Re: [squid-users] Undernet/mIRC Says Squid is misconfigured - Denies login

From: Dave Raven <dave@dont-contact.us>
Date: Sat, 21 Sep 2002 21:38:41 +0200

The network assumes you allow access to the cache from anyone;
because they could connect. If you firewall off port 3128; it will go
away. It's not to say that you have misconfigured your squid - nor
is this a squid vulnerability - but you may be allowing users from
elsewhere in the world to proxy through your caching server.
                                -frowned upon-

You should not allow connections to your squid from outside
your network; hence allow 192.168.?.? if that was your
network; and disallow all others as the doc. suggests.

Dave.

----- Original Message -----
From: "Cliff" <cliff@acsalaska.net>
To: "squid users" <squid-users@squid-cache.org>
Sent: Saturday, September 21, 2002 8:35 AM
Subject: [squid-users] Undernet/mIRC Says Squid is misconfigured - Denies login

> Hi Folks
>
> What does mIRC have to do with squid's port 3128?
> Why do IRC servers give a hoot what I do on port 3128?
>
> And is this old information? Meaning squid 2.4Stable6
> is not vulnerable as suggested by the below article?
>
> My squid config is stock RH 7.3 so I'm at a loss.
> Misconfigged? huh?
> Do I want to do this?
>
> Here's the suggested fix:
> http://www.fr1.documents.cyberabuse.org/?page=vulnerabilities&doc=1
>
> How To... configure a Squid against spoofing
>
> POST comes from the HTTP RFC, allowing you to POST data to
> websites (roughly).
> By using POST requests on a misconfigured Squid proxy, it's
> pretty easy to establish a connection between Squid and any
> server/port.
>
> This problem is due to a misconfiguration in squid.conf's access
> list. To solve this, you just have to configure your Squid properly by
> adding a few lines in the Squid's access control part.
>
> A fast way of doing it is defining the range of ports you allow
> with an acl element.
> Squid knows as acl elements: "port", which is the destination port
> number.
>
> Set the accessible ports, and then deny the others.
>
> acl safe port 80 21 443 8000-65535 # Safe ports (acl type "port" is required)
> http_access deny !safe # Deny !Safe Ports
>
> Then, you are sure no one will be able to access, by the POST
> exploit, any forbidden ports (or only if those are > 8000).
>
> Of course, verify that you allow caching for only your customers,
> etc. by these lines:
> acl all src 0.0.0.0/0.0.0.0
> acl ourhosts src 192.168.0.0/255.255.0.0 # Here are your customers.
>
> --
> Best regards
>

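To make the first-match evaluation of the thread's advice concrete, here is an added Python script (example code, not from the list posts and not Squid's own code) that parses the two acl types the quoted article uses, `src` and `port`, plus `http_access` lines, and decides whether a request from a given source address to a given destination port would get through. The two config fragments, the outside address 203.0.113.7 and the IRC destination port 6667 are constructed for the example.

```python
import ipaddress
# Constructed squid.conf fragments (not from the post). OPEN_CONF is the
# "misconfigured" shape the thread describes: anyone may reach any port.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""
# HARDENED_CONF applies both fixes: restrict destination ports, then only
# allow the local /16 to use the cache, and deny everything else.
HARDENED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl ourhosts src 192.168.0.0/255.255.0.0   # local network
acl safe port 80 21 443 8000-65535          # Safe ports
http_access deny !safe
http_access allow ourhosts
http_access deny all
"""

def parse_conf(text):
    """Collect acl definitions (src/port types) and http_access rules, in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_hit(acls, term, src_ip, dst_port):
    """Evaluate one acl reference on an http_access line; leading '!' negates."""
    hit = False
    for kind, values in acls[term.lstrip("!")]:   # same-name acl lines are OR'd
        if kind == "src":
            hit |= any(src_ip in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "port":
            for v in values:
                lo, _, hi = v.partition("-")        # "80" or "8000-65535"
                hit |= int(lo) <= dst_port <= int(hi or lo)
    return hit != term.startswith("!")

def request_allowed(conf_text, src, dst_port):
    """First matching http_access line wins; no match -> opposite of the last line's action."""
    acls, rules = parse_conf(conf_text)
    src_ip = ipaddress.ip_address(src)
    for action, terms in rules:                   # acls on one line are AND'd
        if all(acl_hit(acls, t, src_ip, dst_port) for t in terms):
            return action == "allow"
    return rules[-1][0] != "allow"
```

With OPEN_CONF an outside host reaching port 6667 through the cache is allowed; with HARDENED_CONF it is denied by `deny !safe` before the source is even considered, and an outside host on port 80 falls through to `deny all`.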
Received on Sat Sep 21 2002 - 13:39:28 MDT