LinuxQuestions.org

Linux - Software: squid - prevent brute force attacks on ncsa auth (https://www.linuxquestions.org/questions/linux-software-2/squid-prevent-brute-force-attacks-on-ncsa-auth-746794/)

qwertyjjj 08-11-2009 03:00 PM

squid - prevent brute force attacks on ncsa auth
 
Is there a way to prevent, or perhaps track, multiple failed logins through ncsa_auth on squid?
I am getting a whole host of 407 errors in the access.logs

Code:

USERID        IP/NAME        DATE/TIME        ACCESSED SITE
122.227.164.96        122.227.164.96        08/10/2009-06:28:51        http://proxyjudge1.proxyfire.net/fastenv
123.134.95.243        123.134.95.243        08/10/2009-12:54:18        http://www.spedia.net/sp_login.htm
                08/10/2009-13:23:31        http://www.spedia.net/sp_login.htm
174.36.237.104        174.36.237.104-static.reverse.softlayer.com        08/10/2009-07:05:06        http://74.63.225.44/phps.php
                08/10/2009-07:22:54        http://74.63.225.44/phps.php
                08/10/2009-07:05:06        http://www.yahoo.com/
                08/10/2009-07:22:54        http://www.yahoo.com/
208.112.91.102        goodsportmedia.com        08/10/2009-07:56:45        http://proxyjudge.securityscanner.org/
                08/10/2009-07:57:45        http://proxyjudge.securityscanner.org/
                08/10/2009-07:56:45        www.google.com:443
                08/10/2009-07:57:45        www.google.com:443
221.195.40.70        221.195.40.70        08/09/2009-10:51:27        http://www.yahoo.com/
                08/09/2009-10:51:28        http://www.yahoo.com/
                08/09/2009-18:37:24        http://www.yahoo.com/
                08/09/2009-18:37:24        http://www.yahoo.com/
221.195.73.68        221.195.73.68        08/09/2009-12:30:43        http://pv.wantsfly.com/prx.php?
                08/09/2009-12:30:43        http://pv.wantsfly.com/prx.php?
                08/10/2009-19:57:21        http://pv.wantsfly.com/prx.php?
                08/10/2009-19:57:21        http://pv.wantsfly.com/prx.php?
222.208.183.218        222.208.183.218        08/10/2009-18:26:39        http://proxyjudge1.proxyfire.net/fastenv
                08/10/2009-19:36:59        http://proxyjudge2.proxyfire.net/fastenv
                08/10/2009-19:39:53        http://sevy.eu.org/azenv.php
                08/10/2009-20:45:33        http://sevy.eu.org/azenv.php
                08/10/2009-20:49:33        http://sevy.eu.org/azenv.php
                08/10/2009-18:28:12        http://zerg.helllabs.net/cgi-bin/textenv.pl
                08/10/2009-21:56:23        http://zerg.helllabs.net/cgi-bin/textenv.pl
                08/10/2009-21:57:11        http://zerg.helllabs.net/cgi-bin/textenv.pl
61.160.216.187        61.160.216.187        08/10/2009-14:26:30        http://www.wantsfly.com/prx.php?
                08/10/2009-14:26:39        http://www.wantsfly.com/prx.php?
74.63.225.44        44-225-63-74.reverse.lstn.net        08/09/2009-23:51:44        http://74.63.225.44/phps.php
                08/10/2009-01:09:14        http://74.63.225.44/phps.php
                08/10/2009-01:09:14        http://www.yahoo.com/
88.80.7.248        a7-248-n44.cust.prq.se        08/09/2009-19:25:41        http://88.80.7.248/pp/anp.php?


unSpawn 08-11-2009 07:30 PM

If a client accesses the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.

qwertyjjj 08-12-2009 04:07 AM

Quote:

Originally Posted by unSpawn (Post 3639839)
If a client accesses the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.

Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?

unSpawn 08-12-2009 08:29 AM

Quote:

Originally Posted by qwertyjjj (Post 3640158)
Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?

Doesn't Sarg provide authentication failure reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:
Code:

1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html

qwertyjjj 08-12-2009 08:33 AM

Quote:

Originally Posted by unSpawn (Post 3640396)
Doesn't Sarg provide authentication failure reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:
Code:

1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html

Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.

centosboy 08-12-2009 08:41 AM

Quote:

Originally Posted by qwertyjjj (Post 3640398)
Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.

fail2ban blocks ssh and http by default

qwertyjjj 08-12-2009 08:45 AM

Quote:

Originally Posted by centosboy (Post 3640407)
fail2ban blocks ssh and http by default

but not squid ncsa_auth ?

centosboy 08-12-2009 08:47 AM

Quote:

Originally Posted by qwertyjjj (Post 3640413)
but not squid ncsa_auth ?

I don't know if you can configure it to do so, as that was beyond the realm of what I needed it for.

this will tell you - if you can be bothered to read it ;)

Code:

http://www.fail2ban.org/wiki/index.php/HOWTOs

qwertyjjj 08-12-2009 08:52 AM

Quote:

Originally Posted by centosboy (Post 3640414)
I don't know if you can configure it to do so, as that was beyond the realm of what I needed it for.

this will tell you - if you can be bothered to read it ;)

Code:

http://www.fail2ban.org/wiki/index.php/HOWTOs

Looks like something needs to be coded in the regex to look through the denied 407 lines in the logs.
http://www.ducea.com/2006/07/03/usin...force-attacks/

Something would need to check the squid access log for TCP/DENIED 407 errors.
I'll check on the squid user group and post back here.

unSpawn 08-13-2009 07:34 AM

IMO regexes are general stuff, I doubt the Squid user group is the right place for it, rather the fail2ban mailing list. The problem is that Squid logs in epoch style and not syslog-like or human readable. I'm not sure about the timeregex / timepattern (%s?) vars but since 'awk '/TCP_DENIED\/407/ {print $3}' /path/to/logfile' prints the IP you need, maybe the failregex could look like ": .*TCP_DENIED\/407.*"?

