[leaf-user] Safe transparent proxying via DS1.02 and Squid
Hello Everyone,

I needed to perform transparent proxying wherein web clients from both public and private net can access my internal web site. So I rolled a squid.lrp package that came from a redhat6.2, and followed the instructions found here:

http://www.flounder.net/ipchains/ipchains-howto.html#8
http://users.gurulink.com/drk/transproxy/transproxy-linux21-squid1.html

With the squid package also running at port 80 in my DS1.02 based border router box, I managed to get the entire setup working. Now my problem is that the setup ended up getting abused as it was used to send spam all over. My IP got blacklisted on some sites and so on. An exact explanation of what happened is found here:

http://www.fr2.cyberabuse.org/?page=abuse-proxy

My question now is, how do I get this requirement properly set? I needed to do transparent proxying at port 80 and at the same time avoid getting abused. Any hints on proper firewalling techniques, etc., on this matter are greatly appreciated.

TIA - VIC

---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Vic

At 15:02 02.07.2003 +0800, Victor Berdin wrote:
> Hello Everyone, I needed to perform transparent proxying wherein web clients from both public and private net can access my internal web site.

Transparent proxying AFAIK is nothing but redirection of packets to the relevant port(s) to a proxy server. Relevant is the word here.

> Now my problem is that the setup ended up getting abused as it was used to send spam all over. My IP got blacklisted on some sites and so on. An exact explanation of what happened is found here:
> http://www.fr2.cyberabuse.org/?page=abuse-proxy

I am puzzled, I always thought spam was distributed using mail, e.g. SMTP, port 25, how exactly was your server abused? Unless your Gateway was completely compromised I do not see how Squid was used to forward mail. Please enlighten me

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Erich Titl [EMAIL PROTECTED] wrote:
> I am puzzled, I always thought spam was distributed using mail, e.g. SMTP, port 25, how exactly was your server abused? Unless your Gateway was completely compromised I do not see how Squid was used to forward mail.

It must not become abused in this case. He could get on the abuse list only because he is an open proxy. THINK [:)] about webmail clients. If you can use his proxy to hack his internal webmail client, the spammer got what he wants. An open proxy can also be used for DoS. Using the CONNECT feature you possibly can connect to any port on a remote machine. Just some ideas...

Cu
--
written with FeLaMiMail
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hello Erich,

----- Original Message -----
From: Erich Titl [EMAIL PROTECTED]
To: Victor Berdin [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 4:08 PM
Subject: Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

> Vic
>
> [snipped]
>
> I am puzzled, I always thought spam was distributed using mail, e.g. SMTP, port 25, how exactly was your server abused? Unless your Gateway was completely compromised I do not see how Squid was used to forward mail. Please enlighten me

Perhaps it is indeed compromised. Only my logs are no longer available as I'm clearing them automatically via cron (due to ramdisk limitations, ouch!). But I really have no idea how to make use of an open proxy server to send out mail spam. But according to my ISP, that's exactly what happened.

I notified my ISP as soon as I realized that my bandwidth is maxed out and my private net has nothing to do with it. What is physically evident is that, during my tests, my external device kept on blinking like mad. Issuing an 'ifconfig' command shows that RX and TX packets of the external device kept on incrementing while the internal RX/TX isn't moving at all. This shows that unwanted packets are simply flowing into the box then back out again (perhaps to the spam target/s), without touching my private net.

Then my ISP forwarded me this:

> Dear Network Security:
>
> (You are receiving this message because your local IP registry and/or DNS showed that you are the owner of this IP address, or that you are the access provider for this IP address. If you are not responsible for the system at this address, PLEASE FORWARD to the responsible party!)
>
> One of your users (IP XXX.XXX.XXX.XXX) is running an open proxy server that is being used to forward untold tens of thousands of junk emails daily. PLEASE shut down this abusive user. This user has open proxies running on port 80.
>
> The proxycheck program clearly shows the open proxy port:
>
> [EMAIL PROTECTED] pck XXX.XXX.XXX.XXX
> To check: hosts=1, proto:ports=63, host:proto:ports=63
> XXX.XXX.XXX.XXX:hc:80: HTTP request successeful (200)
> XXX.XXX.XXX.XXX hc:80 open
> NumOpen=1(1) NRead=119 Time=23
>
> Note: There may be other open proxy ports in addition to the ones listed above.
>
> This user is so abusive, they have managed to get themselves listed in the MONKEYS.COM open proxy list:
> http://www.monkeys.com/upl/listed-ip-0.cgi?ip=XXX.XXX.XXX.XXX
>
> They have also managed to get themselves blacklisted as an open proxy by NJABL.ORG:
> http://njabl.org/cgi-bin/lookup.cgi?query=XXX.XXX.XXX.XXX
>
> Finally, the investigation of this IP address was triggered by this system port scanning our MTA (a common indicator that a proxy server is about to try to send spam) as shown in the following log record(s):
>
> Jun 29 16:54:27 trustem01.trustem.net sendmail[953]: h5TKsQlq000953: [XXX.XXX.XXX.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> [FURTHER MESSAGES SNIPPED]

At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html) But it is my requirement to allow EVERYBODY to be able to access my web server in the private net. Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).

The blacklist is lifted now, but I currently opt to use a backup IP until I get this fixed. :o(

TIA - Vic
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi again,

> I notified my ISP as soon as I realized that my bandwidth is maxed out and my private net has nothing to do with it.

This just confirms my previous post.

> What is physically evident is that, during my tests, my external device kept on blinking like mad. Issuing an 'ifconfig' command shows that RX and TX packets of the external device kept on incrementing while the internal RX/TX isn't moving at all. This shows that unwanted packets are simply flowing into the box then back out again (perhaps to the spam target/s), without touching my private net.

Exactly, this also confirms that the webmail system is not affected at all. You have an OPEN RELAY proxy. The abuser just asks for a page (incoming traffic on your external interface), the proxy accepts and connects to it (outgoing traffic on the outside interface). The internal interface is not touched at all :)

> Then my ISP forwarded me this:
> [...]
> PLEASE shut down this abusive user. This user has open proxies running on port 80.
>
> The proxycheck program clearly shows the open proxy port:
>
> [EMAIL PROTECTED] pck XXX.XXX.XXX.XXX
> To check: hosts=1, proto:ports=63, host:proto:ports=63
> XXX.XXX.XXX.XXX:hc:80: HTTP request successeful (200)
> XXX.XXX.XXX.XXX hc:80 open
> NumOpen=1(1) NRead=119 Time=23

Your ISP has detected the open relay proxy :)

> At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html)

Please, understand a reverse proxy is not the same as an open relay proxy. A reverse proxy is just a proxy that acts as a web server, listening on port 80. The difference is it only accepts URLs behind the proxy. An open relay proxy is configured exactly the same BUT accepts any URL.

> But it is my requirement to allow EVERYBODY to be able to access my web server in the private net.

A reverse proxy will do this.

> Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).

Regards.
--
Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi,

> I needed to perform transparent proxying wherein web clients from both public and private net can access my internal web site.

Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?

> Now my problem is that the setup ended up getting abused as it was used to send spam all over.

Do you run some kind of webmail? If the problem is spam related, most probably your users are using your webmail system to send spam. In that case, a proxy won't help you at all. You have to educate your users, impose some restrictions (like the number of emails a day a user can send) or improve your user selection. Still, nothing to do with the proxy.

But I believe most probably you have been banned because of an open proxy. In this case, your proxy does its work even with URLs that you don't control and this is bad. You have to configure the proxy to allow petitions only for those domains you control and that are BEHIND the reverse proxy.

> My IP got blacklisted on some sites and so on. An exact explanation of what happened is found here:
> http://www.fr2.cyberabuse.org/?page=abuse-proxy

Reading this page clarifies ALL. Now my guess was right. You have not been banned because of spam but because you have an OPEN RELAY proxy. Configure it properly.

For local users I don't recall right now if SQUID allowed for different behaviour on different interfaces. If yes, configure it properly, if not, try to run two instances of squid or use a different box.

> My question now is, how do I get this requirement properly set? I needed to do transparent proxying at port 80 and at the same time avoid getting abused. Any hints on proper firewalling techniques, etc., on this matter are greatly appreciated.

If you need further professional assistance with this part we can help you. Just email me privately.

Regards
--
Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi again,

>> Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?
>
> Yes, I'm using it as a reverse proxy.

Yes, but why? There are better solutions depending on what you want to achieve.

--
Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hello once more,

----- Original Message -----
From: Jaime Nebrera Herrera [EMAIL PROTECTED]
To: Victor Berdin [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 5:53 PM
Subject: Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

> Hi again,
>
>>> Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?
>>
>> Yes, I'm using it as a reverse proxy.
>
> Yes, but why? There are better solutions depending on what you want to achieve.

All I needed is to *securely* open my private web server to the public net. I figured squid can do that via httpd_accel_host/_port. Please do point me to other open source solutions if others are more appropriate.

TIA - Vic
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hello Jaime,

----- Original Message -----
From: Jaime Nebrera Herrera [EMAIL PROTECTED]
To: Victor Berdin [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 5:22 PM
Subject: Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

[snip]

> Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?

Yes, I'm using it as a reverse proxy.

> Do you run some kind of webmail? If the problem is spam related, most probably your users are using your webmail system to send spam. In that case, a proxy won't help you at all. You have to educate your users, impose some restrictions (like the number of emails a day a user can send) or improve your user selection. Still, nothing to do with the proxy.

No, that is not the case at all. My internal net lay dormant as my box kept on receiving and automatically forwarding junk packets.

> But I believe most probably you have been banned because of an open proxy. In this case, your proxy does its work even with URLs that you don't control and this is bad. You have to configure the proxy to allow petitions only for those domains you control and that are BEHIND the reverse proxy.
>
>> http://www.fr2.cyberabuse.org/?page=abuse-proxy
>
> Reading this page clarifies ALL. Now my guess was right. You have not been banned because of spam but because you have an OPEN RELAY proxy. Configure it properly.

Perhaps, but an e-mail from my ISP details that my box was used to send tons of spam. :o(

> For local users I don't recall right now if SQUID allowed for different behaviour on different interfaces. If yes, configure it properly, if not, try to run two instances of squid or use a different box.

It is highly possible that I'm not setting it up properly. And yeah, the DOCs are my friends. Plus I was so harsh/excited to place the box in the jungle right away as soon as I got it up, without doing security tests. :o( I learned my lesson, the challenge now is to fix it.

Thanks for your reply,
Vic
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Victor Berdin wrote:
> snip
>
> At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html) But it is my requirement to allow EVERYBODY to be able to access my web server in the private net. Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).

If you *REALLY* want to do this using a proxy like squid, you need to put appropriate access rules in place. Start by denying everything. Then enable access *ONLY* to your local web server for all IPs. Finally, you can enable general access for users on your local LAN, if necessary.

I'm not a squid guru, but the info on setting this up should be in the squid documentation and/or various HOWTOs. I suggest you start with the access control section of the squid manual:

http://squid.visolve.com/squid24s1/access_controls.htm

Looks like you can control access based on source IP, destination, and protocol...everything you need to lock down the proxy to *JUST* allowing access to your local server, rather than the internet in general.

--
Charles Steinkuehler
[EMAIL PROTECTED]
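An added example, not code from this thread or from the Squid project: a small Python evaluator that reads Squid 2.x-style `acl` and `http_access` lines and answers whether a given request would be served. It embeds two constructed configurations, an open one (which is what the original setup amounted to, and what makes Jaime's "open relay proxy") and one in the order Charles describes (deny by default, allow every source to reach only the local site, allow general access only from the private LAN). The LAN range 192.168.1.0/24, the site www.example.com and the client addresses are placeholders, not values from the thread; the `httpd_accel_host`/`httpd_accel_port` directives that turn Squid into an accelerator are deliberately ignored, since they do not decide who may use the proxy.

```python
"""Evaluate Squid 2.x-style access lists offline (constructed example).

Models Squid's http_access semantics: the first matching line wins, every
acl named on that line must match, and a leading '!' negates one acl.
Other squid.conf directives (httpd_accel_host, httpd_accel_port, ...) are
ignored here; they set up the accelerator but do not decide who may use it.
"""
import ipaddress
from dataclasses import dataclass

# Constructed configuration: an accelerator with no destination restriction.
# Any client may request any URL, which is what got the poster listed.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

# Constructed configuration following the advice in the thread: deny by
# default, allow every source to reach only the local site, allow general
# access only from the private LAN. 192.168.1.0/24 and www.example.com are
# placeholders, not values from the thread.
LOCKED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
acl mysite dstdomain www.example.com
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow mysite
http_access allow localnet
http_access deny all
"""


@dataclass(frozen=True)
class Request:
    src: str    # client address as seen by the proxy
    host: str   # destination host taken from the URL / Host header
    port: int   # destination port


def parse(conf):
    """Return ({acl name: (type, values)}, [(action, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            name, kind, values = words[1], words[2], words[3:]
            old_kind, old_values = acls.get(name, (kind, []))
            if old_kind != kind:
                raise ValueError(f"acl {name}: type changed from {old_kind} to {kind}")
            acls[name] = (kind, old_values + values)   # repeated acl lines accumulate
        elif words[0] == "http_access" and len(words) >= 3:
            action, terms = words[1], words[2:]
            if action not in ("allow", "deny"):
                raise ValueError(f"http_access: unknown action {action}")
            rules.append((action, terms))
    return acls, rules


def acl_matches(acls, name, req):
    """Match one acl against a request; supports the src, dstdomain and port types."""
    kind, values = acls[name]   # KeyError for an undefined acl (Squid would refuse to start)
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req.host.lower().rstrip(".")
        for v in (v.lower() for v in values):
            if v.startswith("."):       # ".example.com" covers the domain and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:             # "www.example.com" is an exact match only
                return True
        return False
    if kind == "port":
        return any(req.port == int(v) for v in values)
    raise ValueError(f"acl type {kind} not supported by this evaluator")


def is_allowed(conf, req):
    """Decide a request the way Squid's http_access list does.

    If no line matches, Squid applies the opposite of the last line's action,
    which is why the locked config ends with an explicit 'deny all'."""
    acls, rules = parse(conf)
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(acls, term.lstrip("!"), req) == negated:
                break                   # this term failed, try the next line
        else:
            return action == "allow"    # every term matched: this line decides
    return bool(rules) and rules[-1][0] == "deny"


if __name__ == "__main__":
    probes = [
        Request("203.0.113.5", "www.example.com", 80),     # public visitor, our own site
        Request("203.0.113.5", "other.example.org", 80),   # public visitor, a third-party site
        Request("192.168.1.20", "other.example.org", 80),  # LAN user browsing out
        Request("203.0.113.5", "www.example.com", 25),     # proxy asked for a non-web port
    ]
    for label, conf in (("open", OPEN_CONF), ("locked", LOCKED_CONF)):
        for r in probes:
            verdict = "allow" if is_allowed(conf, r) else "deny"
            print(f"{label:6} {r.src:>13} -> {r.host}:{r.port:<4} {verdict}")
```

Run as a script it prints one verdict per configuration and probe; the open configuration serves the third-party URL for the public visitor, the locked one refuses it while still serving www.example.com to everyone and letting the LAN browse out. The order of the `http_access` lines is the whole point: put `allow localnet` before the destination check or drop the final `deny all`, and the proxy is open again to whichever sources that line covers.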
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hello Charles,

----- Original Message -----
From: Charles Steinkuehler [EMAIL PROTECTED]
To: Victor Berdin [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 8:07 PM
Subject: Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

> Victor Berdin wrote:
>> snip
>>
>> At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html) But it is my requirement to allow EVERYBODY to be able to access my web server in the private net. Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).
>
> If you *REALLY* want to do this using a proxy like squid, you need to put appropriate access rules in place. Start by denying everything. Then enable access *ONLY* to your local web server for all IPs. Finally, you can enable general access for users on your local LAN, if necessary.
>
> I'm not a squid guru, but the info on setting this up should be in the squid documentation and/or various HOWTOs. I suggest you start with the access control section of the squid manual:
>
> http://squid.visolve.com/squid24s1/access_controls.htm
>
> Looks like you can control access based on source IP, destination, and protocol...everything you need to lock down the proxy to *JUST* allowing access to your local server, rather than the internet in general.
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]

But it is my requirement that I allow both public and private, directing them to a specific web server in my private net. I think I've got it with hints from Jaime. Need to test further though before raising it up again in the harsh public environment ;o)

- Vic