LinuxQuestions.org
Old 01-28-2008, 10:14 PM   #1
ocavid
LQ Newbie
 
Registered: Mar 2005
Posts: 24

using squidGuard to block internet or external anonymous proxy


Hi,

Users behind our proxy were able to access banned sites, so we are tasked to block access to internet web proxies similar to http://unfiltersites.com. What we found out in the said site is that most of the accesses have similar contents: http://unfiltersites.com/index.php?q=<then an encrypted text follows>

We tried to block this through a regular expression, but with no luck.

How can we block URLs containing index.php?q=, which are very common to those internet proxy sites?

thank you,
OcaVid

Last edited by ocavid; 01-29-2008 at 12:20 AM.
 
Old 01-30-2008, 08:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,359
Blog Entries: 55

* If employees (I think we're talking about business or institution here, right?) revert to using proxies it means they do not want to adhere to rules. This means they do not see the reasons why the rules are in place. In the ideal situation a change of attitude would have employees see that work isn't for playing, but this won't work in a lot of situations. This requires the company to have a network acceptable user policy (AUP) including repercussions, punishment, and the employees being bound by contract to adhere to the AUP. If the company has no policy in place it should implement and enforce one before doing anything else. If it doesn't then reduced production due to unacceptable distractions can't be recovered from in another way, IMNSHO.

If you need to restrict traffic there are a few options: whitelist access requires the network users to submit sites for inclusion and a crew to validate the content before inclusion in the whitelist ruleset. Blacklist access requires a crew to validate the content from reading log statistics before inclusion in the blacklist ruleset. Buying access lists requires the company to invest money in buying lists (kinda like the Netnanny thing) and a crew to validate the content from reading log statistics to adjust where necessary.

Quote:
Originally Posted by ocavid View Post
how can we block the url containing the index.php?q= which are very common to those internet proxy sites?
In either case this unfortunately is the wrong approach IMNSHO since that string can be used by allowable URIs as well.
 
Old 01-30-2008, 04:34 PM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

What he said, all of it.

It's a 2-part problem: Employee Relations & Filtering Technology

Employee Relations
The more important problem -- what kind of AUP do you have in place? If they're using proxies to circumvent your existing filters, surely they know they are doing something wrong. Why not "hang" (metaphorically) a few to "discourage the others".

Filtering Technology
I assume if you're already using squidGuard, you're a fairly sophisticated admin. I also assume that you've already decided on a Blacklist approach, else your E'ees couldn't have used any proxy sites. Have you been to http://www.squidguard.org/blacklists.html recently? There are 4 links there, & the 1st 3 seem to be free.
Notes:
  • I haven't used these -- I still filter via DNS.
  • I am sure there is lots of duplication.
  • Look for "proxy" & "redirector".
 
Old 02-27-2008, 11:10 PM   #4
ocavid
LQ Newbie
 
Registered: Mar 2005
Posts: 24

Original Poster
Thank you!
 
Old 02-28-2008, 02:36 AM   #5
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

I work in schools and we have simple methods to block this sort of thing. It's remarkably easy:

1) Redirect everything through a squid transparent proxy (with squidGuard if you like) so that they can't try to "bypass" the proxy - i.e. if they try to go out on port 80, 8080, or anything else that looks like HTTP, it gets silently redirected to the proxy. Block every common port that isn't being used, e.g. SSH. Block things that are being used down to the individual IP level if necessary (John's moaning that he needs to go out on SSH for his job, so open it up for just his IP and lock his HTTP proxy settings in his browser).

2) Make sure the proxy logs everything, including the source IP of the computer that made the request.

3) When you see a request that bypasses your proxy or filter (like the ones mentioned), block the entire site in question, trace back through the logs to find the IPs and therefore users who did it, and remove their accounts for violation of your network policies. This can be an internet-only ban or an account ban.

In schools, we go for Internet-ban first, then account ban for persistent offenders. "But they MUST have an account to do their work/exams", the teachers cry - fine. We'll unblock it at your request and only your direct, written or oral request for half-hour blocks at a time and you take responsibility for their actions online during that time, i.e. supervise them. Amazing how quickly that one gets the kids (and staff) behaving again.

4) Have a system in place which means the user needs to grovel to someone in charge in order to get their account turned back on. This works marvellously and the more hassle it is for them and other people to get their access back, the more likely they are to stop pulling such tricks. Especially if they are told that they are breaching company/school policy in doing so and risk suspension. It's even better if you've got them signing something to this effect when they get a computer account.

This way you don't need to chase blacklists all the time (although one helps), and you don't have to mess with regexps for a simple website (they will always find a website that uses other regexps, in the same way that they will always find a proxy website whose address you haven't blocked, so you might as well save yourself some time and just block individual domains as you see them).

The external school filtering in all the schools I've ever worked at even stopped you looking for anything with proxy in the name - they blocked all google searches for relevant terms, the google cache, archive.org etc. and anything with "proxy" in the domain or anything with relevant keywords on the pages (even, to my annoyance, things like the OpenVPN website, VNC software, and things like ShieldsUp because it let you see HTTP headers etc.). It worked remarkably well - we only had one proxy found in a year even though the kids were constantly trying to get into them and had a list of keywords to search on as long as your arm, and that was blocked quickly. Oh, and the people who were trying to search for a bypass site got all their accounts switched off too.

Automated filtering is only a stop-gap. It helps the network admin spot trouble and block the obvious or accidental stuff. For real, deliberate bypasses, you just start taking them off the system because they are untrusted users. If they are bypassing your filter, why are they? Is it too restrictive or are they trying to do something that they know isn't allowed? If it's the latter, what will they bypass next? Share security? User login/password procedure? Data protection policy? You don't faff about, you just take them off.
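Added example, not code from the thread or from squid/squidGuard: a small Python script that does the log review ledow describes in steps 2 and 3 (reading squid access.log lines, matching the requested host against a domain blacklist of known proxy sites, and mapping hits back to the client IPs that made them). It also shows why unSpawn's objection to matching on index.php?q= holds: the same string appears in a legitimate intranet URL, which the domain blacklist leaves alone. The log lines, client IPs, the intranet host and the second blacklist entry (anon-proxy.example.net) are constructed sample data; unfiltersites.com is the site named in the question.

```python
# Added example (not from the thread): review squid access.log lines for
# visits to blacklisted proxy domains and map them back to client IPs.
# All log lines, client IPs and hosts other than unfiltersites.com are
# constructed sample data.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1201579200.101    245 10.0.0.15 TCP_MISS/200 5120 GET http://unfiltersites.com/index.php?q=aHR0cDovL2V4YW1wbGUuY29t - DIRECT/192.0.2.10 text/html
1201579201.512     89 10.0.0.22 TCP_HIT/200 2048 GET http://intranet.example.com/index.php?q=quarterly+report - NONE/- text/html
1201579202.004    310 10.0.0.15 TCP_MISS/200 7300 GET http://www.unfiltersites.com/index.php?q=aHR0cDovL2V4YW1wbGUub3Jn - DIRECT/192.0.2.10 text/html
1201579203.777    120 10.0.0.31 TCP_MISS/200 4000 GET http://anon-proxy.example.net/index.php?q=Zm9v - DIRECT/192.0.2.20 text/html
1201579204.300     55 10.0.0.22 TCP_MISS/200 1500 GET http://www.example.org/news/ - DIRECT/192.0.2.30 text/html
"""

# Domain blacklist in the style of a squidGuard "domains" list: one bare
# domain per entry, matched against the host and all of its subdomains.
# Constructed; in practice this comes from a maintained blacklist file.
PROXY_DOMAINS = {"unfiltersites.com", "anon-proxy.example.net"}

# The string-based rule from the question, kept only to show its false positives.
NAIVE_PATTERN = re.compile(r"index\.php\?q=")


def parse_line(line):
    """Split one native-format access.log line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2], "url": fields[6]}


def domain_blocked(url, blacklist):
    """True if the URL's host is a blacklisted domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blacklist)


def review(log_text, blacklist=PROXY_DOMAINS):
    """Return (blacklist_hits, naive_hits), each as {client_ip: [url, ...]}."""
    blacklist_hits = defaultdict(list)
    naive_hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if domain_blocked(rec["url"], blacklist):
            blacklist_hits[rec["client"]].append(rec["url"])
        if NAIVE_PATTERN.search(rec["url"]):
            naive_hits[rec["client"]].append(rec["url"])
    return dict(blacklist_hits), dict(naive_hits)


def false_positives(log_text, blacklist=PROXY_DOMAINS):
    """URLs the index.php?q= rule would block that the domain blacklist allows."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and NAIVE_PATTERN.search(rec["url"]) and not domain_blocked(rec["url"], blacklist):
            hits.append(rec["url"])
    return hits


if __name__ == "__main__":
    by_domain, by_string = review(SAMPLE_LOG)
    print("Clients that reached blacklisted proxy domains:")
    for client, urls in sorted(by_domain.items()):
        print(f"  {client}: {len(urls)} request(s)")
    print("Legitimate URLs the index.php?q= rule would have blocked:")
    for url in false_positives(SAMPLE_LOG):
        print(f"  {url}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the client IPs it reports are the ones to trace back to user accounts under the policy steps above, and the false-positive list is the practical argument for blocking domains rather than URL substrings.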
 
Old 02-28-2008, 07:42 AM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Really, really, nice essay. +5

BTW, ocavid, both unSpawn & I assumed that your Q arose in a business context, while ledow spoke from an education point of view; I'm curious: what kind of organization are you dealing with?
 
Old 03-04-2008, 04:10 AM   #7
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Education or business, you need a network usage policy.

You also need to enforce that. If that means turning John off because he's trying to circumvent NETWORK SECURITY then that's exactly what you do. You can even make a disciplinary offence of it, quite easily (I've seen it done to STAFF in schools for doing similar stupid things).

Your users do NOT have free rein on your network, whether they work at the same company or not, or they'd all be given administrator access to everything. Data Protection laws etc. require you to implement basic network security. That includes being able to reasonably guarantee that data isn't uploaded somewhere.

Almost all companies stop you being allowed to access any and every website. Being able to access every website is not a requirement for business. Circumventing network security in order to do that is a problem for HR and the user's boss, not primarily a technical problem.

You think it's any easier to turn off an 18-year-old's account when they are in the middle of their A-Level Computer Science course, coming up to exam time? It isn't. But it can be done (even in the most unreasonable schools) and that's what you have to do, or the next time you'll find that they are breaking every network rule because nobody ever enforces them.

(As a side note, I once actually had a student threaten to report me to education authorities etc. because I banned their account because they were playing games during school hours, which wasn't allowed under our policy. I actually banned them because they were playing games AND DIDN'T STOP when asked, along with being very stroppy - but the school backed me 100% of the way, and because the student had signed a form at the beginning of the year saying they wouldn't do it, there was nothing the student could do (the threats quickly stopped when they realised that they were in the wrong and that, actually, the school could pretty much do what they wanted with their account) - he lost his account for several weeks and had to apologise to me - that was in the middle of the exam times and they were on a Computing course at the time. Provisions were put in place that if they NEEDED a computer, they would have to be supervised by a member of teaching staff over those few weeks).

The point is you can babysit your users remotely by implementing all sorts of clever filters but then guess who's in trouble when your babysitting isn't up to scratch and one of them gets caught downloading something they shouldn't? Or you can teach your users that it's THEIR problem if they try to circumvent anything you have in place, no matter how "vital" it is or how "trivial" the security is.

Of course, you always have SOMETHING in place to stop accidental straying and you ALWAYS have logging in place to find people who do try to circumvent the system, but if you babysit your users, you'll be expected to babysit them against EVERYTHING.

Given some legal climates, you would think that schools would work like mad in order to block every potential website the students could possibly find. They don't. They buy a blocklist, implement filtering, and when holes are poked through (which they inevitably are) they report the users and report the bugs to the filtering service who do their best to fix them one at a time. People will ALWAYS find a way around. You can either take responsibility for every hole that you have, or you make your users take responsibility for every hole that they decide to exploit.
 
Old 03-04-2008, 06:35 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

+5 again.

BTW, I'm still curious -- which context, education or business, is OP dealing w/?
 
All times are GMT -5.