Thursday, June 17, 2010

the linux proxy problem

Those of you who use Linux for anything more than web browsing (in a university or office) will be aware of the problems a proxy can pose. In many places, as in my institute, you must use a specified proxy server to reach the outside world, and it requires authentication with your credentials.
In my college, a common login registered in a central LDAP server provides all authentication services (used for course registration, fee payments, email, proxy, ...). Hence it is very important to protect it. Here I will show one way to stop anyone from easily getting your password.


Network proxy loophole in GNOME:
If you are using GNOME (the default on Fedora/Ubuntu) and you set your proxy details in "System -> Preferences -> Network Proxy", then you open a simple loophole in the settings.
After setting your username/password, open a new terminal and type
    echo $http_proxy
Now you can clearly see your password as
        http://<user>:<pass>@proxy.com:3128/
Since many people come to your room in college, you can see how simple it is for them to get your credentials.

Is there a way out:
There may be other ways, but here's the one I follow. I create a local forwarding proxy server on my own computer and direct all applications to use that proxy. The settings for my proxy server are written in a file only readable by root.
What follows is a step-by-step guide to set it up. Tested on Fedora.

What do I use:
I use a small proxy server, 3proxy; you could also use any other proxy server such as Squid. In fact I used to use Squid before I came to know of 3proxy (when it was packaged in Fedora). Squid is a much more feature-rich and heavier proxy. When I was using it, it had a bug whereby it would do at least 100 CPU wakeups per second, using precious power on my laptop. This may have been fixed by now.

Installation:
 On Fedora systems you can do
    yum install 3proxy
A similar command for apt-get may work on Ubuntu (I've never tried).

Configuration:
The configuration you need to do is:

  1. Open the file /etc/3proxy.cfg as root in an editor of your choice
  2. Locate the line containing 'proxy -n'
  3. Above this line, up to the line 'dnspr', comment out all uncommented lines and instead add the following lines:

    auth iponly

    allow * * 127.0.0.0/24,<local_IPs> * * * *
    allow * * * * * * *
    parent 1000 http <proxy.server.com> <port> <proxy_user> <proxy_pass>
    proxy -n

    The values in angle brackets need to be replaced by your configuration. The values for my college are given in square brackets:
    <local_IPs> = IPs not connected through the proxy [10.0.0.0/8]
    <proxy.server.com> = proxy server [netmon.iitb.ac.in]
    <port> = proxy port [80]
    <proxy_user> = proxy authentication username
    <proxy_pass> = proxy authentication password
  4. Comment out all lines with the content:

    socks
    pop3p
    ftppr
    admin
    dnspr
    tcppm
    udppm
  5. Save the file
  6. As root, run (this will make the file only readable by the root user)
        chmod o-rwx /etc/3proxy.cfg
        chkconfig 3proxy on
  7. ??
  8. profit
The details of the 3proxy.cfg file are documented at http://www.3proxy.ru/doc/html/man3/3proxy.cfg.3.html

Now in whichever application you need to set the proxy server, set it as

http://127.0.0.1:3128/

without any authentication.
That's it. Now only root knows your LDAP password, and no one else can snoop.
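As an added example (not code from the original post): a small POSIX sh audit that detects the leak shown with `echo $http_proxy` above (a `*_proxy` variable carrying `user:pass@`) and verifies that the `chmod o-rwx` step really left /etc/3proxy.cfg unreadable by other users. The URL shape it parses is an assumption.

```shell
# Added audit helper (not from the original post): flags the two weak spots
# described above, a *_proxy variable that embeds user:pass@ and a 3proxy.cfg
# that other users can still read. Assumes scheme://[user[:pass]@]host[:port][/path].

# has_proxy_creds URL: succeeds if the authority part carries a user@ prefix
has_proxy_creds() {
    rest=${1#*://}
    case "${rest%%/*}" in *@*) return 0 ;; *) return 1 ;; esac
}

# redact_proxy_url URL: prints URL with any password replaced by ***,
# so a report can show which variable leaks without repeating the secret
redact_proxy_url() {
    url=$1
    has_proxy_creds "$url" || { printf '%s\n' "$url"; return 0; }
    scheme=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}
    path=${rest#"$authority"}
    userinfo=${authority%%@*}
    hostport=${authority#*@}
    case "$userinfo" in
        *:*) userinfo="${userinfo%%:*}:***" ;;
    esac
    printf '%s://%s@%s%s\n' "$scheme" "$userinfo" "$hostport" "$path"
}

# audit_proxy_env: one WARNING line per proxy variable that embeds
# credentials; returns 1 if any did, 0 if the environment is clean
audit_proxy_env() {
    leaked=0
    for var in http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
        eval "val=\${$var:-}"
        if [ -n "$val" ] && has_proxy_creds "$val"; then
            printf 'WARNING: %s embeds credentials: %s\n' "$var" "$(redact_proxy_url "$val")"
            leaked=1
        fi
    done
    return $leaked
}

# cfg_is_private FILE: succeeds only if FILE exists and the other-read bit
# (the one "chmod o-rwx" clears) is not set; e.g. cfg_is_private /etc/3proxy.cfg
cfg_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}
```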

EDIT:
If you want to automatically set the proxy environment variables for the whole system, you can create a file /etc/profile.d/proxy.sh with the following content:

export http_proxy=http://127.0.0.1:3128/
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy

Many (not all) programs on Linux use these environment variables to get proxy settings.

EDIT2 :
To set multiple proxies (different hosts go through different proxies) you can do something like the following (see the 3proxy.cfg manual for much more detail and many other options). Each parent line applies to the allow rule immediately before it:

    # direct connection
    allow * 127.0.0.1 127.0.0.0/24,<local_IPs> * *
    # through proxy1
    allow * * <hosts_thru_proxy1> * *
    parent 1000 http <proxy1.server.com> <port> <proxy_user> <proxy_pass>
    # through proxy2
    allow * * <hosts_thru_proxy2> * *
    parent 1000 http <proxy2.server.com> <port> <proxy_user> <proxy_pass>
    # through proxy3
    allow * * <hosts_thru_proxy3> * *
    parent 1000 http <proxy3.server.com> <port> <proxy_user> <proxy_pass>
    # everything else: direct
    allow * * * * *
    proxy -n

21 comments:

  1. Good one. It worked for me. I tried it on Ubuntu. Standard Ubuntu repos don't contain 3proxy, so I had to compile the source.
    One thing I want to say about this: it takes a lot of time to respond, so it's very slow. Maybe the proxy forwarding feature in 3proxy is not properly optimized. So some reputed proxies like Squid would be good (and stable too). Can you work on similar settings for the Squid proxy server?

  2. Any way we can have a proxy that uses 3 different proxies as parents.. and route different stuff through different proxies.. more like foxyproxy on FF?

  3. Yes, sure, 3proxy (Squid too) can do that.
    I've edited the post with a way in which it can be done (Blogger's comment system is too bad, it did not accept that text here).
    See the options in the 3proxy.cfg manual for many more options.
