Re: [squid-users] auto blacklist users

On Sunday 09 December 2007 07:03:24 Amos Jeffries wrote:
> dhottinger@harrisonburg.k12.va.us wrote:
> > Quoting ian j hart <ianjhart@ntlworld.com>:
> >> On Friday 07 December 2007 23:49:35 Amos Jeffries wrote:
> >>
> >> [Apologies in advance if I've miss-understood anything, it's late
> >> (early) and
> >> I'm somewhat brain dead. This time zone thing's a killer]
> >>
> >>> ian j hart wrote:
> >>> > On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
> >>> >> So if I get this right, you'd like to log the acl list that passed
> >>> >> or failed the user?
> >>> >>
> >>> >>
> >>> >>
> >>> >> Adrian
> >>> >
> >>> > Near enough.
> >>> >
> >>> > I want to log the aclname (or custom error page name) and the
> >>>
> >>> username.
> >>>
> >>> > I'll probably want the url in short order, followed by anything
> >>>
> >>> else that
> >>>
> >>> > proves useful.
> >>> >
> >>> > I want to do this for users who are denied access.
> >>> >
> >>> > [The more general solution you state above would probably be okay
> >>>
> >>> too. I
> >>>
> >>> > might need to add DENY/ACCEPT so I can include that in the regexp.]
> >>> >
> >>> > <tangent>
> >>> > Here's an example of how this might be generally useful. I have thee
> >>> > different proxy ACLs.
> >>> >
> >>> > A url_regexp
> >>> > A dstdomain list harvested from a popular list site
> >>> > A "daily" list gleaned from yesterdays access summary
> >>>
> >>> Problem:
> >>> If a student can get through all day today whats to stop them?
> >>
> >> Nothing. But here's what I hope will happen. (I probably shouldn't
> >> reveal this, but what the hey).
> >
> > Ive missed most of this discussion. But it sounds like you may have
> > gotten this to work. Is there a recap? Id really like to see your
> > squid.conf (at least snippets that pertain to this). Are you running a
> > transparent proxy? Do you run any kind of commercial filter? Ive been
> > struggling with this same thing. Now I catch this through my snort
> > logs, and looking at access_logs for denied hits. I also block quite a
> > few sites at my firewall, but it is impossible to stop. I do seem to
> > have more support from administration than you.
>
> Here be mine squid.conf entry:
>
> external_acl_type surbl_test ipv6 ttl=5 negative_ttl=5 %SRC %DST
> /etc/squid6/helper/rhsbl.sh multi.surbl.org RHSBL
> acl surbl_clean external surbl_test
> deny_info
> http://treenet.co.nz/errors/squid-404.php?RBL-SURBL-%m&err=%o&url=%s
> surbl_clean
> http_access deny all !surbl_clean
>

Okay, I'm having a look at this now.

I'm using 2.6.17 on FreeBSD 6.2 (i386)

No problem with %s.

%o works in an error page but not as used above.

%m doesn't seem to be documented.

>
> The helper is a little complex doing a DNSBL re-formatting and lookup
> before returning OK/ERR to squid.
>
> FYI: SURBL is an anti-malware RHSBL which lists domains advertised in
> Spam or known for malware distribution.
> There is no reason particularly why the helper can't do a lookup
> elsewhere for a locally built list via another medium.
>
>
> Amos

-- 
ian j hart