
RE: Removal of IP



Well, I am not sure whether the proxy is Squid, or something else. However,
you MUST always have an ACL that says who can use it, and who can't.
Typically, one ACL that says who can use it will work against those that
aren't specified.

Also, you SHOULD have a firewall that double checks this. If you are running
the proxy on your general purpose operating system [Linux, UNIX, *BSD], your
firewall should only allow access for your network. This is if you are doing
traditional proxying/caching.

If you are doing transparent caching, you can even better secure your proxy;
taking the example of Squid Cache, transparent proxy means your clients
don't configure their browsers. They keep your core router as their default
gateway. But using route maps or the WCCP protocol, your router will
automatically redirect all HTTP-bound traffic back to your cache server. As
you can see, your clients don't need to access the port 3128 on the cache
server, and neither does the rest of the world.

However, you use your firewall to redirect all HTTP-bound traffic to your
port 3128 on the cache server, so Squid can process it and respond to the
client. But now, this opens a port 80 on your cache server, so all you do is
deny any remote networks from directly accessing the port 80 on your Squid
cache.

I know this breaks a lot of TCP rules, but hey, that's what route maps do
:-).

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug
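The two Squid access-control states discussed in this thread, side by side, as an added example rather than a configuration from the post or from Africa Online; it assumes Squid 2.x on port 3128 and a constructed client range of 192.0.2.0/24, and the firewall rules mentioned above are a separate layer not shown here.

```squid
# Added example, not from the original post. Assumes Squid 2.x listening
# on port 3128 and a constructed client network of 192.0.2.0/24.
# The two sections are alternatives: use one or the other in squid.conf.

# --- squid.conf (open proxy, the misconfiguration described in the thread) ---
# Any host on the Internet that can reach port 3128 may relay HTTP through
# the cache, including the bulk webmail/form submissions used for spam.
http_port 3128
http_access allow all

# --- squid.conf (restricted proxy: say who may use it, deny everyone else) ---
http_port 3128
acl localnet src 192.0.2.0/24          # our own clients (assumed range)
acl Safe_ports port 80 443             # destination ports we will proxy to
acl SSL_ports port 443                 # the only port CONNECT may tunnel to
acl CONNECT method CONNECT
http_access deny !Safe_ports           # e.g. refuses proxying to port 25 (SMTP)
http_access deny CONNECT !SSL_ports    # no CONNECT tunnels except to 443
http_access allow localnet             # the one ACL that says who may use it
http_access deny all                   # everything not matched above is refused
```

After reloading, a request relayed from a host outside 192.0.2.0/24 should come back 403 and appear in access.log as TCP_DENIED/403, which is also the line to watch for when checking whether outsiders are still probing the proxy.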
 

-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org] On Behalf Of
Brian Longwe
Sent: Monday, May 05, 2003 3:20 PM
To: antonio at nambu.uem.mz
Cc: Brian Candler; afnog at afnog.org
Subject: Re: Removal of IP



Proxy didn't have an ACL to control who could/couldn't use it.

(Apparently this is also a glitch in cisco's Content Engine IOS ver. 3 when
http proxy is enabled)


Brian
On Mon, 5 May 2003 antonio at nambu.uem.mz wrote:

> How were they exploiting the proxy?
>
> Cheers,
>
>
>
> On 5 May 2003 at 1:45, Brian Longwe wrote:
>
> >
> >
> > On Mon, 5 May 2003, Sunday Folayan wrote:
> > > They spam using http not smtp. smtp is blocked, but you cannot do 
> > > that for http. They don't send one, they have programs that send 
> > > thousands within an hour, just changing recipient addresses. BTW. 
> > > I also get some addressed to me, since I figure they bought 
> > > addresses on CD.
> > >
> >
> > One of our clients had an open http proxy which was exploited as a 
> > launch pad for spam - it took us three hours to detect and close the 
> > hole - within which time approx 30,000 messages had been generated - 
> > this stuff is deadly!
> >
> > Longwe
> >
> >
> > -----
> > This is the afnog mailing list, managed by Majordomo 1.94.5
> >
> > To send a message to this list, e-mail afnog at afnog.org
> > To send a request to majordomo, e-mail majordomo at afnog.org and put 
> > your request in the body of the message (i.e use "help" for help)
> >
> > This list is maintained by owner-afnog at afnog.org
> >
>
>
>

