Those of you who use Linux for anything more than web browsing (in a university or office) must be aware of the problems a proxy can pose. In many places, as in my institute, you have to use a specified proxy server to reach the outside world, and it requires authentication with your credentials.
In my college, a common login registered in a central LDAP server provides all authentication services (used for course registration/fee payments/emails/proxy/...). Hence it is very important to protect it. Here I will show one way to avoid anyone easily getting your password.
Network proxy loophole in GNOME:
If you are using GNOME (default Fedora/Ubuntu) and you set your proxy details in "system->preferences->network proxy" then you open a simple loophole in the settings.
After setting your username/password, open a new terminal and type
echo $http_proxy
Now you can clearly see your password as
http://<user>:<pass>@proxy.com:3128/
Now since many people come to your rooms in colleges you can see how simple it is to get your credentials.
Is there a way out:
There may be other ways, but here's the one which I follow. I create a local forwarding proxy server on my own computer and direct all applications to use that proxy. The settings for my proxy server are written in a file readable only by root.
What follows is a step-by-step guide to set it up. Tested on Fedora.
What do i use:
I use a small proxy server, 3proxy; you could also use any other proxy server, such as squid. In fact I used to use squid before I came to know of 3proxy (when it was packaged in Fedora). Squid is a much more feature-rich and heavier proxy. When I was using it, it had a bug whereby it would do at least 100 CPU wakeups per second, using precious power on my laptop. This may have been fixed by now.
Installation:
On Fedora systems you can do
yum install 3proxy
A similar command for apt-get may work on Ubuntu (I've never tried).
Configuration:
The configuration you need to do is
- Open the file /etc/3proxy.cfg in editor of your choice as root
- Locate the line containing 'proxy -n'
- Above this line, up to the line 'dnspr', comment out all uncommented lines and instead add the following lines:
auth iponly
allow * * 127.0.0.0/24,<local_IPs> * * * *
allow * * * * * * *
parent 1000 http <proxy.server.com> <port> <proxy_user> <proxy_pass>
proxy -n
The values in angle brackets need to be replaced by your configuration. The values for my college are given in square brackets.
<local_IPs> = IPs not connected through proxy [10.0.0.0/8]
<proxy.server.com> = proxy server [netmon.iitb.ac.in]
<port> = proxy port [80]
<proxy_user> = proxy authentication username
<proxy_pass> = proxy authentication password
- Comment out all lines with the content:
socks
pop3p
ftppr
admin
dnspr
tcppm
udppm
- Save the file
- As root, run (this will make the file readable only by the root user)
chmod o-rwx /etc/3proxy.cfg
chkconfig 3proxy on
- ??
- profit
Now in whichever application you need to set the proxy server, set it as
http://127.0.0.1:3128/
without any authentication.
That's it. Now only root knows your LDAP password, and no one else can snoop.
EDIT:
If you automatically want to set the proxy environment variable of the whole system, then you can create a file /etc/profile.d/proxy.sh with the following content
export http_proxy=http://127.0.0.1:3128/
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy
Many (not all) programs on Linux use these environment variables to get proxy settings.
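A quick audit of the exposure this post describes, as an added example that is not part of the original post: it reports which proxy variables carry an embedded password and whether /etc/3proxy.cfg is still accessible to other users. The function names and the sample values in the comments are constructed for illustration; the upper-case variable names are checked in addition to the three the post sets.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are made up here.

# Succeeds if a proxy URL embeds "user:password@" before the host.
proxy_url_has_credentials() {
    rest=${1#*://}           # drop the scheme, if present
    authority=${rest%%/*}    # keep everything up to the first "/"
    case $authority in
        *:*@*) return 0 ;;   # e.g. alice:s3cret@proxy.example:3128 (constructed)
        *)     return 1 ;;   # e.g. 127.0.0.1:3128, or user@host without a password
    esac
}

# Prints the NAME (never the value) of each proxy variable that exposes a password.
leaky_proxy_vars() {
    for name in http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
        eval "value=\${$name-}"
        if proxy_url_has_credentials "$value"; then
            echo "$name"
        fi
    done
}

# Succeeds if "others" have no permission bits on the file (the effect of chmod o-rwx).
others_have_no_access() {
    [ -e "$1" ] || return 2
    case $(ls -ld "$1") in
        ???????---*) return 0 ;;   # type + owner bits + group bits, then "---"
        *)           return 1 ;;
    esac
}

audit_proxy_setup() {
    cfg=${1:-/etc/3proxy.cfg}
    leaks=$(leaky_proxy_vars)
    if [ -n "$leaks" ]; then
        echo "password visible in environment: $leaks"
    else
        echo "no password in proxy environment variables"
    fi
    if others_have_no_access "$cfg"; then
        echo "$cfg: not accessible to other users"
    else
        echo "$cfg: missing, or accessible to other users"
    fi
}

audit_proxy_setup "$@"
```

Run it from a normal user session after logging in again, so that /etc/profile.d/proxy.sh has been applied.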
EDIT2 :
To set multiple proxies (different hosts go through different proxies) you can do something like below (see 3proxy.cfg manual for much more detail and many other options):
# direct connection
allow * 127.0.0.1 127.0.0.0/24,<local_IPs> * *
# through proxy1
allow * * <hosts_thru_proxy1> * *
parent 1000 http <proxy1.server.com> <port> <proxy_user>
# through proxy2
allow * * <hosts_thru_proxy2> * *
parent 1000 http <proxy2.server.com> <port> <proxy_user>
# through proxy3
allow * * <hosts_thru_proxy3> * *
parent 1000 http <proxy3.server.com> <port> <proxy_user>
allow * * * * *
proxy -n
Good one. It worked for me. I tried it on Ubuntu. Standard Ubuntu repos don't contain 3proxy. So I had to compile the source.
One thing I want to say about this.. It takes a lot of time to respond. So it's very slow. Maybe the proxy forwarding feature in 3proxy is not properly optimized. So some reputed proxies like squid would be good (and stable too). Can you work on similar settings for the squid proxy server?
Any way we can have a proxy that uses 3 different proxies as parents.. and route different stuff through different proxies.. more like foxyproxy on FF?
Yes sure, 3proxy (squid too) can all do that.
I've edited the post to show a way in which it can be done (blogger's comment system is too bad, did not accept that text here)
See the options in the 3proxy.cfg manual for many more options