SS5 is a high performance SOCKS proxy server implementing the SOCKS4 and SOCKS5 protocols. This step-by-step guide describes installation and configuration of SS5 with user/password authentication on a CentOS 5.x/6.x server.
1. Download the latest source rpm from sourceforge.net
wget http://downloads.sourceforge.net/ss5/ss5-3.8.9-8.src.rpm
2. Build the source rpm
This requires the rpmbuild tool provided by rpm-build package. Also, ss5 requires openldap-devel, pam-devel and openssl-devel development packages. Install these packages using YUM package manager:
For 32 bit Linux,
yum install gcc rpm-build openldap-devel pam-devel openssl-devel
For 64 bit Linux,
yum install gcc.x86_64 rpm-build.x86_64 openldap-devel.x86_64 pam-devel.x86_64 openssl-devel.x86_64
Install libgssapi-devel,
yum install libgssapi-devel
Now build ss5 source rpm to create the binary rpm package:
rpmbuild --rebuild ss5-3.8.9-8.src.rpm
3. Install SS5 rpm package
On CentOS 5.x, the RPM package will be created in /usr/src/redhat/RPMS/. On CentOS 6.x, the RPM package will be created in the rpmbuild/RPMS/ subdirectory of the build directory. Install the RPM package with the following command:
On CentOS 5,
rpm -ivh /usr/src/redhat/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm
(for 64 bit Linux)
rpm -ivh /usr/src/redhat/RPMS/i386/ss5-3.8.9-8.i386.rpm
(for 32 bit Linux)
On CentOS 6 (you might need to use the “cd” command to change to the build directory, which is root's home directory by default),
rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm
(for 64 bit Linux)
rpm -ivh rpmbuild/RPMS/i386/ss5-3.8.9-8.i386.rpm
(for 32 bit Linux)
4. Run SS5 as root and change the port to 8899 (the default port is 1080)
Edit /etc/init.d/ss5 and put the following lines at the top, right after the shebang line (#!/bin/sh):
export SS5_SOCKS_PORT=8899
export SS5_SOCKS_USER=root
You can use any available port you want. Make sure that the port is open in the server firewall, if any.
5. User/password authentication
The SS5 configuration file is /etc/opt/ss5/ss5.conf. The ‘auth’ directive sets the authentication policy.
For no authentication,
auth 0.0.0.0/0 - -
For user/pass authentication,
auth 0.0.0.0/0 - u
The user/password pairs are stored in /etc/opt/ss5/ss5.passwd. Set up the ownership and permissions:
chown root:root /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5
Note that mode 755 leaves the password file readable by every local account on the server; it only needs to be readable by the account that runs ss5, so tighten it if the host has other users.
In /etc/opt/ss5/ss5.passwd, put the user and password separated by a space, one user/password pair per line.
E.g.
user1 pass1
user2 pass2
6. Set permissions (/etc/opt/ss5/ss5.conf)
Allow all hosts to connect:
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
7. Start/Stop/Restart ss5
service ss5 start
service ss5 stop
service ss5 restart
If you see an error message like the following,
Can't create pid file /var/run/ss5/ss5.pid
Can't unlink pid file /var/run/ss5/ss5.pid
create the directory /var/run/ss5 and start ss5 again.
The default location of the log file is /var/log/ss5/ss5.log.
8. If you have a block of, say, 10 IPs, you can configure multiple ss5 proxy instances, each using a different outgoing IP.
8.1 Create a user to run the instance:
useradd user1 -s /bin/false -p YourPasswordHere
(The shell /bin/false means this account never logs in; the -p option expects an already-encrypted password, and this system password is unrelated to the entry in ss5.passwd.)
8.2 Retrieve the user's UID (the third field of /etc/passwd):
awk -F: '/^user1:/{print $1,$3}' /etc/passwd
8.3 Configure the firewall to set the outgoing IP:
iptables -t mangle -A OUTPUT -m owner --uid-owner USER_UID -j MARK --set-mark USER_UID
iptables -t nat -A POSTROUTING -m mark --mark USER_UID -j SNAT --to-source 24.68.1.1
(replace USER_UID with the UID number printed in step 8.2)
To review the firewall rules:
iptables -nvL -t nat
iptables -nvL -t mangle
8.4 Start the instance as that user, bound to the specific IP and port:
ss5 -u user1 -b 24.68.1.1:10001
Note: make sure you open port 10001 on the firewall.
You will need to repeat this process for each IP.
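Steps 8.1 to 8.4 are one instance of a general procedure: for each (user, IP, port) mapping, look up the UID, mark that UID's packets, SNAT the marked packets to the chosen source address, and start ss5 as that user. The script below is an added example, not code from the original post or from the SS5 project. It is a POSIX shell planner that reads "user ip port" lines from a mapping file, looks up each UID in a passwd file, and prints the iptables and ss5 commands for every instance instead of executing them, so the whole plan can be reviewed before it is piped into sh. The helper names (uid_of, rules_for, plan), the mapping file and the passwd excerpt are constructed for the example. It refuses a UID 0 mapping on purpose: an unmarked packet already carries fwmark 0, so a rule keyed on mark 0 matches all outgoing traffic, which is the symptom reported in the comments below when every instance was started as root.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run planner for step 8.
# Prints the per-instance iptables rules and ss5 command for each mapping.
# Apply for real with:  plan mapping.txt /etc/passwd | sh

# uid_of NAME PASSWD_FILE -> prints the numeric UID (3rd field), or nothing.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3 }' "$2"
}

# rules_for USER IP PORT UID -> prints the three commands for one instance.
rules_for() {
    # Every packet carries fwmark 0 unless something marks it, so
    # "--set-mark 0" for a root-run instance would make the first SNAT rule
    # catch all traffic. Refuse UID 0 instead of planning it.
    if [ "$4" -eq 0 ]; then
        echo "refusing to bind instance '$1' to UID 0 (root)" >&2
        return 1
    fi
    echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $4 -j MARK --set-mark $4"
    echo "iptables -t nat -A POSTROUTING -m mark --mark $4 -j SNAT --to-source $2"
    echo "ss5 -u $1 -b $2:$3"
}

# plan MAPPING_FILE PASSWD_FILE -> commands for every "user ip port" line;
# stops with status 1 at the first unknown user or UID-0 mapping.
plan() {
    while read -r user ip port; do
        [ -n "$user" ] || continue
        uid=$(uid_of "$user" "$2")
        if [ -z "$uid" ]; then
            echo "no such user: $user" >&2
            return 1
        fi
        rules_for "$user" "$ip" "$port" "$uid" || return 1
    done < "$1"
}

# Constructed sample input (a passwd excerpt and a mapping; not a real host).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/false
user2:x:1002:1002::/home/user2:/bin/false
EOF
cat > "$SAMPLE_MAP" <<'EOF'
user1 24.68.1.1 10001
user2 24.68.1.2 10002
EOF

# Print the plan for the sample mapping (pipe it into sh to apply it).
plan "$SAMPLE_MAP" "$SAMPLE_PASSWD"
```

Running the block prints six lines: a MARK rule, a SNAT rule and an ss5 command for user1, then the same three for user2. Reviewing `iptables -nvL -t mangle` afterwards should show one MARK rule per instance with a non-zero UID and mark; a line reading "owner UID match 0" means an instance was planned for root and the SNAT rules will not select per-instance addresses.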
I have configured multiple IPs as described above and bound ss5 users to IPs,
but which account should the client use to log in to the multi-IP instances? However I log in, it says the username/password is wrong.
ss5 -u user1 -b 24.68.1.1:10001
This command starts an ss5 process; connecting with the user1 or user2 account through an ss5 client to IP 24.68.1.1 port 10001 should work. Make sure port 10001 is open on the firewall.
Hi,
I ran into the same problem.
The primary IP works fine, but after binding the second IP on port 8899, the connection gives the following error:
--------------
[23:41] Starting: Test 2: Connection through the Proxy Server
[23:42] Error : Authentication on the proxy server failed.
Please check your username and password.
[23:42] Test failed.
[23:42] Testing Finished.
--------------
I followed the same steps, the port is open on the firewall, and the username and password are correct. Connecting on port 1080 works, but the outgoing IP is the primary IP. What is going on?
I found that if I start with service ss5 start directly, both IPs connect fine, but the outgoing IP is the default primary IP for both. If I start ss5 as two different users and test again, both fail authentication. Is it a permissions problem? How should it be set up?
You only need one port; if you use 8899 you don't use 1080. That is the listening (inbound) port, not the outgoing port.
The outgoing IP is set in step 8.3; check carefully the USER_UID you bound.
No more questions about the port and outgoing IP, but one about the authentication failure:
Step 5 sets the permission: chown root:root /etc/opt/ss5/ss5.passwd
Does that mean only root can access it? So when ss5 is started as another user, does it lack permission to read the file during authentication, which is why authentication fails? Sorry for asking so many questions, I know too little. Thanks!
The password file just needs to be readable.
If there are multiple users, for example:
ss5 -u user1 -b 24.68.1.1:10001
then user1's access IP is 24.68.1.1 and its port is 10001,
ss5 -u user2 -b 24.68.1.2:10002
and user2's access IP is 24.68.1.2 and its port is 10002.
Can't they use the same port?
But if one uses 1080 and the other 8899, it still doesn't work. I really can't find the cause; it has been bothering me all day. Help! Can I add you on QQ? I've tried adding you several times; I'm not sure whether you're online.
Added.
Hi, I'm a beginner, and I set it up successfully by following your article, thank you very much. One question though: with this setup, is there a default limit on the number of concurrently connected users, or on the bandwidth each user gets? If I want to set limits, where should I change things? Hope you can reply when you have time. Thanks again.
To add: I set up one account, and at peak times twenty or thirty people use the ss5 service through it at the same time. If I don't want to limit anyone's bandwidth, do I not need to change anything?
There is no limit on the number of users and no bandwidth limit.
Is the user1 in "user1 pass1" in step 5 the same user as the user1 in step 8.1?
They can be different users.
Hi Jack.
configured all as mentioned but outgoing IP is still the same.
I’m running
ss5 -u root -b 1.2.3.4:8898 but I still have the outgoing IP 1.2.3.1.
Any ideas? I've Googled all over the web. No suggestions at all on configuring this.
Thank you.
Alexandr
run
and
to check if the firewall config is correct.
Hi, Jack!
Thank you very much for your reply!
-------------------
[root@server~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 485 packets, 29051 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6847 414K SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.164.3
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.165.2
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.166.2
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.167.4
Chain OUTPUT (policy ACCEPT 5039 packets, 305K bytes)
pkts bytes target prot opt in out source destination
-----------------------
[root@server ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 100K packets, 34M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 100K packets, 34M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 106K packets, 30M bytes)
pkts bytes target prot opt in out source destination
258K 18M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 MARK and 0x0
5213 1889K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 MARK and 0x0
Chain POSTROUTING (policy ACCEPT 106K packets, 30M bytes)
pkts bytes target prot opt in out source destination
-----------------
Then
[root@b2seo ~]# ss5 -u root -b XX.XXX.164.3:11643
[root@b2seo ~]# ss5 -u root -b XX.XXX.165.2:11652
[root@b2seo ~]# ss5 -u root -b XX.XXX.166.2:11662
[root@b2seo ~]# ss5 -u root -b XX.XXX.167.4:11674
And I get the outgoing IP from the 1st line of the rules (164.3).
Also, all my outgoing connections (for example curl bound to other IPs) go through 164.3.
I run all instances as root; also, I have not created a new user.
Checking user/pass from the file ss5.passwd.
Thanks again!
Sure, I'm using different IP:PORT pairs (XX.XXX.167.4:11674 for example).
I've figured it out.
For those who have the same problem:
you need to create a separate user for each instance and bind each IP:PORT to those users.