I'm using Squid 2.3Stable4 and simply don't have the problem you described... Maybe you should check the "ACCESS CONTROLS" section of the squid.conf file (i.e. acl Safe_ports, http_access et al.), and/or upgrade your squid. My squid.conf contains something like this (besides the defaults):

    ...
    acl LOCAL src 172.16.1.0/255.255.0.0
    ...
    http_access allow LOCAL
    http_access deny all
    ...

that is, only this (local) net is allowed to use the proxy.

regards
nicola

Mario Enrico Ragucci wrote:
Hello,

I used nessus to check my Squid proxy. I started the scan in the internal network. Nessus showed me the following vulnerabilities:

- The proxy allows everyone to perform requests against arbitrary ports, like 'GET http://cvs.nessus.org:110'.
- The proxy allows the users to perform CONNECT requests like CONNECT http://cvs.nessus.org:23
- It was possible to make IIS use 100% of the CPU by sending it malformed extension data in the URL requested, preventing him to serve web pages to legitimate clients.
- The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network.
- The misconfigured proxy accepts requests coming from anywhere. This allows attackers to gain some anonymity when browsing some sensitive sites using your proxy, making the remote sites think that the requests come from your network.
- Information found on port unknown (3128/tcp). The remote web server type is: Squid/2.2.STABLE5. We recommend that you configure your web server to return bogus versions, so that it makes the cracker job more difficult.
What can I do? I'm running the SuSE_firewall script and I didn't set any ports @ FW_SERVICES_EXTERNAL_TCP. In my opinion nobody from the internet should be able to use my proxy - is that right?

And why does nessus show me information about an IIS?

Finally, how can I return bogus information to hide my squid version?
Thanx for replies,
Mario
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
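The access-control layout Nicola sketches, written out together with the Safe_ports and CONNECT rules he points at, as an added example that is not taken from either mail; the 172.16.0.0/255.255.0.0 network and the port lists are assumptions to be adjusted to the real site, and the 403 results are what Squid returns for a denied http_access rule.

```squid
# ACCESS CONTROLS section of squid.conf (Squid 2.x syntax).
# Assumed values: the LOCAL net 172.16.0.0/255.255.0.0 and the port lists.

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl LOCAL src 172.16.0.0/255.255.0.0

# Destination ports a plain GET/POST may be proxied to. 110 (POP3) and
# 23 (telnet) are deliberately absent, which is what stops the
# "requests against arbitrary ports" finding from the scan.
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777

# CONNECT (tunnelling) is only allowed towards SSL-style ports, so
# "CONNECT host:23" is refused even from the local net.
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Order matters: the first matching http_access line wins, so the
# port restrictions come before the allow for the local net.
http_access allow manager localhost
http_access deny manager
# GET http://host:110 through the proxy -> 403 Forbidden
http_access deny !Safe_ports
# CONNECT host:23 through the proxy -> 403 Forbidden
http_access deny CONNECT !SSL_ports
# only the local net may use the proxy at all
http_access allow LOCAL
# requests from anywhere else (the "accepts requests from anywhere"
# finding) -> 403 Forbidden
http_access deny all
```

After `squid -k reconfigure`, repeating the same GET and CONNECT requests from an internal client against port 3128 should now return 403 instead of the remote server's reply.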