Install SS5 SOCKS5 Proxy server with multiple instances / outgoing IPs / ports

SS5 is a high-performance SOCKS proxy server implementing the SOCKS4 and SOCKS5 protocols. This step-by-step guide describes the installation and configuration of SS5 with user/password authentication on a CentOS 5.x/6.x server.

1. Download the latest source rpm from sourceforge.net
wget http://downloads.sourceforge.net/ss5/ss5-3.8.9-8.src.rpm

2. Build the source rpm
This requires the rpmbuild tool provided by rpm-build package. Also, ss5 requires openldap-devel, pam-devel and openssl-devel development packages. Install these packages using YUM package manager:

For 32 bit Linux,
yum install gcc rpm-build openldap-devel pam-devel openssl-devel
For 64 bit Linux,
yum install gcc.x86_64 rpm-build.x86_64 openldap-devel.x86_64 pam-devel.x86_64 openssl-devel.x86_64

Install libgssapi-devel,
yum install libgssapi-devel

Now build ss5 source rpm to create the binary rpm package:
rpmbuild --rebuild ss5-3.8.9-8.src.rpm

3. Install SS5 rpm package
On CentOS 5.x, the RPM package will be created in /usr/src/redhat/RPMS/. On CentOS 6.x, the RPM package will be created in the rpmbuild/RPMS/ subdirectory of the build directory. You can install the RPM package using the following command:
On CentOS 5,
rpm -ivh /usr/src/redhat/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh /usr/src/redhat/RPMS/i386/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)
On CentOS 6 (you might need to use the “cd” command first to change to the home directory of the user who ran rpmbuild, where rpmbuild/ is created),
rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh rpmbuild/RPMS/i386/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)

4. Run SS5 as root and change the port to 8899 (default port is 1080)
Edit /etc/init.d/ss5 and put the following lines at the top, after the shebang (#!/bin/sh):
export SS5_SOCKS_PORT=8899
export SS5_SOCKS_USER=root

You can use any available port you want. Make sure that the port is opened in the server firewall, if any.

5. User/password authentication
SS5 configuration file is /etc/opt/ss5/ss5.conf. The ‘auth’ directive sets the authentication policy.

For no authentication,
auth 0.0.0.0/0 - -
For user/pass authentication,
auth 0.0.0.0/0 - u

The user/password pairs are stored in /etc/opt/ss5/ss5.passwd. Set up permissions:
chown root:root /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5

In /etc/opt/ss5/ss5.passwd, put user and password separated by a space and one user/password per line.
E.g.
user1 pass1
user2 pass2

6. Set permission ( /etc/opt/ss5/ss5.conf )
Allow all hosts to connect:
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
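
The following check is an added example, not part of the original guide or of SS5: it reads an ss5.conf and reports the auth and permit settings from steps 5 and 6 that leave the proxy usable without credentials, and tests whether the clear-text password file is readable by other local users. The function names and the sample config are constructed, and the field positions are assumed from the lines shown in this guide.

```shell
#!/bin/sh
# Added example (not SS5 project code): flag open-proxy settings in ss5.conf.
# Field positions are assumed from the auth/permit lines shown in this guide:
#   auth   <source> <source-port> <method>   "-" = no auth, "u" = user/pass
#   permit <method> <source> <source-port> <dest> <dest-port> ...

# Print one finding per risky line of the config file given as $1.
audit_ss5_conf() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }    # skip comments and blank lines
        $1 == "auth" && $4 == "-" {
            printf "NOAUTH line %d: clients from %s need no credentials\n", NR, $2
        }
        $1 == "permit" && $2 == "-" {
            printf "NOAUTH-PERMIT line %d: %s is permitted unauthenticated\n", NR, $3
        }
        $1 == "permit" && $3 == "0.0.0.0/0" && $5 == "0.0.0.0/0" {
            printf "ANY-ANY line %d: any source may reach any destination\n", NR
        }
    ' "$1"
}

# Return 0 if the file $1 is readable by users other than owner and group.
# ss5.passwd holds clear-text passwords, so this matters on multi-user hosts.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample: the no-authentication variant plus the allow-all permit.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample config' \
        'auth 0.0.0.0/0 - -' \
        'permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -' > "$tmp/ss5.conf"
    printf 'user1 pass1\n' > "$tmp/ss5.passwd"
    chmod 755 "$tmp/ss5.passwd"
    audit_ss5_conf "$tmp/ss5.conf"
    world_readable "$tmp/ss5.passwd" && echo "WORLD-READABLE $tmp/ss5.passwd"
    rm -rf "$tmp"
}
demo
```

Point audit_ss5_conf at /etc/opt/ss5/ss5.conf after each edit; a NOAUTH finding on a server that also reports ANY-ANY means anyone who can reach the port can relay traffic through it.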

7. Start/Stop/Restart ss5
service ss5 start
service ss5 stop
service ss5 restart

If you see an error message like the following,
Can't create pid file /var/run/ss5/ss5.pid
Can't unlink pid file /var/run/ss5/ss5.pid
create the directory /var/run/ss5 and start ss5 again.

The default location of the log file is /var/log/ss5/ss5.log

8. If you have a block of, say, 10 IPs, you can configure multiple ss5 proxy instances, each using a different outgoing IP.
8.1 Create a user to run the instance:
useradd user1 -s /bin/false -p YourPasswordHere

8.2 Retrieve the user's UID (the third field of /etc/passwd):
awk -F: '/^user1:/{print $1,$3}' /etc/passwd

8.3 Configure the firewall to set the outgoing IP:
iptables -t mangle -A OUTPUT -m owner --uid-owner USER_UID -j MARK --set-mark USER_UID
iptables -t nat -A POSTROUTING -m mark --mark USER_UID -j SNAT --to-source 24.68.1.1

(replace USER_UID with the number output in step 8.2)

To review the firewall rules:
iptables -nvL -t nat
iptables -nvL -t mangle

8.4 Start the instance with the specific user, IP and port:
ss5 -u user1 -b 24.68.1.1:10001
Note: make sure port 10001 is open on the firewall.

You will need to repeat this process for each IP.