help: squid+dansguardian setup compromised.

hey, I have a basic traditional NAT setup of squid+dansguardian on Linux Ubuntu 8.10. Squid as the proxy and dansguardian as the content manager. My network has suddenly started crawling and /var/log/dansguardian/access.log shows foreign IPs riding on my bandwidth and visiting graphic porn sites with impunity. Could someone give pointers on where I need to tighten the configs to keep the external bad boys and girls (IPs) from riding my proxy server? walu.

Walu,

The first thing you need to look at is the ACL on squid. It should ideally have been the next step after installation.

<sample>
acl localnet src x.x.x.x/x #x.x.x.x is your network
http_access allow localnet
http_access deny all
</sample>

This is a very flexible list. Work on customizing it for your need.

-----Original Message-----
From: Walubengo J <jwalu@yahoo.com>
Reply-to: Skunkworks forum <skunkworks@lists.my.co.ke>
To: skunk <skunkworks@my.co.ke>
Subject: [Skunkworks] help: squid+dansguardian setup compromised.
Date: Thu, 20 Aug 2009 23:32:13 -0700 (PDT)

hey,
I have a basic traditional NAT setup of squid+dansguardian on Linux Ubuntu 8.10. Squid as the proxy and dansguardian as the content manager. My network has suddenly started crawling and /var/log/dansguardian/access.log shows foreign IPs riding on my bandwidth and visiting graphic porn sites with impunity.
Could someone give pointers on where I need to tighten the configs to keep the external bad boys and girls (IPs) from riding my proxy server?
walu.

_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
Other services @ http://my.co.ke
Other lists
-------------
Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
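Added example (my code, not Alex's sample or anything from the squid project): a small evaluator for the subset of squid's ACL language used above, run over a few constructed dansguardian-style access.log lines, so you can see which of the logged client addresses a given http_access ruleset would let through. It shows the two things that bite people with these lists: squid takes the first matching http_access line, and when nothing matches it applies the opposite of the last line, so "deny all" has to be last. The networks, the log lines and the predefined "all" ACL are assumptions. One caveat that matters for this thread: squid only sees the address that connects to its own port, so when dansguardian fronts squid on the same host, squid sees 127.0.0.1 and this ACL cannot block anyone who reaches dansguardian; the ACL protects squid's listener, nothing in front of it.

```python
"""Evaluate squid http_access rules against the client addresses in a log.

Added example, not from the thread. Implements squid's first-match
semantics for the part of the ACL language in Alex's sample (`acl NAME src
CIDR ...` and `http_access allow|deny NAME`) and runs constructed
dansguardian access.log lines through a weak ruleset and a corrected one.
The networks, the log lines and the predefined `all` ACL are assumptions.
"""
import ipaddress

# Constructed: a ruleset that lets anyone in. 'allow all' matches every
# client, so the 'deny localnet' line after it never runs.
WEAK_CONF = """\
acl localnet src 192.168.1.0/24   # the office LAN
http_access allow all
http_access deny localnet
"""

# Constructed: Alex's pattern with real networks filled in.
GOOD_CONF = """\
acl localnet src 192.168.1.0/24 10.0.0.0/8   # office LAN and VPN range
http_access allow localnet
http_access deny all
"""

# Constructed log lines in dansguardian's default (logfileformat = 1)
# layout: date time user client-ip url ...; addresses are documentation ranges.
SAMPLE_LOG = """\
2009.8.21 9:12:01 - 192.168.1.20 http://www.example.com/ GET 1234
2009.8.21 9:12:07 - 203.0.113.45 http://www.example.net/ GET 48211
2009.8.21 9:12:09 - 198.51.100.7 http://www.example.org/ GET 9020
2009.8.21 9:12:12 - 10.2.3.4 http://www.example.com/ GET 512
"""


def parse_squid_acl(conf):
    """Return (acls, rules). acls maps a name to the networks it covers
    ('all' is predefined); rules is the ordered list of (action, acl name)."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # squid drops '#' to end of line
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "http_access" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return acls, rules


def decide(acls, rules, client):
    """Squid semantics: the first matching http_access line wins; if none
    matches, the result is the opposite of the last line's action; with no
    http_access lines at all squid denies."""
    ip = ipaddress.ip_address(client)
    for action, name in rules:
        if any(ip in net for net in acls.get(name, [])):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def audit_log(conf, log_text):
    """Map each client IP seen in the log to the verdict the ruleset gives."""
    acls, rules = parse_squid_acl(conf)
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5:                 # fields[3] is the client address
            verdicts[fields[3]] = decide(acls, rules, fields[3])
    return verdicts


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("corrected", GOOD_CONF)):
        print(label, audit_log(conf, SAMPLE_LOG))
```

Point it at the real files by reading squid.conf and access.log instead of the constructed strings; anything that comes back "allow" from an address outside your ranges is a rule-ordering problem, not a firewall one.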

On Fri, Aug 21, 2009 at 9:56 AM, Alex Nderitu<nderitualex@gmail.com> wrote:
Walu,
The first thing you need to look at is the ACL on squid. It should ideally have been the next step after installation.
Hey Walu,

After checking your ACL as per Alex's advice, check your firewall config. Your NAT setup should allow connections out and drop all incoming SYNs unless explicitly allowed. Please run iptables -nxvL and paste the output here.

BR,
S
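Added example (my code, not Steve's): a parser for the listing he asks for that checks the two points his advice turns on, whether the INPUT chain ends in a drop (policy DROP, or a closing DROP/REJECT rule) and whether any ACCEPT rule admits the proxy ports, or every port, from an interface other than loopback or the LAN side. The interface roles (eth0 facing the Internet, eth1 the LAN), the ports and both sample listings are constructed assumptions; the column layout is the standard `iptables -nvL` one, which is the same with or without `-x`.

```python
"""Audit `iptables -nvL` output for an exposed proxy host.

Added example, not from the thread. Parses the INPUT chain out of the
listing and flags (a) an ACCEPT policy with no closing DROP/REJECT rule and
(b) ACCEPT rules that admit the proxy ports, or everything, from an
interface other than loopback or the LAN. Interface roles (eth0 = WAN,
eth1 = LAN), the ports and both listings are constructed assumptions.
"""
import re

PROXY_PORTS = {3128, 8080}        # squid default, dansguardian default
TRUSTED_IFACES = {"lo", "eth1"}   # assumption: eth1 faces the LAN

HEADER_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
DPT_RE = re.compile(r"dpts?:(\d+)(?::(\d+))?")

# Constructed listing from a box that is being used as an open proxy.
WEAK_CHAIN = """\
Chain INPUT (policy ACCEPT 1522 packets, 201394 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812  512K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4410  330K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
  120  7200 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 9001 packets, 5104K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed listing after fixing it: default DROP, replies allowed,
# the filter reachable only from the LAN interface and LAN range.
FIXED_CHAIN = """\
Chain INPUT (policy DROP 31 packets, 1860 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812  512K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9931  1.2M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4410  330K ACCEPT     tcp  --  eth1   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:8080
  120  7200 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of a full `iptables -nvL` listing.
    Each rule keeps the columns the audit needs plus the trailing match text."""
    policy, rules, current = None, [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            if current == chain:
                policy = m.group(2)
            continue
        f = line.split()
        if current != chain or len(f) < 9 or f[0] == "pkts":
            continue                         # other chain, blank, or column header
        extra = " ".join(f[9:])
        m = DPT_RE.search(extra)
        ports = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
        rules.append({"target": f[2], "proto": f[3], "in": f[5],
                      "src": f[7], "dports": ports, "extra": extra})
    return policy, rules


def findings(text):
    """List the weaknesses in the INPUT chain (empty list = nothing found)."""
    policy, rules = parse_chain(text)
    out = []
    last = rules[-1]["target"] if rules else None
    if policy == "ACCEPT" and last not in ("DROP", "REJECT"):
        out.append("INPUT policy is ACCEPT with no final DROP/REJECT: "
                   "unsolicited SYNs reach every listening port")
    for r in rules:
        if r["target"] != "ACCEPT" or r["in"] in TRUSTED_IFACES:
            continue
        if "ESTABLISHED" in r["extra"]:
            continue                         # reply traffic, not new SYNs
        if r["dports"] is None:
            out.append(f"ACCEPT of all ports on interface {r['in']} from {r['src']}")
            continue
        lo, hi = r["dports"]
        hit = sorted(p for p in PROXY_PORTS if lo <= p <= hi)
        if hit:
            out.append(f"proxy port(s) {hit} accepted on interface {r['in']} from {r['src']}")
    return out


if __name__ == "__main__":
    for name, chain in (("weak", WEAK_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, findings(chain) or ["no findings"])
```

Feed it the saved output of `iptables -nxvL` and adjust TRUSTED_IFACES to your LAN interface; a transparent setup also needs the nat table's PREROUTING REDIRECT rule restricted to the LAN interface, which this INPUT-only check does not cover.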

I will check. But my understanding was that there is a link between squid and dansguardian, and indeed only localhost 127.0.0.1 is configured to run squid, the other IPs being denied since they get access via dansguardian. So I am a bit surprised to see foreign IPs.

walu.

--- On Fri, 8/21/09, Alex Nderitu <nderitualex@gmail.com> wrote:
From: Alex Nderitu <nderitualex@gmail.com> Subject: Re: [Skunkworks] help: squid+dansguardian setup compromised. To: "Skunkworks forum" <skunkworks@lists.my.co.ke> Date: Friday, August 21, 2009, 10:56 AM
Walu,
The first thing you need to look at is the ACL on squid. It should ideally have been the next step after installation.
<sample>
acl localnet src x.x.x.x/x #x.x.x.x is your network
http_access allow localnet
http_access deny all
</sample>
This is a very flexible list. Work on customizing it for your need.

On Fri, Aug 21, 2009 at 10:24 AM, Walubengo J <jwalu@yahoo.com> wrote:
I will check. But my understanding was that there is a link between squid and dansguardian, and indeed only localhost 127.0.0.1 is configured to run squid, the other IPs being denied since they get access via dansguardian. So I am a bit surprised to see foreign IPs.
In that case, can we take a look at your squid.conf, dansguardian.conf and perhaps the firewall/NAT rules?

egrep -v '^[[:space:]]*(#|$)' /path/to/squid.conf

If you have something like:

http_port 3128 transparent

That means squid is bound (forget the English here) to all IPs on that host, so port 3128 must be closed from outsiders.

If you have "filterip = " in dansguardian.conf, it also means that DG is bound to all IPs, and I can simply configure my browser (or even my proxy) to connect to your host on whatever port is open and use your bandwidth.

So I suggest that at the very first level, ensure that you have:

http_port a.b.c.d:3128 transparent

And in DG, have:

filterip = a.b.c.d

(where a.b.c.d is the private IP of the host running DG)

Then check your firewall rules to see if any rule might be causing the circumvention.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube

On Fri, Aug 21, 2009 at 9:32 AM, Walubengo J <jwalu@yahoo.com> wrote:
hey,
I have a basic traditional NAT setup of squid+dansguardian on Linux Ubuntu 8.10. Squid as the proxy and dansguardian as the content manager. My network has suddenly started crawling and /var/log/dansguardian/access.log shows foreign IPs riding on my bandwidth and visiting graphic porn sites with impunity.
Could someone give pointers on where I need to tighten the configs to keep off the external bad boys and girls (IPs) from the riding my proxy server?
Hi Walu,

Ensure the following:

1. Your squid port (3128 or whatever you changed it to) is not open from outside. Block it from the firewall. You could as well let squid listen only on the private IP.

2. Ensure that the DG port is also blocked from outsiders. Don't leave the "filterip =" in dansguardian.conf blank (which is the default). Bind it to the private IP of the host machine.

If those two and what Alex Nderitu has detailed are observed and you still see foreigners using your bandwidth, then check if some other application/port is being abused on that host.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
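Added example (my code, not Odhiambo's or anything shipped with squid or dansguardian), covering both of his replies above: a checker that reads squid.conf and dansguardian.conf text, flags an http_port with no bind address and a blank filterip (each of which listens on every interface), and then verifies the chain still works after the change. That last check is the caveat his advice needs: dansguardian forwards to proxyip:proxyport, which defaults to 127.0.0.1:3128, so if squid is moved from "http_port 3128" to "http_port a.b.c.d:3128" without also changing proxyip, the filter can no longer reach the proxy. Since in Walu's setup dansguardian is the only client squid has, the simplest sound layout is squid on 127.0.0.1:3128 and only the filter bound to the LAN address. The configuration texts and the LAN address 192.168.1.1 are constructed assumptions.

```python
"""Audit the listener settings in squid.conf and dansguardian.conf.

Added example, not from the thread. Flags a squid http_port with no bind
address and a blank dansguardian filterip (both listen on every
interface), then checks that dansguardian's proxyip:proxyport still points
at an address squid listens on. Config texts and 192.168.1.1 are
constructed assumptions.
"""

# Bind addresses that mean "every interface"; None = http_port without address.
ANY_ADDR = {None, "", "0.0.0.0", "::", "[::]"}

# dansguardian.conf defaults for the keys we care about (assumption, taken
# from the stock file: blank filterip, filterport 8080, upstream 127.0.0.1:3128).
DG_DEFAULTS = {"filterip": "", "filterport": "8080",
               "proxyip": "127.0.0.1", "proxyport": "3128"}

# Constructed: stock settings, both daemons reachable from any interface.
WEAK_SQUID = """\
http_port 3128 transparent
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
"""
WEAK_DG = """\
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""

# Constructed: squid moved to the LAN address but dansguardian still points
# at loopback, so the filter can no longer reach the proxy.
BROKEN_SQUID = "http_port 192.168.1.1:3128 transparent\n"
FIXED_DG = """\
filterip = 192.168.1.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""

# Constructed: dansguardian is squid's only client, so squid stays on
# loopback and only the filter is exposed, on the LAN address.
FIXED_SQUID = "http_port 127.0.0.1:3128\n"


def squid_listeners(conf):
    """Return [(address or None, port, options)] for each http_port line."""
    out = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "http_port":
            continue
        spec = parts[1]
        if ":" in spec:
            addr, port = spec.rsplit(":", 1)
        else:
            addr, port = None, spec
        out.append((addr, int(port), parts[2:]))
    return out


def dg_settings(conf):
    """Return the listener/upstream keys from 'key = value' lines, falling
    back to the defaults for anything the file does not set."""
    settings = dict(DG_DEFAULTS)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() in settings:
            settings[key.strip()] = val.strip().strip("'\"")
    return settings


def audit(squid_conf, dg_conf):
    """Return the list of problems; an empty list means the chain is sane."""
    problems = []
    listeners = squid_listeners(squid_conf)
    for addr, port, _ in listeners:
        if addr in ANY_ADDR:
            problems.append(f"squid http_port {port} is bound to every interface")
    dg = dg_settings(dg_conf)
    if dg["filterip"] in ANY_ADDR:
        problems.append(f"dansguardian filterport {dg['filterport']} "
                        "is bound to every interface")
    up_addr, up_port = dg["proxyip"], int(dg["proxyport"])
    if not any(port == up_port and (addr in ANY_ADDR or addr == up_addr)
               for addr, port, _ in listeners):
        problems.append(f"dansguardian forwards to {up_addr}:{up_port} "
                        "but no squid http_port listens there")
    return problems


if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_SQUID, WEAK_DG)),
                       ("half-fixed", (BROKEN_SQUID, FIXED_DG)),
                       ("fixed", (FIXED_SQUID, FIXED_DG))):
        print(name, audit(*pair) or ["no problems"])
```

Run it against the real files with open().read(); binding is the first layer, and the firewall rules from Steve's message are the second, because a daemon bound to the LAN address is still reachable from the Internet if the box forwards or accepts traffic to that address.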

Try this:

Drop the IPs from iptables -- that should work. On squid, only allow your networks under acl. That should work, I think.

On Fri, Aug 21, 2009 at 9:32 AM, Walubengo J <jwalu@yahoo.com> wrote:
hey,
I have a basic traditional NAT setup of squid+dansguardian on Linux Ubuntu 8.10. Squid as the proxy and dansguardian as the content manager. My network has suddenly started crawling and /var/log/dansguardian/access.log shows foreign IPs riding on my bandwidth and visiting graphic porn sites with impunity.
Could someone give pointers on where I need to tighten the configs to keep off the external bad boys and girls (IPs) from the riding my proxy server?
walu.
--
Regards,
Pride N.
participants (5)
- Alex Nderitu
- Odhiambo ワシントン
- Pride Njukia
- Steve Muchai
- Walubengo J