
Re: Squid Proxy Hijacked By Hackers in China


 



badaboom003-asdf@xxxxxxxxx wrote:
> Hi,
>
> My server was brought down by a group in China who were able to use my squid proxy to send and receive requests from their IPs. There were over 370 IPs hitting my server. I'm wondering where I went wrong and what I need to fix to prevent this in the future? Below are a snippet from my cache.log and my squid.conf file with IP obfuscated. One thing I noticed was that they connected through port 443, which I have in my Safe_Ports list. Should I remove all of those ports from my safe list?

Hi; as I see it the requests come in via the standard proxy port.
With the line

http_access allow port80

you are allowing anybody access to port 80 ANYWHERE. Remember that the _access entries are checked in the order of appearance and that CHECKS STOP AT THE FIRST MATCH. Therefore this rule is a bad idea anyway; you should explicitly tell which networks are allowed access, assuming that we are talking about a border gateway proxy situation as one can assume from the config. Anyway the proxy configuration normally should not be the only protection line; you should also protect against unwanted port access by firewalling. In this case I assume the squid port was not protected from outside access.

Hope this helps,
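
The rule ordering discussed in the reply above, shown as a squid.conf fragment with the weak form beside a corrected one. This is an added example, not part of the original message or the poster's configuration; the definition of the port80 ACL, the localnet ACL, the 192.0.2.0/24 range and the listening address are assumptions used for illustration.

```conf
# --- Weak form (commented out) ---------------------------------------
# "port80" is assumed to be defined on the destination port:
#   acl port80 port 80
# A "port" ACL says nothing about who the client is, so this line
# matches every request for port 80 on any host, from any source:
#   http_access allow port80
# Checks stop at the first match, so rules placed after it are never
# consulted for those requests:
#   http_access allow localnet
#   http_access deny all

# --- Corrected form --------------------------------------------------
# Placeholder client network (assumption): replace with your own range.
acl localnet src 192.0.2.0/24
acl port80 port 80

# ACLs listed on one http_access line are ANDed:
# the client must be in localnet AND the destination port must be 80.
http_access allow localnet port80

# Final catch-all: anything not explicitly allowed above is refused,
# including outside clients asking for port 80.
http_access deny all

# Optional, assumed internal address: listen only on the inside
# interface. The proxy port should still be blocked from outside
# by the firewall, as the reply recommends.
http_port 192.0.2.1:3128
```

After editing, `squid -k parse` checks the file for syntax errors before the change is loaded with `squid -k reconfigure`.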

