Discussion:
[squid-users] Bypassed Proxy
Eliezer Croitoru
2016-12-23 09:31:41 UTC
Permalink
My suggestion would be to find the holes in the system.
There are a couple of good networking tools, i.e.:
Iptstate
Iptraf-ng
netstat-nat
conntrackd-tools

The above tools have options to see which parts of the IP traffic are not on ports such as:
53
80
443

Which you can control easily.
You can easily add a DROP or REJECT rule in iptables for all new connections on ports other than these, as a starter.
It's very simple to write, and I think you should dig a bit into iptables so you would be able to understand better how it works; it will give you a glimpse into the networking security world.
This amazing site and page:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

gives a better understanding of iptables and also of networking.
If you need more guidance let me know.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Sameh Onaissi
Sent: Friday, December 23, 2016 2:03 AM
To: Antony Stone <***@squid.open.source.it>
Cc: squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Bypassed Proxy

I have been trying to replicate what he is doing.

I have tried 4 or 5 VPN programs and none connects, including Hotspot Shield. My iptables seem to be doing the job in that regard (Eliezer helped me set them up).
The user has hotspot shield installed on his PC, which I believe is a
similar extension to the one you mentioned.
He is getting by squid with some sort of VPN, I thought squid can be
configured against such things?
It sounds as though you need to review your firewall (routing) policies.
Anyone who is allowed to use a VPN can effectively bypass all security
policies on your network.
Antony.
--
Schrödinger's rule of data integrity: the condition of any backup is
unknown until a restore is attempted.
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Eliezer Croitoru
2016-12-21 18:43:50 UTC
Permalink
How does squid.conf look now?
It's probably a typo or some settings exception.
You need to debug and check first whether squidguard receives the request details
and what it does with them.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a starting point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help, share with a paste the current squid.conf and
squidguard.conf.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il


From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: squid-***@lists.squid-cache.org
Subject: [squid-users] Bypassed Proxy

Hello all,

I got a transparent squid installed on Ubuntu 16.04

Using squid guard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow able to access YouTube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam
Eliezer Croitoru
2016-12-21 23:09:46 UTC
Permalink
Try to see what happens when you change and simplify the squidguard conf (after a backup) to one default rule which blocks youtube.
This way you would be able to narrow down the options, from squidguard to squid or the other way around.
Try to follow the cache.log and see if you see anything which mentions "youtube".

The options for the issue are one of two:
Squidguard is configured wrong or has a bug
Squid is configured wrong or has a bug

I cannot say that squid is 100% bullet proof, but first analyze the logs to see what happens, and if you need to block youtube specifically I would do it at the squid level rather than at the squidguard level, since it's a very simple, tiny and static rule.
Leaving aside the beauty of the splash page and just blocking, add the next lines to the beginning of squid.conf:
#YT DOMS
acl ytdoms dstdomain .youtube.com .ytimg.com .googlevideo.com
acl ytallowedusers src 10.0.0.1/32 10.0.0.2/32
http_access deny ytdoms !ytallowedusers
##END OF ADDITION

If you wish to allow a specific user to access these domains just add them to the ytallowedusers acl.
Use squidguard only for things which need more frequent updates.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il


From: Sameh Onaissi [mailto:***@solcv.com]
Sent: Thursday, December 22, 2016 12:20 AM
To: Eliezer Croitoru <***@ngtech.co.il>
Cc: squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Bypassed Proxy

HI Eliezer,


squid.conf: http://pastebin.com/7Nusciiu

squidguard.conf: http://pastebin.com/DiRgD23c


I think the client is using a Google chrome extension: https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)




Amos Jeffries
2016-12-23 03:06:49 UTC
Permalink
Post by Eliezer Croitoru
I have been trying to replicate what he is doing.
I have tried 4 or 5 VPN software and none connects, including Hotspot
Shield. My iptables seem to be doing the job in that regard (Eliezer
helped me set them up)
Do you have matching ip6tables rules to prevent IPv6 networking being
used for the prohibited things?
Post by Eliezer Croitoru
The user has hotspot shield installed on his PC, which I believe is a
similar extension to the one you mentioned.
He is getting by squid with some sort of VPN, I thought squid can be
configured against such things?
Squid can only prevent things going through itself.

Unless the VPN software is using HTTP(S) protocol messaging as a
transport layer, AND that messaging goes through the proxy, the answer
is no. That kind of control is what firewalls are for.
Post by Eliezer Croitoru
It sounds as though you need to review your firewall (routing) policies.
Anyone who is allowed to use a VPN can effectively bypass all security policies
on your network.
I second that.

Keep in mind that "iptables" command only sets up rules for IPv4
connections. They could be using IPv6. 'VPN' also has a number of
sub-types: 6to4, SOCKS, IP-IP, or remote NPT relay.

Amos
Alex Rousskov
2016-12-21 23:51:29 UTC
Permalink
Post by Eliezer Croitoru
One user is somehow, able to access you tube through squid!
1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
What makes you think this user was able to access youtube? AFAICT, Squid
responded with an error (TAG_NONE/503) and did not contact the origin
server (HIER_NONE/-).

I understand that you want Squid to redirect users instead of responding
with an error. This 503 response could be due to Squid being unable to
bump the user connection for some reason. Successful bumping is required
to redirect users.

You may see more details inside that error response itself. Others on
the list may be able to help you to get to that response in Squid logs
or packet captures.


HTH,

Alex.
Sameh Onaissi
2016-12-22 21:02:56 UTC
Permalink
Hello,


Eliezer’s recommended fix did not work.

The user was on YouTube watching UFC all day today.

Here’s a copy of the log at the time.
1482436450.285 353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318 4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567 839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436450.585 0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.650 373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
1482436450.669 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682 1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.706 386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
1482436450.740 6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.909 469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436450.927 1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436450.940 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.955 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.063 197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436451.080 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.217 434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
1482436451.236 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.322 271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482436451.345 479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436451.361 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.498 4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.530 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.909 817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -



I know 503 is an error, but the user was using youtube without any hassles.
Those IPs are for Digital Ocean and Alentus Corporation.

Squid is being “fooled” somehow.
I did notice the 503, which made it more confusing to me.
The reason I investigated the issue was because I saw youtube working on the client’s PC with a blue shield-like icon along with some words on top of the youtube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” squid.

Both the chrome extension and the Desktop client are installed on the machine.

I tried replicating that, but I couldn’t even connect the client.

What should I be looking for in cache.log?


Thanks again!

Sam

On Dec 21, 2016, at 6:59 PM, Sameh Onaissi <***@solcv.com<mailto:***@solcv.com>> wrote:





On Dec 21, 2016, at 6:51 PM, Alex Rousskov <***@measurement-factory.com<mailto:***@measurement-factory.com>> wrote:

On 12/21/2016 10:14 AM, Sameh Onaissi wrote:

One user is somehow, able to access you tube through squid!

1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html

What makes you think this user was able to access youtube? AFAICT, Squid
responded with an error (TAG_NONE/503) and did not contact the origin
server (HIER_NONE/-).

I did notice the 503, which made it more confusing to me.
The reason I investigated the issue was because I saw youtube working on the client’s PC with a blue shield-like icon along with some words on top of the youtube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” squid.

In any case, I applied the ACL’s to the squid.conf as Eliezer recommended, now I’ll wait till the user comes back in tomorrow to see if it worked.


I understand that you want Squid to redirect users instead of responding
with an error. This 503 response could be due to Squid being unable to
bump the user connection for some reason. Successful bumping is required
to redirect users.

You may see more details inside that error response itself. Others on
the list may be able to help you to get to that response in Squid logs
or packet captures.


HTH,

Alex.
Amos Jeffries
2016-12-23 03:56:27 UTC
Permalink
Post by Sameh Onaissi
Hello,
Eliezer’s recommended fix did not work.
The user was on YouTube watching UFC all day today.
Here’s a copy of the log at the time.
1482436450.285 353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318 4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567 839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436450.585 0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.650 373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
1482436450.669 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682 1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.706 386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
1482436450.740 6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.909 469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436450.927 1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436450.940 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.955 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.063 197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436451.080 0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.217 434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
1482436451.236 0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.322 271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482436451.345 479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436451.361 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.498 4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.530 0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.909 817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
I know 503 is an error, but the user was using youtube without any hassles.
Those IPs are for Digital Ocean and Alentus Corporation.
rDNS says they are being used by the northghost "Touch VPN" network.
Post by Sameh Onaissi
Squid is being “fooled” somehow.
I did notice the 503, which made it more confusing to me.
Squid is rejecting the YT traffic attempts asked of it. Maybe not in the
way you intended, but to the same effect.

The above log implies they are visiting northghost. Nothing is
prohibiting that. Then Squid, during the bumping process, sees the YT
domain in SNI or somesuch and tries to reject it, but can't at that late
stage, so a 503 occurs.

There are very likely other attempts being made in other ways since
these did not succeed. If any of those do succeed the user gets their YT
access.

Amos
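An added example, not code from the thread or from the Squid project: a Python triage of Squid native-format access.log lines that separates the two patterns Alex and Amos read out of the log above (a CONNECT that Squid rejected itself, TAG_NONE/503 with HIER_NONE/-, versus a CONNECT to a literal IP address that Squid passed through as ORIGINAL_DST) and lists clients that show both in the same window. The sample log is constructed from the lines quoted in the thread; the label names, the min_tunnels threshold and the 192.0.2.1 placeholder are my own assumptions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional
import ipaddress


class LogEntry(NamedTuple):
    client: str
    status: int        # HTTP status Squid returned (second half of TAG/STATUS)
    method: str
    url: str           # for CONNECT this is host:port
    hier_code: str     # HIER_NONE, ORIGINAL_DST, HIER_DIRECT, ...


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one line of Squid's default (native) access.log format."""
    parts = line.split()
    if len(parts) != 10:
        return None  # blank, truncated or non-native line
    _ts, _elapsed, client, code_status, _size, method, url, _ident, hier, _ctype = parts
    try:
        return LogEntry(client, int(code_status.split("/", 1)[1]), method, url,
                        hier.split("/", 1)[0])
    except (IndexError, ValueError):
        return None


def dest_host(url: str) -> str:
    """Host part of a CONNECT target ('host:port' or '[v6addr]:port')."""
    if url.startswith("["):
        return url[1:url.index("]")]
    return url.rsplit(":", 1)[0]


def is_bare_ip(host: str) -> bool:
    """True when the TLS target is a literal IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry: LogEntry) -> str:
    if entry.method != "CONNECT":
        return "other"
    if entry.status == 503 and entry.hier_code == "HIER_NONE":
        return "denied_by_squid"    # Squid answered 503 itself; no origin contacted
    if entry.hier_code == "ORIGINAL_DST" and is_bare_ip(dest_host(entry.url)):
        return "tunnel_to_bare_ip"  # intercepted TLS to a literal IP, passed through
    return "other"


def triage(log_text: str) -> Dict[str, dict]:
    """Per-client label counts plus the bare-IP endpoints that client reached."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    endpoints: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[entry.client][label] += 1
        if label == "tunnel_to_bare_ip":
            endpoints[entry.client].add(dest_host(entry.url))
    return {c: {"denied_by_squid": counts[c]["denied_by_squid"],
                "tunnel_to_bare_ip": counts[c]["tunnel_to_bare_ip"],
                "bare_ip_endpoints": sorted(endpoints[c])} for c in counts}


def suspicious_clients(report: Dict[str, dict], min_tunnels: int = 2) -> List[str]:
    """Clients that were denied AND tunnelled to several bare IPs in the same window."""
    return sorted(c for c, r in report.items()
                  if r["denied_by_squid"] > 0 and r["tunnel_to_bare_ip"] >= min_tunnels)


# Constructed sample patterned on the lines quoted in the thread (not the real
# file); 192.0.2.1 is a documentation placeholder for the masked 190.x address.
SAMPLE_LOG = """\
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/192.0.2.1 text/html
"""
```

The bare-IP endpoints a flagged client reached are what you would then look up (rDNS, WHOIS) as Amos did, and feed into the firewall policy rather than into Squid.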
Sameh Onaissi
2016-12-23 17:30:37 UTC
Permalink
Thank you all for the suggestions.

I will try to read up on iptables and add the necessary rules, as well as try to add the northghost IPs to the blacklist.

On another note, I noticed Tor Browser bypasses squid completely. The only search results I found on how to block it with squid date back to 2011. (Amos has a script for that?)
Any idea how to block Tor? I downloaded it and ran it and none of its traffic is detected by Squid.
Yuri Voinov
2016-12-23 17:43:43 UTC
Permalink
Post by Sameh Onaissi
Thank you all for the suggestions.
I will try to read up on iptables and add the necessary rules, as well as try to add norhtghost IPs to the blacklist.
AFAIK not IPs, but network ranges. And you will need to update it
regularly to keep it up to date, and make enough exceptions for innocent sites to work.
Post by Sameh Onaissi
On another note, I noticed Tor Browser bypasses squid completely. The only search results I found on how to block it with squid date back to 2011. (Amos has a script for that?)
Any idea how to block Tor? I downloaded it and ran it and none of its traffic is detected by Squid.
Bridged Tor?! Cool story, bro. Even the Chinese government, with the Great
Firewall of China, can't block Tor.

PS. Personal advice. Forget about blocking Tor. Forever. It is designed to
prevent any blocking. And well designed.