Re: [squid-users] Bypassed Proxy

2016-12-23 Thread Yuri Voinov


23.12.2016 23:30, Sameh Onaissi wrote:
> Thank you all for the suggestions.
>
> I will try to read up on iptables and add the necessary rules, as well as try 
> to add northghost IPs to the blacklist.
AFAIK not IPs, but network ranges. And you need to update it regularly to
keep it up to date, and make enough exceptions so that innocent sites work.
>
> On another note, I noticed Tor Browser bypasses squid completely. The only 
> search results I found on how to block it with squid date back to 2011. (Amos 
> has a script for that?)
> Any idea how to block Tor? I downloaded it and ran it and none of its traffic 
> is detected by Squid.
Bridged Tor?! Cool story, bro. Even the Chinese government, with the Great
Firewall of China, can't block Tor.

PS. Personal advice: forget about blocking Tor. Forever. It is designed to
prevent any blocking, and it is well designed.

-- 
What is the fundamental difference between the programmer and by a fag?
Fag never become five times to free the memory of one object. Fag will
not use two almost identical string libraries in the same project. Fag
will never write to a mixture of C and C ++. Fag will never pass objects
by pointer. Now you know why these two categories so often mentioned
together, and one of them is worse :)


0x613DEC46.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Bypassed Proxy

2016-12-23 Thread Sameh Onaissi
Thank you all for the suggestions.

I will try to read up on iptables and add the necessary rules, as well as try 
to add northghost IPs to the blacklist.

On another note, I noticed Tor Browser bypasses squid completely. The only 
search results I found on how to block it with squid date back to 2011. (Amos 
has a script for that?)
Any idea how to block Tor? I downloaded it and ran it and none of its traffic 
is detected by Squid.








Re: [squid-users] Bypassed Proxy

2016-12-23 Thread Eliezer Croitoru
My suggestion would be to find the holes in the system.
There are a couple of good networking tools, i.e.:
Iptstate
Iptraf-ng
netstat-nat
conntrackd-tools

The above tools have the options to see what parts of the IP traffic are not on 
ports such as:
53
80
443

which you can control easily.
You can easily add a DROP or REJECT rule in iptables for all new connections on 
ports other than these as a starter.
It's very simple to write and I think you should dig a bit into iptables so you 
would be able to understand how it works better, to give you a glimpse into the 
networking security world.
This amazing site and page:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

gives a better understanding of iptables and also of networking.
If you need more guidance let me know.

Eliezer 


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il





Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Amos Jeffries
On 23/12/2016 10:02 a.m., Sameh Onaissi wrote:
> Hello,
> 
> 
> Eliezer’s recommended fix did not work.
> 
> The user was on YouTube watching UFC all day today.
> 
> Here’s a copy of the log at the time.
> 1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
> 1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
> 1482436450.585      0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.650    373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
> 1482436450.669      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.682   1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436450.706    386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
> 1482436450.740   6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.909    469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
> 1482436450.927   1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
> 1482436450.940      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436450.955      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.063    197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
> 1482436451.080      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.217    434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
> 1482436451.236      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.322    271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
> 1482436451.345    479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
> 1482436451.361      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.498   4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
> 1482436451.530      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
> 1482436451.909    817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
> 
> 
> 
> I know 503 is an error, but the user was using youtube without any hassles.
> Those IPs are for Digital Ocean and Alentus Corporation.

rDNS says they are being used by the northghost "Touch VPN" network.

> 
> Squid is being “fooled” somehow.
>  I did notice the 503, which made it more confusing to me.

Squid is rejecting the YT traffic attempts asked of it. Maybe not in the
way you intended, but to the same effect.

The above log implies they are visiting northghost. Nothing is
prohibiting that. Then Squid, during the bumping process, sees the YT
domain in SNI or somesuch, and tries to reject it but can't at that late
stage, so 503 occurs.

There are very likely other attempts being made in other ways since
these did not succeed. If any of those do succeed the user gets their YT
access.

Amos

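
An added example, not code from the thread or from Squid itself: the pattern Paul and
Amos describe, a burst of TAG_NONE/503 on the blocked domain next to TAG_NONE/200
CONNECT tunnels to literal IP:port destinations (ORIGINAL_DST), can be pulled out of
access.log with a few lines of awk. The field layout is Squid's default "squid"
logformat. The sample lines are constructed in the shape of the ones posted above; the
second client (10.0.0.40) and the example.com / 198.51.100.7 / 190.0.2.1 destinations
are made up as a control that only browses normally.

```shell
#!/bin/sh
# Added example, not code from the thread: spot the "VPN through the proxy" pattern in
# a Squid access.log written in the default "squid" logformat, whose fields are
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# ($1 .. $10 in awk).

# Constructed sample in the shape of the lines posted in the thread. 10.0.0.40,
# example.com, 198.51.100.7 and 190.0.2.1 are made up as a control client that only
# browses normally.
sample_log() {
  cat <<'EOF'
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682   1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.322    271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.0.2.1 text/html
1482436460.100    120 10.0.0.40 TCP_TUNNEL/200 5120 CONNECT mail.example.com:443 - HIER_DIRECT/198.51.100.7 -
EOF
}

# Regex for a literal IPv4 host:port CONNECT target (bracketed dots so it survives
# awk -v escape processing). A hostname blacklist (squidguard, dstdomain) never
# matches these, which is why the tunnels in the sample got a 200.
IPV4_PORT='^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+:[0-9]+$'

# Print "client endpoint_ip" for every tunnel Squid actually opened to a literal IP.
# Pipe the result through sort -u and rDNS (host <ip>) to identify the VPN operator.
bare_ip_tunnels() {
  awk -v re="$IPV4_PORT" '
    $6 == "CONNECT" && $4 ~ /\/200$/ && $7 ~ re { split($7, hp, ":"); print $3, hp[1] }'
}

# Per-client summary: how many distinct literal-IP endpoints it tunnelled to and how
# many CONNECTs Squid refused with 503. Many of the first plus a burst of the second is
# the "connect to the VPN first, then fetch the blocked site through it" signature.
client_summary() {
  awk -v re="$IPV4_PORT" '
    { seen[$3] = 1 }
    $6 == "CONNECT" && $4 ~ /\/200$/ && $7 ~ re { split($7, hp, ":"); ep[$3 SUBSEP hp[1]] = 1 }
    $6 == "CONNECT" && $4 ~ /\/503$/            { denied[$3]++ }
    END {
      for (k in ep) { split(k, p, SUBSEP); n[p[1]]++ }
      for (c in seen)
        printf "%s bare_ip_endpoints=%d denied_connects=%d\n", c, n[c] + 0, denied[c] + 0
    }'
}

# Summarise the constructed sample, or a real log when given a readable path:
#   sh detect_tunnels.sh /var/log/squid/access.log
if [ -r "${1:-}" ]; then client_summary < "$1"; else sample_log | client_summary; fi
```

Run it with no arguments to see the summary for the constructed sample, or point it at
a live access.log. `bare_ip_tunnels` gives the raw client/endpoint pairs to feed into an
rDNS lookup (`host <ip>`), which is how the northghost hosts were identified above. A
CONNECT to a literal IP is exactly what a domain blacklist never matches; Squid can
refuse such tunnels up front with a `dstdom_regex` ACL built from the same IPv4
pattern, which is the question Paul raised about URLs given by IP rather than hostname.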


Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Amos Jeffries
On 23/12/2016 1:02 p.m., Sameh Onaissi wrote:
> I have been trying to replicate what he is doing.
> 
> I have tried 4 or 5 VPN software and none connects, including Hotspot
> Shield. My iptables seem to be doing the job in that regard (Eliezer
> helped me set them up)
> 

Do you have matching ip6tables rules to prevent IPv6 networking being
used for the prohibited things?

>> On Dec 22, 2016, at 5:14 PM, Antony Stone wrote:
>>
>> On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:
>>
>>> The user has hotspot shield installed on his PC, which I believe is a
>>> similar extension to the one you mentioned.
>>
>>> He is getting by squid with some sort of VPN, I thought squid can be
>>> configured against such things?

Squid can only prevent things going through itself.

Unless the VPN software is using HTTP(S) protocol messaging as a
transport layer, AND that messaging goes through the proxy, the answer
is no. That kind of control is what firewalls are for.


>>
>> It sounds as though you need to review your firewall (routing) policies.
>>
>> Anyone who is allowed to use a VPN can effectively bypass all security 
>> policies 
>> on your network.
>>

I second that.

Keep in mind that "iptables" command only sets up rules for IPv4
connections. They could be using IPv6. 'VPN' also has a number of
sub-types: 6to4, SOCKS, IP-IP, or remote NPT relay.

Amos

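
An added example, not code from the thread: a gateway egress policy that turns
Eliezer's starter advice (REJECT every new connection that is not to 53, 80 or 443)
into rules, and answers Amos's warning by emitting the identical rule set for
ip6tables, since iptables alone leaves every IPv6 path open. The interface names, the
chain name and the allowed-port lists are assumptions; adjust them to the box.

```shell
#!/bin/sh
# Added example, not code from the thread: gateway egress policy that implements
# Eliezer's starter rule (REJECT every NEW connection except to 53, 80, 443) and emits
# the identical rules for ip6tables, since iptables(8) only covers IPv4.
# LAN_IF, WAN_IF, the chain name and the port lists are assumptions.
LAN_IF="${LAN_IF:-eth1}"   # assumed: interface facing the clients
WAN_IF="${WAN_IF:-eth0}"   # assumed: interface facing the Internet
ALLOWED_TCP="53 80 443"
ALLOWED_UDP="53"
CHAIN="EGRESS_POLICY"

# Print the rule set for one address family; $1 is iptables or ip6tables.
# Anything that is neither part of an accepted flow nor a NEW TCP/UDP connection to an
# allowed port is logged (rate limited) and rejected. That also covers the VPN
# sub-types Amos lists: SOCKS is TCP to an arbitrary port, IP-IP is IP protocol 4 and
# 6to4 is protocol 41, none of which match an ACCEPT below.
emit_rules() {
  tool="$1"
  echo "$tool -N $CHAIN"
  echo "$tool -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for port in $ALLOWED_TCP; do
    echo "$tool -A $CHAIN -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  for port in $ALLOWED_UDP; do
    echo "$tool -A $CHAIN -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "$tool -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix \"EGRESS-DENY: \""
  echo "$tool -A $CHAIN -j REJECT"
  echo "$tool -A FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN"
}

# Both address families. The same policy applied with iptables alone leaves every
# IPv6 path open, which is Amos's point about matching ip6tables rules.
emit_all() {
  emit_rules iptables
  emit_rules ip6tables
}

# Dry run by default: print the commands for review. "--apply" executes them (root).
if [ "${1:-}" = "--apply" ]; then
  emit_all | while IFS= read -r cmd; do eval "$cmd"; done
else
  emit_all
fi
```

By default the script only prints the commands so they can be reviewed; `sh egress.sh
--apply` runs them as root. Two caveats a practitioner would add: in a transparent
setup where 80 and 443 are already redirected to Squid in the nat table, those two
ports can be dropped from ALLOWED_TCP so that the proxy is the only HTTP path, and UDP
53 is a well-known tunnel channel, so restrict it to the site's own resolver rather
than the whole Internet. Note also that the northghost tunnels in the log above ran
over TCP 443 through Squid itself; a port filter passes them by design, and stopping
them is the proxy's job, not the firewall's.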


Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Sameh Onaissi
I have been trying to replicate what he is doing.

I have tried 4 or 5 VPN software and none connects, including Hotspot Shield. 
My iptables seem to be doing the job in that regard (Eliezer helped me set them 
up)






Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Antony Stone
On Thursday 22 December 2016 at 22:50:33, Sameh Onaissi wrote:

> The user has hotspot shield installed on his PC, which I believe is a
> similar extension to the one you mentioned.

> He is getting by squid with some sort of VPN, I thought squid can be
> configured against such things?

It sounds as though you need to review your firewall (routing) policies.

Anyone who is allowed to use a VPN can effectively bypass all security policies 
on your network.


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Sameh Onaissi
Hi Paul and thank you for your reply.

I did try the extension and Squid blocked it right away.

The user has hotspot shield installed on his PC, which I believe is a similar 
extension to the one you mentioned.
My squid.conf blocks domains, I have a bypass list of IPs for local company 
servers and Skype For Business.

The user has hotspot shield installed, both the chrome extension and the 
desktop software, although the chrome extension is always Off from what I have 
seen (red icon when off, green when on).

He is getting by squid with some sort of VPN, I thought squid can be configured 
against such things?




On Dec 22, 2016, at 4:34 PM, Paul Freeman wrote:

Sam,
I haven't followed your thread closely so what I am about to mention may already 
have been discussed.  Apologies if this is the case.

As Alex says, the connections to youtube receive a 503 but then there are 
successful connects on port 443 to numerous site by IP address rather than 
hostname.

Doing a reverse lookup on the IP addresses shows some are in the 
northghost.com DNS domain name.

I looked up northghost.com and they offer an app for mobiles or an add-on for 
Chrome called Touch VPN.  Perhaps this might be being used by your user, 
although I don't really know how it works and whether it really is how the 
user appears to be bypassing the proxy.

In your squid.conf or other access control systems, do you allow urls specified 
by IP as well as hostnames?

Paul

NOTE: This email contains my personal opinions and comments which do not 
necessarily represent those of my employer.



Re: [squid-users] Bypassed Proxy

2016-12-22 Thread Sameh Onaissi
Hello,


Eliezer’s recommended fix did not work.

The user was on YouTube watching UFC all day today.

Here’s a copy of the log at the time.
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436450.585      0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.650    373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
1482436450.669      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682   1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.706    386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
1482436450.740   6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784      0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.909    469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436450.927   1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436450.940      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.955      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.063    197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436451.080      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.217    434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
1482436451.236      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.322    271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482436451.345    479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436451.361      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.498   4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.530      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.909    817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -



I know 503 is an error, but the user was using youtube without any hassles.
Those IPs are for Digital Ocean and Alentus Corporation.

Squid is being “fooled” somehow.
 I did notice the 503, which made it more confusing to me.
The reason I investigated the issue was because I saw youtube working on the 
client’s PC with a blue shield-like icon along with some words on top of the 
youtube page (was not close enough to see the exact logo/words). The video was 
working fine, but that blue shield extension seems to be the reason behind 
“fooling” squid.

Both the chrome extension and the Desktop client are installed on the machine.

I tried replicating that, but I couldn’t even connect the client.

What should I be looking for in cache.log?


Thanks again!

Sam


Re: [squid-users] Bypassed Proxy

2016-12-21 Thread Alex Rousskov
On 12/21/2016 10:14 AM, Sameh Onaissi wrote:

> One user is somehow able to access YouTube through squid!

> 1482339083.228  0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 
> - HIER_NONE/- text/html

What makes you think this user was able to access youtube? AFAICT, Squid
responded with an error (TAG_NONE/503) and did not contact the origin
server (HIER_NONE/-).

I understand that you want Squid to redirect users instead of responding
with an error. This 503 response could be due to Squid being unable to
bump the user connection for some reason. Successful bumping is required
to redirect users.

You may see more details inside that error response itself. Others on
the list may be able to help you to get to that response in Squid logs
or packet captures.


HTH,

Alex.



Re: [squid-users] Bypassed Proxy

2016-12-21 Thread Eliezer Croitoru
Try to see what happens when you change and simplify squidguard.conf (after a 
backup) to one default which blocks youtube.
This way you would be able to minimize the options from squidguard to squid or 
backwards.
Try to follow the cache.log and see if you see anything which mentions "youtube".

The options for the issue are one of two:
Squidguard is configured wrong or has a bug
Squid is configured wrong or has a bug

I cannot say that squid is 100% bullet proof, but first analyze the logs to see 
what happens, and if you need to block youtube specifically I would do it at the 
squid level rather than at the squidguard level since it's a very simple, tiny 
and static rule.
And to keep the beauty of the splash page and just block, add the next lines to 
the beginning of squid.conf:
#YT DOMS
acl ytdoms dstdomain .youtube.com .ytimg.com .googlevideo.com
acl ytallowedusers src 10.0.0.1/32 10.0.0.2/32
http_access deny ytdoms !ytallowedusers
##END OF ADDITION

If you wish to allow a specific user to access these domains just add them to 
the ytallowedusers acl.
Use squidguard only for things which need more frequent updates.

All The Bests,
Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: Sameh Onaissi [mailto:sameh.onai...@solcv.com] 
Sent: Thursday, December 22, 2016 12:20 AM
To: Eliezer Croitoru 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Bypassed Proxy

HI Eliezer, 


squid.conf: http://pastebin.com/7Nusciiu

squidguard.conf: http://pastebin.com/DiRgD23c


I think the client is using a Google chrome extension: 
https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)




On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru wrote:

How does squid.conf look now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details
and what it does with it.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a start point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help share with a paste the current squid.conf and
squidguard.conf.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Bypassed Proxy

Hello all, 

I got a transparent squid installed on Ubuntu 16.04

Using SquidGuard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow able to access YouTube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam





___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Bypassed Proxy

2016-12-21 Thread Sameh Onaissi
Hi Eliezer,


squid.conf: http://pastebin.com/7Nusciiu

squidguard.conf: http://pastebin.com/DiRgD23c


I think the client is using a Google chrome extension: 
https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)




On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

How does squid.conf look now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details
and what it does with it.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a starting point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help, share the current squid.conf and squidguard.conf as a
paste.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Bypassed Proxy

Hello all,

I got a transparent squid installed on Ubuntu 16.04

Using squidGuard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow able to access YouTube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam







Re: [squid-users] Bypassed Proxy

2016-12-21 Thread Eliezer Croitoru
How does squid.conf look now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details
and what it does with it.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a starting point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help, share the current squid.conf and squidguard.conf as a
paste.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Bypassed Proxy

Hello all, 

I got a transparent squid installed on Ubuntu 16.04

Using squidGuard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow able to access YouTube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam




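The access.log lines quoted in the thread contrast one client whose CONNECT requests ended in TAG_NONE/503 with HIER_NONE (Squid contacted no upstream) against another whose GET was served the redirect page via HIER_DIRECT. The script below is an added example, not code from the thread or from Squid; it parses Squid's default "squid" logformat and tallies, per client, how requests for a denied domain ended, so a filter bypass shows up as a client whose hits to blocked domains never produce the expected served redirect. The outcome labels and the denied-domain list are this example's own assumptions.

```python
"""Triage Squid native access.log lines for filter-bypass symptoms.
Added example, not code from the thread. Sample lines are copied from the
post above (default "squid" logformat); the outcome labels and the denied
domain list are this script's own assumptions."""

from collections import defaultdict
# Lines as quoted in the post (peer address was already redacted there).
SAMPLE_LOG = """\
1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html
"""

def parse_line(line):
    """Split one line into its ten native-format fields; None if malformed."""
    parts = line.split()
    if len(parts) != 10 or "/" not in parts[3] or "/" not in parts[8]:
        return None
    code, status = parts[3].split("/", 1)
    hier, peer = parts[8].split("/", 1)
    return {"ts": float(parts[0]), "ms": int(parts[1]), "client": parts[2],
            "code": code, "status": int(status), "bytes": int(parts[4]),
            "method": parts[5], "url": parts[6], "hier": hier, "peer": peer}

def host_of(url):
    """Hostname from either a CONNECT host:port target or a full URL."""
    return url.split("://")[-1].split("/")[0].split(":")[0]

def classify(entry):
    """Label how a request for a denied domain ended (assumed categories)."""
    if entry["method"] == "CONNECT" and entry["hier"] == "HIER_NONE":
        # Squid answered the tunnel request itself; no upstream was contacted.
        return "unforwarded-connect"
    if entry["status"] == 200 and entry["hier"] == "HIER_DIRECT":
        # A page was fetched and served, e.g. the access-denied redirect page.
        return "served"
    return "other"

def triage(log_text, denied=("youtube.com",)):
    """Per-client tally of outcomes for requests whose host is in a denied domain."""
    tally = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        h = host_of(e["url"])
        if any(h == d or h.endswith("." + d) for d in denied):
            tally[e["client"]][classify(e)] += 1
    return {c: dict(v) for c, v in tally.items()}
```

Run against a real access.log, a client showing only "unforwarded-connect" or "other" for blocked domains while everyone else shows "served" is the one to look at in cache.log with the debug_options setting Eliezer suggested.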