Friday, December 19, 2008

socks 5

Examples


SS5 has many features, so the following examples can be useful when configuring the SOCKS server:



Example 1

Enable authentication using PAM for all IP addresses, and permit SSH access to the 172.30/16 network only to users in the CN=LOGON,CN=Users,DC=it directory group.

Also enable the authentication cache with an expiry time of 600 seconds.

set SS5_PAM_AUTH
set SS5_AUTHCACHEAGE 600

ldap_profile_ip x.y.w.z
ldap_profile_port 389
ldap_profile_base DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=user1,CN=Users,DC=it
ldap_profile_pass xxxxxx

auth 0.0.0.0/0 - u

permit u 0.0.0.0/0 - 172.30.0.0/16 22 - CN=LOGON,CN=Users,DC=it -



Example 2

Bind ss5 to a privileged port (lower than 1024):

ss5 -u root -b 0.0.0.0:1020



Example 3, a case study

In the following case, ss5 works with:

1. PAM authentication using pam_winbind.so
2. Directory authorization with multiple user stores (Active Directory)
3. Authentication cache enabled
4. Authorization cache enabled
5. NetBIOS domain support
6. Upstream proxying through another SOCKS server
7. Traffic dump to file

auth 0.0.0.0/0 - u

# Enable PAM authentication
set SS5_PAM_AUTH

# Set session timeout
set SS5_STIMEOUT 3600

# Enable the authentication cache for 600 seconds
set SS5_AUTHCACHEAGE 600

# Enable the authorization cache for 600 seconds
set SS5_AUTHOCACHEAGE 600

# Enable directory authorization with filter mode
set SS5_LDAP_FILTER

# Enable NetBIOS domain mapping with the directory
# (socks username in the form: domainA\user1)
set SS5_NETBIOS_DOMAIN

# Dump traffic data to file for connections to an Oracle DB server (port 1521)
dump 182.10.10.20/32 1521 1

# Upstream proxy for 162.10.10.0 network
proxy 162.10.10.0/24 - 10.10.10.20 1080 -

# Permit HTTP access to users who belong to the WEB group in Active Directory
# Auth SHost SPort DHost DPort Fixup Group Band
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -

# NetBIOS domain profile (for usernames of the form MSdomainA\userA)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base DC=subDomainA,DC=DomainA,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainA,DC=DomainA,DC=it
ldap_profile_pass password
ldap_netbios_domain MSDomainA

# NetBIOS domain profile (for usernames of the form MSdomainB\userB)
ldap_profile_ip 162.10.30.1
ldap_profile_port 389
ldap_profile_base DC=subDomainB,DC=DomainB,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainB,DC=DomainB,DC=it
ldap_profile_pass password
ldap_netbios_domain MSdomainB

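The permit lines in Examples 1 and 3 follow the column order of the header comment (Auth SHost SPort DHost DPort Fixup Group Band). As an added example, not part of SS5 or of this post, here is a small Python dry-run evaluator for such rules, useful for checking an ACL before deploying it. It assumes SS5 semantics of first matching permit wins and default deny when nothing matches, ignores the SPort, Fixup and Band columns, and treats the Group column as a DN that must appear in the user's MemberOf attribute.

```python
import ipaddress

# Constructed excerpt of the Example 3 ACL above (same column order as SS5's
# "# Auth SHost SPort DHost DPort Fixup Group Band" header).
RULES = """
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -
"""

KEYS = ("auth", "shost", "sport", "dhost", "dport", "fixup", "group", "band")


def parse_permits(text):
    """Return the permit lines as dicts; a '-' field is a wildcard."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 9 and parts[0] == "permit":
            rules.append(dict(zip(KEYS, parts[1:])))
    return rules


def _net_ok(field, ip):
    return field == "-" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def _port_ok(field, port):
    return field == "-" or int(field) == port


def is_permitted(rules, auth, src_ip, dst_ip, dst_port, groups):
    """Dry-run a connection against the permit rules.

    auth is the client's auth method ('u' = username/password, '-' = none);
    groups are the DNs from the user's MemberOf attribute. First match wins,
    no match means deny (assumed SS5 behaviour; SPort/Fixup/Band are ignored).
    """
    wanted = {g.lower() for g in groups}
    for r in rules:
        if r["auth"] != "-" and r["auth"] != auth:
            continue
        if not (_net_ok(r["shost"], src_ip) and _net_ok(r["dhost"], dst_ip)):
            continue
        if not _port_ok(r["dport"], dst_port):
            continue
        if r["group"] != "-" and r["group"].lower() not in wanted:
            continue
        return True
    return False
```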
