is there any possibility to attack squid proxy server?
My squid server is receiving HTTP requests frequently from a particular outside IP. I captured packets with tcpdump and analyzed them. We do not send any requests from our LAN to that outside IP (the outside IP is actually sending HTTP requests to my squid server). Is this some kind of attack (like spoofing or a DoS attack)? Please help me sort out this problem.
Thanks.
How is your squid proxy server configured? Is it firewalled? Is it listening for proxy requests on the internet facing interface?
If you can attach a copy of the pcap data, it would help us determine what kind of traffic it is. It could be typical noise, scans, or an active attack... hard to say without seeing the pcap.
I configured the proxy as a transparent proxy and I redirect port 80 requests to port 3128. The necessary ports are allowed and all other traffic is dropped in the filter table.
Ex-
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
Is the squid service bound to the external, internet-facing NIC? And are there any iptables rules that would allow traffic from the internet to access the proxy service? If so, you could be placing yourself in some legal jeopardy.
As for being attacked though, Internet facing NICs receive directed and blind attacks constantly.
We can't address any of that without the pcap data and knowing exactly what services are being made available on the server.
Just to be clear so we don't go back and forth on this:
1) Post your squid.conf
2) Post your iptables rules
3) Post your pcap data of the attacks you believe are happening.
4) Post the output of your NIC configurations: 'ifconfig -a'
However, it sounds like external packets are being routed to the Squid process, which SHOULD NOT be happening unless you designed it that way. You've probably messed up the iptables or redirection rules so that either port 3128 is open to the world, or external traffic touching your port 80 is actually sent to your Squid process, which is dangerous and stupid if you don't know that's happening (you've just made yourself an anonymous web proxy for anyone on the Internet).
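The two exposures named in the last reply (port 3128 open to the world, or external port 80 traffic redirected into Squid) can be checked mechanically against `iptables-save` output. This is an added example, not code from the thread; the sample rulesets are constructed, and the LAN interface name `eth1` and the function names are assumptions.

```python
import shlex

SQUID_PORT = "3128"  # port the thread's redirect sends traffic to

def opt(tokens, *names):
    """Return the value following the first matching option, else None."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def audit(ruleset):
    """Flag rules in iptables-save text that expose Squid to every source."""
    findings, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # e.g. "*nat" -> "nat"
        if not line.startswith("-A "):
            continue
        t = shlex.split(line)
        chain, target = t[1], opt(t, "-j", "--jump")
        # A rule counts as scoped if it names an input interface or a source.
        scoped = opt(t, "-i", "--in-interface") or opt(t, "-s", "--source")
        if scoped:
            continue
        if (table == "nat" and chain == "PREROUTING" and target == "REDIRECT"
                and opt(t, "--to-ports") == SQUID_PORT):
            findings.append(("redirect-any-interface", line))
        elif (table == "filter" and chain == "INPUT" and target == "ACCEPT"
                and opt(t, "--dport") == SQUID_PORT):
            findings.append(("port-open-to-any-source", line))
    return findings

# Constructed samples (not the poster's real rules); eth1 is an assumed LAN NIC.
EXPOSED = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
"""
SCOPED = EXPOSED.replace(" -p tcp", " -i eth1 -p tcp")

if __name__ == "__main__":
    print(audit(EXPOSED), audit(SCOPED))
```

To check a live host, pass the text produced by `iptables-save` to `audit()`; an empty list means neither unscoped rule was found for port 3128.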