Re: [squid-users] authentication abuse

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Wed, 04 Jul 2001 11:16:00 +0200

Peter,

I considered the same problem for our corporate network. I approached
the authentication with a MySQL solution (I also needed a username to full
name/room/division/etc. mapping). I had it running as a pilot (but have not
made it production because the requirement was more or less removed).

I played with the same trouble as you did. I had actually made a concept
that allows users to register themselves, after which an automatic
verification of credentials against a number of databases would take place
(the system was more for billing and abuse prevention purposes and not
security). I approached the question of users intentionally registering
with fake credentials like this: Mr X. of fuck-up division would not have a
valid phone number and would not own a legitimate computer on the net, so
will get caught after database verification. Stealing your neighbor's
credentials will be detected because the owner of the credentials
(according to the personnel database) gets notified automatically. Also,
users sharing the same login can be detected by monitoring the source IP
(or hostname). One cannot browse from two workstations at more or less the
same time. When this is detected the original owner gets a mail that
his account is blocked (the computers that were used can now also not
register new accounts; they are blocked). That will make the ordinary login
abuser pretty miserable. A real abuser will find a way anyway, but there has
to be some trust in the staff. I guess you are not interested in the
initial registration verification as I described but more in the login
sharing concept.

Anyway, this could be done with a small tool that scans the access.log. If
it finds abusers the accounts are locked. Then the owner will have to ask
to get it unlocked and you can give him a slap on the wrist. I have not
made that analysis tool, but if you (or someone else) are willing to do
some programming it is not complicated.

So not a ready-to-use product, but a start for a concept that an eager
programmer will be able to build pretty quickly.

Regards, Marc

At 05:43 PM 7/3/01 +0200, Peter Kassies wrote:
>Hello,
>
>I'm running:
>- Squid v2.3.3 (in a parent and child cluster)
>- NCSA (for user authentication purposes)
>- Junkbusters (to filter out the banners)
>- SARG (for analysis of the logfile)
>
>I've also created a script which does all the dirty work (clean up logfiles)
>automatically, so it's basically a "zero administration proxy service" for
>about 20k users within our organisation.
>
>With NCSA we have a problem that people are "sharing" the same proxy
>account. This is very annoying, because we check on abuse regularly and cannot
>determine who was responsible. Of course we can analyse the logfiles on
>IP addresses, but this is a lot of work and does not solve the problem.
>
>What I really would like is to prevent users from using the same
>username/password at the SAME time. If a second/third person would use the
>combination, all users should be banned or have to re-authenticate
>themselves.
>
>When implemented this script is going to cause hell on our servicedesk,
>where people will complain that they cannot surf anymore. This is great,
>because we can check them if they really have an account.
>
>Is there such a tool?
>
>Peter Kassies

---------------------------------------------------------
Marc van Selm
NATO C3 Agency, CSD/A

*********************************************************
** -- This mail is personal -- **
** All statements in this mail are made from my own **
** personal perspective and do not necessarily reflect **
** my employer's opinions or policies. **
*********************************************************
Received on Wed Jul 04 2001 - 03:16:19 MDT
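The access.log scanner Marc sketches (one account seen from two client addresses at nearly the same time, then lock the account and note the machines involved) could look like this. This is an added example, not code from the thread or from Squid; the log lines are constructed in Squid's native access.log layout, the 300-second window and the `SAMPLE_LOG`, `find_shared_logins` and `lock_list` names are assumptions.

```python
"""Scan a Squid native-format access.log for one username used from two
different client addresses within a short window (the login-sharing case).
Added example for the thread above; not part of the original posts."""
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
994241760.123    150 10.1.2.3 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
994241765.456     80 10.1.2.3 TCP_HIT/200 2048 GET http://example.com/a.gif alice NONE/- image/gif
994241770.789    200 10.1.9.9 TCP_MISS/200 7000 GET http://example.org/ alice DIRECT/192.0.2.20 text/html
994241800.000    120 10.1.4.4 TCP_MISS/200 3000 GET http://example.net/ bob DIRECT/192.0.2.30 text/html
994245500.000    120 10.1.5.5 TCP_MISS/200 3000 GET http://example.net/ bob DIRECT/192.0.2.31 text/html
994241810.000     90 10.1.6.6 TCP_MISS/407 400 GET http://example.com/ - NONE/- text/html
"""


def parse_line(line):
    """Return (timestamp, client_ip, user) for an authenticated request, else None."""
    fields = line.split()
    if len(fields) < 10:
        return None                       # malformed or truncated line
    ts, client, user = float(fields[0]), fields[2], fields[7]
    if user == "-":
        return None                       # unauthenticated request (e.g. a 407 challenge)
    return ts, client, user


def find_shared_logins(log_text, window=300):
    """Return {user: [(earlier_ip, later_ip, seconds_apart), ...]} for every
    user whose requests arrive from two different client addresses no more
    than `window` seconds apart (window is an assumed tuning value).
    Events are sorted by timestamp first, so lines merged from a parent and
    child cache in the wrong order are still compared correctly."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    last_seen = defaultdict(dict)         # user -> {client_ip: last timestamp}
    hits = defaultdict(list)
    for ts, client, user in events:
        for other_ip, other_ts in last_seen[user].items():
            if other_ip != client and ts - other_ts <= window:
                hits[user].append((other_ip, client, ts - other_ts))
        last_seen[user][client] = ts
    return dict(hits)


def lock_list(hits):
    """Accounts to lock and client addresses to bar from registering new
    accounts, derived from the detections (sorted for stable output)."""
    users = sorted(hits)
    ips = sorted({ip for pairs in hits.values() for a, b, _ in pairs for ip in (a, b)})
    return users, ips


if __name__ == "__main__":
    detections = find_shared_logins(SAMPLE_LOG)
    users, ips = lock_list(detections)
    for user in users:
        for earlier, later, gap in detections[user]:
            print(f"{user}: {earlier} then {later} only {gap:.1f}s apart")
    print("lock accounts:", users)
    print("block registration from:", ips)
```

The scanner only reports; the lock itself would be applied to whatever the NCSA password file or MySQL table holds, and the owner notified as Marc describes. Choose the window to fit how quickly a user can plausibly move between workstations, or the service desk will see false alarms.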
