
Re: [cobalt-developers] Do I have a Squid problem???



 Hi,
     Thanks for the hints! I'll apply them as soon as
I get home after work...

     Have a good evening, I see you're from Europe, so
probably around 6-7 hours ahead of me!

     Denis

--- Harald Kapper <hk@xxxxxxxxxx> wrote:
> hi there,
> well I actually would suggest to take a closer look using eg.
> 
> less /home/squid2/logs/access.log
> 
> (press shift+f to see what's going on right now)
> (then stop using ctrl+c and "q")
> 
> if you see direct-connections from outside they probably
> do abuse your squid to do smtp-connections to hosts outside.
> 
> now I'd recommend first to update all those cobalt packages you
> are offered in bluelinq. this might help (though I don't think so).
> 
> now I'd first of all try to block outside connections to port 3128
> on your qube using the basic firewall. if this still doesn't help
> you either have bad guys in your LAN or your firewall-setup is bogus.
> 
> anyway, this shouldn't happen imho (though sun did it this way)
> even on a very basic-non-firewalled-setup.
> 
> I'd recommend to edit your /etc/squid/squid.conf file (save a backup before)
> 
> go to the lines where it says:
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> 
> add there another line saying eg:
> acl trustedips src 192.168.0.0/255.255.255.0
> 
> (assuming your local lan is numbered 192.168.0.x)
> (if not change accordingly)
> 
> now scroll down where it says:
> #Default:
> # http_access deny all
> 
> do uncomment this line - simply remove the "#" the result should look like this:
> #Default:
> http_access deny all
> 
> and now add another before this "deny all" line where you say:
> 
> http_access allow trustedips
> 
> basically this should do, now restart your squid
> (either via the webinterface or commandline).
> have a look at your logfiles and see if you finished the problem.
> 
> if you still get further connects from the outside this would be interesting ;-)
> and if you still see activity from the outside trying to connect to your port,
> don't worry as long as there is no connection established that's just fine, you
> will probably be a target for the next weeks as you're known to have had this
> port and squid wide open.
> 
> btw. sidestep:
> after doing a clean q3-setup and patching it to the most current patches I see this:
> # -*- COBALT-FILTER-RULES -*-
> acl Cips dst
> acl Cdomains dstdomain sfbay.sun.com
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> # -*- END-COBALT-FILTER-RULES -*-
> 
> in the squid.conf - but actually I have no real clue what they want to do with those
> two acl-lines....  - anybody any thoughts?
> 
> best,
> Harald Kapper, icq# 36178328         kapper.net, inc.
> managing director                    loeblichgasse 6
> chief software development           1090 vienna, .at
> tel +43 1 3195500-0, fax +43 1 3195502, hk@xxxxxxxxxx
> 
> On Mon, 5 May 2003 11:40:19 -0400 (EDT), you wrote:
> 
> >Hi all,
> >        I have a Qube 3 at home...
> >
> >        Recently I noticed that my cable-modem activity
> >light was flashing quite a lot. I then looked at
> >netstat -n and found a huge number of hosts being
> >connected to my system. Do I have to say I was not
> >expecting this as I was not even running netscape on
> >my pc, nor did I on any system I have at home?
> >
> >        I then tried to block connections from the
> >network where these hosts were from but gave up since
> >I was now at more than 150 entries in the firewall
> >table to be banned! I then decided to act differently
> >and block all the ports I was not using explicitly and
> >allowing only the http port, telnet, ftp and about 5
> >others like nameservers etc. I was still getting lots
> >of traffic I was not expecting...
> >
> >        So I went on the internet and got "sniffit",
> >installed it and ran it to find out packets were
> >coming and going to SQUID, or the cache server that
> >runs on the QUBE. I'm sure it has to do with it since
> >the port shown in sniffit is 3128 which happens to be
> >the one configured in the squid config file...
> >
> >         When I stop the squid server the traffic goes
> >down a lot but I still see some packets going around
> >with sniffit even though I can't see any connection
> >with netstat. At least the packet rate/length is a lot
> >smaller than when it is active...
> >
> >         Does anyone know of a virus that attacks squid?
> >I found a packet that was coming from Davnet saying I
> >was banned on their server because of advertisement
> >sent to their network, on which I have never
> >connected... They were recommending me to do a
> >virus/trojan scan on my system...
> >
> >         How can I be sure squid works fine? I can't
> >believe it should cache stuff while I'm not active on
> >the internet!
> >
> >         Thanks all for your help!
> >
> >         Denis
> >
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
>
http://list.cobalt.com/mailman/listinfo/cobalt-developers 
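
Added example, not part of the original messages: a Python version of the access.log check suggested above, flagging clients outside the LAN that the proxy actually served (including CONNECT tunnels to port 25) versus attempts it refused. It assumes Squid's native log format and the 192.168.0.0/24 LAN from the thread; the sample lines and addresses are constructed.

```python
import ipaddress
from collections import Counter

# Trusted LAN taken from the thread's example ACL; change it to match your network.
TRUSTED = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1052149201.101    120 192.168.0.10 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
1052149202.455  30211 203.0.113.7 TCP_MISS/200 2048 CONNECT mail.example.net:25 - DIRECT/198.51.100.9 -
1052149203.870    640 203.0.113.7 TCP_MISS/200 900 GET http://ads.example.com/x - DIRECT/192.0.2.81 text/html
1052149204.002      3 198.51.100.44 TCP_DENIED/403 1100 CONNECT mx.example.com:25 - NONE/- text/html
not a log line
"""

def classify(line):
    """Return (client, verdict) for one access.log line, or None if unparseable."""
    f = line.split()
    if len(f) < 7:
        return None
    client, result, method, url = f[2], f[3], f[5], f[6]
    try:
        inside = ipaddress.ip_address(client) in TRUSTED
    except ValueError:
        return None
    if inside:
        return client, "trusted"
    if result.startswith("TCP_DENIED"):
        return client, "outside-denied"       # attempt refused: the ACL is working
    if method == "CONNECT" and url.rsplit(":", 1)[-1] == "25":
        return client, "outside-smtp-tunnel"  # proxy opened a tunnel to an SMTP port
    return client, "outside-served"           # proxy served a client outside the LAN

def summarize(text):
    """Count log lines per (client, verdict) across a log excerpt."""
    hits = Counter()
    for line in text.splitlines():
        verdict = classify(line)
        if verdict:
            hits[verdict] += 1
    return hits

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        if verdict != "trusted":
            print(f"{client:15} {verdict:20} {n}")
```

After the `http_access allow trustedips` / `http_access deny all` change, outside clients should only ever appear as `outside-denied`.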
