RE: [squid-users] securise squid

From: <Werner.Rost@dont-contact.us>
Date: Wed, 16 Mar 2005 11:29:33 +0100

Try something like this:

acl myclients src 10.1.3.0/255.255.255.0
acl myclients src 10.19.220.0/255.255.255.0
http_access deny !myclients

"myclients" is the set of clients allowed to use the proxy.
Use these ACLs in front of all other ACLs.

Yours sincerely
Werner Rost
GMT-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Phone +49 228 3825 - 420
Fax +49 228 3825 - 398
werner.rost@zf.com

>-----Original Message-----
>From: deny1 [mailto:deny1@free.fr]
>Sent: Wednesday, 16 March 2005 10:56
>To: squid-users@squid-cache.org
>Subject: [squid-users] securise squid
>
>
>Good morning,
>
>A Nessus scan gives this about my squid:
>Warning found on port squid-http (3128/tcp)
>
>
> The misconfigured proxy accepts requests coming from anywhere.
> This allows attackers to gain some anonymity when browsing some
> sensitive sites using your proxy, making the remote sites think
> that the requests come from your network.
>
> Solution: Reconfigure the remote proxy so that it only accepts
> requests coming from inside your network.
>
>
>I looked in squid.conf and found this:
>
>#Recommended minimum configuration:
>acl all src 0.0.0.0/0.0.0.0
>acl manager proto cache_object
>acl localdomain src 192.168.0.0/255.255.255.0
>acl to_localhost dst 127.0.0.0/8
>acl SSL_ports port 443 563
>acl Safe_ports port 80
>acl Safe_ports port 21
>acl Safe_ports port 443 563
>acl Safe_ports port 70
>acl Safe_ports port 210
>acl Safe_ports port 1025-65535
>acl Safe_ports port 280
>acl Safe_ports port 488
>acl Safe_ports port 591
>acl Safe_ports port 777
>acl CONNECT method CONNECT
>
>auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/users
>auth_param basic children 5
>auth_param basic realm Squid proxy-caching web server
>auth_param basic credentialsttl 24 hour
>
>acl eth0 src 192.168.0.0/255.255.255.0
>acl users proxy_auth REQUIRED
>
>http_access allow eth0 users
>
># Only allow cachemgr access from localhost
>http_access allow manager localdomain
>http_access allow localdomain
># Deny requests to unknown ports
>http_access deny manager
># Deny CONNECT to other than SSL ports
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>http_access deny to_localhost
>
>Any other lines to add or uncomment to avoid this Nessus message? Thanks.
>
Received on Wed Mar 16 2005 - 03:27:51 MST
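Why the quoted rule set fails the scan, and why a first-line deny fixes it, as an added example that is not part of the thread: Squid evaluates `http_access` lines top to bottom and the first matching line decides; if no line matches, the decision is the opposite of the last line's action. The quoted config ends with `http_access deny to_localhost`, so a request from an outside address to port 80 on an ordinary destination matches nothing and falls through to "allow", which is exactly the open proxy Nessus reports. The script below is a deliberately small model of that evaluation (only the `src`, `dst`, `port`, `method`, `proto` and `proxy_auth` ACL types, no 407 challenge for unauthenticated clients) run over a condensed copy of the quoted rules and over a fixed version that adds the `deny !myclients` line from the reply at the top and Squid's usual closing `http_access deny all` at the bottom. `myclients` is assumed here to be the poster's 192.168.0.0/24 rather than the 10.x networks in the reply, and the client and destination addresses are constructed test values.

```python
"""Toy model of Squid http_access evaluation: first matching rule wins; when
no rule matches, the result is the opposite of the last rule's action."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client address
    dst: str             # destination address
    port: int            # destination port
    method: str = "GET"
    proto: str = "http"  # "cache_object" for cachemgr requests
    authenticated: bool = False


# Condensed copy of the rules quoted in the thread (Safe_ports lines merged)
ORIGINAL_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl eth0 src 192.168.0.0/255.255.255.0
acl users proxy_auth REQUIRED
http_access allow eth0 users
http_access allow manager localdomain
http_access allow localdomain
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
"""

# Fixed version: deny outsiders first (assumed myclients = poster's LAN),
# and close the list with an explicit deny so nothing falls through.
FIXED_CONF = ("acl myclients src 192.168.0.0/255.255.255.0\n"
              "http_access deny !myclients\n" + ORIGINAL_CONF +
              "http_access deny all\n")


def parse_conf(text):
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # Repeated 'acl NAME ...' lines extend the same ACL (OR semantics)
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def _in_nets(addr, nets):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False)
               for n in nets)


def _port_match(values, port):
    for v in values:
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    for kind, values in acls[name]:
        if kind == "src" and _in_nets(req.src, values):
            return True
        if kind == "dst" and _in_nets(req.dst, values):
            return True
        if kind == "port" and _port_match(values, req.port):
            return True
        if kind in ("method", "proto") and getattr(req, kind) in values:
            return True
        # Simplification: real Squid challenges with 407; here it just fails.
        if kind == "proxy_auth" and req.authenticated:
            return True
    return False


def decide(conf_text, req):
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        # Every term on the line must match (AND); '!' inverts a term.
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"  # opposite of last rule


# Constructed test clients (documentation address ranges)
OUTSIDER = Request(src="203.0.113.5", dst="198.51.100.20", port=80)
INSIDER = Request(src="192.168.0.10", dst="198.51.100.20", port=80, authenticated=True)

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        for who, req in (("outsider", OUTSIDER), ("insider", INSIDER)):
            print(f"{label:8} {who:8} -> {decide(conf, req)}")
```

The same evaluator also shows that `http_access allow localdomain`, placed after `allow eth0 users`, lets an unauthenticated LAN client through, so the `users` ACL never actually gates anyone; that is a separate issue from the open-proxy finding, but worth knowing before relying on the NCSA password file.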

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST