On 14/12/2016 11:44 a.m., Steve Becker wrote:
> Hi all,
>
> My background's in networking, I'm very new to unix/linux and server
> administration, I don't know a whole lot about security beyond ACLs and
> setting up crypto for VPNs. I'm setting up a box at home with CentOS and
> squid, among other features (I want this box to be a syslog server, etc).
> At the moment I have no plan to run a web server, but I'm still concerned.
> I know web servers are vulnerable to certain kinds of attacks, some of which
> could escalate user privileges or dump data people shouldn't have access to.
> With squid as a proxy server, am I vulnerable to some of these kinds of
> attacks?

Generally no. Those types of attack require operations that Squid does not do (executing something attacker-controlled). Though sometimes the helpers and plugins people use might have such problems. Especially badly written custom ones.

Squid (and other HTTP proxies) vulnerabilities tend to be along the lines of: data leaks, DoS, cache poisoning, or message smuggling. The result of those types is typically privacy abuses, or network hijacking by allowing attack malware to reach target servers or other clients.

> I'll be limiting squid to only accept traffic from my LAN but you
> still never know. A guest might use my network with an infected device,
> etc.
>
> I've looked at the security FAQ on the squid wiki, and I tried to search the
> mailing list archive using the link at
> http://www.squid-cache.org/Support/mailing-lists.html, however I get a 404
> error. I downloaded the last 6 months worth of archives and searched for
> the word security, and I see references to SSL, TLS, bumping, etc. I'm sure
> these conversations follow the requirements of people using squid at work
> but aside from one thread I don't see anything addressing my concerns, hence
> my post.

It may not be easy to see at times, but most of the traffic on this list includes a security aspect. The posters either have a specific transaction problem, or some f'up in their config settings letting traffic do unwanted things. To resolve that type of thing we not only have to provide a solution but try to ensure the admin in question (and future readers) understands why it solves the problem, and whether there are any risks associated (i.e. security considerations).

(Thanks for the mention of that 404. Looking into it now.)

> I suspect there's no more additional securing of squid I need to do - if
> there were I would've expected something to mention it in the FAQ - but I'd
> rather ask just in case. Any thoughts/suggestions?

Yes. The default installation of Squid is very secure so far as CVE type vulnerability issues go. We do aim to be completely secure (if only it were possible!). But that naturally varies by version and what is known about.

As for an attacker in your LAN; they can use the proxy default config to do some limited HTTP things, but they would be able to do even more nasties if they didn't go through Squid's protocol sanitizing/validation logics. The risk is relative to your overall network security design, and that should of course be considered before starting a proxy in any network more secure than what the default squid.conf allows.

The wiki in general has a lot of info, most of it is under specific config examples or feature documentations rather than the FAQ. The squid.conf documentation also has 'WARNING' and mentions of issues related to using the relevant directives.

If you want advice about specific features that is not mentioned in the relevant squid.conf directive docs or the wiki, feel free to ask. But security is a rather big topic so pardon if I don't try to brain-dump everything right here :-)

Amos
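The "config settings letting traffic do unwanted things" that Amos mentions is most often an http_access ordering mistake, since Squid stops at the first matching http_access line. The fragment below is an added illustration, not configuration from the thread or from the Squid project's shipped squid.conf; the LAN subnet 192.168.1.0/24 is a constructed placeholder to replace with your own.

```conf
# --- Weak ordering (do NOT use): the broad allow comes first, so the
# deny lines below it are never reached and any client that can reach
# the proxy, including a guest device on the LAN, may CONNECT anywhere.
# http_access allow all
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports
# http_access deny all

# --- Corrected ordering: restrictive rules first, LAN allow next,
# explicit deny of everything else last.
acl localnet src 192.168.1.0/24        # constructed placeholder subnet
acl SSL_ports port 443
acl Safe_ports port 80                 # http
acl Safe_ports port 443                # https
acl Safe_ports port 21                 # ftp
acl Safe_ports port 1025-65535         # unregistered ports
acl CONNECT method CONNECT

# Refuse requests to ports not on the Safe_ports list.
http_access deny !Safe_ports
# Only permit CONNECT tunnels to the TLS port.
http_access deny CONNECT !SSL_ports
# Cache manager interface only from the proxy host itself.
http_access allow localhost manager
http_access deny manager
# Clients on the home LAN and the proxy host itself may use the proxy.
http_access allow localnet
http_access allow localhost
# Everything else is denied; keep this as the final http_access line.
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it without a restart.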