Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Peter van Dijk <[email protected]>
Date: Thu, 7 Jan 1999 00:37:42 +0100

On Thu, Jan 07, 1999 at 01:06:56AM +0200, Oskar Pearson wrote:
> Hi
>
> > Are there any real bad things (tm) users authorized to use a squid cache
> > could do if I would replace the default Safe_ports acl with
> > something like "acl Safe_ports 1-65535"?
>
> Yes, though what exactly they can do depends on the version of Squid.
>
> With older Squids (1.0) they could do anything from IRC through the server
> (happened to us a few weeks ago) to forge mail.

I am on IRC right now thru my Squid/2.0PATCH2 (and no, I don't use safe_ports
since this proxy is on my intranet and I use it just to test stuff like this :)

Squid/2 does make it harder to forge IRC and mail and all that stuff.. you now
need to specify Content-length and stuff. Also, it buffers the data the IRC
server sends back.

Note that I'm talking about IRC thru POST. If CONNECT is allowed at your
site, it's even easier, because data is not buffered then :)

> The newer Squid limits this kind of stuff a lot more: you may be able to
> get away with it.... up to you. If I did enable random destination port
> access I would set up a cron script that greps for ports outside the ranges
> below every day: just so that you can keep an eye on things.
>
> > --- snip - squid.conf ---
> > acl Safe_ports port 80 21 443 563 70 210 1025-65535
> > http_access deny !Safe_ports
> > --- snap ---

This safe_ports definition will still allow them to IRC thru your proxy, by
the way.

> > xxx
> > Herwig Wittmann <herwig@atnet.at>
> >
> > [1] Usual apologies apply if this posting should be inappropriate -
> > I joined this ML two days ago, but my fellow coworkers at our isp
> > want me to remove the mentioned default restriction, so I decided
> > to post right now :P

Posting seems alright to me :)

> "Haven't slept at all. I don't see why people insist on sleeping. You feel
> so much better if you don't. And how can anyone want to lose a minute -
> a single minute of being alive?" -- Think Twice

How very true. Who needs sleep. Caffeine is your friend. Use Caffeine.

Greetz, Peter.

-- 
<squeezer> AND I AM GONNA KILL MIKE                |          Peter van Dijk
<squeezer> hardbeat, als je nog nuchter bent:      | peter@attic.vuurwerk.nl
<squeezer>   @date = localtime(time);		   |  realtime security d00d
<squeezer>   $date[5] += 2000 if ($date[5] < 37);  | 
<squeezer>   $date[5] += 1900 if ($date[5] < 99);  |    -x- available -x-
Received on Wed Jan 06 1999 - 16:14:48 MST
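Oskar suggests a cron job that greps the log for ports outside the acl ranges, and Peter points out that the quoted acl's 1025-65535 range still lets IRC through. The following is an added example (not code from the thread or from Squid) of such an audit over Squid's native access.log format: it flags destination ports outside the Safe_ports list, and separately flags permitted high ports that carry known non-HTTP services. The watch list, the sample log lines and the scheme-to-port table are constructed for the example.

```python
from urllib.parse import urlsplit
# Port list taken from the acl line quoted in the thread.
SAFE_PORTS_ACL = "80 21 443 563 70 210 1025-65535"
# Constructed watch list: ports that carry non-web protocols, permitted by the acl or not.
WATCH_PORTS = {25: "smtp", 119: "nntp", 6667: "irc"}
SCHEME_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}

def parse_acl_ports(spec):  # "80 21 1025-65535" -> [(80, 80), (21, 21), (1025, 65535)]
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def dest_port(method, url):
    """Destination port of a native-format log request, or None if unknown."""
    if method == "CONNECT":  # CONNECT logs host:port rather than a URL
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    try:
        parts = urlsplit(url)
        return parts.port if parts.port is not None else SCHEME_PORTS.get(parts.scheme)
    except ValueError:  # port in URL is not an integer
        return None

def audit(lines, acl_spec=SAFE_PORTS_ACL, watch=WATCH_PORTS):
    """Return (client, method, port, reason) for each request worth a look."""
    ranges = parse_acl_ports(acl_spec)
    hits = []
    for line in lines:
        f = line.split()  # time elapsed client code/status size method url ...
        if len(f) < 7:
            continue
        client, method, url = f[2], f[5], f[6]
        port = dest_port(method, url)
        if port is None:
            continue
        if not any(lo <= port <= hi for lo, hi in ranges):
            hits.append((client, method, port, "outside Safe_ports"))
        elif port in watch:
            hits.append((client, method, port, "permitted but " + watch[port]))
    return hits

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = [
    "915667200.123    245 10.0.0.5 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/192.0.2.1 text/html",
    "915667201.456   9000 10.0.0.5 TCP_MISS/200 512 POST http://irc.example.net:6667/ - DIRECT/192.0.2.10 text/plain",
    "915667202.789     30 10.0.0.7 TCP_MISS/200 300 CONNECT mail.example.net:25 - DIRECT/192.0.2.20 -",
    "915667203.000     10 10.0.0.7 TCP_MISS/200 200 GET http://intranet.example.com:8080/ - DIRECT/10.0.1.1 text/html",
]
```

Running `audit(SAMPLE_LOG)` reports the POST to port 6667 (allowed by the acl, but IRC) and the CONNECT to port 25 (outside the acl), while the plain GETs to 80 and 8080 pass.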

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST