Re: [cobalt-developers] Do I have a Squid problem???
- Subject: Re: [cobalt-developers] Do I have a Squid problem???
- From: Harald Kapper <hk@xxxxxxxxxx>
- Date: Mon May 5 09:58:56 2003
- Organization: kapper.net
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
hi there,
well I actually would suggest to take a closer look
using e.g.

    less /home/squid2/logs/access.log

(press shift+f to see what's going on right now)
(then stop using ctrl+c and "q")
if you see direct-connections from outside they probably
do abuse your squid to do smtp-connections to hosts outside.
now I'd recommend first to update all those cobalt packages you
are offered in bluelinq. this might help (though I don't think so).
now I'd first of all try to block outside connections to port 3128
on your qube using the basic firewall. if this still doesn't help
you either have bad guys in your LAN or your firewall-setup is bogus.
anyway, this shouldn't happen imho (though sun did it this way)
even on a very basic-non-firewalled-setup.
I'd recommend to edit your /etc/squid/squid.conf file (save a backup before)
go to the lines where it says:

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0

add there another line saying e.g.:

    acl trustedips src 192.168.0.0/255.255.255.0

(assuming your local lan is numbered 192.168.0.x)
(if not change accordingly)
now scroll down where it says:

    #Default:
    # http_access deny all

do uncomment this line - simply remove the "#" the result should look like this:

    #Default:
    http_access deny all

and now add another before this "deny all" line where you say:

    http_access allow trustedips

basically this should do, now restart your squid (either via the webinterface or commandline).
have a look at your logfiles and see if you finished the problem.
if you still get further connects from the outside this would be interesting ;-)
and if you still see activity from the outside trying to connect to your port,
don't worry as long as there is no connection established that's just fine, you
will probably be a target for the next weeks as you're known to have had this
port and squid wide open.
btw. sidestep:
after doing a clean q3-setup and patching it to the most current patches I see this:

    # -*- COBALT-FILTER-RULES -*-
    acl Cips dst
    acl Cdomains dstdomain sfbay.sun.com
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # -*- END-COBALT-FILTER-RULES -*-

in the squid.conf - but actually I have no real clue what they want to do with those
two acl-lines.... - anybody any thoughts?
best,
Harald Kapper, icq# 36178328 kapper.net, inc.
managing director loeblichgasse 6
chief software development 1090 vienna, .at
tel +43 1 3195500-0, fax +43 1 3195502, hk@xxxxxxxxxx
On Mon, 5 May 2003 11:40:19 -0400 (EDT), you wrote:
>Hi all,
> I have a Qube 3 at home...
>
> Recently I noticed that my cable-modem activity
>light was flashing quite a lot. I then looked at
>netstat -n and found a huge number of hosts being
>connected to my system. Do I have to say I was not
>expecting this as I was not even running netscape on
>my pc, nor did I on any system I have at home?
>
> I then tried to block connection from the
>network where these hosts were from but gave up since
>I was now at more than 150 entries in the firewall
>table to be banned! I then decided to act differently
>and block all the ports I was not using explicitly and
>allowing only the http port, telnet, ftp and about 5
>others like nameservers etc. I was still getting lots
>of traffic I was not expecting...
>
> So I went on the internet and got "sniffit",
>installed it and ran it to find out packets were
>coming and going to SQUID, or the cache server that
>runs on the QUBE. I'm sure it has to do with it since
>the port showed in sniffit is 3128 which happens to be
>the one configured in the squid config file...
>
> When I stop the squid server the traffic goes
>down a lot but I still see some packets going around
>with sniffit even though I can't see any connection
>with netstat. At least the packet rate/length is a lot
>smaller than when it is active...
>
> Does anyone know of a virus that attacks squid?
>I found a packet that was coming from Davnet saying I
>was banned on their server because of advertisement
>sent to their network, on which I have never
>connected... They were recommending me to do a
>virus/trojan scan on my system...
>
> How can I be sure squid works fine? I can't
>believe it should cache stuff while I'm not active on
>the internet!
>
> Thanks all for your help!
>
> Denis
>_______________________________________________
>cobalt-developers mailing list
>cobalt-developers@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-developers
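
Added example, not part of the original mail: a small script for the log check suggested in the reply, run over access.log before and after the squid.conf change. It assumes Squid's native access.log format and the 192.168.0.0/24 "trustedips" network from the mail; the function name `audit` is hypothetical and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: the trusted LAN is the "trustedips" network from the mail above.
TRUSTED = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample lines (documentation addresses), native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1052143136.101    230 192.168.0.12 TCP_MISS/200 4312 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1052143137.455   5120 203.0.113.7 TCP_MISS/200 1542 CONNECT mail.example.net:25 - DIRECT/198.51.100.9 -
1052143138.020   4980 203.0.113.7 TCP_MISS/200 1390 CONNECT mx.example.com:25 - DIRECT/198.51.100.44 -
1052143139.777     12 198.51.100.23 TCP_DENIED/403 1045 GET http://www.example.org/ - NONE/- text/html
this line is malformed
"""


def audit(lines, trusted=TRUSTED):
    """Split outside clients into served requests, SMTP tunnels and denials."""
    served, smtp, denied = Counter(), [], Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client column is not an IP address
        if addr in trusted:
            continue  # LAN clients are expected to use the proxy
        if action.startswith("TCP_DENIED"):
            denied[client] += 1  # probe refused by "http_access deny all"
            continue
        served[client] += 1  # squid did work for an outside host
        if method == "CONNECT" and url.rpartition(":")[2] == "25":
            smtp.append((client, url))  # tunnel to a mail server
    return served, smtp, denied


if __name__ == "__main__":
    served, smtp, denied = audit(SAMPLE_LOG.splitlines())
    print("outside clients served:", dict(served))
    print("SMTP tunnels:", smtp)
    print("outside clients denied:", dict(denied))
```

After the ACL change, outside addresses should appear only in the denied count; any entry in the served or SMTP lists means the proxy is still answering hosts outside the LAN.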