On Wednesday 13 February 2002 18.00, Brian E. Seppanen wrote:
> I would assume that a proper acl in the config would minimize the
> possible exposures to any vulnerability. Preventing someone from
> spoofing the packets is another issue entirely.

Strongly recommended. There is plenty of sensitive information
available via the SNMP interface. Sort of like giving anyone access
to everything of cachemgr.

I'd also recommend you to firewall the SNMP port. Not only for Squid
but also any other SNMP enabled equipment you have such as printers,
routers, servers, desktops, etc.

If you are only using SMTP for MRTG or similar tools, and these run
on the same server as Squid then a good measurement is to make sure
Squid only listens for SNMP queries on localhost. See the
snmp_incoming_address directive.

If you are not using SNMP, then don't enable it when building Squid,
or at a minimum disable the SNMP port by setting "snmp_port 0" in
squid.conf.

Regards
Henrik Nordström
Squid Developer
--
MARA Systems AB, Giving you basic free Squid support
Customized solutions, packaged solutions and priority support
available on request

Received on Wed Feb 13 2002 - 22:08:33 MST
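
The checks recommended in the message above, as an added example that is not part of the original post or of Squid: a small audit of the SNMP directives in squid.conf text. The function name, the finding texts and both sample configurations are constructed for illustration, and it assumes the monitoring tool runs on the same host as Squid.

```python
import ipaddress
def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:      # hostname or garbage: cannot prove it is loopback
        return False

def audit_squid_snmp(conf_text):
    """Return findings for the SNMP-related directives in squid.conf text."""
    port = incoming = None
    acl_type, allows = {}, []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        key, args = fields[0], fields[1:]
        if key == "snmp_port":
            port = int(args[0])
        elif key == "snmp_incoming_address":
            incoming = args[0]
        elif key == "acl" and len(args) >= 2:
            acl_type.setdefault(args[0], args[1])   # ACL name -> ACL type
        elif key == "snmp_access" and args[0] == "allow":
            allows.append(args[1:])
    if port == 0:
        return []           # "snmp_port 0": agent disabled, nothing exposed
    findings = []
    if incoming is None or not _is_loopback(incoming):
        findings.append("SNMP agent not bound to localhost via snmp_incoming_address")
    for names in allows:
        # Simplification: only a src ACL other than the catch-all "all" counts.
        if not any(acl_type.get(n) == "src" and n != "all" for n in names):
            findings.append("snmp_access allow %s has no source restriction"
                            % " ".join(names))
    return findings

# Constructed sample configurations, not taken from the original message.
WEAK = """acl all src 0.0.0.0/0.0.0.0
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all
"""
HARDENED = """acl localhost src 127.0.0.1/255.255.255.255
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address 127.0.0.1
snmp_access allow snmppublic localhost
snmp_access deny all
"""
print(audit_squid_snmp(WEAK), audit_squid_snmp(HARDENED))
```

An empty list means none of the checked exposures were found; it does not replace firewalling the SNMP port.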