Not all proxies are equally useful. In the wake of news about the blocking of the Telegram messenger, it has become relevant to set up your own SOCKS5 proxy, since using someone else's is not safe: you do not know who owns the servers, what software runs on them, or what vulnerabilities it has. In addition, public proxies are often very slow, since a large number of clients try to use them simultaneously, overloading the server's resources. Below the cut are instructions on how to quickly set up a private SOCKS5 proxy with authentication for 1 euro and 10 minutes of your time, with the option to further strengthen server protection with enhanced authentication.
I decided to check the offer of the Italian hosting provider Aruba, which offers a VPS for 1 euro per month with a public ("white") IP address included in this price. For 1 euro I got a production-ready server with 1 core, 1 GB of memory, 20 GB of storage and 2 TB of traffic per month. As the operating system I chose my favorite, Ubuntu Server 16.04, and as the proxy server, Dante.
The OS is installed from a template when the server is configured. 2-3 minutes after creation, the machine is ready for SSH access using the password you set or an uploaded SSH key (in the same web admin area).
I’ll say right away that proxy authentication by system user does not work in the package provided in the distribution, and we don’t need an open proxy. We will use the source distribution and build Dante ourselves, since the build on our OS completes without a single error. So let's get started:
We register on arubacloud, order a server for 1 euro, and install Ubuntu Server 16 from a template.
We connect to our server via SSH, then download and build Dante.
wget https://www.inet.no/dante/files/dante-1.4.1.tar.gz
tar -xvf dante-1.4.1.tar.gz
cd dante-1.4.1
apt-get install gcc make
mkdir /home/dante
./configure --prefix=/home/dante
make
make install
The installation can be verified by running
/home/dante/sbin/sockd -v
Download the settings file
wget -O /home/dante/danted.conf https://demo.a-rd.ru/danted.conf
If you use the platform described, the configuration needs no changes, i.e. it works as is with these defaults. Everything you need is already there.
logoutput: /var/log/socks.log
internal: eth0 port = 1080
To start it, run
/home/dante/sbin/sockd -f /home/dante/danted.conf -D
The binary is in
/home/dante/sbin/
To stop
pkill sockd
Let's create a system user that we will use for our proxy (without the ability to log in via SSH).
useradd --shell /usr/sbin/nologin username
Set a password for it
passwd username
Restart Dante with our config
pkill sockd
/home/dante/sbin/sockd -f /home/dante/danted.conf -D
If you restart the server, Dante will need to be started manually.
Now connect the proxy in the messenger's settings: Settings -> Data and Disk -> Use Proxy -> SOCKS5. Enter the server's IP, port 1080, and the login and password of the user you created. In all Telegram desktop applications the setting is available in the Advanced Settings -> Connection Type -> TCP with Proxy section.
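To confirm that the restarted proxy really refuses clients without credentials, the following added example (not part of the original article or of Dante) sends the SOCKS5 method negotiation from RFC 1928 and reports which authentication method the server selects. The function names, result labels and script name are assumptions of this example.

```python
import socket
import sys

VER = 0x05              # SOCKS protocol version
NO_AUTH = 0x00          # RFC 1928: "no authentication required"
USER_PASS = 0x02        # RFC 1928/1929: username/password
NO_ACCEPTABLE = 0xFF    # RFC 1928: server refuses every offered method


def select_method(host, port, offered, timeout=5.0):
    """Offer the `offered` auth methods; return the method byte the server
    selects, or None if it closes the connection or is not SOCKS5."""
    greeting = bytes([VER, len(offered), *offered])
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(greeting)
            while len(reply) < 2:
                chunk = sock.recv(2 - len(reply))
                if not chunk:      # peer closed before a full reply
                    break
                reply += chunk
    except OSError:                # refused, reset or timed out
        return None
    if len(reply) != 2 or reply[0] != VER:
        return None
    return reply[1]


def audit(host, port):
    """Classify the proxy as 'open', 'auth-required' or 'unknown'."""
    # Probe 1: a client that can only do "no authentication".
    if select_method(host, port, [NO_AUTH]) == NO_AUTH:
        return "open"
    # Probe 2: a client that offers username/password only.
    if select_method(host, port, [USER_PASS]) == USER_PASS:
        return "auth-required"
    return "unknown"


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 socks_audit.py <server-ip> 1080
    result = audit(sys.argv[1], int(sys.argv[2]))
    print(result)
    sys.exit(0 if result == "auth-required" else 1)
```

Run it from a machine other than the server so the check also covers the path through the provider's network; any result other than auth-required means the configuration should be reviewed before the proxy is used.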
As is proper in the world of information security, immediately after setup you should spend some more time protecting your server, namely access to the console via SSH. To do this, I recommend replacing the traditional “login-password” approach to access protection with specialized devices that provide secure access based on asymmetric cryptography; in our example, these are JaCarta PKI USB tokens. In this scenario, you log in to the server using a certificate whose private key is stored in the JaCarta PKI device itself and cannot be extracted. How to do this is described in this article.
If you do not want to use devices for strong authentication based on asymmetric cryptography, you can configure one-time password (OTP) logins with the JaCarta Authentication Server service. An article about this can be found here.