Hello Squid users all, I have a bad situation partially resolved: the past few days I have been blind-sided by a Trojan based browser hijacking. A script from Trendmicro has allowed me to navigate the net w/o being redirected to a porn site or similar. Notwithstanding I can see from running wireshark the culprit that Trendmicro has not found the signature to as of yet. I am running: a Linux router/gateway, heavily firewalled (iptables) but with the attack I installed Squid. I created two system files with ACLs to match: bad_src_ip and bad_url_regex. From the Linux box ps shows that squid is running but the logs show no activity at all albeit OK access or error. Moreover, I can ping and tracert to the URLs and IPs I think I am blocking. Do I need to be a master of cache proxies to run Squid? An excerpt of my squid.conf is included below in case anyone has any ideas. I looked at redirection (3128) such as Shallalist and other blacklist but I would rather just create my own ACLs
that work. Thanks in advance and please advise, David.
***************************************************************
ACL list
***************************************************************
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports_unreg port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # Tomcat 8080
acl Safe_ports port 8082 # Tomcat proxy redirect
acl Safe_ports port 8009 # Tomcat ajp port
acl CONNECT method CONNECT
acl webmin port 10000
acl usermin port 20000
acl LAN myip 192.168.1.1-192.168.1.254
acl Network_DNS srcdomain www.demon.net www.menandmice.com www.network-tools.com
acl davidbrownhosts dstdomain www.davidwbrown.name www.deanbrown.name www.karlbrown.name
acl tomcat urlpath_regex pebble
acl our_networks src 192.168.1.0/24
************************************************************************
Proxy restriction list
************************************************************************
acl bad_src_ip src "/usr/local/etc/squid/bad_src_ip_list"
acl bad_url_regex url_regex -i "/usr/local/etc/squid/bad_url_regex_list"
#acl iana_named_ports port "/usr/local/etc/squid/iana_named_ports_list"
http_access deny manager
http_access deny !Safe_ports_unreg
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow our_networks
http_access allow our_networks
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny bad_url_regex
http_access deny bad_src_ip
http_access deny all
Received on Mon Feb 02 2009 - 21:01:44 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 03 2009 - 12:00:02 MST