LinuxQuestions.org


kirukan 03-06-2009 02:08 AM

is there any possibility to attack squid proxy server?
 
My squid server is receiving HTTP requests frequently from a particular outside IP. I got a tcpdump and analyzed the packets. We do not send any requests from our LAN to that outside IP (actually, the outside IP is sending HTTP requests to my squid server). Is this some kind of attack (like spoofing or a DoS attack)? Please help me sort out this problem.
Thanks.

JulianTosh 03-06-2009 02:26 AM

How is your squid proxy server configured? Is it firewalled? Is it listening for proxy requests on the internet facing interface?

If you can attach a copy of the pcap data, it would help us determine what kind of traffic it is. It could be typical noise, scans, or an active attack... hard to say without seeing the pcap.

kirukan 03-06-2009 03:13 AM

I configured the proxy as a transparent proxy and I redirect port 80 requests to port 3128. Necessary ports are allowed and all other traffic is dropped in the filter table.
Ex-
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

JulianTosh 03-06-2009 03:36 AM

Is the squid service bound to the external, internet-facing NIC? And are there any iptables rules that would allow traffic from the internet to access the proxy service? If so, you could be placing yourself in some legal jeopardy.

As for being attacked though, Internet facing NICs receive directed and blind attacks constantly.

We can't address any of that without the pcap data and knowing exactly what services are being made available on the server.

Just to be clear so we don't go back and forth on this:

1) Post your squid.conf
2) Post your iptables rules
3) Post your pcap data of the attacks you believe are happening.
4) Post the output of your NIC configurations: 'ifconfig -a'

ledow 03-06-2009 08:52 AM

More info required.

However, it sounds like external packets are being routed to the Squid process, which SHOULD NOT be happening unless you designed it that way. You've probably messed up the iptables or redirection rules so that either port 3128 is open to the world, or external traffic touching your port 80 is actually sent to your Squid process, which is dangerous and stupid if you don't know that's happening (you've just made yourself an anonymous web proxy for anyone on the Internet).
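
The exposure described in the post above can be checked mechanically from `iptables-save` output. The following is an added example, not code from the thread: a Python audit that flags a nat REDIRECT to the proxy port, or an INPUT ACCEPT on it, that is not limited to an input interface or source address. The sample ruleset, the interface name eth0 (assumed to be the LAN side) and the function names are constructed for illustration.

```python
import shlex
# Constructed iptables-save output (not the poster's rules). Assumption: eth0 = LAN side.
SAMPLE = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Map each option of an '-A CHAIN ...' line to its value ('! ' prefix if negated)."""
    tokens = shlex.split(line)
    opts, negate = {"chain": tokens[1]}, False
    for tok, nxt in zip(tokens[2:], tokens[3:] + [""]):
        if tok == "!":
            negate = nxt.startswith("-")  # '! -i eth1' form negates the next option
        elif tok.startswith("-"):
            value = "" if nxt.startswith("-") else nxt
            opts[tok], negate = ("! " if negate else "") + value, False
    return opts

def is_scoped(opts):
    # Scoped = non-negated -i or -s match; negated ones stay flagged for manual review.
    return any(bool(opts.get(k)) and not opts[k].startswith("!") for k in ("-i", "-s"))

def audit(ruleset, proxy_port="3128"):
    """Return (finding, rule) pairs for rules that expose the proxy port to any sender."""
    findings, table = [], None
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]          # '*nat', '*filter' start a new table
        elif line.startswith("-A "):
            o = parse_rule(line)
            where = (table, o["chain"], o.get("-j"), is_scoped(o))
            if where == ("nat", "PREROUTING", "REDIRECT", False) and o.get("--to-ports") == proxy_port:
                findings.append(("redirect-any-interface", line))
            elif where == ("filter", "INPUT", "ACCEPT", False) and o.get("--dport") == proxy_port:
                findings.append(("proxy-port-open", line))
    return findings

if __name__ == "__main__":
    print(*(f"{why}: {rule}" for why, rule in audit(SAMPLE)), sep="\n")
```

Only single-port `--dport` and `--to-ports` matches are checked; multiport rules and rules in user-defined chains still need a manual read.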

