Re: [squid-users] auto blacklist users

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sun, 09 Dec 2007 20:03:24 +1300

dhottinger@harrisonburg.k12.va.us wrote:
> Quoting ian j hart <ianjhart@ntlworld.com>:
>
>> On Friday 07 December 2007 23:49:35 Amos Jeffries wrote:
>>
>> [Apologies in advance if I've miss-understood anything, it's late
>> (early) and
>> I'm somewhat brain dead. This time zone thing's a killer]
>>
>>> ian j hart wrote:
>>> > On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
>>> >> So if I get this right, you'd like to log the acl list that passed or
>>> >> failed the user?
>>> >>
>>> >>
>>> >>
>>> >> Adrian
>>> >
>>> > Near enough.
>>> >
>>> > I want to log the aclname (or custom error page name) and the
>>> username.
>>> > I'll probably want the url in short order, followed by anything
>>> else that
>>> > proves useful.
>>> >
>>> > I want to do this for users who are denied access.
>>> >
>>> > [The more general solution you state above would probably be okay
>>> too. I
>>> > might need to add DENY/ACCEPT so I can include that in the regexp.]
>>> >
>>> > <tangent>
>>> > Here's an example of how this might be generally useful. I have thee
>>> > different proxy ACLs.
>>> >
>>> > A url_regexp
>>> > A dstdomain list harvested from a popular list site
>>> > A "daily" list gleaned from yesterdays access summary
>>>
>>> Problem:
>>> If a student can get through all day today whats to stop them?
>>
>> Nothing. But here's what I hope will happen. (I probably shouldn't reveal
>> this, but what the hey).
>>
>
>
> Ive missed most of this discussion. But it sounds like you may have
> gotten this to work. Is there a recap? Id really like to see your
> squid.conf (at least snippets that pertain to this). Are you running a
> transparent proxy? Do you run any kind of commercial filter? Ive been
> struggling with this same thing. Now I catch this through my snort
> logs, and looking at access_logs for denied hits. I also block quite a
> few sites at my firewall, but it is impossible to stop. I do seem to
> have more support from administration than you.

Here be mine squid.conf entry:

external_acl_type surbl_test ipv6 ttl=5 negative_ttl=5 %SRC %DST
/etc/squid6/helper/rhsbl.sh multi.surbl.org RHSBL
acl surbl_clean external surbl_test
deny_info
http://treenet.co.nz/errors/squid-404.php?RBL-SURBL-%m&err=%o&url=%s
surbl_clean
http_access deny all !surbl_clean

The helper is a little complex doing a DNSBL re-formatting and lookup
before returning OK/ERR to squid.

FYI: SURBL is an anti-malware RHSBL which lists domains advertised in
Spam or known for malware distribution.
There is no reason particularly why the helper can't do a lookup
elsewhere for a locally built list via another medium.

Amos
Received on Sun Dec 09 2007 - 00:03:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST