0to:0.0.0.0/0

method:pam

}

You can read more about Dante server configuration here.

3. Add PAM configuration file

When I installed Dante, it didn’t create any file in “/etc/pam.d” folder but if there is any, we need to make a back up.

1	sudo mv/etc/pam.d/sockd/etc/pam.d/sockd.bak

and create a new file

1	sudo vim/etc/pam.d/sockd

Copy and paste following lines and save the file

1 2	auth required pam_pwdfile.sopwdfile/etc/danted/socks.passwd account required pam_permit.so

4. Create user accounts

I used htpasswd to register users so I assumed that you have apache2 installed on your server. We have to create a folder to put our virtual accounts database there.

1	sudo mkdir/etc/danted

then use following command to register users

if cannot find htpasswd command user this command “sudo apt-get install apache2-utils“

1	sudo htpasswd cd/etc/danted/socks.passwd auser

The command will ask you for a password. Minor problem with htpasswd command is that your passwords can not be larger than 8 characters.

-c argument will make new file and -d will force MD5. For creating additional users you only need to use -d argument.

5. Starting server

To start the server enter following command

1	/etc/init.d/danted start

To stop the server

1	/etc/init.d/danted stop

If you’re lucky enough your server will start without any problems. If not please refer to troubleshooting step.

To test your server you need a SOCKS 5 client that could handle authentication. I don’t know about linux but you can use Proxifier if you’re using windows.

6. Troubleshooting

The only problem I encountered while setting up the server was getting following error after started the server:

1	symbolfunction():compiletime configuration error?Failed toopen“libc.so”:/usr/lib/x86_64–linux–gnu/

After a bit of digging I found out that this is a bug exist in Ubuntu 12.04. Anyway you can solve the problem with below command

1 2	cd/lib/x86_64–linux–gnu sudo ln–slibc.so.6libc.so

Hope this helps some people who had trouble setting up Dante server.

Source http://devmash.net/setup-dante-server-with-virtual-user-accounts-on-ubuntu/
and http://www.linuxquestions.org/questions/linux-networking-3/unable-to-find-htpasswd-command-932076/

How to install dante socks server on debian (ubuntu is similar):

apt-get install dante-server

This installs dante onto your debian server. By default it will not start (it will try to start – but will fail saying “no internal interfaces are configured etc…”).

To configure Dante socks server:

vi /etc/danted.conf

By default – most required lines will be uncommented. The following lines need to be inserted/ uncommented in danted.conf

#logoutput: stderr
logoutput: syslog
#the above line will send any logs to /var/log/syslog instead to a terminal

internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080

external: eth0

method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.

#method: pam
# if you choose to use pam instead - a valid username&password as required for sshing to the socks server is required.
#Note: not sure if proxy login details are sent in clear text.

#user.privileged: proxy
user.notprivileged: nobody

client pass {
        from: 136.201.251.21/0 port 1-65535 to: 0.0.0.0/0
        # 136.201.251.21/0 = specific ip address.
} 

client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

#Finally block other traffic
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

pass {
  from: 136.201.251.21/0 to: 0.0.0.0/0
  protocol: tcp udp
}

pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

Once the config is complete. Start/Restart dante socks server:

/etc/init.d/danted start

If there is a problem with the config – it will tell you immediately on trying to start the danted daemon.

Test Dante Socks Server

netstat -n -a
#check to see if server is listening on 1080

Make sure the firewall is open. Add appropriate rule as on Iptables_Firewall. Test also with winscp or putty.

Other SOCKS Servers

Note that putty itself can provide a SOCKS 5 server!! (But putty needs to be able to connect to an external server/computer firstly!)

To configure socks to act as a socks v5 server:

Open Putty, Go to CONNECTION -> SSH -> TUNNELS
In the Source Port - put 1080
In the Destination Port - put 1080
Click on the Dynamic radio button for "Dynamic Port Forwarding"

Connect to an server with external access. Telnet localhost 1080 and it should connect.

Also note – SOCKS v5 can be setup using ssh on the command line.

ssh [email protected] -D 1080
# -D is for Dynamic Port Forwarding.

Copy มาจาก http://wiki.kartbuilding.net/index.php/Dante_Socks_Server#Test_Dante_Socks_Server

ส่วนวิธีการทำให้ authen ได้

Overview

The username authentication method uses the system password file to verify a username and password combination supplied by a user as part of the SOCKS version 5 authentication process. Note that the password is transmitted in cleartext with this authentication method.

Environment setup

The standard system password authentication functions are used to verify the password, and the machine running the SOCKS server needs to have all users and passwords in a password file or similar database. It might, depending on the platform, be possible to run the server in a chroot() environment with a password file independent of the rest of the system.

Server privileges

#server identities (not needed on solaris)
user.privileged    : root
user.notprivileged : socks

For the server to be able to access the system password file, it will typically have to be started with root privileges. In this case, the user.privileged anduser.notprivileged keywords should be set to ensure that the server will run as an unprivileged user when it does not need root privileges.

Example clientmethod usage

This authentication method cannot be used as a clientmethod.

Example method usage

#authentication methods
method: username

#generic pass statement - bind/outgoing traffic
pass {  
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
        method: username
}

The authentication configuration template can be used directly for outgoing traffic, it is only necessary to specify the method name.

The username method cannot be used for incoming traffic (bindreply, udpreply).

Copy มาจาก http://www.inet.no/dante/doc/1.3.x/config/auth_username.html

Kilvalrikan's Blog

แค่คนทำงานไอทีคนหนึ่ง

คลังเก็บป้ายกำกับ: ubuntu

Socks5 แบบใช้ PAM (Debain 7 & ubuntu 12.04)