Re: [squid-users] squid hardening - weird behaviour

From: Amos Jeffries <[email protected]>
Date: Sat, 13 Oct 2007 01:26:26 +1300

devzero@web.de wrote:
> Hello Amos,
>
> many thanks for your hints!
> very valuable!
>
>> squidclient mgr:filedescriptors
>> will give you a list of all sockets and pipes squid has currently open and
>> which module is using it.
>
> here is the output from my system:
>
> Active file descriptors:
> File Type Tout Nread * Nwrite * Remote Address Description
> ---- ------ ---- -------- -------- --------------------- ------------------------------
> 3 Log 0 0 0 /var/log/squid/cache.log
> 5 Socket 0 2625 1393 .0 DNS Socket
> 6 File 0 0 52767 /var/log/squid/access.log
> 7 Pipe 0 0 0 unlinkd -> squid
> 8 File 0 0 47879 /var/log/squid/store.log
> 9 File 0 0 5904 /var/cache/squid/swap.state
> 10 Pipe 0 0 0 squid -> unlinkd
> 11 Socket 1440 70* 0 10.0.0.1.37335 cache_object://10.0.0.1/filedescriptors
> 12 Socket 0 0* 0 .0 HTTP Socket
>
> vmhost:~ # netstat -anp |grep squid
> tcp 0 0 10.0.0.60:3128 0.0.0.0:* LISTEN 6408/(squid)
> udp 0 0 0.0.0.0:34810 0.0.0.0:* 6408/(squid)
> unix 2 [ ] DGRAM 393012150 6406/squid
> unix 2 [ ] DGRAM 393012149 6408/(squid)
>
> weird, i don`t see any listeing socket with squidclient - i would have expected 3128 and 34810 here !?

So did I. Mine shows them. Should have 0.0.0.0.0 (last .0 is port).
Maybe it is slightly different in 2.x than 3.0 in this regard.

Anyway, despite the missing port numbers:
  cache_object://... is squidclient getting the list itself
  that leaves only DNS and HTTP listener TCP/UDP Sockets
  and the two unlinkd pipes (listed as unix by netstat).

So it does appear to be DNS.

Squid will drop any packets received from NS not listed either in
dns_nameservers in squid.conf, or in resolv.conf as your local ones.

Amos

>
>>> would it help if i update to most recent squid release ?
>> If you are after paranoid security. The latest stable release of 2.6.
>> There are a security advisories out for releases as recent as 2.6s11. Some
>> potential loopholes we have fixed as recently as 2.6s17.
>
> mh, maybe the version i`m using is just too old. i think i will update for features/bugfixes
> and compare. if i use squid only from internal network, and close all ports to the outside,
> an update because of security doesn`t really matter for me.
>
> regards
> roland
>
>> -----Urspr�ngliche Nachricht-----
>> Von: "Amos Jeffries" <squid3@treenet.co.nz>
>> Gesendet: 12.10.07 01:36:32
>> An: devzero@web.de
>> CC: squid-users@squid-cache.org
>> Betreff: Re: [squid-users] squid hardening - weird behaviour
>
>
>>> Hello,
>>>
>>> i`m somewhat new to squid "in depth" configuration and need some advice.
>>>
>>> i run an older squid release on a multi-homed system which connects to the
>>> internet on the first interface,
>>> to the local net (10.0.0.0) on the second interface (10.0.0.1)
>>>
>>> for hardening purpose i configured squid to bind to internal interface
>>> only (10.0.0.1:3128) and disabled
>>> all additional ports (icp_port etc.)
>>>
>>> now, there is one open port left and i`m not sure what`s the purpose of
>>> this:
>>>
>>> udp 0 0 0.0.0.0:34806 0.0.0.0:* 6593/(squid)
>>>
>>> why does squid listen to udp requests ?
>> - maybe pinger. Sends/accepts ICMP to measure traffic flows for balancing.
>> - maybe DNS. squid needs to resolve destination addresses. It uses
>> DNS-UDP for this.
>>
>> squidclient mgr:filedescriptors
>> will give you a list of all sockets and pipes squid has currently open and
>> which module is using it.
>> For sockets open to requests it lists the remote hostname from the request.
>>
>>
>>> there seems a relation to this params:
>>>
>>> # udp_incoming_address 0.0.0.0
>>> # udp_outgoing_address 255.255.255.255
>>>
>>> but if i bind udp port to internal interface, squid won`t resolve names
>>> anymore.
>>>
>>> why this?
>> The squid.conf docs are bad. These settings are used by ICP, HTCP, syslog,
>> and DNS.
>> They set the ADDRESS used to send/receive those types of traffic. Each
>> have their own port separate from these settings.
>>
>> You may set it to the internal facing public address of your network for
>> extra security.
>> BUT, your internal services (DNS resolver, syslogd, ICP/HTCP peers) need
>> to be able to communicate with the address(es).
>> Specifically for DNS, resolv.conf needs to only contain NS that can talk
>> to that address.
>>
>>> squid.conf is telling, that this params ar for icp sockets, not for dns
>>>
>>> # udp_incoming_address is used for the ICP socket receiving packets
>>> # from other caches.
>>> # udp_outgoing_address is used for ICP packets sent out to other
>>> # caches.
>>>
>>> any hints how to disable this port for listening or binding to internal
>>> interface only ?
>> Locate the module using it and check the options for that module.
>>
>>> would it help if i update to most recent squid release ?
>> If you are after paranoid security. The latest stable release of 2.6.
>> There are a security advisories out for releases as recent as 2.6s11. Some
>> potential loopholes we have fixed as recently as 2.6s17.
>>
>> Amos
>>
>>
>>
>
>
> _______________________________________________________________________
> Jetzt neu! Sch�tzen Sie Ihren PC mit McAfee und WEB.DE. 3 Monate
> kostenlos testen. http://www.pc-sicherheit.web.de/startseite/?mc=022220
>
Received on Fri Oct 12 2007 - 06:26:32 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT