I am happy to release the new RPMs of squid 3.5.8 for Centos 6 64bit, 32bit and CentOS 7 64bit.<\/p>\n
The new release includes couple bug fixes and improvements. Do we need to protect squid?<\/p>\n Squid comes also to protect other applications but the past lessons teach us that squid like any other software is vulnerable. It can act as an internal management service inside a company or an external service connecting an external network to some internal systems. An example fail2ban action file: “action.d\/iptables-redirect.conf”<\/p>\n I hope it will help others to improve their service.<\/p>\n In this release I will recommend about a nice tutorial video about DDOS from Krassimir Tzvetanov, A10 Networks, Inc. https:\/\/www.youtube.com\/watch?v=POFEMlQw6Rc<\/p>\n Or a local mirror at: A note: From this RPM release for the CentOS 7 RPM I have replaced the sysV init script with a systemd scripts that can monitor squid but requires a special script to make sure that systemd will not halt the system before squid was able to shutdown properly. More details about the repository at squid-wiki<\/a>.<\/p>\n All The Bests, I am happy to release the new RPMs of squid 3.5.8 for Centos 6 64bit, 32bit and CentOS 7 64bit. The new release includes couple bug fixes and improvements. The details about the the RPMs repository are at squid-wiki. * couple important notes about this release in the end of the article Do we need … Continue reading Squid 3.5.8 RPMs release<\/span>
\nThe details about the the RPMs repository are at squid-wiki<\/a>.
\n* couple important notes about this release in the end of the article<\/p>\n
\nPlaces that use squid do not always say they do but universities is one of the users of squid around the internet. Most of them give access to some internal system using a user credentials, a single sign-on pass or other authentication methods. In all of these places there is a chance that some hacker will try to hack the proxy and use it to access these internal systems or to access the internet through it. The basics to defend a proxy service is to block clients which are using wrong authentication credentials.
\nIn most cases the basic act would be to just DROP the IP traffic in the firewall. I do not think it’s a bad way but I do think that using some iptables DNAT\\REDIRECT rule instead of DROPPING the connection\u00a0 is kind of nicer. especially if it’s a system that gives users access to work or office applications and systems.
\nFail2ban is one of the great tools to allow the proxy to defend itself(using squid access.log) from basic attacks. And of-course depends on the sensitivity of the system a DROP rule can be the right solution to mitigate the effect of some attackers.
\nIf you would choose to give the blocked user some information about his situation and who to contact about it please use a very lightweight http service that can take load and use 100% static pages for that purpose.(IE don’t use apache with PHP in it).
\nFor this action you would require a special action from fail2ban in the mangle table of iptables.<\/p>\n# Fail2Ban configuration file\r\n#\r\n# Author: Cyril Jaquier\r\n# Modified by Yaroslav Halchenko for multiport banning\r\n# Modified by Eliezer Croitoru for DNAT into a ban page\\service\r\n\r\n[INCLUDES]\r\nbefore = iptables-common.conf\r\n\r\n[Definition]\r\nactionstart = <iptables> -t nat -N f2b-<name>\r\n <iptables> -t nat -A f2b-<name> -j <returntype>\r\n <iptables> -t nat -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\r\n\r\nactionstop = <iptables> -t nat -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\r\n <iptables> -t nat -F f2b-<name>\r\n <iptables> -t nat -X f2b-<name>\r\n\r\nactioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'\r\n\r\nactionban = <iptables> -t nat -I f2b-<name> 1 -p <protocol> -s <ip> -j REDIRECT --to-ports 8080\r\n\r\nactionunban = <iptables> -t nat -D f2b-<name> -p <protocol> -s <ip> -j REDIRECT --to-ports 8080\r\n\r\n[Init]<\/pre>\n
\nThis talk covers the principles and particular implementations of DDoS. It goes in detail as to what are the bottlenecks that are generally exploited\/overloaded, the attack types and the solutions to those.<\/p>\n
\nTutorial: Denial of Service 101<\/a><\/p>\n
\nAlso the default number of open file descriptors per process is set to 16384 and if you want to change it use one of the two options that are mentioned in the systemd mailing list :
\nsolution 1, override the unit file<\/a>
\nsolution 2, override the service relevant variable<\/a>
\nThe upgrade into the systemd unit file will be reflected when stopping, restarting, upgrading or any other stop related usage of the unit.<\/p>\n
\nEliezer Croitoru<\/p>\n","protected":false},"excerpt":{"rendered":"