diff --git a/tutorials/install-and-configure-danted-proxy-socks5/01.en.md b/tutorials/install-and-configure-danted-proxy-socks5/01.en.md index ba6400b0d..512e5ef49 100644 --- a/tutorials/install-and-configure-danted-proxy-socks5/01.en.md +++ b/tutorials/install-and-configure-danted-proxy-socks5/01.en.md @@ -2,7 +2,7 @@ SPDX-License-Identifier: MIT path: "/tutorials/install-and-configure-danted-proxy-socks5" slug: "install-and-configure-danted-proxy-socks5" -date: "2019-05-09" +date: "2024-08-28" title: "Install and Configure Dante Socks5 Proxy on Debian/Ubuntu" short_description: "This tutorial will explain how to Install and Configure the Dante Socks5 Proxy on Debian/Ubuntu." tags: ["Danted", "Proxy", "Socks5", "Debian", "Ubuntu"] 
@@ -21,222 +21,38 @@ cta: "dedicated" This tutorial will explain how to install and configure the Dante Socks5 Proxy on Debian/Ubuntu. Before you start the installation, you must meet the following conditions: **Prerequisites** -* Server with Operating System Linux : - * Debian 9 - * Ubuntu 18.04 -* Root access +* Server with Operating System Linux: + * Debian 12 + * Ubuntu 24.04 +* Access to root user or user with sudo permission * SSH Tools - * [PuTTY For Windows](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) + * [PuTTY For Windows](https://community.hetzner.com/tutorials/howto-ssh-on-windows) * OpenSSH in Linux/macOS (available by default) ## Step 1 - Install Dante -### Step 1.1 - Install from APT - -```bash -apt update - -// Debian 9 -apt install dante-server - -// Ubuntu 18.04 -apt install dante-server -``` - -When the installation is complete, you will see that Danted has encountered an error, because it has not been configured yet. - -Check Dante Version : -```bash -// Debian 9 -root@your_host:~# danted -v -Dante v1.4.1 - -// Ubuntu 18.04 -root@your_host:~# danted -v -Dante v1.4.2 -``` - -Please note: when installing Dante using apt on Debian 9 and Ubuntu 18.04 there are differences in versions. In Debian 9 the Dante version of 1.4.1 is different from Ubuntu 18.04 which is 1.4.2. Full details about release information are [HERE](https://www.inet.no/dante/). - -### Step 1.2 - Install from Source (Optional) - -If you want to install the latest version, please follow the tutorial below. Make sure to delete dante if it's already installed. 
- -In this tutorial, we use the Dante version 1.4.2 [(Download Pages)](https://www.inet.no/dante/download.html) - -```bash -apt update -apt install build-essential gcc make -wget http://www.inet.no/dante/files/dante-1.4.2.tar.gz -tar -xvf dante-1.4.2.tar.gz -cd dante-1.4.2 -./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-client --without-libwrap --without-bsdauth --without-gssapi --without-krb5 --without-upnp --without-pam -make -make install -``` - -Check Dante version : - -```bash -root@your_host:~# /usr/sbin/sockd -v -Dante v1.4.2 -``` - -You have successfully installed Dante from sources. Now, We have to make daemons danted on linux systems. - -```bash -nano /etc/init.d/danted -``` - -Copy and paste the configuration below: - -```bash -#! /bin/sh -### BEGIN INIT INFO -# Provides: danted -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: SOCKS (v4 and v5) proxy daemon (danted) -# Description: Starts or stops the Dante SOCKS proxy daemon. -# Its configuration is stored in the /etc/danted.conf file; -# see the danted.conf(5) manual page for details. -### END INIT INFO -# -# dante SOCKS server init.d file. Based on /etc/init.d/skeleton: -# Version: @(#)skeleton 1.8 03-Mar-1998 miquels@cistron.nl - -. /lib/lsb/init-functions - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON=/usr/sbin/sockd -NAME=danted -DESC="Dante SOCKS daemon" -PIDFILE=/var/run/$NAME.pid -CONFFILE=/etc/$NAME.conf - -test -f $DAEMON || exit 0 - -set -e - -# This function makes sure that the Dante server can write to the pid-file. -touch_pidfile () -{ - if [ -r $CONFFILE ]; then - uid="`sed -n -e 's/[[:space:]]//g' -e 's/#.*//' -e '/^user\.privileged/{s/[^:]*://p;q;}' $CONFFILE`" - if [ -n "$uid" ]; then - touch $PIDFILE - chown $uid $PIDFILE - fi - fi -} - -case "$1" in - start) - if ! 
egrep -cve '^ *(#|$)' \ - -e '^(logoutput|user\.((not)?privileged|libwrap)):' \ - $CONFFILE > /dev/null - then - echo "Not starting $DESC: not configured." - exit 0 - fi - echo -n "Starting $DESC: " - touch_pidfile - start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE \ - --exec $DAEMON -- -D - echo "$NAME." - ;; - stop) - echo -n "Stopping $DESC: " - start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE \ - --exec $DAEMON - echo "$NAME." - ;; - reload|force-reload) - # - # If the daemon can reload its config files on the fly - # for example by sending it SIGHUP, do it here. - # - # If the daemon responds to changes in its config file - # directly anyway, make this a do-nothing entry. - # - echo "Reloading $DESC configuration files." - start-stop-daemon --stop --signal 1 --quiet --pidfile \ - $PIDFILE --exec $DAEMON -- -D - ;; - restart) - # - # If the "reload" option is implemented, move the "force-reload" - # option to the "reload" entry above. If not, "force-reload" is - # just the same as "restart". - # - echo -n "Restarting $DESC: " - start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON - sleep 1 - touch_pidfile - start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --exec $DAEMON -- -D - echo "$NAME." - ;; - status) - if ! egrep -cve '^ *(#|$)' \ - -e '^(logoutput|user\.((not)?privileged|libwrap)):' \ - $CONFFILE > /dev/null - then - configured='' - else - configured='1' - fi - if start-stop-daemon --status --quiet --pidfile $PIDFILE \ - --exec $DAEMON; then - if [ -n "$configured" ]; then - echo "$DESC running" - else - echo "$DESC running, yet not configured?!" 
- fi - else - if [ -n "$configured" ]; then - echo "$DESC not running" - else - echo "$DESC not configured" - fi - fi - ;; - *) - N=/etc/init.d/$NAME - # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $N {start|stop|restart|force-reload|status}" >&2 - exit 1 - ;; -esac - -exit 0 -``` - -Give access to Danted daemon: - -```bash -chmod +x /etc/init.d/danted -update-rc.d danted defaults -``` - -Now you can start / stop danted services with the installed version using apt: - -```bash -systemctl status danted -systemctl start danted -systemctl stop danted - -// Automatic Start Danted After Reboot -systemctl enable danted -``` - +You can install Dante with apt. When using apt to install Dante, it might not install the latest version. Full details about release information are [HERE](https://www.inet.no/dante/). + +* Update the system packages and install Dante: + ```bash + sudo apt update + sudo apt install dante-server + ``` + On Debian, you might also need to run: + ```bash + export PATH=$PATH:/usr/sbin + ``` + +* Check Dante Version: + ```bash + holu@your_host:~# danted -v + Dante v1.4.3 + ``` ## Step 2 - Configure Dante ### Step 2.1 - Internet Interface -We must check the server interface, in the example below, the server uses the `eth0` interface. +In the next step, we will create the Dante configuration file. In this file, you have to add the interface name of the public interface. We can check the interface name by running `ip a`. The public interface usually has an MTU size of 1500 bytes. In the example below, the server uses the `eth0` interface. ```bash root@your_host:~# ip a 
@@ -244,12 +60,12 @@ root@your_host:~# ip a link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever - inet6 ::1/128 scope host + inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever -2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 +2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:50:56:06:d1:d0 brd ff:ff:ff:ff:ff:ff - inet 10.0.0.1/24 brd 10.0.0.1 scope global eth0 - valid_lft forever preferred_lft forever + inet 203.0.113.1/32 metric 100 scope global dynamic eth0 + valid_lft 86232sec preferred_lft 86232sec ``` ### Step 2.2 - Dante Configuration @@ -257,18 +73,18 @@ root@your_host:~# ip a Before we change the configuration, we must make a backup configuration file, because in the configuration file there is information about the functions of each configuration line. ```bash -mv /etc/danted.conf /etc/danted.conf.bak +sudo mv /etc/danted.conf /etc/danted.conf.bak ``` Then we edit the Danted configuration: ```bash -nano /etc/danted.conf +sudo nano /etc/danted.conf ``` Copy and paste the configuration below: -``` +```conf logoutput: /var/log/socks.log internal: eth0 port = 1080 external: eth0 
@@ -295,31 +111,46 @@ socks block { } ``` -Configuration Notes -* If your server does not use the eth0 interface, change it in the section `internal` and `external`. -* If you use public wifi and it turns out that the non-standard port is blocked, you can replace it with another port like `53` or `443`, change in `port = 1080` to port you want it. +Configuration Notes: + +* If your server does not use the `eth0` interface, change it in the sections `internal` and `external`. +* If you use public wifi and it turns out that the non-standard port is blocked, you can replace it with another port like `53` or `443`. In this case, change the port in `port = 1080` to the port you want. + +Make sure Dante can write the log entries: + +```bash +sudo nano /lib/systemd/system/danted.service +``` + +Add this entry and save the changes: + +``` +[Service] +ReadWriteDirectories=/var/log +``` Start and check if Danted is running normally: ```bash -systemctl start danted -systemctl status danted +sudo systemctl daemon-reload +sudo systemctl start danted +sudo systemctl status danted ``` ### Step 2.3 - Dante Socks5 Test ```bash -curl -x socks5://: https://ip.hetzner.com +curl -x socks5://: -4 https://ip.hetzner.com ``` Example output of the command: ```bash -root@your_host:~# curl -x socks5://10.0.0.1:1080 https://ip.hetzner.com -10.0.0.1 +holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com +203.0.113.1 ``` -If when doing a test it turns out that it failed, you can check the log is Danted on `/var/log/socks.log` +If the test fails, you can check the Danted log in `/var/log/socks.log`. ## Step 3 - Limit Access 
@@ -327,9 +158,9 @@ If when doing a test it turns out that it failed, you can check the log is Dante You can restrict access to your proxy server using a username and password. -Edit Danted Configuration on `/etc/danted.conf`, and change this section: +Edit the Danted configuration in `/etc/danted.conf`, and change this section: -``` +```conf # socksmethod: none // for non-authentication socksmethod: username 
@@ -341,94 +172,107 @@ socks pass { } ``` -Save and restart using `systemctl restart danted`. +Save, and restart using: + +```bash +sudo systemctl restart danted +sudo systemctl status danted +``` To create a user and password, use the following command: ```bash -useradd holu -r -passwd holu +sudo useradd holu -r +sudo passwd holu ``` Use the following command to test the login with your username and password: ```bash -curl -x socks5://:@: https://ip.hetzner.com +curl -x socks5://:@: -4 https://ip.hetzner.com ``` Example output of the command: * With Username & Password: -```bash -root@your_host:~# curl -x socks5://holu:2M6GTPkKubsrED5F@10.0.0.1:1080 https://ip.hetzner.com -10.0.0.1 -``` + ```bash + holu@your_host:~# curl -x socks5://holu:secure-password@203.0.113.1:1080 -4 https://ip.hetzner.com + 203.0.113.1 + ``` * Without Username & Password: -```bash -root@your_host:~# curl -x socks5://10.0.0.1:1080 https://ip.hetzner.com -curl: (7) No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.) + ```bash + holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com + curl: (97) No authentication method was acceptable. # It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection. 
+ ``` -``` +You can check the login for success or failure on your proxy server with this command: -You can check the login for success or failure on your proxy server with the command `tail -10 /var/log/socks.log` +```bash +sudo tail -10 /var/log/socks.log +``` Example output of the command: + ```bash -root@your_host:~# tail -10 /var/log/socks.log -Apr 19 12:15:16 (1555701316.599506) danted[1477]: info: pass(1): tcp/accept [: 203.0.113.1.36730 10.0.0.1.1080 -Apr 19 12:15:16 (1555701316.625405) danted[1479]: info: pass(1): tcp/connect [: username%holu@203.0.113.1.36730 10.0.0.1.1080 -> 10.0.0.1.36730 104.28.19.94.80 -Apr 19 12:15:16 (1555701316.808180) danted[1479]: info: pass(1): tcp/connect ]: 363 -> username%holu@203.0.113.1.36730 10.0.0.1.1080 -> 75, 75 -> 10.0.0.1.36730 104.28.19.94.80 -> 363: local client closed. Session duration: 0s -Apr 19 12:15:16 (1555701316.808231) danted[1479]: info: pass(1): tcp/accept ]: 363 -> 203.0.113.1.36730 10.0.0.1.1080 -> 75: local client closed. Session duration: 0s -Apr 19 12:15:20 (1555701320.794622) danted[1596]: info: pass(1): tcp/accept [: 203.0.113.1.36732 10.0.0.1.1080 -Apr 19 12:15:20 (1555701320.796002) danted[1596]: info: block(1): tcp/accept ]: 203.0.113.1.36732 10.0.0.1.1080: error after reading 4 bytes in 0 seconds: client offered no acceptable authentication method +holu@your_host:~# sudo tail -10 /var/log/socks.log +Aug 28 09:48:27 (1724838507.525562) danted[2129]: info: pass(1): tcp/accept [: 203.0.113.1.38304 203.0.113.1.1080 +Aug 28 09:48:27 (1724838507.599879) danted[2146]: info: pass(1): tcp/connect [: username%sock@203.0.113.1.38304 203.0.113.1.1080 -> 203.0.113.1.46603 213.133.116.46.443 +Aug 28 09:48:27 (1724838507.717996) danted[2146]: info: pass(1): tcp/connect ]: 4178 -> username%sock@203.0.113.1.38304 203.0.113.1.1080 -> 799, 799 -> 203.0.113.1.46603 213.133.116.46.443 -> 4178: local client closed. 
Session duration: 0s +Aug 28 09:48:27 (1724838507.718030) danted[2146]: info: pass(1): tcp/accept ]: 4178 -> 203.0.113.1.38304 203.0.113.1.1080 -> 799: local client closed. Session duration: 0s +Aug 28 09:48:33 (1724838513.864032) danted[2129]: info: pass(1): tcp/accept [: 203.0.113.1.34414 203.0.113.1.1080 +Aug 28 09:48:33 (1724838513.864239) danted[2129]: info: block(1): tcp/accept ]: 203.0.113.1.34414 203.0.113.1.1080: error after reading 4 bytes in 0 seconds: client offered no acceptable authentication method ``` ### Step 3.2 - Limit by IP Address -In the previous danted configuration, we gave public access to all IPs to connect to our proxy server. In this step, we will limit access to only one or several IPs. +In the previous Danted configuration, we gave public access to all IPs to connect to our proxy server. In this step, we will limit access to only one or several IPs. -Edit Danted Configuration on `/etc/danted.conf`, and change this section: -``` +Edit the Danted configuration in `/etc/danted.conf`, and change this section: + +```conf client pass { - from: 203.0.113.1/32 to: 0.0.0.0/0 + from: 198.51.100.1/32 to: 0.0.0.0/0 log: error connect disconnect } ``` -* `203.0.113.1/32` is the single IP you want to allow access to your proxy server. +* `198.51.100.1/32` is the single IP you want to allow access to your proxy server. If you want to add another single IP again, just repeat the configuration. -``` +```conf client pass { - from: 203.0.113.1/32 to: 0.0.0.0/0 + from: 198.51.100.1/32 to: 0.0.0.0/0 log: error connect disconnect } client pass { - from: 198.51.100.1/32 to: 0.0.0.0/0 + from: 10.0.0.2/32 to: 0.0.0.0/0 log: error connect disconnect } ``` -Save and restart using `systemctl restart danted`. +Save, and restart using: +```bash +sudo systemctl restart danted +sudo systemctl status danted +``` If you want to give a range or block of IPs access, change the slash behind the IP to your IP block. 
Use the following command to test the login to the proxy server with an unregistered IP: * If you are using username and password authentication -```bash -root@your_host:~# curl -x socks5://holu:2M6GTPkKubsrED5F@10.0.0.1:1080 https://ip.hetzner.com -curl: (7) Unable to receive initial SOCKS5 response. - -``` + ```bash + holu@your_host:~# curl -x socks5://holu:secure-password@203.0.113.1:1080 -4 https://ip.hetzner.com + curl: (97) Recv failure: Connection reset by peer + ``` * If you are not using username and password authentication -```bash -root@your_host:~# curl -x socks5://10.0.0.1:1080 https://ip.hetzner.com -curl: (7) Unable to receive initial SOCKS5 response. -``` + ```bash + holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com + curl: (97) Recv failure: Connection reset by peer + ``` ## Conclusion
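Review bot: In the `@@ -21,222 +21,38 @@` hunk, the new Step 2.1 sentence tells readers to recognise the public interface by its MTU of 1500 bytes, which does not distinguish it, since private and secondary Ethernet interfaces normally report the same MTU. Suggest identifying it by the default route (`ip route show default`) or by the interface that holds the public address. In the same hunk, `export PATH=$PATH:/usr/sbin` only lasts for the current shell, so either say so or call the binary by its full path; the link text also still reads "PuTTY For Windows" although the target is now the howto-ssh-on-windows tutorial.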
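Review bot: In the `@@ -295,31 +111,46 @@` hunk, the new "Make sure Dante can write the log entries" step edits `/lib/systemd/system/danted.service` in place, which is a packaged file that a later `dante-server` upgrade can replace, silently removing the log permission. Suggest a drop-in instead (`sudo systemctl edit danted`), which keeps the same `[Service]` lines under `/etc/systemd/system/danted.service.d/`. `ReadWriteDirectories=` is the legacy name of `ReadWritePaths=`, and opening all of `/var/log` is wider than the single `/var/log/socks.log` that `logoutput` writes; a dedicated log directory would narrow it.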
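Review bot: In the `@@ -341,94 +172,107 @@` hunk, the prompts now show `holu@your_host` as the logged-in sudo user, yet the step still runs `sudo useradd holu -r`, which fails if that account already exists and otherwise makes the proxy password a system account password. Suggest a separate proxy-only account name created without a login shell (for example `--shell /usr/sbin/nologin`), because SOCKS5 username/password authentication sends the credential in clear text and it should not also work for SSH. The new sample log shows `username%sock@203.0.113.1.38304` while the tutorial's user is `holu`, and it uses `203.0.113.1` as both client and server address; aligning these with the commands above would make the log easier to read.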