badaboom003-asdf@xxxxxxxxx wrote:
Hi,
My server was brought down by a group in China who were able to use my squid proxy to send and receive requests from their IPs. There were over 370 IPs hitting my server. I'm wondering where I went wrong and what I need to fix to prevent this in the future? Below are a snippet from my cache.log and my squid.conf file, with IPs obfuscated. One thing I noticed was that they connected through port 443, which I have in my Safe_Ports list. Should I remove all of those ports from my safe list?
Hi; as I see it the requests come in via the standard proxy port.
With the line
http_access allow port80
you are allowing anybody access to port 80 ANYWHERE. Remember that the
_access entries are checked in the order of appearance and that CHECKS
STOP AT THE FIRST MATCH. Therefore this rule is a bad idea anyway; you
should explicitly tell it which networks are allowed access, assuming
that we are talking about a border gateway proxy situation, as one can
assume from the config. Anyway, the proxy configuration normally should
not be the only line of protection; you should also protect unwanted port
access by firewalling. In this case I assume the squid port was not
protected from outside access.
Hope this helps,
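To make the first-match point from the reply concrete, here is a small added example (not code from the thread or from the Squid project) that parses two constructed squid.conf fragments and evaluates http_access rules the way Squid does: each line is taken in order, all ACLs on a line must match (a leading "!" negates one), and the first matching line decides. The first fragment puts "http_access allow port80" ahead of any source restriction, as in the poster's config; the second restricts by source network first. The network 192.168.1.0/24, the client addresses and the rule set are assumptions chosen for illustration, and only "src" and "port" ACL types are modelled.

```python
import ipaddress

# Constructed fragment mirroring the problem in the thread: the port80 rule
# comes before any source restriction, so any client on the Internet
# matches it and is allowed through to port 80 anywhere.
WEAK_CONF = """
acl localnet src 192.168.1.0/24        # assumed LAN, not the poster's real one
acl port80 port 80
acl Safe_ports port 80 443
http_access allow port80
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

# Corrected ordering: port sanity check, then allow only the local network,
# then deny everything else. The port80 rule is simply dropped.
FIXED_CONF = """
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""


def parse(conf):
    """Return ({acl name: (type, [values])}, [(action, [terms])])."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # built-in "all" ACL (Squid 3.2+)
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments and blanks
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            if name in acls:                  # repeated acl lines merge values
                acls[name][1].extend(values)
            else:
                acls[name] = (kind, list(values))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, dst_port):
    """Evaluate one ACL against a request (only src and port types modelled)."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return any(int(v) == dst_port for v in values)
    raise ValueError("unsupported acl type: " + kind)


def decide(conf, client_ip, dst_port):
    """First http_access line whose ACLs all match decides; checking stops there."""
    acls, rules = parse(conf)
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            hit = acl_matches(acls, term.lstrip("!"), client_ip, dst_port)
            if hit == negate:          # a negated term matches only when the ACL does not
                matched = False
                break
        if matched:
            return action
    # Squid's documented default when nothing matches: opposite of the last line.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an outside client.
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for ip, port in (("203.0.113.7", 80), ("203.0.113.7", 443),
                         ("192.168.1.10", 80), ("192.168.1.10", 8080)):
            print(f"{label:5} {ip:13} -> port {port:4}: {decide(conf, ip, port)}")
```

With the weak ordering the outside client reaches port 80 on any destination, exactly because the allow line is hit before "deny all" is ever consulted. Reordering fixes the ACL side; as the reply notes, the listening port (3128 by default) should additionally be reachable only from the local network at the host or border firewall, which this example does not model.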