
RE: Removal of IP




v. true - unfortunately there are a lot of things that people ought to be
doing that they don't

;-)

Longwe

On Mon, 5 May 2003, Mark Tinka wrote:

> Well, I am not sure whether the proxy is Squid, or something else. However,
> you MUST always have an ACL that says who can use it, and who can't.
> Typically, one ACL that says who can use will work against those that
> aren't specified.
>
> Also, you SHOULD have a firewall that double checks this. If you are running
> the proxy on your general purpose operating system [Linux, UNIX, *BSD], your
> firewall should only allow access for your network. This is if you are doing
> traditional proxying/caching.
>
> If you are doing transparent caching, you can even better secure your proxy;
> taking the example of Squid Cache, transparent proxy means your clients
> don't configure their browsers. They keep your core router as their default
> gateway. But using route maps or the WCCP protocol, your router will
> automatically redirect all HTTP-bound traffic back to your cache server. As
> you can see, your clients don't need to access the port 3128 on the cache
> server, and neither does the rest of the world.
>
> However, you use your firewall to redirect all HTTP-bound traffic to your
> port 3128 on the cache server, so Squid can process it and respond to the
> client. But now, this opens a port 80 on your cache server, so all you do is
> deny any remote networks from directly accessing the port 80 on your Squid
> cache.
>
> I know this breaks a lot of TCP rules, but hey, that's what route maps do
> :-).
>
> Regards,
>
> Mark Tinka - CCNA
> Network Engineer
> Africa Online Uganda
> 5th Floor, Commercial Plaza
> 7 Kampala Rd,
> Tel:   +256-41-258143
> Fax:   +256-41-258144
> E-mail: mtinka at africaonline.co.ug
> Web:     www.africaonline.co.ug
>
>
> -----Original Message-----
> From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org] On Behalf Of
> Brian Longwe
> Sent: Monday, May 05, 2003 3:20 PM
> To: antonio at nambu.uem.mz
> Cc: Brian Candler; afnog at afnog.org
> Subject: Re: Removal of IP
>
>
>
> Proxy didn't have an ACL to control who could/couldn't use it.
>
> (Apparently this is also a glitch in Cisco's Content Engine IOS ver. 3 when
> http proxy is enabled)
>
>
> Brian
> On Mon, 5 May 2003 antonio at nambu.uem.mz wrote:
>
> > How were they exploiting the proxy?
> >
> > Cheers,
> >
> >
> >
> > On 5 May 2003 at 1:45, Brian Longwe wrote:
> >
> > >
> > >
> > > On Mon, 5 May 2003, Sunday Folayan wrote:
> > > > They spam using http not smtp. smtp is blocked, but you cannot do
> > > > that for http. They don't send one, they have programs that send
> > > > thousands within an hour, just changing recipient addresses. BTW.
> > > > I also get some addressed to me, since I figure they bought
> > > > addresses on CD.
> > > >
> > >
> > > One of our clients had an open http proxy which was exploited as a
> > > launch pad for spam - it took us three hours to detect and close the
> > > hole - within which time approx 30,000 messages had been generated -
> > > this stuff is deadly!
> > >
> > > Longwe
> > >
> > >
> > > -----
> > > This is the afnog mailing list, managed by Majordomo 1.94.5
> > >
> > > To send a message to this list, e-mail afnog at afnog.org
> > > To send a request to majordomo, e-mail majordomo at afnog.org and put
> > > your request in the body of the message (i.e use "help" for help)
> > >
> > > This list is maintained by owner-afnog at afnog.org
> > >
> >
> >
> >
>
>
>
>
>
>
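Added example, not part of the original messages: a small Python check that reads a squid.conf-style fragment and reports whether a client outside your networks would be allowed to use the proxy, following Squid's first-match `http_access` evaluation. The sample configurations, address ranges and function names are constructed for illustration, and only `src` ACLs and `http_access` lines are modelled.

```python
import ipaddress

# Constructed squid.conf fragments (not from the thread). Only "src" ACLs and
# http_access lines are modelled; this is a simplified subset of Squid's syntax.
OPEN_CONF = "acl all src 0.0.0.0/0\nhttp_access allow all\n"
FALLTHROUGH_CONF = "acl badnet src 198.51.100.0/24\nhttp_access deny badnet\n"
RESTRICTED_CONF = """\
acl all src 0.0.0.0/0
acl localnet src 192.0.2.0/24 198.51.100.0/25   # the networks you serve
http_access allow localnet
http_access deny all
"""

def parse(conf):
    """Return (acls, rules): ACL name -> networks, and ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)   # several values are OR'ed
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, ip):
    """Evaluate one ACL reference; a leading '!' negates it."""
    hit = any(ip in net for net in acls[name.lstrip("!")])
    return hit != name.startswith("!")

def decision(conf, client):
    """Return 'allow' or 'deny' for a client address."""
    acls, rules = parse(conf)
    if not rules:
        raise ValueError("no http_access lines: default is not modelled here")
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # All ACLs named on one line must match (AND); first matching line wins.
        if all(acl_matches(acls, n, ip) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def is_open_proxy(conf, outside="203.0.113.7"):
    """True if an address outside every listed network may use the proxy."""
    return decision(conf, outside) == "allow"
```

`FALLTHROUGH_CONF` shows why the list should end with an explicit `http_access deny all`: a configuration that only denies known-bad sources still allows everyone else.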

