ons 2003-02-12 klockan 11.55 skrev Gavin Hamill:
> For example, here 'a solution' would be to search the squid logs for any
> CONNECT methods on port 443, and try to establish an SSL connection and "GET
> /".
>
> If it really is a webserver, then it will at least reply with an HTTP message.
> If not, then you know you can add a firewall rule or squid ACL against that
> host :)
For the record: People who insists on hiding themselves easily puts up a
dummy web page there making it look like a real https:// site..
The with no doubt best method in the long run is to
1. Have a agreed policy of use
2. which defines actions taken if the user is violating the policy
3. and to actively enforce the policy by periodically auditing the use
of the service and noticeable carry out the actions defined in 2 when
abuse is found.
Using filters and blocks is best viewed as a good tool for keeping users
aware of the policy and that they are violating the policy when doing
bad things.. To achieve this goal make use of deny_info to give a harsh
message to the user about policy breach when they try to perform actions
which have been blocked by policy..
Using filters and blocks alone without being backed by a policy of use
is kind of pointless, as all it leads to is a battle between blocking
such services and such services trying to hide themselves from filters..
Regards
Henrik
-- Henrik Nordstrom <hno@squid-cache.org> MARA Systems AB, SwedenReceived on Wed Feb 12 2003 - 07:18:45 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:20 MST