Setup a SOCKS5 Proxy Server Using SS5 on CentOS 7

 

In this post we are going to set up a SOCKS5 proxy server using SS5 on CentOS 7. The two most common types of proxies are HTTP (Hyper Text Transfer Protocol) and SOCKS5 (Secure Sockets 5). The SOCKS4 and SOCKS4a protocols do not support UDP or authentication. The current SOCKS5 and HTTP proxies differ in the following ways:

  • In general terms, the HTTP proxies can only proxy HTTP (TCP) traffic whereas a SOCKS5 proxy can handle any type of traffic using either TCP or UDP.
  • A SOCKS5 proxy does not interpret the traffic sent through it in any way whereas an HTTP proxy typically does. This means that a SOCKS5 proxy is more universal and can be used with more applications.
  • An HTTP proxy can only be used with HTTP clients such as a web browser, but since it is aware of the HTTP content, it can do clever things such as caching or rewriting headers in addition to the proxying service. For the purpose of anonymity and privacy, a SOCKS5 proxy is a better choice since it can be put to more general use.

Prerequisites

Many proxy server packages provide both SOCKS4 and SOCKS5 proxying, but here we are going to set one up using SS5 on CentOS 7. Connect to your system as root or as a user with sudo privileges.

# ssh [email protected]

Run the commands below to install the latest version of the EPEL repository for CentOS 7, and then update your system to pick up missing updates and security patches.

# yum install epel-release

# yum update -y

Establishing Dependencies

SS5 requires the Development Tools group to be installed on the system, along with some other packages. Install them with the YUM package manager using the commands below.

# yum groupinstall 'Development Tools'

# yum install gcc automake autoconf libtool make pam-devel yum-utils openldap-devel openssl-devel

Press ‘Y’ key to continue installing the required packages along with some of its dependencies.

Installing SOCKS5 Proxy Server Using SS5 on CentOS 7

First create a working directory under /opt/, then download the SS5 package into it using the wget command as shown below.

# mkdir /opt/ss5

# cd /opt/ss5

# wget http://sourceforge.net/projects/ss5/files/ss5/3.8.9-8/ss5-3.8.9-8.src.rpm

Once the package has been downloaded, check whether all of its build dependencies are installed.

# yum-builddep ss5-3.8.9-8.src.rpm

You can also download the source tarball of SS5 using the command below, then unpack the sources and install the package.

# wget http://sourceforge.net/projects/ss5/files/ss5/3.8.9-8/ss5-3.8.9-8.tar.gz

# tar -zxf ss5-3.8.9-8.tar.gz

# cd ss5-3.8.9

Then, within the same directory, run the ./configure command. It prepares the software to be built on your system: it makes sure all of the dependencies for the rest of the build and install process are available, and finds out whatever it needs to know to use those dependencies.

# ./configure

Once configure has done its job, we can invoke make to build the software. This runs a series of tasks defined in a Makefile to build the finished program from its source code.

# make

Now that the software is built and ready to run, the files can be copied to their final destinations. The make install command will copy the built program, and its libraries and documentation, to the correct locations.

# make install

Configuring SS5 Socks5 Proxy server

We have installed SS5 from its source code; now we will make the required changes to its configuration files, located in the /etc/opt/ss5/ directory. Before that, copy the original configuration files so that you can revert your changes if you need to.

# cd /etc/opt/ss5/

# cp ss5.passwd ss5.passwd.org

# cp ss5.conf ss5.conf.org

Let’s start configuring SS5 by opening its configuration file in your favorite command-line editor, such as ‘vi’, ‘vim’ or ‘nano’.

# vim /etc/opt/ss5/ss5.conf

The configuration file contains the following sections:

  • variable and flags
  • authentication
  • authorization
  • bandwidth
  • proxy
  • dump
  • routing
  • balancing
  • miscellaneous

In each section, the SS5 daemon sequentially reads each line until it encounters a matching line for that section. The order of sections and the order of lines within a section are crucial to achieving the desired result. Every entry in a line must match. A few customization examples follow.

SECTION AUTHENTICATION

The ‘auth’ directive sets the authentication policy.

1) Allow unauthenticated access through the SOCKS server to the world, but only from the following source addresses:

auth 0.0.0.0/0 - -

permit - 192.168.xx.xx/32 - 0.0.0.0/0 - - - - -

permit - 172.25.xx.yy/32 - 0.0.0.0/0 - - - - -

2) Allow unauthenticated access through the SOCKS server to the world from all addresses (open proxy). With this rule, anyone who can reach the port can relay traffic through the server:

auth 0.0.0.0/0 - -

permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

3) Allow access only with authentication, for example, user ‘user’ with password ‘password’ gets access through the SOCKS server to the world:

auth 0.0.0.0/0 - u

permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Save and close the file using ‘:wq!’.

Next we need to add the user and password in ‘/etc/opt/ss5/ss5.passwd’ file.

# vim /etc/opt/ss5/ss5.passwd
-- Output --
user password

aman [email protected]

Put one user and password per line, separated by a space, to add multiple users. Because the passwords are stored in this file as plain text, make sure that it is readable only by root, which can be done by issuing the commands below.

# chown root:root /etc/opt/ss5/ss5.passwd

# chmod 600 /etc/opt/ss5/ss5.passwd

 

Starting SS5 Service

SS5 has been installed and configured. Now start the SS5 server and check that it is running properly using the commands below.

# ss5 -u root -b 0.0.0.0:1080

Now run the commands below to check its port and process and confirm that it is up and running.

# netstat -anp | grep ss5

# ps -ef | grep ss5

 

From the output of these commands, we can confirm that ss5 is running fine on port ‘1080’. If you see any error message like the following in the logs,

can't create pid file /var/run/ss5/ss5.pid

can't unlink pid file /var/run/ss5/ss5.pid

Then make sure to create the directory ‘/var/run/ss5’ and start ss5 again.

Managing SS5 Logs

To view the SS5 operation logs and see whether there are any issues, run the command below.

# tail -f /var/log/ss5/ss5.log

[07/Mar/2017:12:27:23 GMT] [INFO] Copyright (C) 2002-2013 by Matteo Ricchetti -

[07/Mar/2017:12:27:23 GMT] [INFO] Setting dynamic configuration.

[07/Mar/2017:12:27:23 GMT] [INFO] Cleaning old configuration.

[07/Mar/2017:12:27:23 GMT] [INFO] Loading and validating new configuration.

[07/Mar/2017:12:27:23 GMT] [WARN] Duplicate auth lines in config file.

[07/Mar/2017:12:27:23 GMT] [INFO] Loading configuration completed

[07/Mar/2017:12:27:23 GMT] [INFO] Loading HA configuration completed

[07/Mar/2017:12:27:23 GMT] [INFO] Switching to new configuration.

[07/Mar/2017:12:27:23 GMT] [VERB] Role is ALONE.

[07/Mar/2017:12:27:23 GMT] [INFO] Loading network interfaces.

Remove the duplicate ‘auth’ line from the SS5 configuration file, as indicated in the logs above.
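The open-proxy rule from the authentication examples and the duplicate ‘auth’ warning above can both be caught before SS5 is restarted. The check below is an added example, not part of SS5 or of the original article. The field order is assumed from the examples in this post, "duplicate" is assumed to mean two auth lines with the same source and port, and the sample configuration is constructed.

```shell
# Constructed sample configuration (not from a real deployment).
sample_conf() {
cat <<'EOF'
# SECTION AUTHENTICATION
auth 0.0.0.0/0 - u
auth 0.0.0.0/0 - -
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
permit - 192.168.10.5/32 - 0.0.0.0/0 - - - - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
EOF
}

# Reads an ss5.conf on stdin and prints one finding per risky line.
# Assumed field order, taken from the examples in this article:
#   auth   <source> <source-port> <method>      ("-" = none, "u" = user/password)
#   permit <method> <source> <source-port> <destination> ...
ss5_conf_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "auth" {
            key = $2 " " $3                      # same source and port = duplicate
            if (key in seen) print "DUPLICATE_AUTH line " NR " (first at line " seen[key] ")"
            else seen[key] = NR
            if ($4 == "-") print "NO_AUTH line " NR " source " $2
        }
        $1 == "permit" && $2 == "-" {
            # An unauthenticated permit from any source is an open proxy.
            if ($3 == "0.0.0.0/0") print "OPEN_PROXY line " NR
            else print "UNAUTH_PERMIT line " NR " source " $3
        }
    '
}

# Demo on the constructed sample; on a server: ss5_conf_lint < /etc/opt/ss5/ss5.conf
sample_conf | ss5_conf_lint
```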

To configure log rotation for the ss5 logs, create a new file with the following contents.

# vim /etc/logrotate.d/ss5

/var/log/ss5/ss5.log {

daily

rotate 3

dateext

compress

missingok

notifempty

copytruncate

}

That’s it; save and close the file.

Connecting to SS5 Proxy

Now let’s send a request through the SS5 proxy from another server. Before that, make sure that port ‘1080’ is allowed for your source system. Then run the command below from the remote VM.

# curl --socks5 destination_ip:1080 --proxy-user user:password http://ipinfo.io/ip

Then check the logs on your SS5 proxy server and you will see entries like the ones below, showing a successful connection.

# tail -f /var/log/ss5/ss5.log
[07/Mar/2017:13:06:45 GMT] [10144] source_ip "" "CONNECT" STARTED 0 0 0 (source_ip:59286 -> destination_ip:80)

[07/Mar/2017:13:06:45 GMT] [10144] source_ip "" "CONNECT" TERMINATED 245 75 0 (source_ip:59286 -> destination_ip:80)
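The connection lines above can be reviewed automatically for sessions that carried no user name or went to an unexpected destination port. This is an added example, not part of SS5 or of the original article. It assumes the quoted field after the source address is the authenticated user name; the log lines and addresses are constructed, and the default allow list of ports 80 and 443 is an assumption.

```shell
# Constructed sample log lines in the format shown above (documentation addresses).
sample_log() {
cat <<'EOF'
[07/Mar/2017:13:06:45 GMT] [INFO] Loading network interfaces.
[07/Mar/2017:13:06:45 GMT] [10144] 198.51.100.7 "aman" "CONNECT" STARTED 0 0 0 (198.51.100.7:59286 -> 203.0.113.20:80)
[07/Mar/2017:13:06:45 GMT] [10144] 198.51.100.7 "aman" "CONNECT" TERMINATED 245 75 0 (198.51.100.7:59286 -> 203.0.113.20:80)
[07/Mar/2017:13:07:02 GMT] [10150] 198.51.100.9 "" "CONNECT" TERMINATED 5120 310 4 (198.51.100.9:41822 -> 203.0.113.25:25)
EOF
}

# Reads an SS5 log on stdin and prints one finding per finished session that
# had an empty user field or a destination port outside the allow list.
# $1 = space-separated allowed ports (assumed default: "80 443").
ss5_review() {
    awk -v allowed="${1:-80 443}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Keep only session lines: third field is "[pid]" and status is TERMINATED.
        $3 !~ /^\[[0-9]+\]$/ || $7 != "TERMINATED" { next }
        {
            user = $5; gsub(/"/, "", user)       # "" -> empty string
            dst = $NF; sub(/\)$/, "", dst)       # e.g. 203.0.113.25:25
            port = dst; sub(/^.*:/, "", port)
            if (user == "")    print "NO_USER src=" $4 " dst=" dst
            if (!(port in ok)) print "PORT src=" $4 " user=" user " dst=" dst
        }
    '
}

# Demo on the constructed sample; on a server: ss5_review < /var/log/ss5/ss5.log
sample_log | ss5_review
```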

Conclusion

That’s all; we have successfully set up a SOCKS5 proxy server using SS5 on CentOS 7. As a proxy server, SS5 authenticates, profiles and processes network requests for clients. It establishes connections to application hosts on behalf of client applications: when a client attempts to access the network, it connects to the SS5 daemon instead of the application host. The network activities that clients request SS5 to perform for them might include ‘Connection’, ‘Bind’ and ‘UDP Associate’ operations, along with authentication. The SS5 protocol is independent of application protocols, and can assist with different networking services, including telnet, ftp, finger, whois, gopher, and WWW access.