Re: [squid-users] auto blacklist users

From: ian j hart <ianjhart@dont-contact.us>
Date: Sat, 8 Dec 2007 12:10:13 +0000

On Saturday 08 December 2007 01:40:15 dhottinger@harrisonburg.k12.va.us wrote:
> Quoting ian j hart <ianjhart@ntlworld.com>:
> > On Friday 07 December 2007 23:49:35 Amos Jeffries wrote:
> >
> > [Apologies in advance if I've misunderstood anything, it's late (early)
> > and I'm somewhat brain dead. This time zone thing's a killer]
> >
> >> ian j hart wrote:
> >> > On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
> >> >> So if I get this right, you'd like to log the acl list that passed or
> >> >> failed the user?
> >> >>
> >> >>
> >> >>
> >> >> Adrian
> >> >
> >> > Near enough.
> >> >
> >> > I want to log the aclname (or custom error page name) and the
> >> > username. I'll probably want the url in short order, followed by
> >> > anything else that proves useful.
> >> >
> >> > I want to do this for users who are denied access.
> >> >
> >> > [The more general solution you state above would probably be okay too.
> >> > I might need to add DENY/ACCEPT so I can include that in the regexp.]
> >> >
> >> > <tangent>
> >> > Here's an example of how this might be generally useful. I have three
> >> > different proxy ACLs.
> >> >
> >> > A url_regexp
> >> > A dstdomain list harvested from a popular list site
> >> > A "daily" list gleaned from yesterday's access summary
> >>
> >> Problem:
> >> If a student can get through all day today what's to stop them?
> >
> > Nothing. But here's what I hope will happen. (I probably shouldn't reveal
> > this, but what the hey).
>
> I've missed most of this discussion. But it sounds like you may have
> gotten this to work.

Sorry to disappoint but as of this time there isn't even a single line of
code/script. There's half a line of a squid patch. I had a whole line but I
lost the patch when I deleted my ports tree :(

OTOH the first draft will be shell script and Perl so it shouldn't take too
long.

We have two full weeks left, I'm hoping to have the logging part running by
Monday. This will be useful in itself.

The current design (such as it is) will require squid -k reconfigure at
regular intervals. This may not suit everyone.

> Is there a recap?

You can catch up here. All the messages are there except the one you replied
to.

http://www.squid-cache.org/mail-archive/squid-users/200712/

> I'd really like to see your
> squid.conf (at least snippets that pertain to this).

There's no magic there.

> Are you running a
> transparent proxy?

No.

> Do you run any kind of commercial filter?

No, but our ISP provides a service. They don't seem to be chasing proxy sites
tho' which makes the rest of their filters kind of useless.

> I've
> been struggling with this same thing. Now I catch this through my
> snort logs, and looking at access_logs for denied hits. I also block
> quite a few sites at my firewall, but it is impossible to stop. I do
> seem to have more support from administration than you.

Those that understand the problem are very supportive.

Are you district admin, or just one school like me?

Cheers

-- 
ian j hart
Received on Sat Dec 08 2007 - 05:10:30 MST
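
The message above mentions watching access logs for denied hits and a design that needs squid -k reconfigure at regular intervals. The following is an added example, not code from this thread or from the Squid project, of one way such a loop could be scripted. It assumes Squid's native access.log format with proxy authentication, so that field 8 holds the user name; the function names, the threshold and the ACL file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Squid's native access.log layout:
#   1 time  2 elapsed  3 client  4 result/status  5 bytes
#   6 method  7 URL  8 user  9 hierarchy/peer  10 content type

# denied_users THRESHOLD < access.log
# Prints "user count" for each authenticated user with at least THRESHOLD
# denied requests. 407 auth challenges and user "-" are skipped, since they
# carry no identity.
denied_users() {
    awk -v min="$1" '
        $4 ~ /^TCP_DENIED\// && $4 !~ /\/407$/ && $8 != "-" { hits[$8]++ }
        END { for (u in hits) if (hits[u] >= min) print u, hits[u] }
    ' | sort
}

# write_blacklist THRESHOLD LOGFILE ACLFILE   (hypothetical helper)
# Rewrites ACLFILE, one user per line. Returns 0 if the list changed and
# 1 if not, so a cron job runs "squid -k reconfigure" only when needed.
# ACLFILE would be read by e.g.:  acl blacklisted proxy_auth "ACLFILE"
write_blacklist() {
    tmp="$3.tmp.$$"
    denied_users "$1" < "$2" | cut -d' ' -f1 > "$tmp"
    if [ -f "$3" ] && cmp -s "$tmp" "$3"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$3"
}

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
1197115801.123     45 10.0.0.21 TCP_DENIED/407 1720 GET http://proxy.example/ - NONE/- text/html
1197115802.456     12 10.0.0.21 TCP_DENIED/403 1450 GET http://proxy.example/ alice NONE/- text/html
1197115803.001     10 10.0.0.21 TCP_DENIED/403 1450 GET http://proxy2.example/ alice NONE/- text/html
1197115804.777     11 10.0.0.21 TCP_DENIED/403 1450 GET http://proxy3.example/ alice NONE/- text/html
1197115805.100    230 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.org/ bob DIRECT/192.0.2.10 text/html
1197115806.200      9 10.0.0.22 TCP_DENIED/403 1450 GET http://proxy.example/ bob NONE/- text/html
EOF
}

# Demo: users with three or more denied requests in the sample.
sample_log | denied_users 3
```
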

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST