Re: The Hunt for RingZero (port 3128 scanning worm/trojan)

From: Tilman Schmidt <Tilman.Schmidt@dont-contact.us>
Date: Fri, 19 Nov 1999 11:23:49 +0100

At 11:07 18.11.99 -0800, Andrew Daviel wrote:
>The SANS institute has been accepting reports of scanning activity on port
>3128. It seems this is caused by a fairly sophisticated network virus.
>
>On our lightly-loaded Squid (we don't enforce its use), recently about
>30% of all access was denied (i.e. from offsite). No-one has asked
>to subscribe to our cache, so it looks like this activity might
>all be attributed to RingZero or other scanning activity.
>
>One possibility, I suppose, is to move from 3128 to another port...

Security by obscurity that would be. I'd rather properly secure port 3128
than move it to a different port number in the hope of hiding it from
hackers. All your users know that port number and/or your proxy.pac script
openly announces it; how can you hope to keep it secret from the bad guys?

If you do not offer access to your Squid from off-site, block port 3128
on your firewall and be done with it. That's what I do here. Much safer
than changing the port number, anyway.

-- 
Tilman Schmidt          E-Mail: Tilman.Schmidt@sema.de (office)
Sema Group Koeln, Germany       tilman@schmidt.bn.uunet.de (private)
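As an added example that is not part of the original thread, the following Python script makes the measurement Andrew describes: it parses Squid's native access.log format (timestamp, elapsed ms, client IP, result/status, ...), counts TCP_DENIED entries, and reports how many of the denials come from clients outside the networks the proxy is meant to serve. The internal network list and the log lines are constructed for this example and are not real traffic.

```python
"""Measure how much of a Squid access.log is denied off-site traffic.

Added example, not code from the original mailing-list thread. It assumes
Squid's native access.log layout (timestamp, elapsed ms, client IP,
result_code/status, size, method, URL, ...) and a constructed list of
internal networks; everything else counts as "off-site".
"""
import ipaddress

# Assumption for the example: these are the site's own networks.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in Squid native log format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
942952345.123    150 192.168.1.5 TCP_MISS/200 2345 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
942952350.456      2 203.0.113.9 TCP_DENIED/403 1120 GET http://www.example.com/ - NONE/- text/html
942952351.789      1 198.51.100.77 TCP_DENIED/403 1120 CONNECT www.example.com:443 - NONE/- -
942952360.000    320 10.0.0.23 TCP_HIT/200 5120 GET http://www.example.com/logo.gif - NONE/- image/gif
942952365.111      1 192.168.1.5 TCP_DENIED/403 1120 GET http://blocked.example/ - NONE/- text/html
942952370.222      0 203.0.113.9 TCP_DENIED/403 1120 GET http://www.example.com/ - NONE/- text/html
"""


def parse_line(line):
    """Return (client_ip, result_code) for one native-format line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        client = ipaddress.ip_address(fields[2])
    except ValueError:
        return None
    result_code = fields[3].split("/", 1)[0]   # "TCP_DENIED" from "TCP_DENIED/403"
    return client, result_code


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the client address falls inside one of the served networks."""
    return any(addr in net for net in nets)


def summarize(log_text, nets=INTERNAL_NETS):
    """Count requests and denials, and the share of denials from off-site clients."""
    stats = {"total": 0, "denied": 0, "offsite_total": 0, "offsite_denied": 0}
    offsite_clients = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, code = parsed
        stats["total"] += 1
        denied = code == "TCP_DENIED"
        if denied:
            stats["denied"] += 1
        if not is_internal(client, nets):
            stats["offsite_total"] += 1
            offsite_clients.add(str(client))
            if denied:
                stats["offsite_denied"] += 1
    stats["offsite_clients"] = sorted(offsite_clients)
    stats["denied_share"] = stats["denied"] / stats["total"] if stats["total"] else 0.0
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} requests, {s['denied']} denied ({s['denied_share']:.0%}); "
          f"{s['offsite_denied']} of the denials came from off-site clients: "
          f"{', '.join(s['offsite_clients'])}")
```

Run against a real access.log (`summarize(open("/var/log/squid/access.log").read())`) with INTERNAL_NETS set to the networks you actually serve. If nearly all denials come from off-site addresses, that is the traffic Tilman's advice addresses: it should be dropped at the firewall before it ever reaches Squid, and Squid's own `http_access` rules should still deny it as a second line of defence.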
Received on Fri Nov 19 1999 - 03:44:39 MST

This archive was generated by hypermail pre-2.1.9 : Wed Apr 09 2008 - 11:57:32 MDT