COVER STORY: Socks v5
62   ISSUE 56 JULY 2005   WWW.LINUX-MAGAZINE.COM

Examining the generic Socks version 5 proxy protocol

Socks is a universal proxy protocol for TCP and UDP that allows internal hosts to securely pass the firewall and authenticates users. This article describes the latest version of the Socks proxy protocol and shows how

Many firewall admins allow direct access to the Web from the internal network but are more restrictive with other services such as FTP or SMTP. They rightfully argue that filter rules that allow a minimum of services and ports are easier to track and manage. Application Level Gateways (ALGs) provide even more granular control and are typically implemented as proxies (Figure 1a). However, the application firewall needs a proxy for each service.

The Socks protocol [2] (RFC 1928, Figure 1b) treads a path between the stateful packet filter and the ALG. Socks is implemented in the Dante package [1], for example. The generic Socks proxy technology leaves the firewall in control of applications, separating networks in the Transport Layer and giving clients a fixed request port (typically 1080). Clients formulate Socks requests, specifying target servers and services (such as HTTP, SMTP, or FTP). The Socks proxy (also known as a Socks server) authenticates the client and authorizes the client for access, sets up the connection to the target server, and transparently forwards any data sent or received.

Intermediate

Normally, client applications need to have integrated Socks support to be able to use the proxy, as Socks does affect the way protocols interact. However, a wrapper can add Socks support to binaries using LD_PRELOAD technology. To do this, the wrapper implements a customized socket library.

The name Socks is derived from Socket; the original working title was SOCK-et-S. There are two main versions: Socks v4 and v5. Both protocols insert themselves into the OSI model between the Transport and Application layers. Version 4 is restricted to handling connection requests, honoring proxy rules, and forwarding application data. It does not provide any kind of authentication and is restricted to TCP. Socks v5 adds robust authentication mechanisms and extends support to UDP.

Roundabout Route

In a typical Socks scenario, the client might want to access the HTTP service provided by a server on an external network. The procedure is shown in Figure 2, the data format in Figure 3, and the field contents in Table 1. The client starts by opening a TCP connection to the Socks proxy (1); the connection uses port 1080 by default. The client sends a Negotiation packet suggesting a few authentication methods (the number of methods in NMETHODS and the methods themselves in METHODS).

If the proxy accepts the request (step 2 in Figure 2), it uses a Server Negotiation packet to tell the client its preferred authentication method (METHODS with exactly one entry). The proxy then proceeds to authenticate the client (step 3). The exact procedure at this step depends on the selected method.

The client then sends a request to the proxy stating which service it requires (target address DST.ADDR and target port DST.PORT). The Socks proxy evaluates the request, based on the client ID and the target address, taking an access control list into consideration in a style typical of firewalls. If the client is not allowed the type of access it has requested, the Socks proxy drops the connection to the client.
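The exchange just described, as an added example that is not code from the article or from the Dante project: it builds and parses the Client Negotiation, Server Negotiation, Client Request and Server Reply packets laid out in Figure 3 and RFC 1928, and shows the proxy evaluating a request against an access list before it answers. The ATYP codes follow RFC 1928 (0x01 IPv4, 0x03 domain name, 0x04 IPv6), which differ from the values listed in Table 1 of the article. The functions, the (action, client_net, target, port_lo, port_hi) rule tuples, SAMPLE_RULES and all addresses and ports are this example's own constructions, not Dante's configuration syntax.

```python
"""Added example (not code from the article or from Dante): the Socks v5 TCP
handshake packets of Figure 3 / RFC 1928 and the proxy-side ruleset decision.
ATYP codes follow RFC 1928; the rule tuples used by proxy_decide() are a
constructed format for illustration, not Dante's sockd.conf syntax."""
import ipaddress
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 values
REP_SUCCESS, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def encode_addr(host):
    """ATYP + address bytes for a DST.ADDR or BND.ADDR field."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: send the name and let the proxy resolve it
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name longer than the one-byte length field")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed

def decode_addr(buf, off):
    """Return (host, port, next_offset) for the ATYP/ADDR/PORT fields at buf[off:]."""
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError("unsupported ATYP 0x%02x" % atyp)
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2

def build_client_negotiation(methods):
    """Step 1, Client Negotiation: VER NMETHODS METHODS."""
    return bytes([VER, len(methods)]) + bytes(methods)

def build_server_negotiation(negotiation, server_prefs):
    """Step 2, Server Negotiation: VER METHOD, the first entry of the server's
    preference list that the client offered, or 0xFF if nothing matches."""
    if len(negotiation) < 2 or negotiation[0] != VER:
        raise ValueError("not a Socks v5 negotiation")
    offered = set(negotiation[2:2 + negotiation[1]])
    chosen = next((m for m in server_prefs if m in offered), METHOD_NONE_ACCEPTABLE)
    return bytes([VER, chosen])

def build_request(cmd, host, port):
    """Step 4, Client Request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return bytes([VER, cmd, 0x00]) + encode_addr(host) + struct.pack("!H", port)

def parse_request(req):
    """Return (cmd, host, port); reject anything that is not a clean v5 request."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("bad VER or RSV")
    host, port, end = decode_addr(req, 3)
    if end != len(req):
        raise ValueError("trailing bytes after DST.PORT")
    return req[1], host, port

def build_reply(rep, bnd_host="0.0.0.0", bnd_port=0):
    """Step 5, Server Reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    return bytes([VER, rep, 0x00]) + encode_addr(bnd_host) + struct.pack("!H", bnd_port)

def parse_reply(reply):
    host, port, _ = decode_addr(reply, 3)
    return reply[1], host, port

def _target_matches(host, target):
    """'any' matches everything; a CIDR matches IP literals; a name matches itself."""
    if target == "any":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(target)
    except ValueError:
        return host.lower() == target.lower()

def proxy_decide(req, client_ip, rules, bnd_host, bnd_port):
    """Proxy side of step 5: first matching rule wins.  Returns the Server Reply
    bytes, or None when no rule matches and the proxy drops the client connection."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:  # BIND and UDP ASSOCIATE are outside this sketch
        return build_reply(REP_CMD_UNSUPPORTED)
    src = ipaddress.ip_address(client_ip)
    for action, client_net, target, lo, hi in rules:
        if src not in ipaddress.ip_network(client_net):
            continue
        if not (lo <= port <= hi and _target_matches(host, target)):
            continue
        if action == "pass":
            return build_reply(REP_SUCCESS, bnd_host, bnd_port)
        return build_reply(REP_RULESET)  # 0x02, "disallowed by ruleset"
    return None

# Constructed sample ruleset: 192.0.2.0/24 may CONNECT to port 80 anywhere, nothing else.
SAMPLE_RULES = [("pass", "192.0.2.0/24", "any", 80, 80),
                ("block", "192.0.2.0/24", "any", 1, 65535)]
```

A request that matches a block rule is answered with REP 0x02 so the client learns why it failed, while a request that matches no rule at all gets no reply, mirroring the drop described above; which of the two a real proxy does is a configuration decision, and the reply carries BND.ADDR/BND.PORT only on success.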
In any other case, it replies with one or more server reply packets.

[Figure 1a: intranet client C2 connects through an Application Level Gateway that holds a separate configuration for each protocol (SMTP, FTP, IRQ, DNS) to Internet server S1.]
Figure 1a: If the firewall is implemented as an application level gateway, it separates the internal and external networks at application level. However, it then needs a proxy for each protocol.

[Figure 1b: intranet client C1 connects through the Socks proxy on port 1080 to Internet servers S1 to S4.]
Figure 1b: In contrast to an ALG, Socks assumes the role of a generic proxy, accepting connections for any application protocols on port 1080, authenticating clients, and authorizing transfers.

Addressed

Socks requests and replies can contain different types of addresses. The protocol supports IPv4 and IPv6 addresses, along with domain names. The latter removes the need for the client to perform a DNS lookup, and the internal network does not need to resolve external DNS names.

Depending on the client request type, that is, depending on the value of CMD (Figure 2 and Table 1), the address details in the Socks server reply have a different significance. A reply to a CONNECT request contains BND.PORT and BND.ADDR, that is, the address from which the proxy has connected to the target server.

The BND.ADDR address is typically not identical to the Socks server address to which the client sent the original request. This constellation, which is referred to as a multi-homed Socks server, is typical of a Socks firewall that connects two networks. After a successful Connect command, the client and target server can communicate transparently through the proxy; Socks simply forwards any data.

The client sends a BIND request to indicate that it expects an incoming connection from a target server. This scenario might seem back-to-front, but it is quite normal in the case of the FTP protocol in active mode. With FTP, and following best client-server traditions, the client first establishes a connection to the FTP server; this is known as the control connection. Whenever a file needs to be transferred, the server establishes a data connection back to the client. Prior to this, the client needs to tell the server which address and port the server should use. Again, this information is sent across the control channel.

Upside-Down World

Socks can selectively allow this type of connection into the internal network. The client opens the control channel to the server by sending a normal Connect request. The client then uses a Bind request within a second connection to ask the Socks proxy to open a port for the incoming data connection.

The proxy sends two replies in response. The first contains the port and address at which the Socks server will listen for the incoming connection. The proxy does not send the second reply until the target server opens a connection. When this happens, the proxy's reply contains the source address and source port the target machine used to open a connection to it. Finally, the proxy forwards the data from the external server to the internal client.

If you want Socks to act as a UDP proxy, the client first needs to use TCP to contact the proxy and authenticate (Figure 4). The CMD it stipulates in this case is the third value in Table 1: UDP Associate. As the client will actually be using UDP to transmit data later on, it needs to tell the proxy where these packets will be coming from. To do so, the client adds its own address and port to the DST.ADDR and DST.PORT fields.

The proxy then opens an internal UDP relay port, allowing the client to send packets to the outside world. The client reads the address and port for the relay from the server's reply to the UDP Associate request: BND.PORT and BND.ADDR. This is where the client has to send any UDP packets destined for the external network. The client wraps its own UDP packets in a UDP Request (Figure 3, bottom). The UDP relay stays open for as long as the client keeps the authenticated TCP connection up.

[Figure 2: client in the intranet, Socks proxy (Socks port 1080, bind port, configuration), server in the Internet. Client to proxy: 1. Client Negotiation, 2. Server Negotiation, 3. Authentication Protocol, 4. Client Request, 5. Server Reply, 8. Data. Proxy to server: 6. Server Request, 7. Server Response, 8. Data.]
Figure 2: When establishing a Socks v5 connection, the client starts by sending a negotiation packet to the Socks proxy (1). The client authenticates (3); the proxy then establishes the connection to the target server (6) and forwards data (8).

Authentic

The authentication method can also provide trust and integrity between the client and the proxy. The authentication
might involve encapsulating the data, for example, using a secure protocol such as SSL or TLS. After completing the client/server negotiation process, the client then authenticates using SSL/TLS. Any other data sent during the connection can also be protected by SSL/TLS, and this form of secure communication ensures trust and integrity. Users can run mobile, wireless devices securely via the Socks proxy.

Figure 3: Socks v5 packet formats (field name and size in bytes)

  Client Negotiation (Client -> Socks Server)
    VER  NMETHODS  METHODS
    1    1         1-255

  Server Negotiation (Socks Server -> Client)
    VER  METHODS
    1    1

  Client Request (Client -> Socks Server)
    VER  CMD  RSV  ATYP  DST.ADDR  DST.PORT
    1    1    1    1     variable  2

  Server Reply (Socks Server -> Client)
    VER  REP  RSV  ATYP  BND.ADDR  BND.PORT
    1    1    1    1     variable  2

  UDP Request (Client -> Socks Server)
    RSV  FRAG  ATYP  DST.ADDR  DST.PORT  DATA
    2    1     1     variable  2         variable

Figure 3: Socks version 5 uses five packet types: Client Negotiation, Server Negotiation, Client Request, Server Reply, and UDP Request. The fields specify the name and size. Table 1 describes the contents.

[Figure 4: client, Socks proxy (Socks port 1080 over TCP, UDP relay port Y, configuration), server (UDP port Z). Over TCP: 1. Client Negotiation, 2. Server Negotiation, 3. Authentication Protocol, 4. Client Request (DST.PORT = X), 5. Server Reply (BND.PORT = Y). Over UDP: 6. UDP-Request from client port X to proxy port Y (DST.PORT = Z), 7. Data from the proxy to server port Z.]
Figure 4: In a UDP scenario, the client first uses TCP to connect to the Socks proxy. The Client Request (4) contains a UDP Associate command, in which the client tells the proxy from where it will be sending UDP packets.

Dante

The BSD-licensed Socks client and server implementation Dante for Unix [1] supports Socks v4 and v5 and the less common MSproxy. Version 1.1.15 was released at the end of January 2005. Dante is developed by a Norwegian consultancy called Inferno Nettverk A/S, who also have commercial modules for bandwidth control and port forwarding monitoring.

This said, the free version is typically fine for most tasks. Besides providing Socks and MSproxy services, it can also act as an HTTP proxy and authenticate users based on usernames and passwords or via Pluggable Authentication Modules (PAM). Support for interface names in the configuration file allows it to support DHCP.

Configuring the Proxy

The normal install, using configure && make && make install, drops the Socks server configuration file into /etc/sockd.conf (Listing 1). In line 1, a logoutput instruction tells Dante where to send the logfiles (syslog or stdout). The internal and external network interfaces are specified by interface names in lines 4 and 5. This is useful for computers with a DHCP-based configuration. Lines 6 and 7 show that IP addresses are just as acceptable. Note that the internal interface needs a port number.

Listing 1: Socks Server

  01 logoutput: syslog
  02 #logoutput: stdout
  03
  04 internal: eth0 port = 1080
  05 external: eth1
  06 #internal: port = 1080
  07 #external:
  08
  09 method: username
  10 #method: none
  11 #method: rfc931
  12 #method: pam
  13
  14 user.privileged: proxy
  15 user.notprivileged: nobody
  16
  17 client pass {
  18     from: 0 port 1-65535 to:
  19 }
  20
  21 client block {
  22     from: to:
  23     log: connect error
  24 }
  25
  26 block {
  27     from: to:
  28     log: connect error
  29 }
  30
  31 pass {
  32     from: 0 to:
  33     protocol: tcp udp
  34 }
  35
  36 block {
  37     from: to:
  38     log: connect error
  39 }

The authentication methods supported by Dante include username/password (line 9), the Ident method as specified in RFC 931 (line 11), and PAM. The Socks server needs different user privileges to reflect the authentication method. If it needs access to the password file, it will opt for a privileged user account (defined as proxy in line 14), although it is quite happy to be nobody (line 15) under other circumstances. Best practice would suggest using a dedicated user account for the Socks v5 server. Admins
can run the server in a chroot jail to keep it well away from system files and also give the server its own password file.

Well Filtered

Filter rules in the configuration files allow you to specify which clients can access the Socks proxy and to which addresses the proxy is allowed to connect. Dante parses the filter rules sequentially. It first evaluates any rules with the client prefix to establish which computers are allowed to access the Socks server (lines 17 through 24). The pass rules allow access, whereas block rules disallow access. Lines 17 through 19 allow the computer with the IP address of unrestricted access, whereas lines 21 through 24 deny any other access. These rules are applied at TCP/IP level and have nothing to do with the Socks protocol.

The second class of filter rules checks the content of the client requests. These rules specify the kinds of requests the proxy will honor. The block rule in lines 26 through 29 of Listing 1 rejects any requests from computers wanting to connect to. The TCP and UDP traffic from the host with with requests for is permitted (lines 31 through 34). The proxy will ignore any other requests.

First Tests

Calling /sbin/sockd -d launches the proxy in debug mode. Launching in debug mode tells the proxy to log anything important to the logoutput destination. Ethereal is perfect for checking the details of the communication. We used the Mozilla browser as our test client. We set the Socks server to and port 1080 in the Manual proxy configuration in our case.

If the Socks proxy refuses a connection on account of missing or inappropriate access privileges, the user might become aware of the symptoms without ever learning the reason for the connection failure. For example, if the Mozilla browser is faced with a connection failure, it might simply state "The document contains no data" in case of an error in part 2 of the filter rules, but there is no mention of the proxy being the cause. To investigate the possible causes for a connection problem of this kind, check out the proxy logfiles, which will be in /var/log/messages if you use syslog.

Socks All Round

Besides the Socks server, the Dante package has a simple wrapper script called socksify. The socksify script provides the user with the option of adding Socks capabilities to most network client programs. With socksify, you can add Socks capability to protocols such as SMTP, FTP, NTP, DNS, or IRQ. For example:

  ./socksify -c ftp

In cooperation with a suitable /etc/socks.conf configuration file, the preceding command tells socksify to talk the ftp client program into using the Socks proxy without needing to rebuild the client.

  route {
      from: to:
      via: port = 1080
      proxyprotocol: socks_v5
  }

The preceding settings tell socksify to use Socks v5 as its proxy protocol, and to establish a secure network connection via port 1080 on the computer at.

One for All

The Socks technology gives network admins the ability to deploy a simple and transparent method for security management. Socks also adds authentication and encryption to networked applications. In contrast to many other protocols, the Socks proxy protocol does not separate connection and user authentication, and thus Socks gives the firewall complete control over all data traffic.

Table 1: Packet Tags

  Tag        Content/Description
  ATYP       Address Type:
             0x01: IPv4 address
             0x02: Domain name
             0x03: IPv6 address
  BND.ADDR   Socks Proxy source address for data transfer to server
  BND.PORT   Socks Proxy source port for data transfer to server
  CMD        Transmission types:
             0x01: CONNECT
             0x02: BIND
             0x03: UDP Associate
  DST.ADDR   Target address requested (on server)
  DST.PORT   Target port requested (on server)
  FRAG       Current fragment number (for UDP packets)
  METHODS    Selection field for authentication method:
             0x00: No authentication
             0x01: GSSAPI
             0x02: User name and password
             0x03 through 0x7E: Defined by IANA
             0x80 through 0xFE: Reserved for private methods (only used locally)
             0xFF: The proxy has refused the methods offered by the client
  NMETHODS   Number of entries in METHODS field
  REP        Reply field:
             0x00: Successful
             0x01: Generic Socks proxy error
             0x02: Connection disallowed by ruleset
             0x03: Network not accessible
             0x04: Host not accessible
             0x05: Connection request refused
             0x06: Timeout (TTL expired)
             0x07: Socks command not supported
             0x08: Address type not supported
             0x09 through 0xFF: Not defined
  RSV        Reserved
  VER        Protocol version (0x05)

INFO

[1] Dante:
[2] RFC 1928, "SOCKS Protocol Version 5":
[3] RFC 1929, "Username/Password Authentication for SOCKS V5":
[4] RFC 1961, "GSS-API Authentication Method for SOCKS Version 5":
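Returning to the UDP relay described under Roundabout Route and Figure 4, here is an added example that is not code from the article or from Dante: it wraps and unwraps the UDP Request framing from the bottom of Figure 3 and models the relay-side state of one UDP Associate, including the checks the relay makes before forwarding a datagram. It handles IPv4 addresses only (ATYP 0x01, the same value in Table 1 and RFC 1928); the UdpAssociation class, its method names and every address, port and payload are constructed for this illustration. The rule that datagrams from any source address other than the associated client are dropped comes from RFC 1928; the additional port comparison when the client declared a non-zero port is this example's own choice.

```python
"""Added example (not code from the article or from Dante): UDP Request framing
(Figure 3, bottom) and the relay-side checks for one UDP Associate.  IPv4 only;
all addresses, ports and payloads are constructed sample values."""
import ipaddress
import struct

ATYP_IPV4 = 0x01  # same value in the article's Table 1 and in RFC 1928

def wrap_udp(dst_host, dst_port, data, frag=0):
    """Client side: RSV(2) FRAG(1) ATYP(1) DST.ADDR(4) DST.PORT(2) DATA."""
    addr = ipaddress.IPv4Address(dst_host).packed
    return b"\x00\x00" + bytes([frag, ATYP_IPV4]) + addr + struct.pack("!H", dst_port) + data

def unwrap_udp(packet):
    """Return (frag, dst_host, dst_port, data) or raise on a malformed header."""
    if len(packet) < 10 or packet[:2] != b"\x00\x00":
        raise ValueError("bad RSV or short header")
    if packet[3] != ATYP_IPV4:
        raise ValueError("this relay only handles ATYP 0x01")
    host = str(ipaddress.IPv4Address(packet[4:8]))
    port = struct.unpack("!H", packet[8:10])[0]
    return packet[2], host, port, packet[10:]

class UdpAssociation:
    """Relay state for one UDP Associate request (constructed class, not Dante's).
    client_host/client_port are what the client declared in DST.ADDR/DST.PORT
    (port 0 means not yet known, which RFC 1928 permits); relay_host/relay_port
    are returned to the client as BND.ADDR/BND.PORT in the Server Reply."""

    def __init__(self, client_host, client_port, relay_host, relay_port):
        self.client_host, self.client_port = client_host, client_port
        self.relay_host, self.relay_port = relay_host, relay_port
        self.tcp_open = True  # the association lives only while the TCP control connection does

    def reply_fields(self):
        """BND.ADDR and BND.PORT for the Server Reply: where the client must send."""
        return self.relay_host, self.relay_port

    def control_connection_closed(self):
        """The client's authenticated TCP connection went away: tear the relay down."""
        self.tcp_open = False

    def accept(self, src_host, src_port, packet):
        """Return (dst_host, dst_port, payload) for a datagram the relay may forward,
        or None when it must be discarded: association gone, source is not the
        associated client (RFC 1928 requires dropping those), malformed header, or
        a fragment (FRAG != 0), which this relay does not reassemble."""
        if not self.tcp_open or src_host != self.client_host:
            return None
        if self.client_port and src_port != self.client_port:
            return None
        try:
            frag, dst_host, dst_port, payload = unwrap_udp(packet)
        except ValueError:
            return None
        if frag != 0:
            return None
        return dst_host, dst_port, payload
```

The relay never learns the client's address from the datagrams themselves; it trusts only what was declared over the authenticated TCP connection, which is why the association has to die with that connection.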