squid

qwertyjjj · 08-11-2009, 02:00 PM

Is there a way to prevent or perhaps racks multiple failed logins though ncsa_auth on squid?
I am getting a whole host of 407 errors in the access.logs

Code:

USERID	IP/NAME	DATE/TIME	ACCESSED SITE
122.227.164.96	122.227.164.96	08/10/2009-06:28:51	http://proxyjudge1.proxyfire.net/fastenv
123.134.95.243	123.134.95.243	08/10/2009-12:54:18	http://www.spedia.net/sp_login.htm
		08/10/2009-13:23:31	http://www.spedia.net/sp_login.htm
174.36.237.104	174.36.237.104-static.reverse.softlayer.com	08/10/2009-07:05:06	http://74.63.225.44/phps.php
		08/10/2009-07:22:54	http://74.63.225.44/phps.php
		08/10/2009-07:05:06	http://www.yahoo.com/
		08/10/2009-07:22:54	http://www.yahoo.com/
208.112.91.102	goodsportmedia.com	08/10/2009-07:56:45	http://proxyjudge.securityscanner.org/
		08/10/2009-07:57:45	http://proxyjudge.securityscanner.org/
		08/10/2009-07:56:45	www.google.com:443
		08/10/2009-07:57:45	www.google.com:443
221.195.40.70	221.195.40.70	08/09/2009-10:51:27	http://www.yahoo.com/
		08/09/2009-10:51:28	http://www.yahoo.com/
		08/09/2009-18:37:24	http://www.yahoo.com/
		08/09/2009-18:37:24	http://www.yahoo.com/
221.195.73.68	221.195.73.68	08/09/2009-12:30:43	http://pv.wantsfly.com/prx.php?
		08/09/2009-12:30:43	http://pv.wantsfly.com/prx.php?
		08/10/2009-19:57:21	http://pv.wantsfly.com/prx.php?
		08/10/2009-19:57:21	http://pv.wantsfly.com/prx.php?
222.208.183.218	222.208.183.218	08/10/2009-18:26:39	http://proxyjudge1.proxyfire.net/fastenv
		08/10/2009-19:36:59	http://proxyjudge2.proxyfire.net/fastenv
		08/10/2009-19:39:53	http://sevy.eu.org/azenv.php
		08/10/2009-20:45:33	http://sevy.eu.org/azenv.php
		08/10/2009-20:49:33	http://sevy.eu.org/azenv.php
		08/10/2009-18:28:12	http://zerg.helllabs.net/cgi-bin/textenv.pl
		08/10/2009-21:56:23	http://zerg.helllabs.net/cgi-bin/textenv.pl
		08/10/2009-21:57:11	http://zerg.helllabs.net/cgi-bin/textenv.pl
61.160.216.187	61.160.216.187	08/10/2009-14:26:30	http://www.wantsfly.com/prx.php?
		08/10/2009-14:26:39	http://www.wantsfly.com/prx.php?
74.63.225.44	44-225-63-74.reverse.lstn.net	08/09/2009-23:51:44	http://74.63.225.44/phps.php
		08/10/2009-01:09:14	http://74.63.225.44/phps.php
		08/10/2009-01:09:14	http://www.yahoo.com/
88.80.7.248	a7-248-n44.cust.prq.se	08/09/2009-19:25:41	http://88.80.7.248/pp/anp.php?

unSpawn · 08-11-2009, 06:30 PM

If a client access the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.

qwertyjjj · 08-12-2009, 03:07 AM

Quote:

Originally Posted by unSpawn

If a client access the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.

Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?

unSpawn · 08-12-2009, 07:29 AM

Quote:

Originally Posted by qwertyjjj

Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?

Doesn't Sarg provides authentication failures reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:

Code:

1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html

qwertyjjj · 08-12-2009, 07:33 AM

Quote:

Originally Posted by unSpawn

Doesn't Sarg provides authentication failures reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:

Code:

1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html

Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.

centosboy · 08-12-2009, 07:41 AM

Quote:

Originally Posted by qwertyjjj

Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.

fail2ban blocks ssh and http by default

qwertyjjj · 08-12-2009, 07:45 AM

Quote:

Originally Posted by centosboy

fail2ban blocks ssh and http by default

but not squid ncsa_auth ?

centosboy · 08-12-2009, 07:47 AM

Quote:

Originally Posted by qwertyjjj

but not squid ncsa_auth ?

i dont know if you can configure it to do so, as that was beyond the realm of what i needed it for.

this will tell you - if you can be bothered to read it

Code:

http://www.fail2ban.org/wiki/index.php/HOWTOs

qwertyjjj · 08-12-2009, 07:52 AM

Quote:

Originally Posted by centosboy

i dont know if you can configure it to do so, as that was beyond the realm of what i needed it for.

this will tell you - if you can be bothered to read it

Code:

http://www.fail2ban.org/wiki/index.php/HOWTOs

Looks like something needs to be coded in the regex to look through the denied 407 lines in the logs.
http://www.ducea.com/2006/07/03/usin...force-attacks/

Something would need to check the squid access log for TCP/DENIED 407 errors.
I'll check on the squid user group and post back here.

unSpawn · 08-13-2009, 06:34 AM

IMO regexes are general stuff, I doubt the Squid user group is the right place for it, rather the fail2ban mailing list. The problem is that Squid logs in epoch-stylee and not syslog-like or human readable. I'm not sure about the timeregex / timepattern (%s?) vars but since 'awk '/TCP_DENIED\/407/ {print $3}' /path/to/logfile' prints the IP you need, maybe the failregex could look like ": .*TCP_DENIED\/407.*"?..