Section 4.9 Stop Squid from Inking Out Their Trail

[Danger level icon: three]

Squid is a popular free open source Web proxy cache.[4] It allows a system to cache HTTP, FTP, and Gopher content and the related DNS entries, and it supports proxying of HTTPS. By caching (temporarily storing) the Web pages your users access most often, Squid can reduce your network's Internet bandwidth requirements dramatically and improve performance at the same time.

[4] The Squid Web site is www.squid-cache.org/, where you may download source and documentation.

By default, Squid will let anyone on any system in the world point their browser at it and make requests. Some distributions now include it with no access list to prevent this; Red Hat is one such distribution. The request to the Web server will show as coming from Squid, not from the actual user. This causes you two problems. If the "squatter" is up to serious no good, the logs from the Web server will point to your system. This might cause your ISP to shut your Internet connection down first and ask questions later.

It might even earn you a visit from the folks with guns (law enforcement) and earn you some publicity that you do not want. It also will use your bandwidth twice for each request. Although Squid can pass on information about who seemed to have made the request, a cracker can spoof his source address or use a compromised system, and Squid's "I am just doing it for this other guy" note does not show up in low-level packet traces, which just report IP addresses anyway. The solution is to make use of some rules in Squid's /etc/squid/squid.conf configuration file to limit which systems it will accept client requests from. In some installations, this file is in /usr/local/squid/etc instead.

You also may implement rules to limit which Web servers it will allow connections to, and it will do some content filtering of URLs too. The Squid FAQ (Frequently Asked Questions) has links for some filtering rules that will block out many sites of an adult nature by matching words of an adult nature. Many of these adult sites, in turn, are getting around that by using the HTTP feature of "%" hexadecimal encoding, where a percent sign is followed by two hexadecimal digits representing the ASCII value of a character in the URL. One solution would be to use the content filtering to block URLs with "%" characters in them. A better solution is to enhance Squid to "unhex" these sequences before doing the pattern matching for illegal URLs. A program for unhexing such text hidden by %xy encoding is provided in "Unhexing Encoded URLs" on page 290.
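As an added illustration (not the book's unhexing program from page 290, nor Squid's own code), the following Python decodes %xy sequences before the blocklist match, and goes one step beyond the text by repeating the decode a bounded number of times so that nested encoding is caught as well; the blocklist word, the round limit and the sample URLs are constructed for the example.

```python
import re

# Added example (not the book's program or Squid's code): decode %xy
# sequences before matching a URL against a word blocklist, so that
# "%61dult" is compared as "adult". Decoding is repeated a bounded number
# of times so that a doubly encoded "%2561dult" is caught as well.

HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")
MAX_ROUNDS = 3   # assumption: deeper nesting than this is treated as obfuscation

def unhex_once(text):
    """Replace every %xy with the character it encodes; leave malformed % alone."""
    return HEX2.sub(lambda m: chr(int(m.group(1), 16)), text)

def normalise_url(url):
    """Decode until stable; return (lower-cased result, decode rounds needed)."""
    current = url
    for rounds in range(MAX_ROUNDS + 1):
        decoded = unhex_once(current)
        if decoded == current:
            return current.lower(), rounds
        current = decoded
    return current.lower(), MAX_ROUNDS + 1   # still changing after the limit

def is_blocked(url, words=("adult",)):      # constructed blocklist
    """True if a listed word appears in the decoded URL, or if the URL is
    encoded more deeply than MAX_ROUNDS allows."""
    decoded, rounds = normalise_url(url)
    return rounds > MAX_ROUNDS or any(w in decoded for w in words)
```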

A rule in your firewall to allow only Squid to access ports 80 (http) and 443 (https) outside your organization will prevent users sidestepping your Squid rules.

For more powerful content filtering, install SquidGuard, which works with Squid. It is available at www.squidguard.org/.

See also "Stateful Firewalls" on page 510.


The following entries in /etc/squid/squid.conf will allow only the systems with the IP addresses of 216.247.56.62 and 216.247.56.63 to use Squid.

    # 'all' must be defined before it is used (newer Squid versions predefine it)
    acl all src 0.0.0.0/0.0.0.0
    acl OK src 216.247.56.62 216.247.56.63
    http_access allow OK
    http_access deny all

Note that all the values of an acl entry are ORed together, and all the acls named on one http_access entry are ANDed together. Thus, you do not want to define each host as a separate acl and then list all of those acls on the same allow line (because the AND of disjoint sets is the empty set).

Like many firewall-related products, Squid allows you to specify how many bits of an address to test, which allows a single rule to match your entire network or a subnet. Also, like firewalls, TCP Wrappers, etc., when a request comes in, the program scans an in-memory copy of the configuration file from the top until it finds the first rule that matches (one that either allows or denies the request), and only that rule determines the action.

The following will allow only the class-B network 216.247.*.*:

    acl OK src 216.247.0.0/255.255.0.0
    acl all src 0.0.0.0/0.0.0.0
    http_access allow OK
    http_access deny all

If you have a firewall, blocking access to Squid's port from sources outside of your network will solve the problem. However, also blocking foreign addresses from within Squid itself will help protect against trouble from someone inside your network with an unauthorized address who is up to no good. Remember that you should have "Rings of Security."

Besides protecting their network from the Internet, everyone has the duty to protect the Internet from problems originating from within their own network.


Squid's default address is TCP port 3128. Note that there has been an increase since spring of 2000 in networks being scanned just for port 3128, clearly looking for this vulnerability. If you do not have a firewall blocking this port, there certainly is no reason to make it easy for crackers by using the default port except that this allows semi-automatic configuration by Netscape. Consider picking a different port. Besides http, Squid also supports https, FTP, Gopher, WAIS, and snews (Network News Transfer Protocol over SSL).

Note that Squid operates as a daemon rather than being invoked by inetd, so you cannot use TCP Wrappers to control which systems it may be accessed from.

Because the downloading of each URL and each image within a page is via a separate TCP connection, were Squid to be invoked via inetd instead of running as a daemon, it would have to be forked dozens or hundreds of times per second. This would be an impractical waste of resources. Additionally, operating as a daemon, it is able to buffer the most popular pages in memory for even more performance improvement and reduction of required resources (disk).

Because Squid is open source, I expect that it would be easy to add support for libwrap.[5] A gold star goes to the person who does this and submits it back to the Squid team for integration.

[5] TCP Wrappers normally operates as a program, tcpd, that is invoked by inetd. This is done by specifying the full pathname for tcpd as the program to supply the service in /etc/inetd.conf. Because this does not work for daemons (daemons are not started from inetd) the libwrap library was created.

Support for TCP Wrappers may be added to any daemon (or other program) by applying simple modifications to its source to call libwrap to decide whether the request should be granted.

Additionally, you can control what ports Squid will connect to. By default it uses the following rules.

    acl Safe_ports port 80 21 443 563 70 210 1025-65535
    http_access deny !Safe_ports

Note that this excludes port 25 (SMTP), which is what sendmail uses. This is to prevent someone from using Squid as a mail relay for spam.[6] This default allows the services shown in Table 4.3.

[6] For more details on spam, see "Drop-Shipping Spam (Relaying Spam)" on page 185.

What is wrong with this picture? The philosophy was to disallow "dangerous" services, such as mail (for relaying spam) and echo (for launching DoS attacks), from the reserved ports of 0 to 1023 and allow 1024-65535. Besides the obvious off-by-one error, there are plenty of dangerous ports above 1023.

Table 4.3. Services Squid Allows by Default

    Port         Service
    80           http
    21           ftp
    443          https
    563          news (NNTP over SSL)
    70           Gopher
    210          WAIS
    1025-65535   "Dynamic and Private"


Various ports in this range are used by Trojan horses that a cracker will install on a compromised system. Do you really want the next DDoS attack that makes national news to be traced to your system?

My suggestion would be to start with

    acl Safe_ports port 80 21 443 563 70 210
    http_access deny !Safe_ports

and allow users to present a case for allowing any other ports. See the CD-ROM for a list of the most popular default cracker ports, as encoded in the ports program source.
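To make the OR/AND/first-match rules of the host acls and the Safe_ports rule concrete, here is an added Python model of Squid's http_access evaluation (written for this section, not Squid's own code); it models only src and port acls, and the WRONG, RIGHT and SAFE configurations are constructed to show the disjoint-acl pitfall and the port restriction.

```python
import ipaddress

# Added model of Squid's http_access evaluation (not Squid's own code):
# acl values are ORed, the acls on one http_access line are ANDed, and the
# first matching line decides. Only "src" and "port" acls are modelled.

def parse_config(text):
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()          # drop comments
        if parts and parts[0] == "acl":                # acl NAME TYPE VALUES...
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":      # http_access ACTION TERMS...
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, src, port):
    kind, values = acls[name]
    if kind == "src":   # any listed host or network matches (OR)
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single ports and lo-hi ranges, as in Safe_ports
        return any(int(v.partition("-")[0]) <= port <= int(v.partition("-")[2] or v)
                   for v in values)
    raise ValueError("acl type not modelled: " + kind)

def http_access(config, src, port):
    acls, rules = parse_config(config)
    for action, terms in rules:          # first matching line wins
        if all(acl_matches(acls, t.lstrip("!"), src, port) != t.startswith("!")
               for t in terms):          # every term on the line must hold (AND)
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # Squid: opposite of last line

# Constructed configs. Two disjoint src acls on one allow line can never both
# match, so WRONG denies both hosts; RIGHT lists both hosts in one acl.
WRONG = """acl all src 0.0.0.0/0.0.0.0
acl HOST1 src 216.247.56.62
acl HOST2 src 216.247.56.63
http_access allow HOST1 HOST2
http_access deny all"""
RIGHT = """acl all src 0.0.0.0/0.0.0.0
acl OK src 216.247.56.62 216.247.56.63
http_access allow OK
http_access deny all"""
SAFE = """acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 21 443 563 70 210
http_access deny !Safe_ports
http_access allow all"""
```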
Real World Linux Security (Prentice Hall PTR Open Source Technology Series)
    Year: 2002
Pages: 260