Re: [squid-users] Looking for additional information about securing squid
> First question - what are you aiming / hoping to achieve by implementing
> Squid?

1. Some ad blocking via an MVPS hosts file. I'm not trying for a perfect solution, some ad blocking is better than none.
2. Parental control abilities. I like that squid can serve a local webpage that can say, "Facebook is only allowed between X hours on X days" instead of giving an unreachable response.
3. Possible small improvements in page response times due to web caching and ad blocking.

> Second question - do you really give guests full access to your home
> network, rather than just "a gateway to the Internet with no visibility
> of my private machines"?

At the moment, yes. It's a work in progress. I can count on one hand the number of people I've allowed access to in the last year and my wifi is secured as best it can be. That said, I recognize that - as the saying goes - locks only keep good people out.

> data leaks
> cache poisoning
> message smuggling

I need to read up on cache poisoning, haven't heard of that one. Not sure what you mean by message smuggling. And yes, the data leaks was what I knew enough to be asking about. Specifically my concern is that someone could gain control of my server and install malware/trojan/worm/whatever. I'm not that good with Linux yet so I probably wouldn't even know where to begin looking for something like that, much less clean it off. And I would expect the malware/antivirus safeguards I have on my PCs would be less effective if there's a server on the same LAN possibly attacking them 24/7.

> The risk is relative to your overall network security design, and that
> should of course be considered before starting a proxy in any network
> more secure than what the default squid.conf allows.

Well I'm sure my network is *less* secure than what the default squid.conf allows so no worries, eh?

> If you want advice about specific features that is not mentioned in the
> relevant squid.conf directive docs or the wiki, feel free to ask. But
> security is a rather big topic so pardon if I don't try to brain-dump
> everything right here :-)

Understood. Antony was on the right track with asking about my objectives.

As far as non-standard squid config ... I really wish I could link you to the website I used as a template to add onto the default squid install. Normally I save the web link in the txt file with the notes I've made but I seem to have forgotten to save the link in this one. I've spent about the last 20 minutes searching but I can't find the page. There were a few things I added for rate limiting Windows update and allowing Youtube and cgi-bin pages to be cached, but the modifications shouldn't have affected permissions, etc. I don't think they would, but would've liked to have linked you to that page.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
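
An added example, not part of any message in this thread: a squid.conf fragment covering the goals listed in the reply above (LAN-only access, hosts-file ad blocking, time-limited Facebook with a local notice page). The LAN range, file paths, ACL names, allowed hours and the ERR_FACEBOOK_HOURS page name are assumptions.

```conf
# Added example; every name, path, range and time below is an assumption.
# These rules go where the default squid.conf says
# "INSERT YOUR OWN RULE(S) HERE", i.e. after the default
# "deny !Safe_ports" and "deny CONNECT !SSL_ports" lines, which stay in place.

# Only the home LAN may use the proxy (assumed range).
acl homelan src 192.168.1.0/24

# Ad/tracker domains, one per line. The hosts-file format
# "0.0.0.0 ads.example.com" must first be reduced to "ads.example.com".
acl adhosts dstdomain "/etc/squid/adhosts.txt"

# Facebook and the window in which it is allowed.
# Day letters: S=Sunday M T W H=Thursday F A=Saturday.
acl facebook dstdomain .facebook.com
acl fb_hours time SA 10:00-18:00

# Custom page returned when a deny rule ends on the "facebook" ACL.
# ERR_FACEBOOK_HOURS is a file placed in Squid's error page directory.
deny_info ERR_FACEBOOK_HOURS facebook

# http_access is first-match. Refuse non-LAN clients before anything else.
http_access deny !homelan

# Block the ad domains for everyone.
http_access deny adhosts

# Outside the allowed window, deny Facebook. The "facebook" ACL is listed
# last so that it is the last ACL evaluated and its deny_info page is used.
http_access deny !fb_hours facebook

# Everything else from the LAN is allowed; nothing else is.
http_access allow homelan
http_access deny all
```

Browsers do not display a proxy's error body for a denied CONNECT request, so for HTTPS sites the notice page is only seen on plain-HTTP requests. Run `squid -k parse` after editing to catch syntax errors before reloading.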
Re: [squid-users] Looking for additional information about securing squid
On 14/12/2016 11:44 a.m., Steve Becker wrote:
> Hi all,
>
> My background's in networking, I'm very new to unix/linux and server
> administration, I don't know a whole lot about security beyond ACLs and
> setting up crypto for VPNs. I'm setting up a box at home with CentOS and
> squid, among other features (I want this box to be a syslog server, etc).
> At the moment I have no plan to run a web server, but I'm still concerned.
> I know web servers are vulnerable to certain kinds of attacks, some of which
> could escalate user privileges or dump data people shouldn't have access to.
> Is squid, as a proxy server, vulnerable to some of these kinds of
> attacks?

Generally no. Those types of attack require operations that Squid does not do (executing something attacker-controlled). Though sometimes the helpers and plugins people use might have such problems. Especially badly written custom ones.

Squid (and other HTTP proxies) vulnerabilities tend to be along the lines of: data leaks, DoS, cache poisoning, or message smuggling. The result of those types is typically privacy abuses, or network hijacking by allowing attack malware to reach target servers or other clients.

> I'll be limiting squid to only accept traffic from my LAN but you
> still never know. A guest might use my network with an infected device,
> etc.
>
> I've looked at the security FAQ on the squid wiki, and I tried to search the
> mailing list archive using the link at
> http://www.squid-cache.org/Support/mailing-lists.html, however I get a 404
> error. I downloaded the last 6 months worth of archives and searched for
> the word security, and I see references to SSL, TLS, bumping, etc. I'm sure
> these conversations follow the requirements of people using squid at work
> but aside from one thread I don't see anything addressing my concerns, hence
> my post.
>

It may not be easy to see at times, but most of the traffic on this list includes a security aspect. The posters either have a specific transaction problem, or some f'up in their config settings letting traffic do unwanted things. To resolve that type of thing we not only have to provide a solution but try to ensure the admin in question (and future readers) understands why it solves the problem, and whether there are any risks associated (i.e. security considerations).

(Thanks for the mention of that 404. Looking into it now.)

>
> I suspect there's no more additional securing of squid I need to do - if
> there were I would've expected something to mention it in the FAQ - but I'd
> rather ask just in case. Any thoughts/suggestions?
>

Yes. The default installation of Squid is very secure so far as CVE type vulnerability issues go. We do aim to be completely secure (if only it were possible!). But that naturally varies by version and what is known about.

As for an attacker in your LAN; they can use the proxy default config to do some limited HTTP things, but they would be able to do even more nasties if they didn't go through Squid's protocol sanitizing/validation logic.

The risk is relative to your overall network security design, and that should of course be considered before starting a proxy in any network more secure than what the default squid.conf allows.

The wiki in general has a lot of info, most of it is under specific config examples or feature documentation rather than the FAQ. The squid.conf documentation also has 'WARNING' and mentions of issues related to using the relevant directives.

If you want advice about specific features that is not mentioned in the relevant squid.conf directive docs or the wiki, feel free to ask. But security is a rather big topic so pardon if I don't try to brain-dump everything right here :-)

Amos
Re: [squid-users] Looking for additional information about securing squid
On Tuesday 13 December 2016 at 23:44:12, Steve Becker wrote:

> Hi all,

Hi.

> My background's in networking, I'm very new to unix/linux and server
> administration, I don't know a whole lot about security beyond ACLs and
> setting up crypto for VPNs.
>
> I'm setting up a box at home with CentOS and squid,

> I know web servers are vulnerable to certain kinds of attacks, some of
> which could escalate user privileges or dump data people shouldn't have
> access to. Is squid, as a proxy server, vulnerable to some of these
> kinds of attacks? I'll be limiting squid to only accept traffic from my
> LAN but you still never know. A guest might use my network with an
> infected device, etc.

First question - what are you aiming / hoping to achieve by implementing Squid?

Second question - do you really give guests full access to your home network, rather than just "a gateway to the Internet with no visibility of my private machines"?

Antony.

--
I wasn't sure about having a beard at first, but then it grew on me.

Please reply to the list; please *don't* CC me.
[squid-users] Looking for additional information about securing squid
Hi all,

My background's in networking, I'm very new to unix/linux and server administration, I don't know a whole lot about security beyond ACLs and setting up crypto for VPNs. I'm setting up a box at home with CentOS and squid, among other features (I want this box to be a syslog server, etc). At the moment I have no plan to run a web server, but I'm still concerned. I know web servers are vulnerable to certain kinds of attacks, some of which could escalate user privileges or dump data people shouldn't have access to. Is squid, as a proxy server, vulnerable to some of these kinds of attacks? I'll be limiting squid to only accept traffic from my LAN but you still never know. A guest might use my network with an infected device, etc.

I've looked at the security FAQ on the squid wiki, and I tried to search the mailing list archive using the link at http://www.squid-cache.org/Support/mailing-lists.html, however I get a 404 error. I downloaded the last 6 months worth of archives and searched for the word security, and I see references to SSL, TLS, bumping, etc. I'm sure these conversations follow the requirements of people using squid at work but aside from one thread I don't see anything addressing my concerns, hence my post.

I suspect there's no more additional securing of squid I need to do - if there were I would've expected something to mention it in the FAQ - but I'd rather ask just in case. Any thoughts/suggestions?

TIA