I am happy to release the new RPMs of squid 3.5.8 for CentOS 6 (64bit and 32bit) and CentOS 7 (64bit).
The new release includes a couple of bug fixes and improvements.
The details about the RPM repository are at squid-wiki.
* A couple of important notes about this release are at the end of the article.
Do we need to protect squid?
Squid is often deployed to protect other applications, but past lessons teach us that squid, like any other software, is vulnerable. It can act as an internal management service inside a company or as an external service connecting an external network to some internal systems.
Places that use squid do not always say so, but universities are among the heavy users of squid around the internet. Most of them give access to some internal system using user credentials, a single sign-on pass or another authentication method. In all of these places there is a chance that some attacker will try to break into the proxy and use it to reach these internal systems or to access the internet through it. The basic defence of a proxy service is to block clients that keep presenting wrong authentication credentials.
In most cases the basic act would be to just DROP the IP traffic in the firewall. I do not think it's a bad way, but I do think that using an iptables DNAT/REDIRECT rule instead of DROPping the connection is kind of nicer, especially if it's a system that gives users access to work or office applications and systems.
Fail2ban is one of the great tools that let the proxy defend itself (using squid's access.log) from basic attacks. And of course, depending on the sensitivity of the system, a DROP rule can be the right solution to mitigate the effect of some attackers.
If you choose to give the blocked user some information about his situation and whom to contact about it, serve it from a very lightweight HTTP service that can take load and uses 100% static pages (i.e. don't use Apache with PHP in it): whatever listens on that port receives the banned client's traffic, so it should expose as little as possible. Note that the browser will only render the ban page for plain-HTTP proxy requests; a CONNECT (HTTPS) tunnel that lands on the static service ends in the browser's own proxy error instead.
For this you need a special fail2ban action that works in the nat table of iptables (REDIRECT is a nat-table target, so it cannot be used from the mangle table), sending the banned client's proxy connections to the port of that static service (8080 in the example below).
An example fail2ban action file, "action.d/iptables-redirect.conf":
# Fail2Ban configuration file
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Eliezer Croitoru for DNAT into a ban page\service
#
# REDIRECT is only valid in the nat table's PREROUTING and OUTPUT chains,
# so the jail using this action must set chain = PREROUTING
# (iptables-common.conf defaults <chain> to INPUT, which would fail here).

[INCLUDES]

before = iptables-common.conf

[Definition]

# Create a per-jail chain in the nat table and hook it in front of the proxy port(s).
actionstart = <iptables> -t nat -N f2b-<name>
              <iptables> -t nat -A f2b-<name> -j <returntype>
              <iptables> -t nat -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

actionstop = <iptables> -t nat -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -t nat -F f2b-<name>
             <iptables> -t nat -X f2b-<name>

# The check must look in the nat table too; without -t nat it inspects the
# filter table, never finds the chain, and fail2ban keeps re-running actionstart.
actioncheck = <iptables> -t nat -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Banned clients are not dropped: their connections to the proxy port are
# redirected to the static ban-page service listening on local port 8080.
actionban = <iptables> -t nat -I f2b-<name> 1 -p <protocol> -s <ip> -j REDIRECT --to-ports 8080

actionunban = <iptables> -t nat -D f2b-<name> -p <protocol> -s <ip> -j REDIRECT --to-ports 8080
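The detection side of this setup, as an added example that is not part of the original post or of squid/fail2ban themselves: it runs a fail2ban-style failregex over a constructed sample of squid's native access.log, applies the usual maxretry/findtime sliding window to decide which client IPs cross the threshold, and prints the nat-table REDIRECT rule the action above would install for each of them. The log lines, IP addresses, the chain name f2b-squid and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample of squid's native access.log format (not from the original post):
# <unix time> <duration ms> <client ip> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
SAMPLE_LOG = """\
1441440000.120     12 203.0.113.7 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441440001.001     10 203.0.113.7 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441440002.500    130 198.51.100.4 TCP_MISS/200 8842 GET http://intranet.example/ alice HIER_DIRECT/10.0.0.5 text/html
1441440003.250     11 203.0.113.7 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441440005.000      9 203.0.113.7 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441440700.000      9 192.0.2.9 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441441400.000      9 192.0.2.9 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
1441442100.000      9 192.0.2.9 TCP_DENIED/407 3911 GET http://intranet.example/ - HIER_NONE/- text/html
"""

# Only TCP_DENIED with HTTP 407 (Proxy Authentication Required) counts as an auth failure.
# Equivalent fail2ban failregex for a filter.d file (assumed, not shipped by fail2ban):
#   ^\s*\d+\.\d+\s+\d+\s+<HOST>\s+TCP_DENIED/407\s
AUTH_FAIL_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+\d+\s+(?P<host>\S+)\s+TCP_DENIED/407\s"
)


def find_auth_failures(log_text):
    """Return [(timestamp, client_ip), ...] for every 407 denial, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            events.append((float(m.group("time")), m.group("host")))
    events.sort(key=lambda e: e[0])
    return events


def ban_candidates(events, maxretry=3, findtime=600):
    """fail2ban-style thresholding: an IP is banned the moment it has `maxretry`
    failures inside a sliding window of `findtime` seconds. Returns the IPs to
    ban in the order they crossed the threshold (each IP at most once)."""
    recent = defaultdict(deque)
    banned = []
    for ts, ip in events:
        if ip in banned:
            continue  # already redirected to the ban page; later failures change nothing
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - findtime:
            window.popleft()  # forget failures that fell out of the window
        if len(window) >= maxretry:
            banned.append(ip)
    return banned


def ban_command(ip, chain="f2b-squid", port=8080, protocol="tcp"):
    """The nat-table rule the iptables-redirect action installs for one banned client
    (chain name assumed: fail2ban derives it from the jail name)."""
    return (f"iptables -t nat -I {chain} 1 -p {protocol} -s {ip} "
            f"-j REDIRECT --to-ports {port}")


def unban_command(ip, chain="f2b-squid", port=8080, protocol="tcp"):
    """The matching actionunban rule: delete exactly the rule ban_command added."""
    return (f"iptables -t nat -D {chain} -p {protocol} -s {ip} "
            f"-j REDIRECT --to-ports {port}")


if __name__ == "__main__":
    failures = find_auth_failures(SAMPLE_LOG)
    print(f"{len(failures)} auth failures found")
    for ip in ban_candidates(failures):
        print(ban_command(ip))
```

With the defaults, 203.0.113.7 is redirected after its third 407 within a few seconds, while 192.0.2.9, whose failures are spread more than findtime apart, is left alone. Keep in mind that every proxy-auth handshake starts with a 407 challenge before the client sends credentials, so legitimate users also produce TCP_DENIED/407 lines; set maxretry above the normal handshake churn of one client before enabling the jail.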
I hope it will help others to improve their service.
With this release I recommend a nice tutorial video about DDoS from Krassimir Tzvetanov, A10 Networks, Inc.
This talk covers the principles and particular implementations of DDoS. It goes into detail on the bottlenecks that are generally exploited or overloaded, the attack types, and the solutions to those.
Or a local mirror at:
Tutorial: Denial of Service 101
A note: starting with this RPM release, the CentOS 7 RPM replaces the SysV init script with a systemd unit that can monitor squid. The unit requires a helper script to make sure that systemd does not halt the system before squid has been able to shut down properly (squid takes up to its shutdown_lifetime to close client connections cleanly, and a unit stop that times out would kill it first).
Also, the default number of open file descriptors per process is set to 16384 in the unit (systemd's LimitNOFILE= setting). If you want to change it, use one of the two options mentioned on the systemd mailing list:
solution 1: override the unit file (a drop-in override of the unit rather than editing the packaged file, so the change survives the next RPM upgrade)
solution 2: override the relevant service variable
Either way, run systemctl daemon-reload afterwards. The switch to the systemd unit file is only noticed when stopping, restarting, upgrading or doing any other stop-related operation on the unit.
More details about the repository at squid-wiki.
All The Bests,