Re: Squid lameness.

From: Allen Smith <easmith@dont-contact.us>
Date: Wed, 15 Jul 1998 07:49:28 -0400

On Jul 14, 8:52am, Bertold Kolics (possibly) wrote:

> Secondly, the access to dangerous services can be easily denied by the
> cache if you use appropriate access control lists. It may be reasonable
> to use these ACLs as a default configuration in the squid distribution.
>
> (By default squid denies connection to the echo, discard and chargen
> ports). The only thing a cache administrator has to do is to add some
> ports to the existing Dangerous_ports acl in the squid.conf file.
>
> For example (I added telnet, smtp, pop-2, pop-3 and imap).
>
> acl Dangerous_ports port 7 9 19 23 25 109 110 143

An alternative, and safer, method is to run a redirector that checks
to see if the port is a non-standard port (i.e., not http, gopher, et
al) below 1024; most exploitable stuff runs at a below-1024 port. If
it finds this is the case, it refers the person to some variety of
not-available page.

        -Allen

-- 
Allen Smith				easmith@beatrice.rutgers.edu
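[Added example, not part of the archived thread and not Squid's own code: a minimal redirector of the kind Allen describes, written in Python. It assumes the classic Squid 2.x redirector protocol (one request per line on stdin, "URL client-ip/fqdn ident method", answered with either a replacement URL or a blank line), and that `STANDARD_LOW_PORTS` and the `NOT_AVAILABLE_URL` placeholder are tuned by the cache administrator; newer Squid url_rewrite_program formats differ.]

```python
#!/usr/bin/env python3
"""Squid-style redirector: requests aimed at a non-standard port below 1024
are sent to a 'not available' page; everything else passes through.
Added example, not the Squid project's code or the poster's own script."""
import sys
from urllib.parse import urlsplit

# Sub-1024 ports ordinary proxy traffic legitimately uses (assumption: this
# mirrors the low part of Squid's default Safe_ports: http, ftp, gopher,
# https, wais). Anything else below 1024 is treated as dangerous.
STANDARD_LOW_PORTS = {80, 21, 70, 443, 210}

# Placeholder; point this at a real page on the cache's own web server.
NOT_AVAILABLE_URL = "http://proxy.example.invalid/not-available.html"

# Default port per scheme, used when the URL carries no explicit port.
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21,
                       "gopher": 70, "wais": 210}

MALFORMED = -1  # sentinel for a URL whose port part does not parse


def request_port(url):
    """Port the request targets: explicit port, else the scheme default,
    else None (unknown scheme), or MALFORMED for a garbage port string."""
    parts = urlsplit(url)
    try:
        port = parts.port            # None when no ':port' is present
    except ValueError:               # e.g. 'http://host:abc/'
        return MALFORMED
    if port is None:
        port = SCHEME_DEFAULT_PORT.get(parts.scheme.lower())
    return port


def is_dangerous(url):
    """True when the URL goes to a port below 1024 that is not a standard
    proxy port. Malformed ports fail closed; unknown schemes are left alone."""
    port = request_port(url)
    if port == MALFORMED:
        return True
    if port is None:
        return False
    return port < 1024 and port not in STANDARD_LOW_PORTS


def rewrite(line):
    """Handle one redirector input line ('URL client/fqdn ident method').
    Returns the replacement URL, or '' meaning 'leave the request as is'."""
    fields = line.split()
    if not fields:
        return ""
    return NOT_AVAILABLE_URL if is_dangerous(fields[0]) else ""


def main():
    # Squid sends one request at a time and waits for each answer, so the
    # reply must be flushed immediately or the proxy stalls.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With this in place a request for http://host:25/ or http://host:110/ is answered with the not-available page, while http://host/, https://host/ and high ports such as :8080 pass through untouched; the ACL approach in the quoted text and this redirector can be combined, since the ACL denies outright and the redirector explains why.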
	
Received on Wed Jul 15 1998 - 04:56:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:07 MST