Enabling Proxies


Another way to add security to the network is to relay through a proxy. Chapter 5 covers how to install a SOCKS server to assist privacy; that example relays web traffic through an SSH tunnel, and it works because the web browser was configured to use the proxy. Under Dapper there are many different ways to configure proxies: a general system proxy setting that few applications use, and generic proxy settings that are supported by a variety of applications.

Proxies can add more than a level of indirection. Some proxy systems, like Tor, can provide network anonymity.

Using the General System Proxy

Individual applications can each be configured to use a proxy independently. In contrast, Ubuntu's Gnome desktop supports a global proxy configuration. In theory, every application then uses the proxy rather than accessing the Internet directly. In reality, only specific applications honor these settings, and you may need to log out and log back in before even those pick them up. General system proxy configurations are commonly required on corporate networks that have specific outbound relays for accessing the Internet.

To set the general proxy, use System → Preferences → Network Proxy. This opens the Network Proxy Preferences applet (see Figure 11-3). In this applet, you can declare your SOCKS, HTTP, HTTPS, and FTP proxy servers. You will need to know the host names (or network addresses) as well as the proxy port numbers. Under the Advanced Configuration tab, you can specify local hosts and networks that do not require proxy access.

Figure 11-3: The Network Proxy Preferences applet.

Enabling Application-Specific Proxy Configurations

Although the global proxy settings are a nice idea, they are currently not supported by many applications. For example, the settings may be ignored by firefox, ssh, wget, and apt-get. If you want more general proxy support, you can use environment variables. Many applications look for HTTP, HTTPS, and FTP proxy definitions in variable names that have become de facto standards. Table 11-6 lists the more common definitions. In general, if the variable is in all capitals, only the server name and port number are specified. Lowercase variables need entire URLs.

Table 11-6: Common Proxy Environment Variables

Variable      Example                                        Purpose
HTTP_PROXY    export HTTP_PROXY=10.1.2.45:8080               Define an HTTP proxy.
FTP_PROXY     export FTP_PROXY=10.1.2.45:8081                Define an FTP proxy.
ftp_proxy     export ftp_proxy="http://10.1.2.45:8081/"      Specify a proxy for relaying FTP traffic.
http_proxy    export http_proxy="http://10.1.2.45:8080/"     Specify an HTTP proxy.
https_proxy   export https_proxy="http://10.1.2.45:8082/"    Specify an HTTPS proxy.
gopher_proxy  export gopher_proxy="http://10.1.2.45:8083/"   Although few networks still support the GOPHER protocol, you can specify a proxy if you need it.
wais_proxy    export wais_proxy="http://10.1.2.45:8084/"     As with GOPHER, you can specify a WAIS proxy if you need it.

(There must be no space between the = and the value: export ftp_proxy= "http://..." sets an empty ftp_proxy and then fails trying to export the URL as a variable name.)

Warning 

Setting the general system proxy defines many of these variables for new shells and applications, but only for Gnome applications. For example, if you start the Gnome Terminal they will be set; if you start an xterm, they will not. They will also not necessarily be available if you log in remotely, and you may need to log out and log back in for the changes to take effect. If you depend on these proxy settings, define them manually.

Tip 

In many corporate environments, the same server and port are used for all proxy services. They do not need to all be different.

These proxy definitions can be added to your $HOME/.profile (or $HOME/.bashrc) for individual user declarations. For system-wide support, add them to /etc/bash.bashrc or /etc/profile. Keep in mind that those files are only read by shells, so programs started from the desktop menu or as daemons do not see them; /etc/environment, which PAM applies at login, covers desktop sessions as well.

Note 

Setting proxy variables does not affect applications that are already running; a process only inherits the environment it was started with. Log out and log back in (or restart the application) to pick up the new values.

Defining these proxy variables will give you proxy support for some applications, but other applications need their own configurations. For example:

  • Firefox-Proxy settings for the web browser must be specified through the Firefox preferences. If you have multiple profiles, then you will need to set the preferences in each one of them.

  • APT-The apt-get command looks for proxies in /etc/apt/apt.conf. The default install says:

     Acquire::http::Proxy "false"; 

    This setting turns off proxy use for apt's HTTP access. If you need to use a proxy, change the line to something like:

     Acquire::http::Proxy "http://proxyserver:port/"; 

    This tells apt-get to use that specific proxy for HTTP access. Other transports have their own setting (for example, Acquire::ftp::Proxy for FTP sources), so if you have several proxies available you can define each one.
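The variables in Table 11-6 are only useful if the program on the other end actually reads them. The following Python script is an added example (not from the book) that builds the Table 11-6 variable set for one proxy and then asks Python's own urllib, a typical consumer of these de facto variables, what it would use. It also exercises no_proxy, the environment counterpart of the applet's "ignore hosts" list, which the book does not list but which curl, wget and urllib honor. The proxy address, port and bypass list are made-up values.

```python
# Added example (not from the book): build the proxy variables from Table 11-6
# for one proxy and check what a real consumer (Python's urllib) makes of them.
import os
import urllib.request

SCHEMES = ("http", "https", "ftp")


def proxy_environment(host, port, no_proxy=("localhost", "127.0.0.1", ".local.lan")):
    """Return the variable set for one proxy, following the page's convention:
    upper-case names hold host:port, lower-case names hold a full URL.

    no_proxy is not in Table 11-6; it is the environment counterpart of the
    applet's "ignore hosts" list and is honoured by curl, wget and urllib.
    The default bypass list here is an assumed example, not a standard value.
    """
    hostport = f"{host}:{port}"
    env = {}
    for scheme in SCHEMES:
        env[f"{scheme.upper()}_PROXY"] = hostport
        env[f"{scheme}_proxy"] = f"http://{hostport}/"
    env["no_proxy"] = ",".join(no_proxy)
    return env


def as_seen_by_urllib(env, hosts=(), cgi=False):
    """Temporarily install `env` and report what urllib would do with it.

    Returns (proxies, bypass): the scheme -> proxy map urllib derives from the
    environment, and for each host in `hosts` whether no_proxy excludes it.
    cgi=True also sets REQUEST_METHOD, as a web server does for CGI scripts;
    urllib then deliberately ignores the upper-case HTTP_PROXY, because a
    client-supplied "Proxy:" request header lands in that same variable
    (CVE-2016-1000110, "httpoxy").  The caller's environment is restored.
    """
    names = [n for n in os.environ if n.lower().endswith("_proxy")]
    names.append("REQUEST_METHOD")
    saved = {n: os.environ.pop(n) for n in names if n in os.environ}
    os.environ.update(env)
    if cgi:
        os.environ["REQUEST_METHOD"] = "GET"
    try:
        proxies = urllib.request.getproxies_environment()
        bypass = {h: urllib.request.proxy_bypass_environment(h, proxies) for h in hosts}
    finally:
        for n in list(env) + ["REQUEST_METHOD"]:
            os.environ.pop(n, None)
        os.environ.update(saved)
    return proxies, bypass


if __name__ == "__main__":
    env = proxy_environment("10.1.2.45", 8080)       # constructed example values
    for name, value in env.items():
        print(f"export {name}={value}")              # lines to paste into ~/.profile
    proxies, bypass = as_seen_by_urllib(
        env, hosts=("outside.local.lan", "www.google.com", "localhost:8118"))
    print("urllib will use:", proxies)                # lower-case URL form wins
    print("bypasses the proxy:", bypass)
    cgi_only_upper = {"HTTP_PROXY": env["HTTP_PROXY"]}
    print("as a CGI script with only HTTP_PROXY:", as_seen_by_urllib(cgi_only_upper, cgi=True)[0])
```

Two things worth noticing when you run it: when both forms of a variable are set, urllib prefers the lower-case URL form, so keep the two consistent or you will debug the wrong one; and a host matches no_proxy by exact name or by domain suffix, with any port stripped first, which is why localhost:8118 (the privoxy address used later in this chapter) is bypassed.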

Enabling SOCKS Clients

While HTTP and FTP proxies forward specific protocols, SOCKS servers can forward almost any protocol. This can be specified using the SOCKS_SERVER environment variable. For example:

 export SOCKS_SERVER=10.1.2.251:1080 

Unfortunately, most applications do not support SOCKS, even if the environment variable is defined. For SOCKS support, you will need to socksify applications.

  1. If you have not already installed it, then install the dante-client package. This will give you a SOCKS client.

     sudo apt-get install dante-client 
  2. Edit the /etc/dante.conf configuration and declare your SOCKS server. You will need to know the server's network address, port, and version (either SOCKSv4 or SOCKSv5). My configuration specifies a SOCKS server at 10.1.2.251 and uses the standard port 1080. The configuration looks like this:

     route {
         from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.2.251 port = 1080
         protocol: tcp udp                 # server supports tcp and udp
         proxyprotocol: socks_v4 socks_v5  # server supports both versions
         method: none #username            # no authentication needed
     }

  3. To enable SOCKS support for non-SOCKS applications, run the application through the socksify wrapper. For example to use ssh to connect to the host outside.local.lan via the SOCKS server, I can use:

     socksify ssh outside.local.lan 

    Similarly, I can force Firefox to use the SOCKS server without changing the Firefox proxy settings:

     socksify firefox 
Note 

Socksifying Firefox will only work if there are no other open Firefox windows. This is because Firefox uses inter-process communication when multiple instances are running, and will hand the request to the existing (unsocksified) instance instead of creating a new one. You can overcome this limitation by using socksify firefox -no-xshm.

Anonymizing with Tor

A simple proxy is good for relaying traffic, but a group of proxies can provide network anonymity. A system called The Onion Router (Tor) uses groups of linked proxies to relay traffic. Each hop is encrypted, so an observer on any single link cannot see both where the traffic came from and where it is going. The exit relay, however, hands the traffic to the destination in whatever form the application sent it, so anything you want kept private should still use TLS or SSH inside Tor. From the client's end, Tor looks like just another SOCKS proxy server (although it may have significantly higher network delays).

Installing Tor is relatively easy:

 sudo apt-get install tor 

The installation packages include startup scripts for /etc/init.d/ and intelligent default configurations.

To run an application over the Tor network, either set its SOCKS proxy to localhost:9050, or use the program torify the same way you would use socksify. For example, to run Firefox through the Tor network, you can use: torify firefox -no-xshm. When Firefox runs using Tor, your external IP address may be anywhere in the world. Connecting to sites like Google (http://www.google.com) may display text in English, German, Italian, or some other language depending on where Google thinks you are coming from.

Understanding Tor's Limitations

Although Tor does make all of the SOCKS connections effectively anonymous, there are still some ways to breach the anonymity.

The most significant leak involves host name lookups. Tor only carries TCP, and a DNS query is normally a UDP packet sent directly from your machine to your resolver. If the socksified program resolves the host name itself and hands only the resulting IP address to the SOCKS server (SOCKSv4, or SOCKSv5 with an IP address), that query leaves your system in the clear and can be traced back to you, even though the connection itself goes through Tor. Tor's SOCKS port can accept the unresolved host name (SOCKSv4a, or a SOCKSv5 domain-name address) and resolve it at the exit relay, but only if the client sends it that way. One way to overcome this limitation is to install the privoxy package.

 sudo apt-get install privoxy 

The privoxy system provides an HTTP proxy interface to Tor. Since an HTTP proxy receives the full URL from the client and resolves the name itself, the client never generates a DNS query. You can then use the HTTP_PROXY and http_proxy environment variables (or the Firefox HTTP proxy connection preference) to point at the privoxy server on localhost:8118. Check that /etc/privoxy/config actually forwards to Tor's SOCKS port, for example with the line forward-socks4a / 127.0.0.1:9050 . (the trailing dot means no parent HTTP proxy); without such a line privoxy simply fetches pages directly.

While privoxy provides anonymity for web requests, it offers no protection for other protocols. For example, ssh run through socksify will, by default, resolve the host name locally before contacting the SOCKS server, and that lookup is traceable. Dante can be told to pass the name through to the server instead with resolveprotocol: fake in /etc/dante.conf, which requires a SOCKSv4a or SOCKSv5 server; Tor supports both.
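The leak described above, and the difference between "SOCKS forwards almost any protocol" (see Enabling SOCKS Clients) and "SOCKS hides where the name is resolved", is easiest to see at the protocol level. The following Python script is an added example that is not part of the book. It builds and sends a SOCKS5 CONNECT request in both forms: with the host name inside the request (address type 0x03, which Tor resolves at the exit relay) and with a locally resolved IP address (address type 0x01, where the preceding lookup is the traceable UDP query). A small recording stand-in for a SOCKS server is constructed inline so the script runs offline; the host names and addresses are made up, and against a real Tor instance the proxy would be ("127.0.0.1", 9050).

```python
# Added example (not from the book): where the name lookup happens in a SOCKS5
# CONNECT request, which is the leak the text describes for Tor.
import socket
import struct
import threading

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(dest_host, dest_port, remote_dns=True):
    """SOCKS5 CONNECT request (RFC 1928, section 4).

    remote_dns=True : address type 0x03; the host name travels inside the
                      request and the proxy (Tor, at its exit) resolves it.
    remote_dns=False: address type 0x01; we resolve first, and with Tor that
                      local lookup is the UDP DNS query the text warns about.
    """
    if remote_dns:
        name = dest_host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = socket.gethostbyname(dest_host)        # the observable lookup
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", dest_port)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def socks5_connect(proxy, dest, remote_dns=True):
    """Connect to dest=(host, port) through the SOCKS5 server at proxy=(host, port),
    e.g. ("127.0.0.1", 9050) for Tor, with no authentication (the 'method: none'
    case of the dante.conf above).  Returns the connected socket."""
    sock = socket.create_connection(proxy)
    sock.sendall(bytes([SOCKS5, 1, 0x00]))          # greeting: one method, 0x00 = no auth
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS5 or method != 0x00:
        sock.close()
        raise ConnectionError("proxy rejected the no-authentication method")
    sock.sendall(build_connect_request(dest[0], dest[1], remote_dns))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS5 or rep != 0x00:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep:#04x}")
    # Drain BND.ADDR and BND.PORT; an outgoing connection does not need them.
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16 + 2)
    else:
        sock.close()
        raise ConnectionError(f"unknown address type {atyp:#04x} in reply")
    return sock


class RecordingSocks5Server(threading.Thread):
    """Constructed stand-in for a SOCKS5 server so the example runs offline.
    It records what address form each client sent, then answers 'succeeded'."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.requests = []                          # (atyp, target, port) per client

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            with conn:
                _ver, nmethods = _recv_exact(conn, 2)
                _recv_exact(conn, nmethods)
                conn.sendall(bytes([SOCKS5, 0x00]))
                _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
                if atyp == ATYP_DOMAIN:
                    target = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
                else:
                    target = socket.inet_ntoa(_recv_exact(conn, 4))
                port = struct.unpack("!H", _recv_exact(conn, 2))[0]
                self.requests.append((atyp, target, port))
                conn.sendall(bytes([SOCKS5, 0x00, 0x00, ATYP_IPV4]) + bytes(6))


if __name__ == "__main__":
    server = RecordingSocks5Server()
    server.start()
    proxy = ("127.0.0.1", server.port)             # for real Tor: ("127.0.0.1", 9050)
    socks5_connect(proxy, ("check.torproject.org", 443)).close()         # name goes to the proxy
    socks5_connect(proxy, ("10.1.2.45", 80), remote_dns=False).close()   # IP literal, so no lookup here
    for atyp, target, port in server.requests:
        print(f"proxy saw address type {atyp:#04x}: {target}:{port}")
```

The second call uses an IP literal on purpose so that it runs without a network; with a real host name in remote_dns=False mode, socket.gethostbyname is where the UDP query escapes before a single byte reaches Tor. Which of the two forms a socksified program produces depends on its SOCKS library, not on Tor; when you have a choice, pick the option that hands the name to the proxy (for curl, --socks5-hostname rather than --socks5).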

Another limitation of Tor comes from unproxied requests. For example, if your web browser spawns a RealPlayer or Totem player for streaming video, those players may not use the proxy server, and their traffic then leaves your system directly.



Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: 047010872X
Year: 2004
Pages: 124
Authors: Neal Krawetz
