Re: [squid-users] External IP in access.log

From: Alex Crow <alex_at_nanogherkin.com>
Date: Thu, 02 Aug 2012 19:47:06 +0100

On 02/08/12 19:32, Usu�rio do Sistema wrote:
> I have done some tests and regardless of the direct come the request
> the proxy always pop up authentication.
>
> maybe there is any way to hacker the authentication....but how to?
>

Uhm - yes, it will pop up an auth prompt for anyone that *isn't* logged
into your domain. The way NTLM is supposed to work is that you only have
to log on to the domain in Windows and then you should be able to browse
*without* entering credentials. That is, if you've done it right
including the Samba/Winbind stuff.

What you are saying in combination with your logs (ie you see "MISS"
from the internet IPs rather then just "DENIED") suggests at least one
of your domain accounts has been compromised, possibly by brute-forcing
the proxy login. How strong were your passwords?

I fear you may now have a whole other mess on your hands, ie figuring
out just what has been compromised and how to fix it - which is beyond
the scope of this list if it is true.

I suggest you post your whole squid.conf here so we can look at it. Good
luck.

Alex
Received on Thu Aug 02 2012 - 18:47:07 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 03 2012 - 12:00:03 MDT