From 21b829b5f905e0317395cddcedbb9bbd4ff24435 Mon Sep 17 00:00:00 2001 From: elejke Date: Fri, 13 Apr 2018 13:34:09 +0300 Subject: [PATCH] password auth added --- Dockerfile | 4 + sockd.conf | 295 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 299 insertions(+) create mode 100644 Dockerfile create mode 100644 sockd.conf diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..023c6ce --- /dev/null +++ b/Dockerfile @@ -0,0 +1,4 @@ +FROM wernight/dante + +# TODO: Replace 'john' and 'MyPassword' by any username/password you want. +RUN printf 'MyPassword\nMyPassword\n' | adduser john diff --git a/sockd.conf b/sockd.conf new file mode 100644 index 0000000..9dc6124 --- /dev/null +++ b/sockd.conf @@ -0,0 +1,295 @@ +# +# A sample sockd.conf +# +# +# The config file is divided into three parts; +# 1) server settings +# 2) rules +# 3) routes +# +# The recommended order is: +# Server settings: +# logoutput +# internal +# external +# socksmethod +# clientmethod +# users +# compatibility +# extension +# timeout +# srchost +# +# Rules: +# client block/pass +# from to +# libwrap +# log +# +# block/pass +# from to +# socksmethod +# command +# libwrap +# log +# protocol +# proxyprotocol +# +# Routes: + +# the server will log both via syslog, to stdout and to /var/log/sockd.log +#logoutput: syslog stdout /var/log/sockd.log +logoutput: stderr + +# The server will bind to the address 10.1.1.1, port 1080 and will only +# accept connections going to that address. +#internal: 10.1.1.1 port = 1080 +# Alternatively, the interface name can be used instead of the address. +#internal: eth0 port = 1080 +internal: 0.0.0.0 port = 1080 + +# all outgoing connections from the server will use the IP address +# 195.168.1.1 +#external: 192.168.1.1 +external: eth0 +external.rotation: route + +# list over acceptable authentication methods, order of preference. +# An authentication method not set here will never be selected. +# +# If the socksmethod field is not set in a rule, the global +# socksmethod is filled in for that rule. +# + +# methods for socks-rules. +#socksmethod: username none #rfc931 +#socksmethod: username none # No authentication. +socksmethod: username # as described in the repo + +# methods for client-rules. +clientmethod: none # No authentication. + +#or if you want to allow rfc931 (ident) too +#socksmethod: username rfc931 none + +#or for PAM authentication +#socksmethod: pam + +# +# User identities, an important section. +# + +# when doing something that can require privilege, it will use the +# userid "sockd". +#user.privileged: sockd + +# when running as usual, it will use the unprivileged userid of "sockd". +user.unprivileged: sockd + +# If you are not using libwrap, no need for the below line, so leave +# it commented. +# If you compiled with libwrap support, what userid should it use +# when executing your libwrap commands? "libwrap". +#user.libwrap: libwrap + + +# +# Some options to help clients with compatibility: +# + +# when a client connection comes in the socks server will try to use +# the same port as the client is using, when the socks server +# goes out on the clients behalf (external: IP address). +# If this option is set, Dante will try to do it for reserved ports as well. +# This will usually require user.privileged to be set to "root". +#compatibility: sameport + +# If you are using the Inferno Nettverk bind extension and have trouble +# running servers via the server, you might try setting this. +#compatibility: reuseaddr + +# +# The Dante server supports some extensions to the socks protocol. +# These require that the socks client implements the same extension and +# can be enabled using the "extension" keyword. +# +# enable the bind extension. +#extension: bind + + +# +# Misc options. +# + +# how many seconds can pass from when a client connects til it has +# sent us it's request? Adjust according to your network performance +# and methods supported. +#timeout.negotiate: 30 # on a lan, this should be enough. + +# how many seconds can the client and it's peer idle without sending +# any data before we dump it? Unless you disable tcp keep-alive for +# some reason, it's probably best to set this to 0, which is +# "forever". +#timeout.io: 0 # or perhaps 86400, for a day. + +# do you want to accept connections from addresses without +# dns info? what about addresses having a mismatch in dns info? +#srchost: nodnsunknown nodnsmismatch + +# +# The actual rules. There are two kinds and they work at different levels. +# +# The rules prefixed with "client" are checked first and say who is allowed +# and who is not allowed to speak/connect to the server. I.e the +# ip range containing possibly valid clients. +# It is especially important that these only use IP addresses, not hostnames, +# for security reasons. +# +# The rules that do not have a "client" prefix are checked later, when the +# client has sent its request and are used to evaluate the actual +# request. +# +# The "to:" in the "client" context gives the address the connection +# is accepted on, i.e the address the socks server is listening on, or +# just "0.0.0.0/0" for any address the server is listening on. +# +# The "to:" in the non-"client" context gives the destination of the clients +# socks request. +# +# "from:" is the source address in both contexts. +# + + +# +# The "client" rules. +# + +# Allow everyone to connect to this server. +client pass { + from: 0.0.0.0/0 to: 0.0.0.0/0 + log: connect error # disconnect +} + +# Allow all operations for connected clients on this server. +socks pass { + from: 0.0.0.0/0 to: 0.0.0.0/0 + command: bind connect udpassociate + log: error # connect disconnect iooperation + #socksmethod: username +} +# Allow all inbound packets. +socks pass { + from: 0.0.0.0/0 to: 0.0.0.0/0 + command: bindreply udpreply + log: error # connect disconnect iooperation +} + +# Other sample rules below, supposing that our clients come from the net 10.0.0.0/8. + +# Allow our clients, also provides an example of the port range command. +#client pass { +# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0 +# clientmethod: rfc931 # match all idented users that also are in passwordfile +#} + +# This is identical to above, but allows clients without a rfc931 (ident) +# too. In practice this means the socks server will try to get a rfc931 +# reply first (the above rule), if that fails, it tries this rule. +#client pass { +# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0 +#} + + +# drop everyone else as soon as we can and log the connect, they are not +# on our net and have no business connecting to us. This is the default +# but if you give the rule yourself, you can specify details. +#client block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# log: connect error +#} + + +# the rules controlling what clients are allowed what requests +# + +# you probably don't want people connecting to loopback addresses, +# who knows what could happen then. +#socks block { +# from: 0.0.0.0/0 to: lo0 +# log: connect error +#} + +# the people at the 172.16.0.0/12 are bad, no one should talk to them. +# log the connect request and also provide an example on how to +# interact with libwrap. +#socks block { +# from: 0.0.0.0/0 to: 172.16.0.0/12 +# libwrap: spawn finger @%a +# log: connect error +#} + +# unless you need it, you could block any bind requests. +#socks block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# command: bind +# log: connect error +#} + +# or you might want to allow it, for instance "active" ftp uses it. +# Note that a "bindreply" command must also be allowed, it +# should usually by from "0.0.0.0/0", i.e if a client of yours +# has permission to bind, it will also have permission to accept +# the reply from anywhere. +#socks pass { +# from: 10.0.0.0/8 to: 0.0.0.0/0 +# command: bind +# log: connect error +#} + +# some connections expect some sort of "reply", this might be +# the reply to a bind request or it may be the reply to a +# udppacket, since udp is packet based. +# Note that nothing is done to verify that it's a "genuine" reply, +# that is in general not possible anyway. The below will allow +# all "replies" in to your clients at the 10.0.0.0/8 net. +#socks pass { +# from: 0.0.0.0/0 to: 10.0.0.0/8 +# command: bindreply udpreply +# log: connect error +#} + + +# pass any http connects to the example.com domain if they +# authenticate with username. +# This matches "example.com" itself and everything ending in ".example.com". +#socks pass { +# from: 10.0.0.0/8 to: .example.com port = http +# log: connect error +# clientmethod: username +#} + + +# block any other http connects to the example.com domain. +#socks block { +# from: 0.0.0.0/0 to: .example.com port = http +# log: connect error +#} + +# everyone from our internal network, 10.0.0.0/8 is allowed to use +# tcp and udp for everything else. +#socks pass { +# from: 10.0.0.0/8 to: 0.0.0.0/0 +# protocol: tcp udp +#} + +# last line, block everyone else. This is the default but if you provide +# one yourself you can specify your own logging/actions +#socks block { +# from: 0.0.0.0/0 to: 0.0.0.0/0 +# log: connect error +#} + +# route all http connects via an upstream socks server, aka "server-chaining". +#route { +# from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks +#}