Re: SECURITY ALERT: Host header forgery detected on local

On 21/12/2013 9:51 a.m., Dr.x wrote:
> 
> hi,
> 
> I have these logs and am wondering if they are harmful:
> I'm using squid 3.3.9
> Squid Cache: Version 3.3.9
> ==========================================================================
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: Host header forgery detected
> on local=10.10.0.50:80 remote=x.x.x.x FD 573 flags=17 (local IP does not
> match any domain IP)
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: By user agent: 
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: on URL:
> client9.dropbox.com:443
> 2013/12/20 15:41:00.747 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 573 flags=17
>  kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80
> remote=x.x.x.x FD 163 flags=17 (local IP does not match any domain IP)
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: By user agent: 
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: on URL: d.dropbox.com:443
> 2013/12/20 15:41:29.611 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 163 flags=17
> ===========================================================================
> 
> I wish to clarify if it is a harmful log

Well, that varies.

This is demonstrating a client browser being told it is connecting to
:443 (HTTPS secure connection) which is actually being sent over port 80
to 10.10.0.50.

For the URL to appear like that without http:// or https:// and path
pieces it is most likely a CONNECT request being sent over port 80 to an
explicit proxy. Your MITM has just screwed that up by either terminating
the bad behaviour, or making it a CONNECT request directly to
10.10.0.50:80 which will fail at the SSL handshake which follows.

Amos
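As an added example (not part of the thread), the Python below groups Squid's three-line "SECURITY ALERT" records into one entry each and flags the pattern Amos describes, a URL port (:443) that differs from the intercepted local port (80); it assumes only the log layout quoted above, and the sample lines are constructed from the post with the remote address left anonymised.

```python
import re
from collections import Counter

# Constructed sample from the lines quoted in the thread (remote anonymised as
# in the post; the first detect line has its timestamp cut off, as quoted).
SAMPLE_LOG = """\
 kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80 remote=x.x.x.x FD 573 flags=17 (local IP does not match any domain IP)
2013/12/20 15:41:00.747 kid1| SECURITY ALERT: By user agent: 
2013/12/20 15:41:00.747 kid1| SECURITY ALERT: on URL: client9.dropbox.com:443
2013/12/20 15:41:00.747 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x FD 573 flags=17
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80 remote=x.x.x.x FD 163 flags=17 (local IP does not match any domain IP)
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: By user agent: 
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: on URL: d.dropbox.com:443
"""

# Timestamp is optional so the truncated line still parses.
DETECT_RE = re.compile(
    r"^\s*(?:(?P<ts>\S+ \S+) )?kid\d+\| SECURITY ALERT: Host header forgery "
    r"detected on local=(?P<local>[^:\s]+):(?P<lport>\d+) remote=(?P<remote>\S+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)")
UA_RE = re.compile(r"SECURITY ALERT: By user agent: ?(?P<ua>.*)$")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)\s*$")

def parse_alerts(text):
    """Group Squid's multi-line forgery alerts into one dict per alert."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:  # start of a new alert; "abandoning" and other lines are skipped
            cur = m.groupdict()
            cur["lport"] = int(cur["lport"])
            cur.update(ua="", host="", uport=None)
            alerts.append(cur)
        elif cur and (m := UA_RE.search(line)):
            cur["ua"] = m.group("ua").strip()
        elif cur and (m := URL_RE.search(line)):
            # CONNECT targets are bare host:port; keep the whole URL otherwise.
            host, _, port = m.group("url").rpartition(":")
            cur["host"] = host if port.isdigit() else m.group("url")
            cur["uport"] = int(port) if port.isdigit() else None
    return alerts

def triage(alerts):
    """Count alerts per (host, reason) and list those whose URL port differs
    from the intercepted local port: the :443-over-port-80 case Amos reads as
    a CONNECT meant for an explicit proxy being caught by interception."""
    per_host = Counter((a["host"], a["reason"]) for a in alerts)
    mismatched = [a for a in alerts
                  if a["uport"] is not None and a["uport"] != a["lport"]]
    return per_host, mismatched
```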