
RE: [afnog] Squid 2.4



Brian Candler wrote:
> On Thu, Aug 07, 2003 at 03:00:55PM +0300, Mark Tinka wrote:
>> 
>>    Wouldn't you rather secure the server, either by ensuring no
>>    unnecessary logins, usernames and passwords are available on the
>>    box or better, making a clean install with the knowledge that you
>>    did a neat job and know everything about the box?
>> 
>>    You can then resume your Squid service on the same IP [after
>>    confirming with your upstream], or use another IP address you
>>    think they don't filter.
>> 
>>    Either way, you need to feel secure about the security of your
>>    box. There's no telling how much damage has been done if you feel
>>    it's been compromised.
> 
> Good advice. However it could also be something simpler than that:
> you may just have configured squid as an open proxy. If you do that,
> then people will relay spam through it, and it will get blacklisted
> just like any other spam source.   
> 
> When you reinstall your box, read the squid docs carefully and make
> sure you permit access only from *your* IP address range. Once that's
> done, you can always post here and ask for someone to test it from
> their own IP, to check that it does in fact refuse to serve as a
> proxy to people on other networks.    
> 
> Regards,
> 
> Brian.

Yes, definitely. Securing access to your Squid will also be essential in
ensuring your service is not misused and/or compromised.

In addition, if you are running Squid as a transparent proxy for your
clients, you don't really need to have the Squid default port, 3128, open to
the world, or even your own network. You can use your firewall to close this
port off and redirect all HTTP traffic to port 3128 instead. However, also
configure your Squid not to allow port 80 connections, but only port 80
redirections to port 3128.

If you have compiled your Squid with the '--enable-snmp' option, configuring
access lists for SNMP as well as firewalling the Squid SNMP port, 3401, will
help ensure no back door, if any, is open.

Are you doing transparent caching?

Regards,

Mark Tinka - CCNA
Network Engineer, Africa Online Uganda
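
The open-proxy mistake Brian describes and the "allow only your own range" fix are both decided by the order of Squid's http_access lines, which are evaluated first-match, with a fall-through default of the opposite of the last line. The following script is an added example, not something posted in this thread or part of Squid itself: it models that first-match logic for a small subset of ACL types (src, port, method) so a squid.conf fragment can be checked offline, from an outsider's address, before the box goes back on the net. The address ranges (192.0.2.0/24 as "our" network, 203.0.113.7 as an outside client) are constructed placeholders, and the function names are this example's own.

```python
"""Check whether a squid.conf http_access list behaves as an open proxy.

Added example (not from the afnog thread, not Squid code). It models the
first-match semantics of Squid's http_access directive for ACL types
src, port and method, including the documented fall-through rule: when
no http_access line matches, the request gets the opposite of the last
line's action.
"""
import ipaddress


def parse_config(text):
    """Return (acls, rules).

    acls:  name -> (acl_type, [values...]); repeated acl lines append.
    rules: [(action, [(negated, acl_name), ...]), ...] in file order.
    """
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments/blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 2:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _network(value):
    """Accept Squid 2.x 'addr/mask', CIDR, a bare address, or the word 'all'."""
    if value == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def acl_matches(acl, request):
    """True if the request (src, port, method) matches one ACL entry."""
    acl_type, values = acl
    if acl_type == "src":
        client = ipaddress.ip_address(request["src"])
        return any(client in _network(v) for v in values)
    if acl_type == "port":
        return str(request["port"]) in values
    if acl_type == "method":
        return request["method"].upper() in [v.upper() for v in values]
    raise ValueError("acl type not modelled here: " + acl_type)


def http_access(acls, rules, request):
    """Squid's decision: first matching http_access line wins.

    With no http_access lines at all Squid denies; with lines present but
    none matching, the result is the opposite of the last line's action.
    """
    if not rules:
        return "deny"
    for action, terms in rules:
        if all(acl_matches(acls[name], request) != negated
               for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, src, port, method="GET"):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, {"src": src, "port": port, "method": method})


def is_open_proxy(config_text, outsider="203.0.113.7"):
    """Would a plain port-80 GET from an address outside our range be served?"""
    return decide(config_text, outsider, 80, "GET") == "allow"


# Constructed fragments. 192.0.2.0/24 stands in for "our" address block.
OPEN_PROXY = """\
acl all src 0.0.0.0/0.0.0.0
http_access allow all          # the open-proxy mistake
"""

RESTRICTED = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.0.2.0/24  # placeholder for our own range
acl Safe_ports port 80 443 21
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all           # explicit final deny: no reliance on fall-through
"""

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_PROXY), ("restricted", RESTRICTED)):
        print(name, "open proxy:", is_open_proxy(cfg))
```

The last rule in RESTRICTED matters even though it looks redundant: a list ending in an allow line falls through to deny for unmatched clients, but a list that ends in a deny line (say, only `http_access deny badnet`) falls through to allow for everyone else, which is exactly how a "restricted" cache ends up relaying spam.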


__________________________________________________
This is the Africa Network Operators' Group(AfNOG)
technical discussion list.
The AfNOG website is: <http://www.afnog.org>