07-01-2007, 07:26 AM, #16
LQ Newbie, Registered: Jun 2007, Posts: 15

Quote:
Originally Posted by javaroast
For what it's worth, you can find rseans talking about safesquid all over the internet on various forums, basically with the same "We use safesquid" format. Seems to me to be kind of spammy, but I hope you can contribute in other ways to the forum as well.

I would be so glad to do that, but you see, I am not an expert in Linux. I was introduced to SafeSquid by a colleague, who also set it up for me at our office, and it is now managed by me. It helped solve a lot of issues that were bugging us. It made me realize that you do not have to be an expert in Linux to make use of its immense powers. There are so many other poor guys like me, with limited knowledge of Linux, looking for a similar solution. Can I, in some way, help them with my experience? That's my only intention. I would seriously like to apologize if, in doing so, I have hurt anyone's feelings.
Regards

07-01-2007, 09:48 PM, #17
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Ok so the
Quote:
acl CONNECT method CONNECT

you used it in your example to block users from connecting to other https ports and only allow 443 to be accessed by the network... so I guess this can also be used on other ports?
How come I can't find this technique in all the Squid tutorials that I found on the internet...

07-02-2007, 02:22 AM, #18
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
Ok so the [acl CONNECT method CONNECT] you used it in your example to block users from connecting to other https ports and only allow 443 to be accessed by the network...

Sort of. When we implement this ACL we are saying "deny the CONNECT method to anything that isn't going to port 443". That's what the exclamation mark means: it inverts the match. We do this because we know we don't need CONNECT used for HTTP, only for HTTPS.
Quote:
so I guess this can also be used on other ports?

Yes, if you wanted clients to tunnel through to other ports you could use this. Notice how in a default Squid configuration you have an ACL called "SSL_ports" which lists other ports besides 443 that would need to use CONNECT, such as port 563 (NNTP over SSL) for example.
Quote:
How come I can't find this technique in all the Squid tutorials that I found on the internet...

Not sure, but the CONNECT ACL and the rule are part of the default Squid configuration.
Last edited by win32sux; 07-02-2007 at 02:57 AM.

07-02-2007, 03:43 AM, #19
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

I found this on one website; can this also be possible?
Quote:
acl block_port port 1234
http_access deny block_port
http_access allow all

07-02-2007, 07:59 AM, #20
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
I found this on one website; can this also be possible?
acl block_port port 1234
http_access deny block_port
http_access allow all

Sure, but that's a default-allow (blacklist) approach, which in the long run is much less practical and effective than a default-deny (whitelist) approach.
Last edited by win32sux; 07-02-2007 at 09:29 AM.

07-02-2007, 10:25 AM, #21
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Speaking of whitelists, in our squid.conf all sites are whitelisted and I used a txt file to store the sites that can be accessed. I use this approach:
Quote:
http_access allow my_network allowedsites

But what about ports? How do you whitelist them and allow only those you want? Can it be the same approach?

07-02-2007, 11:01 AM, #22
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
But what about ports? How do you whitelist them and allow only those you want? Can it be the same approach?

When you specify a port for each rule you are already whitelisting. Like in my example:
Code:
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all

That's basically whitelisting HTTPS_port and HTTP_port, because a connection to any other port would not match either of the allow rules and would therefore run into the deny one. Squid confs should always be whitelist-based IMHO.

07-02-2007, 08:30 PM, #23
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Oh ok...
But when you whitelist ports, how do you specify the port where Squid will listen? In my squid.conf I used 8080, so if I whitelist ports do I still have to place it in the squid.conf or not?
ex.
Quote:
http_port 8080
http_access allow my_network HTTPS_port allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all

07-02-2007, 10:31 PM, #24
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
But when you whitelist ports, how do you specify the port where Squid will listen? In my squid.conf I used 8080, so if I whitelist ports do I still have to place it in the squid.conf or not?

The port Squid listens on doesn't need to be in an ACL. The port ACLs only refer to ports on the destination server. The http_port directive shouldn't be confused with the HTTP_port ACL name I used in my example. If you wish to control who can connect to the port Squid is listening on you'd need to use iptables.
Last edited by win32sux; 07-02-2007 at 10:32 PM.

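The whitelist-style rule set discussed in posts #18, #22 and #24, worked through as an added example (not from the thread, and not Squid's own code): a small Python evaluator that applies Squid's first-match http_access semantics to a constructed squid.conf fragment, so you can see which requests fall through to "deny all" and that the http_port listener never enters the decision. The client network 192.168.1.0/24, the listener port 8080 and the domain .example.net are assumed sample values.

```python
import ipaddress

# Constructed squid.conf fragment modelled on the thread's rules; the evaluator
# below is a toy written for illustration, not Squid's own parser or matcher.
SQUID_CONF = """\
http_port 8080
acl my_network src 192.168.1.0/24
acl SSL_ports port 443 563
acl HTTP_port port 80
acl CONNECT method CONNECT
acl allowed_https_sites dstdomain .example.net
http_access deny CONNECT !SSL_ports
http_access allow my_network CONNECT SSL_ports allowed_https_sites
http_access allow my_network HTTP_port
http_access deny all
"""
# How each ACL type is matched against a request dict (src, method, host, port).
MATCH = {
    "src": lambda vals, r: any(ipaddress.ip_address(r["src"]) in ipaddress.ip_network(v) for v in vals),
    "port": lambda vals, r: str(r["port"]) in vals,
    "method": lambda vals, r: r["method"] in vals,
    "dstdomain": lambda vals, r: any(r["host"] == v or (v[0] == "." and r["host"].endswith(v)) for v in vals),
}

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for parts in (line.split() for line in conf.splitlines()):
        if not parts or parts[0] == "http_port":  # the listener port is never an ACL (post #24)
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def term_ok(acls, term, req):
    kind, vals = acls[term.lstrip("!")]
    return MATCH[kind](vals, req) != term.startswith("!")  # a leading '!' inverts the match

def decide(acls, rules, req):
    """First http_access line whose terms all match wins; if nothing matches,
    Squid applies the opposite of the last line, which is why 'deny all' closes the list."""
    for allow, terms in rules:
        if all(term_ok(acls, t, req) for t in terms):
            return "allow" if allow else "deny"
    return "deny" if rules[-1][0] else "allow"

ACLS, RULES = parse(SQUID_CONF)
def check(src, method, host, port):
    return decide(ACLS, RULES, {"src": src, "method": method, "host": host, "port": port})
```

check("192.168.1.10", "GET", "www.example.org", 1234) returns "deny" because port 1234 matches neither allow line, while the same client's CONNECT to www.example.net on 443 returns "allow".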
07-02-2007, 10:52 PM, #25
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Ok now everything is clear... I have also checked DansGuardian and it seems that some of its capabilities are the same as Squid's. Correct me if I'm wrong, but isn't it that Squid can also block sites if their contents contain words like porn, sex... etc.?

07-02-2007, 11:43 PM, #26
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
Ok now everything is clear... I have also checked DansGuardian and it seems that some of its capabilities are the same as Squid's. Correct me if I'm wrong, but isn't it that Squid can also block sites if their contents contain words like porn, sex... etc.?

Squid is limited to looking for those words in the URL. DansGuardian can look for them anywhere on the web page itself, the actual "content".
Last edited by win32sux; 07-02-2007 at 11:45 PM.

07-03-2007, 12:15 AM, #27
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Ok....
Just one quick question on DansGuardian... can it detect a file download and deny it if the user or IP is restricted from downloading files? Or will it just block the entire site where the file can be downloaded?

07-03-2007, 01:51 AM, #28
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
Just one quick question on DansGuardian... can it detect a file download and deny it if the user or IP is restricted from downloading files?

Yes.
Quote:
Or will it just block the entire site where the file can be downloaded?

No, if you tell DansGuardian to filter .zip files (for example) then http://www.example.net/file.zip would be filtered, while http://www.example.net/ and everything within it will still be accessible, unless they get filtered by another match, such as pornographic content, etc. Oh, and yes, you can specify which IPs the restrictions apply to. Sorry I can't be more specific, it's been a while since I've configured a DansGuardian install.
Last edited by win32sux; 07-03-2007 at 01:53 AM.

07-03-2007, 08:13 PM, #29
Member, Registered: Jul 2006, Distribution: UBUNTU, CentOS, FEDORA 8, Posts: 474, Original Poster

Wow, that's cool. Do you know any other documentation on DansGuardian aside from the docs on the DansGuardian website?

07-03-2007, 11:06 PM, #30
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870

Quote:
Originally Posted by SBN
Wow, that's cool. Do you know any other documentation on DansGuardian aside from the docs on the DansGuardian website?

Not really, although I would imagine there are several howtos on the web.