Re: [squid-users] Squid Proxy Hijacked By Hackers in China

From: Jakob Curdes <jc_at_info-systems.de>
Date: Tue, 27 May 2008 14:07:22 +0200

badaboom003-asdf_at_yahoo.com wrote:
> Hi,
>
> My server was brought down by a group in China who were able to use my squid proxy to send and receive requests from their IPs. There were over 370 IPs hitting my server. I'm wondering where I went wrong and what I need to fix to prevent this in the future? Below are a snippet from my cache.log and my squid.conf file with IP obfuscated. One thing I noticed was that they connected through port 443, which I have in my Safe_Ports list. Should I remove all of those ports from my safe list?
>
>
Hi; as I see it the requests come in via the standard proxy port.
With the line

http_access allow port80

you are allowing anybody access to port 80 ANYWHERE. Remember that the
_access entries are checked in the order of appearance and that CHECKS
STOP AT THE FIRST MATCH. Therefore this rule is a bad idea anyway; you
should explicitly tell which networks are allowed access, assuming
that we are talking about a border gateway proxy situation as one can
assume from the config. Anyway the proxy configuration normally should
not be the only protection line; you should also protect unwanted port
access by firewalling. In this case I assume the squid port was not
protected from outside access.

Hope this helps,
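To make the first-match point concrete, here is an added squid.conf fragment (not from the original thread or the poster's config) showing the problematic rule next to a version that restricts access by source network; the 192.168.1.0/24 LAN range, the 192.168.1.1 interface address and the port number 3128 are assumed placeholders.

```squid
# --- Problematic ordering (matches what the reply describes) ---
# "port80" only looks at the DESTINATION port; the rule has no source
# restriction, so ANY client on the Internet that can reach the proxy
# port gets access to port 80 anywhere. Because http_access stops at
# the first match, the later "deny all" never sees those requests.
acl port80 port 80
http_access allow port80
http_access deny all

# --- Corrected ordering ---
# Bind the proxy to the internal interface only (firewalling the port
# from outside is still recommended as a second line of defence).
http_port 192.168.1.1:3128

# Source network that is allowed to use the proxy (assumed LAN range).
acl localnet src 192.168.1.0/24

# Destination ports that are considered safe, and the subset that may
# be reached with CONNECT (443 stays here; the issue was never the
# port list but the missing source restriction).
acl Safe_ports port 80 443 21 70 210 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT

# Deny rules first, then the one allow for the local network, then
# a final deny so nothing else matches by accident.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors, and a request from an address outside 192.168.1.0/24 should now show up in access.log as TCP_DENIED.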
Received on Tue May 27 2008 - 12:07:42 MDT
