Published at: http://www1.ngtech.co.il/wpe/?p=142
I am happy to release the new RPMs of squid 3.5.8 for CentOS 6 64bit,
32bit and CentOS 7 64bit.
The new release includes a couple of bug fixes and improvements.
The details about the RPMs repository are at
squid-wiki[http://wiki.squid-cache.org/KnowledgeBase/CentOS].
* A couple of important notes about this release are at the end of the
article.
Do we need to protect squid?
Squid is often deployed to protect other applications, but past lessons
teach us that squid, like any other software, is vulnerable. It can act
as an internal management service inside a company or as an external
service connecting an external network to some internal systems.
Sites that use squid do not always say so, but universities are among
the users of squid around the internet. Most of them give access to
some internal system using user credentials, a single sign-on pass or
other authentication methods. In all of these places there is a chance
that some attacker will try to break into the proxy and use it to reach
these internal systems, or to reach the internet through it. The basic
defence of a proxy service is to block clients that keep presenting
wrong authentication credentials.
In most cases the basic action would be to just DROP the IP traffic in
the firewall. I do not think it's a bad way, but I do think that using
an iptables DNAT/REDIRECT rule instead of DROPPING the connection is
kind of nicer, especially if it's a system that gives users access to
work or office applications and systems.
Fail2ban is one of the great tools that let the proxy defend itself
(using squid's access.log) from basic attacks. And of course, depending
on the sensitivity of the system, a DROP rule can be the right solution
to mitigate the effect of some attackers.
If you choose to give the blocked user some information about his
situation and whom to contact about it, please use a very lightweight
HTTP service that can take load and serves 100% static pages for that
purpose (i.e. don't use Apache with PHP in it). The clients you redirect
there are exactly the ones you already suspect of attacking you, so that
service must not expose anything more than a static page.
For this you need a fail2ban action that works in the nat table of
iptables: REDIRECT (like DNAT) is a nat-table target and is only valid in
the PREROUTING and OUTPUT chains, so the stock filter-table INPUT action
cannot be used as-is.
An example fail2ban action file: "action.d/iptables-redirect.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Eliezer Croitoru for DNAT into a ban page\service
#
# REDIRECT is a nat-table target, so every rule here is created in the
# nat table, and the chain it hooks must be PREROUTING (or OUTPUT for
# locally generated traffic). The INPUT default from iptables-common.conf
# is a filter-table chain and REDIRECT is not valid there.

[INCLUDES]

before = iptables-common.conf

[Definition]

actionstart = <iptables> -t nat -N f2b-<name>
              <iptables> -t nat -A f2b-<name> -j <returntype>
              <iptables> -t nat -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

actionstop = <iptables> -t nat -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -t nat -F f2b-<name>
             <iptables> -t nat -X f2b-<name>

# The check must look in the nat table as well; without "-t nat" fail2ban
# inspects the filter table, never finds the chain and keeps re-running
# actionstart.
actioncheck = <iptables> -t nat -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Banned clients are sent to the local ban-page service on port 8080
# instead of being dropped.
actionban = <iptables> -t nat -I f2b-<name> 1 -p <protocol> -s <ip> -j REDIRECT --to-ports 8080

actionunban = <iptables> -t nat -D f2b-<name> -p <protocol> -s <ip> -j REDIRECT --to-ports 8080

[Init]

# nat-table chain to hook; overrides the INPUT default of
# iptables-common.conf (can also be set per jail).
chain = PREROUTING

##END
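The action file above only fires once fail2ban has decided that a client is attacking. As an added example (it is not code from the original post, nor from the squid or fail2ban projects), the following Python shows the decision itself: the maxretry/findtime counting a jail applies to squid's access.log, run over a few constructed log lines, plus the iptables command the posted actionban would then execute. The log lines, addresses (RFC 5737 documentation ranges), thresholds and the jail name "squid" are all chosen for the example.

```python
"""Added example, not code from the original post or from the squid or
fail2ban projects: the detection logic a fail2ban jail applies to
squid's access.log before the iptables-redirect action fires.

Squid's native access.log format is
    timestamp elapsed client action/status size method URL user hier/from type
and a client whose credentials are rejected gets TCP_DENIED/407.  A
legitimate browser produces one 407 when it is first challenged, so a
single denial is not an attack; a client that keeps collecting 407s
inside a short window is.  find_offenders() implements fail2ban's
maxretry/findtime semantics over such lines, and redirect_rules()
renders the actionban command of the posted action file per offender.
"""
import re
from collections import defaultdict, deque

# Equivalent of a fail2ban failregex for this event; fail2ban would
# write the client field as <HOST>, here it is a named group.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{10}(?:\.\d+)?)\s+\d+\s+(?P<host>\S+)\s+TCP_DENIED/407\s"
)

# Constructed sample.  192.0.2.10 fails four times in five seconds;
# 203.0.113.5 fails three times, but its first failure is ~13 minutes
# before the other two.  198.51.100.7 authenticates fine.
SAMPLE_LOG = """\
1442256100.100    12 192.0.2.10 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
1442256101.200    10 192.0.2.10 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
1442256102.300   340 198.51.100.7 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1442256103.400    11 192.0.2.10 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
1442256104.500     9 192.0.2.10 TCP_DENIED/407 3723 CONNECT example.com:443 - HIER_NONE/- -
1442256105.600     8 203.0.113.5 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
1442256900.000     8 203.0.113.5 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
1442256901.000     8 203.0.113.5 TCP_DENIED/407 3723 GET http://example.com/ - HIER_NONE/- text/html
"""


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {client_ip: timestamp_of_ban} for every client that reached
    `maxretry` TCP_DENIED/407 lines within any `findtime`-second window."""
    recent = defaultdict(deque)  # ip -> denial timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue  # TCP_MISS/200 and friends are not failures
        ts, ip = float(m.group("ts")), m.group("host")
        if ip in banned:
            continue  # already handed to the action; no need to keep counting
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def redirect_rules(banned, name="squid", protocol="tcp", to_port=8080):
    """Render the actionban line of the posted action file for each offender:
    a REDIRECT for the client's IP inserted at the top of the f2b-<name> chain."""
    return [
        f"iptables -t nat -I f2b-{name} 1 -p {protocol} -s {ip} "
        f"-j REDIRECT --to-ports {to_port}"
        for ip in sorted(banned)
    ]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, ts in offenders.items():
        print(f"ban {ip} at {ts:.3f}")
    for rule in redirect_rules(offenders):
        print(rule)
```

With the defaults only 192.0.2.10 is banned (at its third denial); 203.0.113.5 escapes because its first failure has aged out of the 600-second window by the time the next two arrive, which is the behaviour a too-short findtime gives you against a slow attacker. In fail2ban itself the same regex, with `<HOST>` in place of the named group, goes into a filter.d file, and the jail points logpath at squid's access.log, port at the proxy port (3128 is squid's default) and banaction at the iptables-redirect action above.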
I hope it will help others to improve their service.
In this release I would like to recommend a nice tutorial video about
DDoS from Krassimir Tzvetanov, A10 Networks,
Inc.[https://www.youtube.com/watch?v=POFEMlQw6Rc]
This talk covers the principles and particular implementations of DDoS.
It goes into detail on the bottlenecks that are generally
exploited/overloaded, the attack types and the solutions to those.
Or a local mirror at:
Tutorial: Denial of Service
101[http://ngtech.co.il/squid/videos/POFEMlQw6Rc.mp4]
A note: from this RPM release on, for the CentOS 7 RPM I have replaced
the SysV init script with a systemd unit that can monitor squid but
requires a special script to make sure that systemd will not halt the
system before squid has been able to shut down properly.
Also, the default number of open file descriptors per process is set to
16384; if you want to change it, use one of the two options mentioned
on the systemd mailing list:
solution 1, override the unit
file[http://lists.freedesktop.org/archives/systemd-devel/2015-September/034094.html]
solution 2, override the relevant service
variable[http://lists.freedesktop.org/archives/systemd-devel/2015-September/034095.html]
The change to the systemd unit file will take effect when stopping,
restarting, upgrading or any other stop-related use of the unit.
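As an added example (not the RPM's own unit file, and not a copy of either mailing-list message), this is the drop-in form of overriding the limit: a file that changes only LimitNOFILE and leaves the packaged unit untouched, so a later RPM upgrade does not overwrite it. The unit name squid.service and the drop-in path follow systemd's convention and are assumed to match the RPM; the value 65536 is just an illustration.

```ini
# /etc/systemd/system/squid.service.d/limits.conf
# Added example, not part of the squid RPM: a drop-in that overrides only
# the open-file limit of the packaged squid.service unit (unit name
# assumed).  LimitNOFILE with a single value sets both the soft and the
# hard limit; the number here is illustrative.
[Service]
LimitNOFILE=65536
```

Create it with `systemctl edit squid` or by hand, then run `systemctl daemon-reload` followed by `systemctl restart squid`; the new value only reaches squid on a restart, matching the note above that unit changes apply on stop-related operations. `systemctl show -p LimitNOFILE squid` prints the value systemd will apply, and squid's cache.log reports the number of file descriptors it actually obtained at startup.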
More details about the repository at
squid-wiki[http://wiki.squid-cache.org/KnowledgeBase/CentOS].
All The Bests,
Eliezer Croitoru
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users