LinuxQuestions.org


takeit 07-17-2012 09:31 AM

Squid for linux authentication question
 
Hello,
I have installed squid on my debian server.
I configured it to use ncsa_auth so that only users who type a username and password can use it, because I had a lot of unknown connections to my proxy server without authentication enabled.

I have installed sqstat to see online connections to my proxy server.
It seems like everything is working fine; I can use the proxy only when I type the username and password I defined.

But here is my question. Even though authentication is set, sqstat shows me that there are (at the moment I captured it) 8 users and 95 connections @ 0.00/0.00 KB/s (CURR/AVG), which is weird, because only I have access to the username and password I created. It also shows the connection that I am using at the moment.

I enabled authentication and it prompts for a username and password, but some people still have access to my proxy server?
How is it possible? Can anyone explain to me what I did wrong?

In log file it shows something like that:
Code:

1342531625.592      0 109.236.88.33 TCP_DENIED/407 1706 GET http://l13.member.ukl.yahoo.com/? - NONE/- text/html
1342531625.644      0 199.19.105.99 TCP_DENIED/407 1754 GET http://www.academic-softwares.com/store/index.php - NONE/- text/html
1342531625.716      0 50.93.204.245 TCP_DENIED/407 1679 GET http://ib.adnxs.com/ttj? - NONE/- text/html
1342531625.764      0 92.81.193.166 TCP_DENIED/407 1793 GET http://www.gottogofaster.com/ab-circle-workout-machine-review/ - NONE/- text/html
1342531625.797      0 81.30.223.67 TCP_DENIED/407 1655 CONNECT 64.12.202.59:443 - NONE/- text/html
1342531625.851      0 50.93.200.95 TCP_DENIED/407 1697 GET http://ad.yieldmanager.com/st? - NONE/- text/html
1342531625.908      0 68.233.239.13 TCP_DENIED/407 1658 CONNECT 219.106.251.99:25 - NONE/- text/html
1342531625.928      0 173.234.162.130 TCP_DENIED/407 1697 GET http://ad.yieldmanager.com/st? - NONE/- text/html
1342531625.931      0 94.41.205.88 TCP_DENIED/407 1661 CONNECT 205.188.95.208:443 - NONE/- text/html
1342531625.935      0 109.236.88.35 TCP_DENIED/407 1715 GET http://203.209.228.245/config/login? - NONE/- text/html
1342531625.970      0 92.105.237.197 TCP_DENIED/407 1781 GET http://molura.com/judge-server/php4/proxy-judge-ip-1.php4? - NONE/- text/html
1342531625.999      0 109.120.159.153 TCP_DENIED/407 1661 CONNECT 205.188.95.208:443 - NONE/- text/html
1342531626.008      0 109.120.159.153 TCP_DENIED/407 1661 CONNECT 205.188.27.208:443 - NONE/- text/html
1342531626.019      0 109.120.159.153 TCP_DENIED/407 1661 CONNECT 205.188.95.208:443 - NONE/- text/html
1342531626.081      0 50.93.205.175 TCP_DENIED/407 1697 GET http://ad.yieldmanager.com/st? - NONE/- text/html

etc

bathory 07-17-2012 10:47 AM

Hi,

For a publicly accessible server, it's usual that there are these kinds of probes.
In your logs there are only TCP_DENIED/407 entries, which is a good sign. It means that your server requires authentication and denies access if it doesn't get it.

Regards

takeit 07-17-2012 12:07 PM

OK, but this means that someone is still connecting to my proxy server even if it denies access? Because I don't know why some people can still connect.

bathory 07-17-2012 03:22 PM

Quote:

Originally Posted by takeit (Post 4730772)
OK, but this means that someone is still connecting to my proxy server even if it denies access? Because I don't know why some people can still connect.

Note that they are trying to connect to your server, but they don't succeed. After the initial try they go away.
If you run publicly accessible servers (like web, mail, etc.), you'll always see attempts like these. If you don't want to see them, use a firewall to block them before they reach your server.

Regards
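
An added example, not part of the original posts: a short Python script that reads Squid's native access.log format and separates requests refused with TCP_DENIED from requests the proxy actually served, listing any that were served without a username. The first three sample lines come from the log above; the fourth line, the client 192.0.2.10, the user alice and the peer 198.51.100.7 are constructed for illustration.

```python
from collections import Counter

# Sample in Squid's native access.log format. The first three lines are taken
# from the thread; the last is constructed (client 192.0.2.10, user "alice"
# and peer 198.51.100.7 are made-up illustration values).
SAMPLE_LOG = """\
1342531625.592      0 109.236.88.33 TCP_DENIED/407 1706 GET http://l13.member.ukl.yahoo.com/? - NONE/- text/html
1342531625.797      0 81.30.223.67 TCP_DENIED/407 1655 CONNECT 64.12.202.59:443 - NONE/- text/html
1342531625.908      0 68.233.239.13 TCP_DENIED/407 1658 CONNECT 219.106.251.99:25 - NONE/- text/html
1342531630.120    245 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/198.51.100.7 text/html
"""

def parse_line(line):
    """Return the fields of one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6], "user": f[7], "peer": f[8]}

def summarize(log_text):
    """Separate refused requests from requests the proxy actually served."""
    denied = Counter()      # client IP -> number of refused requests
    served = []             # requests Squid processed on a client's behalf
    unauthenticated = []    # served requests with no username logged
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["result"].startswith("TCP_DENIED"):
            denied[entry["client"]] += 1
            continue
        served.append(entry)
        if entry["user"] == "-":
            unauthenticated.append(entry)
    return {"denied": denied, "served": served, "unauthenticated": unauthenticated}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("refused requests per client:", dict(report["denied"]))
    for e in report["served"]:
        print("served:", e["client"], e["user"], e["method"], e["url"])
    print("served without a username:", len(report["unauthenticated"]))
```

A non-empty "served without a username" list is the case to investigate; a log containing only TCP_DENIED/407 lines from unknown clients matches what the answers above describe.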

takeit 07-18-2012 08:38 AM

Quote:

Originally Posted by bathory (Post 4730947)
Note that they are trying to connect to your server, but they don't succeed. After the initial try they go away.
If you run publicly accessible servers (like web, mail, etc.), you'll always see attempts like these. If you don't want to see them, use a firewall to block them before they reach your server.

Regards

OK, thank you very much for that information.


All times are GMT -5.