Re: [squid-users] squid hardening - weird behaviour

From: <devzero@dont-contact.us>
Date: Fri, 12 Oct 2007 09:37:06 +0200

Hello Amos,

many thanks for your hints!
very valuable!

> squidclient mgr:filedescriptors
> will give you a list of all sockets and pipes squid has currently open and
> which module is using it.

here is the output from my system:

Active file descriptors:
File Type     Tout    Nread *  Nwrite * Remote Address         Description
---- ------   ---- -------- -------- ---------------------  ------------------------------
   3 Log         0        0        0                        /var/log/squid/cache.log
   5 Socket      0     2625     1393 .0                     DNS Socket
   6 File        0        0    52767                        /var/log/squid/access.log
   7 Pipe        0        0        0                        unlinkd -> squid
   8 File        0        0    47879                        /var/log/squid/store.log
   9 File        0        0     5904                        /var/cache/squid/swap.state
  10 Pipe        0        0        0                        squid -> unlinkd
  11 Socket   1440      70*       0 10.0.0.1.37335         cache_object://10.0.0.1/filedescriptors
  12 Socket      0       0*       0 .0                     HTTP Socket

vmhost:~ # netstat -anp |grep squid
tcp 0 0 10.0.0.60:3128 0.0.0.0:* LISTEN 6408/(squid)
udp 0 0 0.0.0.0:34810 0.0.0.0:* 6408/(squid)
unix 2 [ ] DGRAM 393012150 6406/squid
unix 2 [ ] DGRAM 393012149 6408/(squid)

weird, i don't see any listening socket with squidclient - i would have expected 3128 and 34810 here !?

> > would it help if i update to most recent squid release ?
>
> If you are after paranoid security, the latest stable release of 2.6.
> There are security advisories out for releases as recent as 2.6s11. Some
> potential loopholes we have fixed as recently as 2.6s17.

mh, maybe the version i'm using is just too old. i think i will update for features/bugfixes
and compare. if i use squid only from the internal network, and close all ports to the outside,
an update because of security doesn't really matter for me.

regards
roland

> ----- Original message -----
> From: "Amos Jeffries" <squid3@treenet.co.nz>
> Sent: 12.10.07 01:36:32
> To: devzero@web.de
> CC: squid-users@squid-cache.org
> Subject: Re: [squid-users] squid hardening - weird behaviour

>
> > Hello,
> >
> > i'm somewhat new to squid "in depth" configuration and need some advice.
> >
> > i run an older squid release on a multi-homed system which connects to the
> > internet on the first interface,
> > to the local net (10.0.0.0) on the second interface (10.0.0.1)
> >
> > for hardening purposes i configured squid to bind to the internal interface
> > only (10.0.0.1:3128) and disabled
> > all additional ports (icp_port etc.)
> >
> > now, there is one open port left and i'm not sure what the purpose of
> > this is:
> >
> > udp 0 0 0.0.0.0:34806 0.0.0.0:* 6593/(squid)
> >
> > why does squid listen to udp requests ?
>
> - maybe pinger. Sends/accepts ICMP to measure traffic flows for balancing.
> - maybe DNS. squid needs to resolve destination addresses. It uses
> DNS-UDP for this.
>
> squidclient mgr:filedescriptors
> will give you a list of all sockets and pipes squid has currently open and
> which module is using it.
> For sockets open to requests it lists the remote hostname from the request.
>
>
> > there seems to be a relation to these params:
> >
> > # udp_incoming_address 0.0.0.0
> > # udp_outgoing_address 255.255.255.255
> >
> > but if i bind the udp port to the internal interface, squid won't resolve names
> > anymore.
> >
> > why this?
>
> The squid.conf docs are bad. These settings are used by ICP, HTCP, syslog,
> and DNS.
> They set the ADDRESS used to send/receive those types of traffic. Each
> has its own port separate from these settings.
>
> You may set it to the internal facing public address of your network for
> extra security.
> BUT, your internal services (DNS resolver, syslogd, ICP/HTCP peers) need
> to be able to communicate with the address(es).
> Specifically for DNS, resolv.conf needs to only contain NS that can talk
> to that address.
>
> >
> > squid.conf says that these params are for icp sockets, not for dns
> >
> > # udp_incoming_address is used for the ICP socket receiving packets
> > # from other caches.
> > # udp_outgoing_address is used for ICP packets sent out to other
> > # caches.
> >
> > any hints how to disable this port for listening or binding to internal
> > interface only ?
>
> Locate the module using it and check the options for that module.
>
> >
> > would it help if i update to most recent squid release ?
>
> If you are after paranoid security, the latest stable release of 2.6.
> There are security advisories out for releases as recent as 2.6s11. Some
> potential loopholes we have fixed as recently as 2.6s17.
>
> Amos
>
>
>

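As an added example (not code from the thread or from the Squid project), a small Python check that pairs the two outputs quoted above: it picks the listener sockets out of the fd table by their empty remote address, and flags squid sockets that netstat shows bound to 0.0.0.0 so they can be matched to a module and tightened. The sample text is copied from the thread; matching the process on the name "squid" and reading ".0" as "no remote peer" are assumptions about this squid version's output.

```python
# Added example (not from the thread): reconcile "squidclient mgr:filedescriptors"
# with netstat so a wildcard UDP bind can be attributed to a squid module.

# Constructed copies of the two outputs quoted in the thread.
FD_TABLE = """\
Active file descriptors:
File Type Tout Nread * Nwrite * Remote Address Description
---- ------ ---- -------- -------- --------------------- ------------------------------
   3 Log 0 0 0 /var/log/squid/cache.log
   5 Socket 0 2625 1393 .0 DNS Socket
  11 Socket 1440 70* 0 10.0.0.1.37335 cache_object://10.0.0.1/filedescriptors
  12 Socket 0 0* 0 .0 HTTP Socket
"""

NETSTAT = """\
tcp 0 0 10.0.0.60:3128 0.0.0.0:* LISTEN 6408/(squid)
udp 0 0 0.0.0.0:34810 0.0.0.0:* 6408/(squid)
unix 2 [ ] DGRAM 393012150 6406/squid
"""

def listening_sockets(fd_table):
    """Map fd -> module description for sockets with no remote peer.

    Assumption: squid prints '.0' (no address, port 0) for a bound socket
    that is only waiting for traffic; those are the listeners, even though
    the fd table does not show the local port.
    """
    listeners = {}
    for line in fd_table.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[1] == "Socket" and parts[5] == ".0":
            listeners[int(parts[0])] = " ".join(parts[6:])
    return listeners

def wildcard_binds(netstat, process="squid"):
    """Return (proto, port) for the process's TCP/UDP sockets bound to all interfaces."""
    found = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue  # skip unix sockets and anything malformed
        if process not in parts[-1]:
            continue
        addr, port = parts[3].rsplit(":", 1)
        if addr in ("0.0.0.0", "::", "*"):
            found.append((parts[0], int(port)))
    return found

if __name__ == "__main__":
    print("squid modules holding listener sockets:", listening_sockets(FD_TABLE))
    print("bound to all interfaces (candidates for udp_incoming_address):", wildcard_binds(NETSTAT))
```

With the thread's data the only wildcard bind is udp/34810, and the only UDP listener the fd table knows about is fd 5 "DNS Socket", which is the attribution Amos suggested.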
Received on Fri Oct 12 2007 - 01:41:36 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT